authorSumit Bose <sbose@redhat.com>2013-06-14 13:09:00 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-28 20:20:59 +0200
commit5e60c73cb91d1659755fb5ea829837db68d46163 (patch)
tree4a8408f379e5f39e55c822e774f88b743d6c6bdd
parent8ff0aba893d8da1a8163ccaf9ad2c5b6bccd121f (diff)
Add support for new ipaRangeType attribute
Recent versions of FreeIPA support a range type attribute to allow different types of ranges for sub/trusted-domains. If the attribute is available it will be used; if not, the right value is determined with the help of the other idrange attributes. Fixes https://fedorahosted.org/sssd/ticket/1961
-rw-r--r--src/db/sysdb.h2
-rw-r--r--src/db/sysdb_ranges.c16
-rw-r--r--src/providers/ipa/ipa_common.h4
-rw-r--r--src/providers/ipa/ipa_idmap.c5
-rw-r--r--src/providers/ipa/ipa_subdomains.c33
5 files changed, 54 insertions, 6 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 489188b7f..0b99dee07 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -130,6 +130,7 @@
#define SYSDB_BASE_RID "baseRID"
#define SYSDB_SECONDARY_BASE_RID "secondaryBaseRID"
#define SYSDB_DOMAIN_ID "domainID"
+#define SYSDB_ID_RANGE_TYPE "idRangeType"
#define SYSDB_NEXTID_FILTER "("SYSDB_NEXTID"=*)"
@@ -245,6 +246,7 @@ struct range_info {
uint32_t base_rid;
uint32_t secondary_base_rid;
char *trusted_dom_sid;
+ char *range_type;
};
diff --git a/src/db/sysdb_ranges.c b/src/db/sysdb_ranges.c
index cc72033eb..5b444eac6 100644
--- a/src/db/sysdb_ranges.c
+++ b/src/db/sysdb_ranges.c
@@ -53,6 +53,7 @@ errno_t sysdb_get_ranges(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
SYSDB_BASE_RID,
SYSDB_SECONDARY_BASE_RID,
SYSDB_DOMAIN_ID,
+ SYSDB_ID_RANGE_TYPE,
NULL};
struct range_info **list;
struct ldb_dn *basedn;
@@ -140,6 +141,17 @@ errno_t sysdb_get_ranges(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
DEBUG(SSSDBG_MINOR_FAILURE, ("find_attr_as_uint32_t failed.\n"));
goto done;
}
+
+ tmp_str = ldb_msg_find_attr_as_string(res->msgs[c], SYSDB_ID_RANGE_TYPE,
+ NULL);
+ if (tmp_str != NULL) {
+ list[c]->range_type = talloc_strdup(list, tmp_str);
+ if (list[c]->range_type == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
}
list[res->count] = NULL;
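Review bot: When a cached range object has no `idRangeType` value (for example one written before this change), `list[c]->range_type` is never assigned in the added block and keeps whatever the allocation of the element set, presumably NULL; that allocation is outside the hunk. Callers of sysdb_get_ranges therefore have to treat a NULL `range_type` as "unknown" instead of dereferencing it, and a comment such as `/* range_type stays unset for ranges cached without idRangeType */` above the lookup would make that contract explicit. The added ENOMEM path is also the only failure path visible in this hunk without a DEBUG message; `DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));` would match the rest of the commit.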
@@ -228,6 +240,10 @@ errno_t sysdb_range_create(struct sysdb_ctx *sysdb, struct range_info *range)
(unsigned long)time(NULL));
if (ret) goto done;
+ ret = add_string(msg, LDB_FLAG_MOD_ADD, SYSDB_ID_RANGE_TYPE,
+ range->range_type);
+ if (ret) goto done;
+
ret = ldb_add(sysdb->ldb, msg);
if (ret) goto done;
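Review bot: `range->range_type` is handed to `add_string()` without a NULL check, although the read side in sysdb_get_ranges treats the attribute as optional and can return a `range_info` without it. How `add_string()` reacts to a NULL value is not visible here, so a guard before the call would be safer, e.g. `if (range->range_type == NULL) { ret = EINVAL; goto done; }`. The IPA provider path in this commit always fills the field, but any other caller of sysdb_range_create would depend on that guard. The function body starts and ends outside the hunk.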
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 6dacdc570..8bf2d3e17 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -142,6 +142,10 @@ struct ipa_options {
struct ipa_auth_ctx *auth_ctx;
};
+#define IPA_RANGE_LOCAL "ipa-local"
+#define IPA_RANGE_AD_TRUST "ipa-ad-trust"
+#define IPA_RANGE_AD_TRUST_POSIX "ipa-ad-trust-posix"
+
/* options parsers */
int ipa_get_options(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
diff --git a/src/providers/ipa/ipa_idmap.c b/src/providers/ipa/ipa_idmap.c
index a02724f3e..c108ca75b 100644
--- a/src/providers/ipa/ipa_idmap.c
+++ b/src/providers/ipa/ipa_idmap.c
@@ -23,10 +23,7 @@
#include "util/util.h"
#include "providers/ldap/sdap_idmap.h"
-
-#define IPA_RANGE_LOCAL "ipa-local"
-#define IPA_RANGE_AD_TRUST "ipa-ad-trust"
-#define IPA_RANGE_AD_TRUST_POSIX "ipa-ad-trust-posix"
+#include "providers/ipa/ipa_common.h"
static void *
ipa_idmap_talloc(size_t size, void *pvt)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 76ea709a6..120b9553f 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -35,6 +35,7 @@
#define IPA_FLATNAME "ipaNTFlatName"
#define IPA_SID "ipaNTSecurityIdentifier"
#define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
+#define IPA_RANGE_TYPE "ipaRangeType"
#define IPA_BASE_ID "ipaBaseID"
#define IPA_ID_RANGE_SIZE "ipaIDRangeSize"
@@ -60,7 +61,7 @@ enum ipa_subdomains_req_type {
struct ipa_subdomains_req_params {
const char *filter;
tevent_req_fn cb;
- const char *attrs[8];
+ const char *attrs[9];
};
struct ipa_subdomains_ctx {
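Review bot: The hand-counted size in `const char *attrs[9];` leaves no slack: the ranges initializer in the `@@ -377` hunk now fills all nine slots, eight attribute names plus the terminating NULL. An initializer that fills the array with names alone would still compile but leave the list without a terminator, and whatever walks it would read past the array. A comment on the field such as `/* longest attribute list + 1 for the terminating NULL */`, or a named constant for the size, would document the coupling between the two places.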
@@ -188,6 +189,34 @@ static errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
goto done;
}
+
+ ret = sysdb_attrs_get_string(reply[c], IPA_RANGE_TYPE, &value);
+ if (ret == EOK) {
+ range_list[c]->range_type = talloc_strdup(range_list[c], value);
+ if (range_list[c]->range_type == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ /* Older IPA servers might not have the range_type attribute, but
+ * only support local ranges and trusts with algorithmic mapping. */
+ if (range_list[c]->trusted_dom_sid == NULL) {
+ range_list[c]->range_type = talloc_strdup(range_list[c],
+ IPA_RANGE_LOCAL);
+ } else {
+ range_list[c]->range_type = talloc_strdup(range_list[c],
+ IPA_RANGE_AD_TRUST);
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
+ goto done;
+ }
+ if (range_list[c]->range_type == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
}
range_list[c] = NULL;
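Review bot: The `ipaRangeType` value returned by the server is copied into `range_list[c]->range_type` as-is, with no check that it is one of `IPA_RANGE_LOCAL`, `IPA_RANGE_AD_TRUST` or `IPA_RANGE_AD_TRUST_POSIX`. The range type presumably selects how IDs are mapped for the domain, so an unrecognised string is better rejected, or at least logged, here before it reaches the cache; whether a later consumer validates it is not visible in this hunk. Separately, the NULL check inside the `ret == EOK` branch duplicates the shared check after the if/else chain and could be dropped. The function body starts and ends outside the hunk.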
@@ -377,7 +406,7 @@ static struct ipa_subdomains_req_params subdomain_requests[] = {
ipa_subdomains_handler_ranges_done,
{ OBJECTCLASS, IPA_CN,
IPA_BASE_ID, IPA_BASE_RID, IPA_SECONDARY_BASE_RID,
- IPA_ID_RANGE_SIZE, IPA_TRUSTED_DOMAIN_SID, NULL
+ IPA_ID_RANGE_SIZE, IPA_TRUSTED_DOMAIN_SID, IPA_RANGE_TYPE, NULL
}
}
};