summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2015-04-28 13:48:42 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-06-08 13:27:25 +0200
commit5d0cae396c75aaedcc8e41542e6e8504700b6ac8 (patch)
treed4de3170e512bf83210f6874952abe9ce60b3b23
parentca9fe24396ad2087375121905f7ba0023b0f8d12 (diff)
downloadsssd-5d0cae396c75aaedcc8e41542e6e8504700b6ac8.tar.gz
sssd-5d0cae396c75aaedcc8e41542e6e8504700b6ac8.tar.xz
sssd-5d0cae396c75aaedcc8e41542e6e8504700b6ac8.zip
subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to the subdomains. This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627 Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 9b162bf39ef75629f54ffa1d0bd5f9c13119b650) (cherry picked from commit 602eb710c62c192060debad3062f13677ec3b105)
-rw-r--r--src/man/sssd.conf.5.xml9
-rw-r--r--src/providers/ad/ad_subdomains.c4
-rw-r--r--src/providers/ipa/ipa_subdomains.c4
-rw-r--r--src/providers/ldap/sdap.c58
-rw-r--r--src/providers/ldap/sdap.h4
-rw-r--r--src/tests/cmocka/test_sdap.c160
6 files changed, 239 insertions, 0 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cf01a3b41..4961d5b95 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -489,6 +489,15 @@
ignore_group_members
</para>
<para>
+ ldap_purge_cache_timeout
+ </para>
+ <para>
+ ldap_use_tokengroups
+ </para>
+ <para>
+ ldap_user_principal
+ </para>
+ <para>
Example:
<programlisting>
subdomain_inherit = ldap_purge_cache_timeout
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 5a6e9338d..71c01b9d7 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -183,6 +183,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
return EFAULT;
}
+ sdap_inherit_options(subdom->parent->sd_inherit,
+ id_ctx->sdap_id_ctx->opts,
+ ad_id_ctx->sdap_id_ctx->opts);
+
/* Set up the ID mapping object */
ad_id_ctx->sdap_id_ctx->opts->idmap_ctx =
id_ctx->sdap_id_ctx->opts->idmap_ctx;
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 44751e48c..d01ef6092 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -232,6 +232,10 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
return EFAULT;
}
+ sdap_inherit_options(subdom->parent->sd_inherit,
+ id_ctx->sdap_id_ctx->opts,
+ ad_id_ctx->sdap_id_ctx->opts);
+
ret = sdap_id_setup_tasks(be_ctx,
ad_id_ctx->sdap_id_ctx,
sdom,
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 2568bdd1f..051e3c1d2 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -243,6 +243,64 @@ int sdap_extend_map_with_list(TALLOC_CTX *mem_ctx,
return EOK;
}
+static void sdap_inherit_basic_options(char **inherit_opt_list,
+ struct dp_option *parent_opts,
+ struct dp_option *subdom_opts)
+{
+ int inherit_options[] = {
+ SDAP_CACHE_PURGE_TIMEOUT,
+ SDAP_AD_USE_TOKENGROUPS,
+ SDAP_OPTS_BASIC /* sentinel */
+ };
+ int i;
+
+ for (i = 0; inherit_options[i] != SDAP_OPTS_BASIC; i++) {
+ dp_option_inherit(inherit_opt_list,
+ inherit_options[i],
+ parent_opts,
+ subdom_opts);
+ }
+}
+
+static void sdap_inherit_user_options(char **inherit_opt_list,
+ struct sdap_attr_map *parent_user_map,
+ struct sdap_attr_map *child_user_map)
+{
+ int inherit_options[] = {
+ SDAP_AT_USER_PRINC,
+ SDAP_OPTS_USER /* sentinel */
+ };
+ int i;
+ int opt_index;
+ bool inherit_option;
+
+ for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
+ opt_index = inherit_options[i];
+
+ inherit_option = string_in_list(parent_user_map[opt_index].opt_name,
+ inherit_opt_list,
+ false);
+ if (inherit_option == false) {
+ continue;
+ }
+
+ sdap_copy_map_entry(parent_user_map, child_user_map, opt_index);
+ }
+}
+
+void sdap_inherit_options(char **inherit_opt_list,
+ struct sdap_options *parent_sdap_opts,
+ struct sdap_options *child_sdap_opts)
+{
+ sdap_inherit_basic_options(inherit_opt_list,
+ parent_sdap_opts->basic,
+ child_sdap_opts->basic);
+
+ sdap_inherit_user_options(inherit_opt_list,
+ parent_sdap_opts->user_map,
+ child_sdap_opts->user_map);
+}
+
int sdap_get_map(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
const char *conf_path,
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index e7e1b5194..6612ab200 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -491,6 +491,10 @@ int sdap_extend_map_with_list(TALLOC_CTX *mem_ctx,
struct sdap_attr_map **_map,
size_t *_new_size);
+void sdap_inherit_options(char **inherit_opt_list,
+ struct sdap_options *parent_sdap_opts,
+ struct sdap_options *child_sdap_opts);
+
int sdap_get_map(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
const char *conf_path,
diff --git a/src/tests/cmocka/test_sdap.c b/src/tests/cmocka/test_sdap.c
index dab449050..a3d5bc7a2 100644
--- a/src/tests/cmocka/test_sdap.c
+++ b/src/tests/cmocka/test_sdap.c
@@ -795,6 +795,152 @@ static void test_sdap_copy_map_entry_null_name(void **state)
assert_null(uuid_val);
}
+struct test_sdap_inherit_ctx {
+ struct sdap_options *parent_sdap_opts;
+ struct sdap_options *child_sdap_opts;
+};
+
+struct sdap_options *mock_sdap_opts(TALLOC_CTX *mem_ctx)
+{
+ int ret;
+ struct sdap_options *opts;
+
+ opts = talloc_zero(mem_ctx, struct sdap_options);
+ assert_non_null(opts);
+
+ ret = sdap_copy_map(opts, rfc2307_user_map,
+ SDAP_OPTS_USER, &opts->user_map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = dp_copy_defaults(opts, default_basic_opts,
+ SDAP_OPTS_BASIC, &opts->basic);
+ assert_int_equal(ret, ERR_OK);
+
+ return opts;
+}
+
+static int test_sdap_inherit_option_setup(void **state)
+{
+ int ret;
+ struct test_sdap_inherit_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context,
+ struct test_sdap_inherit_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->child_sdap_opts = talloc_zero(test_ctx, struct sdap_options);
+
+ test_ctx->parent_sdap_opts = mock_sdap_opts(test_ctx);
+ assert_non_null(test_ctx->parent_sdap_opts);
+ test_ctx->child_sdap_opts = mock_sdap_opts(test_ctx);
+ assert_non_null(test_ctx->child_sdap_opts);
+
+ test_ctx->parent_sdap_opts->user_map[SDAP_AT_USER_PRINC].name = \
+ discard_const("test_princ");
+
+ ret = dp_opt_set_int(test_ctx->parent_sdap_opts->basic,
+ SDAP_CACHE_PURGE_TIMEOUT, 123);
+ assert_int_equal(ret, EOK);
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sdap_inherit_option_teardown(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void test_sdap_inherit_option_null(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+ int val;
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_CACHE_PURGE_TIMEOUT);
+ assert_int_equal(val, 10800);
+
+ sdap_inherit_options(NULL,
+ test_ctx->parent_sdap_opts,
+ test_ctx->child_sdap_opts);
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_CACHE_PURGE_TIMEOUT);
+ assert_int_equal(val, 10800);
+}
+
+static void test_sdap_inherit_option_notset(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+ int val;
+ const char *inherit_options[] = { "ldap_use_tokengroups", NULL };
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_CACHE_PURGE_TIMEOUT);
+ assert_int_equal(val, 10800);
+
+ /* parent has nondefault, but it's not supposed to be inherited */
+ sdap_inherit_options(discard_const(inherit_options),
+ test_ctx->parent_sdap_opts,
+ test_ctx->child_sdap_opts);
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_CACHE_PURGE_TIMEOUT);
+ assert_int_equal(val, 10800);
+}
+
+static void test_sdap_inherit_option_basic(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+ int val;
+ const char *inherit_options[] = { "ldap_purge_cache_timeout", NULL };
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_CACHE_PURGE_TIMEOUT);
+ assert_int_equal(val, 10800);
+
+ /* parent has nondefault, but it's not supposed to be inherited */
+ sdap_inherit_options(discard_const(inherit_options),
+ test_ctx->parent_sdap_opts,
+ test_ctx->child_sdap_opts);
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_CACHE_PURGE_TIMEOUT);
+ assert_int_equal(val, 123);
+}
+
+static void test_sdap_inherit_option_user(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+ const char *inherit_options[] = { "ldap_user_principal", NULL };
+
+ assert_string_equal(
+ test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name,
+ "krbPrincipalName");
+
+ /* parent has nondefault, but it's not supposed to be inherited */
+ sdap_inherit_options(discard_const(inherit_options),
+ test_ctx->parent_sdap_opts,
+ test_ctx->child_sdap_opts);
+
+ assert_string_equal(
+ test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name,
+ "test_princ");
+
+ talloc_free(test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name);
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
@@ -848,6 +994,20 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_sdap_copy_map_entry_null_name,
copy_map_entry_test_setup,
copy_map_entry_test_teardown),
+
+ /* Option inherit tests */
+ cmocka_unit_test_setup_teardown(test_sdap_inherit_option_null,
+ test_sdap_inherit_option_setup,
+ test_sdap_inherit_option_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_inherit_option_notset,
+ test_sdap_inherit_option_setup,
+ test_sdap_inherit_option_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_inherit_option_basic,
+ test_sdap_inherit_option_setup,
+ test_sdap_inherit_option_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_inherit_option_user,
+ test_sdap_inherit_option_setup,
+ test_sdap_inherit_option_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */