authorJakub Hrozek <jhrozek@redhat.com>2015-05-15 14:13:40 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-06-14 21:47:29 +0200
commit30dd3f3e063dded0ec9f58bc2535a94727d8e96d (patch)
treec7a0fea133261dd2734a2d534b8c4d1959d4686a
parent0c37b025b3da6bed26d7c84c4254f8ecc05bfc77 (diff)
downloadsssd-30dd3f3e063dded0ec9f58bc2535a94727d8e96d.tar.gz
sssd-30dd3f3e063dded0ec9f58bc2535a94727d8e96d.tar.xz
sssd-30dd3f3e063dded0ec9f58bc2535a94727d8e96d.zip
AD: Add ad_create_1way_trust_options
Related: https://fedorahosted.org/sssd/ticket/2638 For one-way trusts we can assume that the AD domain is the same as the Kerberos realm. On the other hand, the SASL realm and keytab path are specified explicitly, unlike two-way trusts, which use the system keytab. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r--src/providers/ad/ad_common.c79
-rw-r--r--src/providers/ad/ad_common.h6
-rw-r--r--src/tests/cmocka/test_ad_common.c74
3 files changed, 153 insertions, 6 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 22af7cbd2..130cdeb61 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -135,6 +135,35 @@ ad_create_default_options(TALLOC_CTX *mem_ctx)
return ad_options;
}
+static errno_t
+set_common_ad_trust_opts(struct ad_options *ad_options,
+ const char *realm,
+ const char *ad_domain,
+ const char *hostname)
+{
+ errno_t ret;
+
+ ret = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM, realm);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD krb5 realm\n");
+ return ret;
+ }
+
+ ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
+ return ret;
+ }
+
+ ret = dp_opt_set_string(ad_options->basic, AD_HOSTNAME, hostname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD hostname\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
struct ad_options *
ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
const char *realm,
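Review bot: The new helper set_common_ad_trust_opts has no header comment, and its partial-failure contract matters to both callers in this commit: when the second or third dp_opt_set_string fails, the options set before it stay in place, and the helper relies on the caller to talloc_free the whole ad_options. A short comment above the definition would make that explicit, e.g. `/* Set the basic options shared by one-way and two-way trusts: AD_KRB5_REALM, AD_DOMAIN and AD_HOSTNAME. Returns EOK or the dp_opt_set_string error; on failure the caller is expected to free ad_options, as earlier options may already be set. */`. The function itself is complete within the hunk; the trailing context lines belong to ad_create_2way_trust_options, whose body continues in the next hunk.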
@@ -147,23 +176,61 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
ad_options = ad_create_default_options(mem_ctx);
if (ad_options == NULL) return NULL;
- ret = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM, realm);
+ ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
talloc_free(ad_options);
return NULL;
}
- ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain);
+ ret = ad_set_sdap_options(ad_options, ad_options->id);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
talloc_free(ad_options);
return NULL;
}
- ret = dp_opt_set_string(ad_options->basic, AD_HOSTNAME, hostname);
+ return ad_options;
+}
+
+struct ad_options *
+ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
+ const char *ad_domain,
+ const char *hostname,
+ const char *keytab,
+ const char *sasl_authid)
+{
+ struct ad_options *ad_options;
+ const char *realm;
+ errno_t ret;
+
+ ad_options = ad_create_default_options(mem_ctx);
+ if (ad_options == NULL) return NULL;
+
+ realm = get_uppercase_realm(ad_options, ad_domain);
+ if (!realm) {
+ talloc_free(ad_options);
+ return NULL;
+ }
+
+ ret = set_common_ad_trust_opts(ad_options, realm,
+ ad_domain, hostname);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
+ talloc_free(ad_options);
+ return NULL;
+ }
+
+ /* Set AD_KEYTAB to the special 1way keytab */
+ ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set trust keytab\n");
+ talloc_free(ad_options);
+ return NULL;
+ }
+
+ /* Set SDAP_SASL_AUTHID to the trust principal */
+ ret = dp_opt_set_string(ad_options->id->basic,
+ SDAP_SASL_AUTHID, sasl_authid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n");
talloc_free(ad_options);
return NULL;
}
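Review bot: In ad_create_1way_trust_options the `if (!realm)` branch after get_uppercase_realm() is the only failure path in the function that frees and returns NULL without a DEBUG message, so a misconfigured domain name would fail silently at this step while every other step logs; add `DEBUG(SSSDBG_OP_FAILURE, "Cannot create uppercase realm from AD domain\n");` before the talloc_free, and use `realm == NULL` to match the `ad_options == NULL` check a few lines above. The derivation of the realm from ad_domain is a design assumption stated only in the commit message, so a comment above the get_uppercase_realm() call such as `/* One-way trusts: the Kerberos realm is assumed to equal the AD domain name, uppercased */` would keep that visible in the code. The reworked ad_create_2way_trust_options in the same hunk is fine, though its ad_set_sdap_options failure path likewise returns NULL without logging; the helper presumably logs itself, which I cannot confirm from here. ad_create_1way_trust_options continues past the end of the hunk.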
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 0766b4dc9..817f5b42c 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -110,6 +110,12 @@ struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
const char *ad_domain,
const char *hostname);
+struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
+ const char *ad_domain,
+ const char *hostname,
+ const char *keytab,
+ const char *sasl_authid);
+
errno_t
ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
const char *primary_servers,
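Review bot: The new public prototype ad_create_1way_trust_options is added to the header without a comment, and its parameters differ from the two-way variant in a way a caller needs to know: there is no realm argument (the realm is derived from ad_domain, as the implementation in ad_common.c shows), and keytab and sasl_authid select the trust-specific keytab and principal instead of the system keytab. A Doxygen-style comment above the declaration describing those four parameters, that the returned ad_options is allocated on mem_ctx, and that NULL is returned when any option cannot be set would close the gap; the description of keytab should state that it is the path used for AD_KEYTAB rather than the system default.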
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
index c541b87db..985a05fae 100644
--- a/src/tests/cmocka/test_ad_common.c
+++ b/src/tests/cmocka/test_ad_common.c
@@ -44,6 +44,13 @@
#define KEYTAB_TEST_PRINC TEST_AUTHID"@"REALMNAME
#define KEYTAB_PATH TEST_DIR"/keytab_test.keytab"
+#define ONEWAY_DOMNAME "ONEWAY"
+#define ONEWAY_HOST_NAME "ad."ONEWAY_DOMNAME
+
+#define ONEWAY_KEYTAB_PATH TEST_DIR"/oneway_test.keytab"
+#define ONEWAY_AUTHID "host/"ONEWAY_HOST_NAME
+#define ONEWAY_TEST_PRINC ONEWAY_AUTHID"@"ONEWAY_DOMNAME
+
static bool call_real_sasl_options;
krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id)
@@ -116,6 +123,70 @@ static int test_ad_common_teardown(void **state)
return 0;
}
+static void test_ad_create_1way_trust_options(void **state)
+{
+ struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
+ struct ad_common_test_ctx);
+ const char *s;
+
+ call_real_sasl_options = true;
+ /* Make sure this is not the keytab that __wrap_krb5_kt_default uses */
+ mock_keytab_with_contents(test_ctx, ONEWAY_KEYTAB_PATH, ONEWAY_TEST_PRINC);
+
+ test_ctx->ad_ctx->ad_options = ad_create_1way_trust_options(
+ test_ctx->ad_ctx,
+ ONEWAY_DOMNAME,
+ ONEWAY_HOST_NAME,
+ ONEWAY_KEYTAB_PATH,
+ ONEWAY_AUTHID);
+ assert_non_null(test_ctx->ad_ctx->ad_options);
+
+ assert_int_equal(test_ctx->ad_ctx->ad_options->id->schema_type,
+ SDAP_SCHEMA_AD);
+
+ s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
+ AD_KRB5_REALM);
+ assert_non_null(s);
+ assert_string_equal(s, ONEWAY_DOMNAME);
+
+ s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
+ AD_DOMAIN);
+ assert_non_null(s);
+ assert_string_equal(s, ONEWAY_DOMNAME);
+
+ s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
+ AD_HOSTNAME);
+ assert_non_null(s);
+ assert_string_equal(s, ONEWAY_HOST_NAME);
+
+ s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic,
+ AD_KEYTAB);
+ assert_non_null(s);
+ assert_string_equal(s, ONEWAY_KEYTAB_PATH);
+
+ s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
+ SDAP_KRB5_KEYTAB);
+ assert_non_null(s);
+
+ s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
+ SDAP_SASL_REALM);
+ assert_non_null(s);
+ assert_string_equal(s, ONEWAY_DOMNAME);
+
+ s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
+ SDAP_KRB5_REALM);
+ assert_non_null(s);
+ assert_string_equal(s, ONEWAY_DOMNAME);
+
+ s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic,
+ SDAP_SASL_AUTHID);
+ assert_non_null(s);
+ assert_string_equal(s, ONEWAY_AUTHID);
+
+ talloc_free(test_ctx->ad_ctx->ad_options);
+
+ unlink(ONEWAY_KEYTAB_PATH);
+}
static void test_ad_create_2way_trust_options(void **state)
{
struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
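Review bot: In test_ad_create_1way_trust_options the SDAP_KRB5_KEYTAB check only asserts non-NULL, while every other option is compared against its expected value; since the point of the commit is that a one-way trust uses the trust keytab rather than the system keytab, this is the assertion most worth pinning. If ad_set_sdap_options propagates AD_KEYTAB into SDAP_KRB5_KEYTAB, which the test's setup with mock_keytab_with_contents suggests but I cannot confirm from the hunk, add `assert_string_equal(s, ONEWAY_KEYTAB_PATH);` after the existing assert_non_null; otherwise a comment stating what value is expected there would help. Separately, the `unlink(ONEWAY_KEYTAB_PATH)` at the end is skipped when any assertion fails, leaving the mocked keytab on disk for the next run; moving the cleanup into test_ad_common_teardown (outside this hunk) would make it unconditional.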
@@ -342,6 +413,9 @@ int main(int argc, const char *argv[])
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_ad_create_default_options),
+ cmocka_unit_test_setup_teardown(test_ad_create_1way_trust_options,
+ test_ad_common_setup,
+ test_ad_common_teardown),
cmocka_unit_test_setup_teardown(test_ad_create_2way_trust_options,
test_ad_common_setup,
test_ad_common_teardown),