authorAlexander Bokovoy <abokovoy@redhat.com>2013-07-31 14:31:50 +0300
committerNalin Dahyabhai <nalin@dahyabhai.net>2013-08-07 11:33:34 -0400
commit87fcea3db1d716a9e0cd8e86c038d44342bd2b27 (patch)
tree6252e76991afb739ba6b2ba8428c586cbfa871f2 /configure.ac
parent4ddd2079b059c57f09419c72f73efee468318b01 (diff)
configure: add configure checks for sss_idmap and define attribute to lookup nsswitch
If the schema compat plugin configuration has 'schema-compat-lookup-nsswitch: user|group', then the schema compat plugin will look up users/groups that were not found in the main store using getpwnam_r()/getgrnam_r() and the libsss_nss_idmap library. This is a special case to support legacy clients. In this case the schema compat plugin is assumed to be running on a FreeIPA master configured with trusts against Active Directory, with SSSD 1.11+ configured with ipa_server_mode = True. Additionally, such entries are added to the schema compat plugin's map cache and can be used for authentication purposes. They will use PAM authentication pass-through to the 'system-auth' service.
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac73
1 files changed, 73 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 8d7cbe1..fe02f3a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -309,6 +309,73 @@ AC_SUBST(ASYNCNS_CFLAGS)
AC_SUBST(ASYNCNS_LIBS)
fi
+AC_ARG_WITH(nsswitch,
+ AS_HELP_STRING([--with-nsswitch],
+ [use nsswitch API to look up users and groups not found in the LDAP]),
+ use_nsswitch=$withval,use_nsswitch=AUTO)
+
+AM_CONDITIONAL([USE_NSSWITCH], [test "x$use_nsswitch" != xno])
+
+AC_ARG_WITH(sss_nss_idmap,
+ AS_HELP_STRING([--with-sss-nss-idmap], [use libsss_nss_idmap to discover SIDs. Requires --with-nsswitch as well]),
+ use_sss_nss_idmap=$withval,use_sss_nss_idmap=AUTO)
+AC_ARG_WITH(pam,
+ AS_HELP_STRING([--with-pam],
+ [use PAM API to authenticate users not found in the LDAP. Requires --with-nsswitch as well]),
+ use_pam=$withval,use_pam=AUTO)
+
+if test "x$use_nsswitch" = xno ; then
+ if test "x$use_pam" = xyes ; then
+ AC_ERROR([Cannot use PAM without nsswitch enabled])
+ else
+ if test "x$use_pam" = xAUTO ; then
+ use_pam=no
+ fi
+ fi
+fi
+AM_CONDITIONAL([USE_PAM], [test "x$use_pam" != xno])
+
+if test "x$use_nsswitch" != xno ; then
+ if pkg-config sss_nss_idmap 2> /dev/null ; then
+ if test x$use_sss_nss_idmap != xno ; then
+ AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have libsss_nss_idmap.])
+ PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
+ else
+ SSS_NSS_IDMAP_CFLAGS=
+ SSS_NSS_IDMAP_LIBS=
+ fi
+ else
+ if test x$use_sss_nss_idmap = xyes ; then
+ PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
+ else
+ SSS_NSS_IDMAP_CFLAGS=
+ SSS_NSS_IDMAP_LIBS=
+ fi
+ fi
+ AC_SUBST(SSS_NSS_IDMAP_CFLAGS)
+ AC_SUBST(SSS_NSS_IDMAP_LIBS)
+
+ if test "x$use_pam" != xno ; then
+ AC_CHECK_HEADERS(security/pam_appl.h)
+ if test x$ac_cv_header_security_pam_appl_h = xyes ; then
+ use_pam=yes
+ else
+ use_pam=no
+ fi
+
+ if test $use_pam = yes ; then
+ PAM_CFLAGS=
+ PAM_LIBS=-lpam
+ AC_DEFINE(USE_PAM,1,[Use PAM API to authenticate users not found in the LDAP tree])
+ else
+ AC_ERROR([<security/pam_appl.h> not found and it is required for nsswitch-based mode])
+ fi
+ AC_SUBST(PAM_CFLAGS)
+ AC_SUBST(PAM_LIBS)
+ fi
+ AC_DEFINE(USE_NSSWITCH,1,[Use nsswitch API to lookup users and groups not found in the LDAP tree])
+fi
+
mylibdir=`eval echo "$libdir" | sed "s,NONE,${ac_default_prefix},g"`
mylibdir=`eval echo "$mylibdir" | sed "s,NONE,${ac_prefix},g"`
case "$server" in
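Review bot: In the PAM block inside `if test "x$use_nsswitch" != xno`, the `AUTO` default behaves like an explicit `--with-pam`: when `<security/pam_appl.h>` is missing, `use_pam` is set to `no` and the next test turns that into `AC_ERROR`, so a plain `./configure` aborts on hosts without PAM headers even though `--without-pam` is accepted as a valid configuration. Because `use_nsswitch` is likewise only compared against `no`, the nsswitch lookup and PAM pass-through authentication code is compiled in unless the builder opts out, which the `AS_HELP_STRING` texts should state. If PAM is meant to be optional, I would error only when `--with-pam` was given explicitly, downgrade `AUTO` to `no` otherwise, and move `AM_CONDITIONAL([USE_PAM], ...)` below the detection so it reflects the final value. The header check also does not confirm that `-lpam` links; an `AC_CHECK_LIB` for `pam_start` would.

```m4
  if test "x$use_pam" != xno ; then
    AC_CHECK_HEADERS(security/pam_appl.h)
    if test "x$ac_cv_header_security_pam_appl_h" = xyes ; then
      use_pam=yes
      dnl ... unchanged: PAM_CFLAGS, PAM_LIBS and AC_DEFINE(USE_PAM) ...
    elif test "x$use_pam" = xyes ; then
      AC_MSG_ERROR([<security/pam_appl.h> not found but --with-pam was given])
    else
      use_pam=no
    fi
    dnl ... unchanged: AC_SUBST(PAM_CFLAGS), AC_SUBST(PAM_LIBS) ...
  fi
  dnl ... unchanged: AC_DEFINE(USE_NSSWITCH) and the closing fi of the nsswitch block ...
AM_CONDITIONAL([USE_PAM], [test "x$use_pam" != xno])
```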
@@ -401,6 +468,12 @@ AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_RDN_ATTR,"$rdnattr",
attrattr=schema-compat-entry-attribute
AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_ATTR_ATTR,"$attrattr",
[Define to name of the attribute which is used to specify attributes to be used when constructing entries.])
+nsswitchattr=schema-compat-lookup-nsswitch
+AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_NSSWITCH_ATTR,"$nsswitchattr",
+ [Define to name of the attribute to cause the tree to talk to nsswitch API for users and groups when they were not found in the LDAP. The value of the attribute is either 'user' or 'group'.])
+nsswitchminidattr=schema-compat-nsswitch-min-id
+AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_NSSWITCH_MIN_ID_ATTR,"$nsswitchminidattr",
+ [Define to name of the attribute which is used to define lower bound of IDs (uid or gid) looked up through nsswitch API. Everything below is not considered belonging to trusted domains.])
maxvalue_attr=nis-max-value-size
AC_DEFINE_UNQUOTED(NIS_PLUGIN_CONFIGURATION_MAXVALUE_ATTR,"$maxvalue_attr",