[Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin
URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 From e84f70cceec2421968977e4012bbf747e060b5f4 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 15 Feb 2017 12:09:20 +0100 Subject: [PATCH 1/2] ipa-kdb: add ipadb_fetch_principals_with_extra_filter() Additionally make ipadb_find_principal public. Related to https://pagure.io/freeipa/issue/4905 --- daemons/ipa-kdb/ipa_kdb.h| 11 +++ daemons/ipa-kdb/ipa_kdb_principals.c | 58 2 files changed, 56 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 8a3f7d3..72f2675 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext, char **db_args); krb5_error_code ipadb_delete_principal(krb5_context kcontext, krb5_const_principal search_for); +krb5_error_code +ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + unsigned int flags, + const char *principal, + const char *filter, + LDAPMessage **result); +krb5_error_code ipadb_find_principal(krb5_context kcontext, + unsigned int flags, + LDAPMessage *res, + char **principal, + LDAPMessage **entry); #if KRB5_KDB_API_VERSION < 8 krb5_error_code ipadb_iterate(krb5_context kcontext, char *match_entry, diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 3bd8fb8..82c8574 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c 
@@ -37,6 +37,17 @@ "(objectclass=krbprincipal))" \ "(krbprincipalname=%s))" +#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal)" \ + "(objectclass=ipakrbprincipal))" \ +"(|(ipakrbprincipalalias=%s)" \ + "(krbprincipalname:caseIgnoreIA5Match:=%s))" \ + "%s)" + +#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal))" \ +"(krbprincipalname=%s)" \ +"%s)" static char *std_principal_attrs[] = { "krbPrincipalName", "krbCanonicalName", @@ -864,10 +875,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, return kerr; } -static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, - unsigned int flags, - char *principal, - LDAPMessage **result) +krb5_error_code +ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + unsigned int flags, + const char *principal, + const char *filter, + LDAPMessage **result) { krb5_error_code kerr; char *src_filter = NULL; @@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, goto done; } -if (flags & KRB5_KDB_FLAG_ALIAS_OK) { -ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, - esc_original_princ, esc_original_princ); +if (filter == NULL) { +if (flags & KRB5_KDB_FLAG_ALIAS_OK) { +ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, + esc_original_princ, esc_original_princ); +} else { +ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +} } else { -ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +if (flags & KRB5_KDB_FLAG_ALIAS_OK) { +ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, + esc_original_princ, esc_original_princ, filter); +} else { +ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA, + esc_original_princ, filter); +} } if (ret == -1) { @@ -913,11 +936,20 @
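Review bot: `PRINC_SEARCH_FILTER_EXTRA` is `PRINC_SEARCH_FILTER` with one extra `%s` before the closing parenthesis, and `PRINC_TGS_SEARCH_FILTER_EXTRA` appears to stand in the same relation to `PRINC_TGS_SEARCH_FILTER` (that macro starts outside the hunk), so the object-class lists now exist twice and can drift apart. Keeping only the `%s`-terminated forms and passing `filter ? filter : ""` would produce the same filter string in the NULL case and reduce the four-way `asprintf` branch in the `@@ -890,11 +903,21 @@` hunk to the two alias/non-alias calls. If both pairs stay, a one-line comment above the new macros would make the pairing explicit: `/* Same as PRINC_*_SEARCH_FILTER plus a trailing caller-supplied filter component. */`.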
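Review bot: In the `filter != NULL` branch of the `@@ -890,11 +903,21 @@` hunk, the caller-supplied `filter` is formatted into the LDAP search filter unescaped through the trailing `%s`, while the principal goes in as `esc_original_princ`. The function is no longer `static`, so this contract should be stated at the prototype in ipa_kdb.h and at the definition, for example `/* filter: NULL, or one complete parenthesised LDAP filter component whose assertion values the caller has already escaped (RFC 4515); it is ANDed with the principal match unmodified. */`. A fragment built from unescaped client- or certificate-derived data would change which entries match, and going by the PR title this lookup presumably feeds certificate authentication. The function body continues outside the hunk, and the same lines recur in the three later copies of this patch on the page.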
[Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin
URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 From e84f70cceec2421968977e4012bbf747e060b5f4 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 15 Feb 2017 12:09:20 +0100 Subject: [PATCH 1/3] ipa-kdb: add ipadb_fetch_principals_with_extra_filter() Additionally make ipadb_find_principal public. Related to https://pagure.io/freeipa/issue/4905 --- daemons/ipa-kdb/ipa_kdb.h| 11 +++ daemons/ipa-kdb/ipa_kdb_principals.c | 58 2 files changed, 56 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 8a3f7d3..72f2675 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext, char **db_args); krb5_error_code ipadb_delete_principal(krb5_context kcontext, krb5_const_principal search_for); +krb5_error_code +ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + unsigned int flags, + const char *principal, + const char *filter, + LDAPMessage **result); +krb5_error_code ipadb_find_principal(krb5_context kcontext, + unsigned int flags, + LDAPMessage *res, + char **principal, + LDAPMessage **entry); #if KRB5_KDB_API_VERSION < 8 krb5_error_code ipadb_iterate(krb5_context kcontext, char *match_entry, diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 3bd8fb8..82c8574 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c 
@@ -37,6 +37,17 @@ "(objectclass=krbprincipal))" \ "(krbprincipalname=%s))" +#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal)" \ + "(objectclass=ipakrbprincipal))" \ +"(|(ipakrbprincipalalias=%s)" \ + "(krbprincipalname:caseIgnoreIA5Match:=%s))" \ + "%s)" + +#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal))" \ +"(krbprincipalname=%s)" \ +"%s)" static char *std_principal_attrs[] = { "krbPrincipalName", "krbCanonicalName", @@ -864,10 +875,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, return kerr; } -static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, - unsigned int flags, - char *principal, - LDAPMessage **result) +krb5_error_code +ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + unsigned int flags, + const char *principal, + const char *filter, + LDAPMessage **result) { krb5_error_code kerr; char *src_filter = NULL; @@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, goto done; } -if (flags & KRB5_KDB_FLAG_ALIAS_OK) { -ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, - esc_original_princ, esc_original_princ); +if (filter == NULL) { +if (flags & KRB5_KDB_FLAG_ALIAS_OK) { +ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, + esc_original_princ, esc_original_princ); +} else { +ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +} } else { -ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +if (flags & KRB5_KDB_FLAG_ALIAS_OK) { +ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, + esc_original_princ, esc_original_princ, filter); +} else { +ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA, + esc_original_princ, filter); +} } if (ret == -1) { @@ -913,11 +936,20 @
[Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin
URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 From e84f70cceec2421968977e4012bbf747e060b5f4 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 15 Feb 2017 12:09:20 +0100 Subject: [PATCH 1/2] ipa-kdb: add ipadb_fetch_principals_with_extra_filter() Additionally make ipadb_find_principal public. Related to https://pagure.io/freeipa/issue/4905 --- daemons/ipa-kdb/ipa_kdb.h| 11 +++ daemons/ipa-kdb/ipa_kdb_principals.c | 58 2 files changed, 56 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 8a3f7d3..72f2675 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext, char **db_args); krb5_error_code ipadb_delete_principal(krb5_context kcontext, krb5_const_principal search_for); +krb5_error_code +ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + unsigned int flags, + const char *principal, + const char *filter, + LDAPMessage **result); +krb5_error_code ipadb_find_principal(krb5_context kcontext, + unsigned int flags, + LDAPMessage *res, + char **principal, + LDAPMessage **entry); #if KRB5_KDB_API_VERSION < 8 krb5_error_code ipadb_iterate(krb5_context kcontext, char *match_entry, diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 3bd8fb8..82c8574 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c 
@@ -37,6 +37,17 @@ "(objectclass=krbprincipal))" \ "(krbprincipalname=%s))" +#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal)" \ + "(objectclass=ipakrbprincipal))" \ +"(|(ipakrbprincipalalias=%s)" \ + "(krbprincipalname:caseIgnoreIA5Match:=%s))" \ + "%s)" + +#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal))" \ +"(krbprincipalname=%s)" \ +"%s)" static char *std_principal_attrs[] = { "krbPrincipalName", "krbCanonicalName", @@ -864,10 +875,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, return kerr; } -static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, - unsigned int flags, - char *principal, - LDAPMessage **result) +krb5_error_code +ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + unsigned int flags, + const char *principal, + const char *filter, + LDAPMessage **result) { krb5_error_code kerr; char *src_filter = NULL; @@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, goto done; } -if (flags & KRB5_KDB_FLAG_ALIAS_OK) { -ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, - esc_original_princ, esc_original_princ); +if (filter == NULL) { +if (flags & KRB5_KDB_FLAG_ALIAS_OK) { +ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, + esc_original_princ, esc_original_princ); +} else { +ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +} } else { -ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +if (flags & KRB5_KDB_FLAG_ALIAS_OK) { +ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, + esc_original_princ, esc_original_princ, filter); +} else { +ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA, + esc_original_princ, filter); +} } if (ret == -1) { @@ -913,11 +936,20 @
[Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin
URL: https://github.com/freeipa/freeipa/pull/575 Author: sumit-bose Title: #575: IPA certauth plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/575/head:pr575 git checkout pr575 From 27bcf2baab5129ce3f49e1ff74d9489753211c93 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 15 Feb 2017 12:09:20 +0100 Subject: [PATCH 1/2] ipa-kdb: add ipadb_fetch_principals_with_extra_filter() Additionally make ipadb_find_principal public. Related to https://pagure.io/freeipa/issue/4905 --- daemons/ipa-kdb/ipa_kdb.h| 11 +++ daemons/ipa-kdb/ipa_kdb_principals.c | 58 2 files changed, 56 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 8a3f7d3..72f2675 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext, char **db_args); krb5_error_code ipadb_delete_principal(krb5_context kcontext, krb5_const_principal search_for); +krb5_error_code +ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + unsigned int flags, + const char *principal, + const char *filter, + LDAPMessage **result); +krb5_error_code ipadb_find_principal(krb5_context kcontext, + unsigned int flags, + LDAPMessage *res, + char **principal, + LDAPMessage **entry); #if KRB5_KDB_API_VERSION < 8 krb5_error_code ipadb_iterate(krb5_context kcontext, char *match_entry, diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 3bd8fb8..82c8574 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c 
@@ -37,6 +37,17 @@ "(objectclass=krbprincipal))" \ "(krbprincipalname=%s))" +#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal)" \ + "(objectclass=ipakrbprincipal))" \ +"(|(ipakrbprincipalalias=%s)" \ + "(krbprincipalname:caseIgnoreIA5Match:=%s))" \ + "%s)" + +#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal))" \ +"(krbprincipalname=%s)" \ +"%s)" static char *std_principal_attrs[] = { "krbPrincipalName", "krbCanonicalName", @@ -864,10 +875,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, return kerr; } -static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, - unsigned int flags, - char *principal, - LDAPMessage **result) +krb5_error_code +ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, + unsigned int flags, + const char *principal, + const char *filter, + LDAPMessage **result) { krb5_error_code kerr; char *src_filter = NULL; @@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, goto done; } -if (flags & KRB5_KDB_FLAG_ALIAS_OK) { -ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, - esc_original_princ, esc_original_princ); +if (filter == NULL) { +if (flags & KRB5_KDB_FLAG_ALIAS_OK) { +ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, + esc_original_princ, esc_original_princ); +} else { +ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +} } else { -ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ); +if (flags & KRB5_KDB_FLAG_ALIAS_OK) { +ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, + esc_original_princ, esc_original_princ, filter); +} else { +ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA, + esc_original_princ, filter); +} } if (ret == -1) { @@ -913,11 +936,20 @