author | Alexander Bokovoy <abokovoy@redhat.com> | 2014-07-29 12:04:34 +0300 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2014-10-01 18:54:53 +0300 |
commit | 680e9a9523e57592b48700639ca9868d9eb5e766 (patch) | |
tree | e490cf7a5fbaa0adb139f528337109e45ddb9b88 /src/back-sch.h | |
parent | 7e319653c352da1e8c6354bc8f95a2306d70c54b (diff) | |
Add support for FreeIPA ID viewsidviews
FreeIPA ID views allow to override POSIX attributes for certain
users and groups.
Support is added for using a specific ID view when serving the
compatibility tree. Each user or group entry that has an override
in the view is amended with the overridden values from the view
before being served to the LDAP client.
A view to use is specified as a part of base DN:
cn=<view>,cn=views,cn=compat,$SUFFIX
where cn=compat,$SUFFIX is the original compatibility tree base DN.
Each entry, when served through the view, gets new DN rewritten to
specify the view. Additionally, if override in the view changes
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.
For groups memberUid attribute is modified as well in case there is an override
in the view that changes uid value of that member.
FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case of a trusted AD domain's user or group is returned via compatibility tree,
view overrides are applied in two stages:
1. SSSD applies default view for AD users
2. slapi-nis applies explicitly specified (host-specific) view
on top of the entry returned by SSSD
Thus, slapi-nis does not need to apply default view for AD users and if there are
no host-specific views in use, there is no need to specify a view in the base DN,
making overhead of a default view for AD users lower.
Diffstat (limited to 'src/back-sch.h')
-rw-r--r-- | src/back-sch.h | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/src/back-sch.h b/src/back-sch.h
index 2f4a3df..f74e82d 100644
--- a/src/back-sch.h
+++ b/src/back-sch.h
@@ -69,6 +69,8 @@ struct backend_search_cbdata {
 Slapi_PBlock *pb;
 struct plugin_state *state;
 char *target, *strfilter, **attrs;
+ char *idview;
+ Slapi_Entry **overrides;
 int scope, sizelimit, timelimit, attrsonly;
 bool_t check_access;
 enum sch_search_nsswitch_t check_nsswitch;
@@ -87,6 +89,29 @@ struct backend_search_cbdata {
 struct backend_staged_search *cur_staged;
 };
+struct backend_search_filter_config {
+ bool_t search_user;
+ bool_t search_group;
+ bool_t search_uid;
+ bool_t search_gid;
+ bool_t search_members;
+ bool_t name_set;
+ bool_t wrong_search;
+ bool_t override_found;
+ char *name;
+ /* If callback is defined, it is called on each filter after analyzing it */
+ void (*callback)(Slapi_Filter *filter, const char *filter_type, struct berval *bval, struct backend_search_filter_config *config);
+ void *callback_data;
+};
+
+/* Analyzes the filter to decide what kind of NSS search is it
+ * Returns 0 on success, 1 on failure
+ * struct backend_search_filter_config is populated with information about the filter
+ * config.name should be freed with slapi_ch_free_string()
+ */
+
+int backend_analyze_search_filter(Slapi_Filter *filter, struct backend_search_filter_config *config);
+
 void backend_search_nsswitch(struct backend_set_data *set_data, struct backend_search_cbdata *cbdata);
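Review bot: The two fields added to `struct backend_search_cbdata` in the first hunk carry no ownership or layout contract: nothing says who allocates and frees `idview`, or how the end of the `overrides` array is found, since no count is stored beside it. A short comment would settle it, for example `/* idview: view name for this search, NULL if none; overrides: override entries for that view, presumably released by idview_free_overrides() */`, with the array's terminator convention added once it is confirmed against the implementation. The fields are unconditional while the idview_* functions declared in the last hunk sit under `USE_IPA_IDVIEWS`, so builds without that macro still need both pointers initialised to NULL wherever the structure is set up. The struct definition starts and ends outside this hunk.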
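Review bot: `struct backend_search_filter_config` in the second hunk has no stated initialisation requirement, yet the comment on `callback` says it is called whenever it is defined, so a caller that passes a stack instance without zeroing it would hand `backend_analyze_search_filter()` an indeterminate function pointer and an indeterminate `name`. The doc comment should say that the caller must zero the structure first (`struct backend_search_filter_config config = {0};`) and whether `name` can be set when the function returns 1, so the error path knows to free it. Since `bval` presumably comes from the client's search filter, it would also help to state that callbacks must honour `bv_len` rather than treat `bv_val` as a C string. The blank line between the comment and the prototype detaches the two for documentation tools.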
@@ -95,4 +120,14 @@ bool_t backend_retrieve_from_nsswitch(struct backend_staged_search *staged,
 int backend_sch_do_pam_auth(Slapi_PBlock *pb, const char *username);
+#ifdef USE_IPA_IDVIEWS
+void idview_get_overrides(struct backend_search_cbdata *cbdata);
+void idview_free_overrides(struct backend_search_cbdata *cbdata);
+void idview_process_overrides(struct backend_search_cbdata *cbdata,
+ const char *key, const char *map, const char *domain,
+ Slapi_Entry *entry);
+void idview_replace_target_dn(char **target, char **idview);
+void idview_replace_filter(struct backend_search_cbdata *cbdata);
+#endif
+
 #endif |
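Review bot: Every idview_* function declared here returns void, so a failed override lookup or allocation in `idview_get_overrides()` or `idview_replace_target_dn()` cannot be reported to the caller, which has to infer it from `cbdata->overrides` or `*idview` being NULL; an `int` return, or a comment stating that convention, would make the failure path explicit. According to the commit message the view name is taken from the base DN the client sends, so `*idview` is client-controlled, and the header should say whether it is validated or escaped before `idview_replace_filter()` or the override lookup uses it (the implementation is not part of this diff). `idview_replace_target_dn(char **target, char **idview)` also needs its ownership documented: whether the old `*target` is freed and who frees the strings it stores.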