/*
 * Evaluate one "users" promise: validate its attributes, take the
 * promise lock, verify the user, then report the outcome through cfPS().
 *
 * ctx: evaluation context handed to every helper.
 * pp:  the promise being kept; pp->promiser is the user name.
 *
 * Returns PROMISE_RESULT_FAIL when UserSanityCheck() rejects the
 * attributes, PROMISE_RESULT_SKIPPED when the lock cannot be acquired,
 * and otherwise whatever VerifyOneUsersPromise() stored in the result.
 * A result value outside the known set reaches ProgrammingError().
 */
PromiseResult VerifyUsersPromise(EvalContext *ctx, Promise *pp)
{
    Attributes attr = GetUserAttributes(ctx, pp);

    if (!UserSanityCheck(attr, pp))
    {
        return PROMISE_RESULT_FAIL;
    }

    PromiseBanner(pp);

    /* Lock name is keyed on the promiser and the user policy value. */
    char lockname[CF_BUFSIZE];
    snprintf(lockname, CF_BUFSIZE - 1, "user-%s-%d", pp->promiser, attr.users.policy);

    CfLock lock = AcquireLock(ctx, lockname, VUQNAME, CFSTARTTIME, attr.transaction, pp, false);
    if (lock.lock == NULL)
    {
        return PROMISE_RESULT_SKIPPED;
    }

    PromiseResult outcome = PROMISE_RESULT_NOOP;
    VerifyOneUsersPromise(pp->promiser, attr.users, &outcome, attr.transaction.action, ctx, &attr, pp);

    if (outcome == PROMISE_RESULT_NOOP)
    {
        cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_NOOP, pp, attr, "User promise kept");
    }
    else if (outcome == PROMISE_RESULT_CHANGE)
    {
        cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_CHANGE, pp, attr, "User promise repaired");
    }
    else if (outcome == PROMISE_RESULT_FAIL
             || outcome == PROMISE_RESULT_DENIED
             || outcome == PROMISE_RESULT_TIMEOUT
             || outcome == PROMISE_RESULT_INTERRUPTED
             || outcome == PROMISE_RESULT_WARN)
    {
        /* The actual (non-kept) result is passed through to cfPS. */
        cfPS(ctx, LOG_LEVEL_INFO, outcome, pp, attr, "User promise not kept");
    }
    else
    {
        ProgrammingError("Unknown promise result");
    }

    /* Lock is released on every path that reached this point. */
    YieldCurrentLock(lock);
    return outcome;
}
/*
 * Refresh the cached AD attributes for a user at logon time.
 *
 * pszUserUPN:    user principal name used to build the credential context.
 * pszUserDomain: the user's AD domain; passed to Kerberos init and to the
 *                LDAP directory open.
 * pszMessage:    logon message stored via CacheUserLoginMessage() under the
 *                credential context's home directory path (the comment
 *                below says it is read by the LoginHook script).
 * bOnlineLogon:  when FALSE only the logon message is cached; the AD
 *                refresh is skipped with a log line.
 *
 * Returns the first failing step's error mapped through LWGetMacError();
 * MAC_AD_ERROR_SUCCESS when every step succeeded.
 *
 * Process-global state touched on the online path and restored in
 * cleanup: the credential context is activated (and deactivated only if
 * activation succeeded), and the default Kerberos cache path is switched
 * to the credential context's cache path and reverted afterwards. A
 * failure to revert the cache path is logged via LOG_ERROR but does not
 * change the error code returned to the caller.
 *
 * NOTE(review): BAIL_ON_MAC_ERROR is assumed to jump to the `error`
 * label on a non-zero dwError -- confirm against the macro definition.
 */
DWORD
CollectCurrentADAttributesForUser(
    PSTR pszUserUPN,
    PSTR pszUserDomain,
    PSTR pszMessage,
    BOOLEAN bOnlineLogon
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PGPUSER_AD_ATTRS pUserADAttrs = NULL;
    PADU_CRED_CONTEXT pCredContext = NULL;
    /* Set only after ADUActivateCredContext() succeeds, so cleanup never
       deactivates a context that was never activated. */
    BOOLEAN bDeactivateCredContext = FALSE;
    /* Previous default Kerberos cache path; non-NULL means cleanup must
       restore it and free the string. */
    PSTR pszOrigCachePath = NULL;
    HANDLE hDirectory = (HANDLE)NULL;

    dwError = ADUBuildCredContext(
                    NULL,
                    pszUserUPN,
                    bOnlineLogon,
                    &pCredContext);
    BAIL_ON_MAC_ERROR(dwError);

    /* Update user logon message which is accessed and reported with LoginHook script */
    dwError = CacheUserLoginMessage(pCredContext->pszHomeDirPath, pszMessage);
    BAIL_ON_MAC_ERROR(dwError);

    if (bOnlineLogon)
    {
        /* Logs the cache path, UPN and domain (no secret material) before
           the directory bind. */
        LOG("Connecting to AD using these credentials: path: %s, user: %s, domain: %s",
            pCredContext->pszCachePath,
            pszUserUPN,
            pszUserDomain);

        /* Set default credentials to the user's */
        dwError = ADUInitKrb5(pszUserDomain);
        BAIL_ON_MAC_ERROR(dwError);

        /* From here on the default cache path is the user's; the original
           is handed back in pszOrigCachePath for cleanup to restore. */
        dwError = ADUKrb5SetDefaultCachePath(
                        pCredContext->pszCachePath,
                        &pszOrigCachePath);
        BAIL_ON_MAC_ERROR(dwError);

        dwError = ADUActivateCredContext(pCredContext);
        BAIL_ON_MAC_ERROR(dwError);

        bDeactivateCredContext = TRUE;

        dwError = ADUOpenLwLdapDirectory(pszUserDomain, &hDirectory);
        BAIL_ON_MAC_ERROR(dwError);

        /* Attributes are looked up by the context's SID, not by name. */
        dwError = GetUserAttributes(hDirectory, pCredContext->pszSID, pszUserDomain, &pUserADAttrs);
        if (dwError)
        {
            LOG("Error (%d) while reading user AD attributes from domain DC", dwError);
            BAIL_ON_MAC_ERROR(dwError);
        }

        dwError = CacheUserAttributes(pCredContext->uid, pUserADAttrs);
        if (dwError)
        {
            LOG("Error (%d) while saving user AD attributes to cache", dwError);
            BAIL_ON_MAC_ERROR(dwError);
        }

        dwError = FlushDirectoryServiceCache();
        if (dwError)
        {
            LOG("Failed to flush the Mac DirectoryService cache. 
Error: %d", dwError);
            BAIL_ON_MAC_ERROR(dwError);
        }
    }
    else
    {
        LOG("Offline logon, can't refresh AD user attributes for: user: %s, domain: %s",
            pszUserUPN,
            pszUserDomain);
    }

cleanup:

    /* Cleanup runs in reverse acquisition order: attributes, directory
       handle, credential context, then the Kerberos cache path. */
    FreeUserAttributes(pUserADAttrs);

    if (hDirectory != (HANDLE)NULL)
    {
        LwLdapCloseDirectory(hDirectory);
    }

    if (pCredContext)
    {
        if (bDeactivateCredContext)
        {
            ADUDeactivateCredContext(pCredContext);
        }
        ADUFreeCredContext(pCredContext);
    }

    if (pszOrigCachePath)
    {
        /* Best effort: a revert failure is logged, and dwError (the
           primary outcome) is still what gets returned. */
        DWORD dwError2 = ADUKrb5SetDefaultCachePath(pszOrigCachePath, NULL);
        if (dwError2)
        {
            LOG_ERROR("Failed to revert kerberos cache path [code:%d]", dwError2);
        }
        LwFreeMemory(pszOrigCachePath);
    }

    return LWGetMacError(dwError);

error:

    goto cleanup;
}