URL: https://github.com/SSSD/sssd/pull/519
Author: justin-stephenson
Title: #519: DEBUG: Print simple access provider allow and deny lists
Action: opened

PR body:
"""
Prior to this PR, debug level 9 logs do not print the simple allow and deny 
user or group lists that are checked against during simple access checks when 
`access_provider = simple`.

These debug statements helped to solve a downstream customer case where 
`simple_allow_users` was not working as expected; the administrator discovered, 
when they saw the usernames printed in the logs, that the `simple_allow_users` 
list was coming from a **/etc/sssd/conf.d/alternate.conf** file which was 
overriding what they set in **/etc/sssd/sssd.conf**.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/519/head:pr519
git checkout pr519
From caee10611d27392ec0b763052e8f2d740915592d Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Sun, 18 Feb 2018 13:26:05 -0500
Subject: [PATCH] DEBUG: Print simple allow and deny lists

For debug purposes, print the simple allow and deny users/groups lists
when a sufficient log debug level is set.
---
 src/providers/simple/simple_access_check.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index f894f614d..b20f177bf 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -55,6 +55,9 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
     /* First, check whether the user is in the allowed users list */
     if (ctx->allow_users != NULL) {
         for(i = 0; ctx->allow_users[i] != NULL; i++) {
+            DEBUG(SSSDBG_TRACE_LIBS,
+                  "Checking against allow list username [%s].\n",
+                  ctx->allow_users[i]);
             domain = find_domain_by_object_name(ctx->domain,
                                                 ctx->allow_users[i]);
             if (domain == NULL) {
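Review bot: The new DEBUG at the top of the allow_users loop prints only the list entry, not the user being evaluated, so on a system handling several logins the trace lines cannot be tied to a particular access check. `username` is already a parameter of simple_check_users(); consider a format such as "Checking user [%s] against allow list entry [%s].\n" with username and ctx->allow_users[i] as arguments.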
@@ -92,6 +95,9 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
     /* Next check whether this user has been specifically denied */
     if (ctx->deny_users != NULL) {
         for(i = 0; ctx->deny_users[i] != NULL; i++) {
+            DEBUG(SSSDBG_TRACE_LIBS,
+                  "Checking against deny list username [%s].\n",
+                  ctx->deny_users[i]);
             domain = find_domain_by_object_name(ctx->domain,
                                                 ctx->deny_users[i]);
             if (domain == NULL) {
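Review bot: In the deny_users loop the message is emitted before find_domain_by_object_name() and the `domain == NULL` check that follows, so an entry that fails domain resolution is logged as "Checking against deny list username" exactly like one that is actually compared. Someone reading the log to confirm that a deny entry is in effect could be misled by that. Either move the DEBUG after the NULL check or reword it (for example "Processing deny list entry [%s]") so the line does not imply a comparison took place.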
@@ -133,6 +139,9 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names,
     if (ctx->allow_groups && !*access_granted) {
         matched = false;
         for (i = 0; ctx->allow_groups[i]; i++) {
+            DEBUG(SSSDBG_TRACE_LIBS,
+                  "Checking against allow list group name [%s].\n",
+                  ctx->allow_groups[i]);
             domain = find_domain_by_object_name(ctx->domain,
                                                 ctx->allow_groups[i]);
             if (domain == NULL) {
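Review bot: The allow_groups trace sits inside `if (ctx->allow_groups && !*access_granted)`, so the allow groups list is not printed at all when *access_granted is already true on entry to this block. If the aim is to show the administrator which lists are in effect (the conf.d override case from the description), the log will be incomplete in exactly those runs. Printing the list outside this condition, independent of the check outcome, would make the output reliable for that purpose.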
@@ -169,6 +178,9 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names,
     if (ctx->deny_groups) {
         matched = false;
         for (i = 0; ctx->deny_groups[i]; i++) {
+            DEBUG(SSSDBG_TRACE_LIBS,
+                  "Checking against deny list group name [%s].\n",
+                  ctx->deny_groups[i]);
             domain = find_domain_by_object_name(ctx->domain,
                                                 ctx->deny_groups[i]);
             if (domain == NULL) {
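Review bot: Missing documentation for the level used by the DEBUG in the deny_groups loop (and the three before it): the commit message says only "a sufficient log debug level" and the PR text refers to level 9, while the code uses SSSDBG_TRACE_LIBS. Please name in the commit message the level at which these lines appear. As a style point, the four added statements differ only in the list label and the array, so a small static helper taking the label and the entry would remove the repetition.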