[SSSD] [sssd PR#544][synchronized] IPA: Qualify the externalUser sudo attribute

Thu, 29 Mar 2018 12:03:16 -0700 

   URL: https://github.com/SSSD/sssd/pull/544
Author: jhrozek
 Title: #544: IPA: Qualify the externalUser sudo attribute
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/544/head:pr544
git checkout pr544

From 86d31351861bed9c993f100f6603b1c9cff754c3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 26 Mar 2018 11:36:00 +0200
Subject: [PATCH] IPA: Qualify the externalUser sudo attribute

We broke the externalUser support with the introduction of the fully
qualified attributes, because the provider was saving the data verbatim,
but the sudo responder expects a fully qualified name.

Reproducer:
    on the server:
        ipa sudocmd-add --desc='For reading log files' /usr/bin/less
        ipa sudorule-add readfiles
        ipa sudorule-add-user --users=lcluser
        ipa sudorule-mod --hostcat=all readfiles

    then on the client:
        configure sssd with:
            id_provider = files
            sudo_provider = ipa
            ipa_domain = ipa.test

        run:
            sudo useradd lcluser
            sudo passwd lcluser
            su - lcluser
            sudo -l
---
 src/providers/ipa/ipa_sudo_conversion.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index a96ae3447..bfa66b2c6 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -873,6 +873,15 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
     return fqdn;
 }
 
+static const char *
+convert_ext_user(TALLOC_CTX *mem_ctx,
+                 struct ipa_sudo_conv *conv,
+                 const char *value,
+                 bool *skip_entry)
+{
+    return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
+}
+
 static const char *
 convert_group(TALLOC_CTX *mem_ctx,
               struct ipa_sudo_conv *conv,
@@ -959,7 +968,7 @@ convert_attributes(struct ipa_sudo_conv *conv,
                  {SYSDB_IPA_SUDORULE_RUNASEXTUSER,       SYSDB_SUDO_CACHE_AT_RUNASUSER  , NULL},
                  {SYSDB_IPA_SUDORULE_RUNASEXTGROUP,      SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
                  {SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP,  SYSDB_SUDO_CACHE_AT_RUNASUSER  , convert_runasextusergroup},
-                 {SYSDB_IPA_SUDORULE_EXTUSER,            SYSDB_SUDO_CACHE_AT_USER       , NULL},
+                 {SYSDB_IPA_SUDORULE_EXTUSER,            SYSDB_SUDO_CACHE_AT_USER       , convert_ext_user},
                  {SYSDB_IPA_SUDORULE_ALLOWCMD,           SYSDB_IPA_SUDORULE_ORIGCMD     , NULL},
                  {SYSDB_IPA_SUDORULE_DENYCMD,            SYSDB_IPA_SUDORULE_ORIGCMD     , NULL},
                  {NULL, NULL, NULL}};

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to