URL: https://github.com/SSSD/sssd/pull/519
Author: justin-stephenson
Title: #519: DEBUG: Print simple access provider allow and deny lists
Action: opened
PR body:
"""
Prior to this PR, debug level 9 logs do not print the simple allow and deny user or group lists that are checked against during simple access checks when `access_provider = simple`.

These debug statements helped to solve a downstream customer case where `simple_allow_users` was not working as expected. The administrator discovered, when they saw the usernames printed in the logs, that the `simple_allow_users` list was coming from a **/etc/sssd/conf.d/alternate.conf** file which was overriding what they set in **/etc/sssd/sssd.conf**.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/519/head:pr519
git checkout pr519
From caee10611d27392ec0b763052e8f2d740915592d Mon Sep 17 00:00:00 2001 From: Justin Stephenson <jstep...@redhat.com> Date: Sun, 18 Feb 2018 13:26:05 -0500 Subject: [PATCH] DEBUG: Print simple allow and deny lists For debug purposes, print the simple allow and deny users/groups lists when a sufficient log debug level is set. --- src/providers/simple/simple_access_check.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c index f894f614d..b20f177bf 100644 --- a/src/providers/simple/simple_access_check.c +++ b/src/providers/simple/simple_access_check.c @@ -55,6 +55,9 @@ simple_check_users(struct simple_ctx *ctx, const char *username, /* First, check whether the user is in the allowed users list */ if (ctx->allow_users != NULL) { for(i = 0; ctx->allow_users[i] != NULL; i++) { + DEBUG(SSSDBG_TRACE_LIBS, + "Checking against allow list username [%s].\n", + ctx->allow_users[i]); domain = find_domain_by_object_name(ctx->domain, ctx->allow_users[i]); if (domain == NULL) { @@ -92,6 +95,9 @@ simple_check_users(struct simple_ctx *ctx, const char *username, /* Next check whether this user has been specifically denied */ if (ctx->deny_users != NULL) { for(i = 0; ctx->deny_users[i] != NULL; i++) { + DEBUG(SSSDBG_TRACE_LIBS, + "Checking against deny list username [%s].\n", + ctx->deny_users[i]); domain = find_domain_by_object_name(ctx->domain, ctx->deny_users[i]); if (domain == NULL) { @@ -133,6 +139,9 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names, if (ctx->allow_groups && !*access_granted) { matched = false; for (i = 0; ctx->allow_groups[i]; i++) { + DEBUG(SSSDBG_TRACE_LIBS, + "Checking against allow list group name [%s].\n", + ctx->allow_groups[i]); domain = find_domain_by_object_name(ctx->domain, ctx->allow_groups[i]); if (domain == NULL) { 
@@ -169,6 +178,9 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names, if (ctx->deny_groups) { matched = false; for (i = 0; ctx->deny_groups[i]; i++) { + DEBUG(SSSDBG_TRACE_LIBS, + "Checking against deny list group name [%s].\n", + ctx->deny_groups[i]); domain = find_domain_by_object_name(ctx->domain, ctx->deny_groups[i]); if (domain == NULL) {
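Review bot: In the first hunk (the allow_users loop of simple_check_users), the new message prints only ctx->allow_users[i] and not the name under test, although `username` is a parameter of this function, so a log line cannot be tied to the access check that produced it. Suggest a format such as "Checking [%s] against allow list username [%s].\n" with username as the first argument, and the same change in the deny_users hunk.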
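Review bot: In the allow_groups hunk of simple_check_groups, the DEBUG call sits inside `if (ctx->allow_groups && !*access_granted)`, so the allow group list is not printed at all when *access_granted is already true on entry to that block. That falls short of the subject line "Print simple allow and deny lists". Either state this limitation in the commit message or log the configured lists once, outside the per-check loops, so the output reflects the full configuration regardless of the check result.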
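Review bot: The deny_groups hunk adds the fourth near-identical DEBUG call, and the commit message only says "a sufficient log debug level" while all four calls use SSSDBG_TRACE_LIBS. Name that level in the commit message so an administrator knows what to set, and consider one small helper that takes the list name and the entry so the four messages stay consistent.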