authorSumit Bose <sbose@redhat.com>2014-02-28 10:05:34 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-03-02 21:17:59 +0100
commit77cb1c56f13a41d1920efb2946db10a00ed63c9c (patch)
tree80d711d902538acc89f31444d3c90d496204ed1f
parent056402b9937e43054a3b5780fe9eff2aa9ef84ef (diff)
downloadsssd-77cb1c56f13a41d1920efb2946db10a00ed63c9c.tar.gz
sssd-77cb1c56f13a41d1920efb2946db10a00ed63c9c.tar.xz
sssd-77cb1c56f13a41d1920efb2946db10a00ed63c9c.zip
SUDO: AD provider
This patch adds the sudo target to the AD provider. The main reason is to cover different default settings in the LDAP and AD providers. E.g. the default for ldap_id_mapping is True in the AD provider and False in the LDAP provider. If ldap_id_mapping was not set explicitly in the config file, the two components worked with different settings. Fixes https://fedorahosted.org/sssd/ticket/2256 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 61804568ce5ede3b1a699cda17c033dd6c23f0e3)
-rw-r--r--Makefile.am5
-rwxr-xr-xsrc/config/SSSDConfigTest.py2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf21
-rw-r--r--src/man/sssd-ad.5.xml6
-rw-r--r--src/man/sssd.conf.5.xml15
-rw-r--r--src/providers/ad/ad_common.h4
-rw-r--r--src/providers/ad/ad_init.c25
-rw-r--r--src/providers/ad/ad_sudo.c51
8 files changed, 122 insertions, 7 deletions
diff --git a/Makefile.am b/Makefile.am
index 4cc31b4fb..38cf13957 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1804,6 +1804,11 @@ libsss_ad_la_SOURCES = \
src/util/sss_krb5.c \
src/util/sss_ldap.c
+if BUILD_SUDO
+libsss_ad_la_SOURCES += \
+ src/providers/ad/ad_sudo.c
+endif
+
libsss_ad_la_CFLAGS = \
$(AM_CFLAGS) \
$(LDAP_CFLAGS) \
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index e6cf663ec..98b2fee63 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -730,7 +730,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
control_provider_dict = {
'ipa': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs',
'session', 'hostid', 'subdomains'],
- 'ad': ['id', 'auth', 'access', 'chpass', 'subdomains'],
+ 'ad': ['id', 'auth', 'access', 'chpass', 'sudo', 'subdomains'],
'local': ['id', 'auth', 'chpass'],
'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],
'krb5': ['auth', 'access', 'chpass'],
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 6b136f2ec..aa20ca0bb 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -132,3 +132,24 @@ krb5_kpasswd = str, None, false
krb5_backup_kpasswd = str, None, false
[provider/ad/subdomains]
+
+[provider/ad/sudo]
+ldap_sudo_search_base = str, None, false
+ldap_sudo_full_refresh_interval = int, None, false
+ldap_sudo_smart_refresh_interval = int, None, false
+ldap_sudo_use_host_filter = bool, None, false
+ldap_sudo_hostnames = str, None, false
+ldap_sudo_ip = str, None, false
+ldap_sudo_include_netgroups = bool, None, false
+ldap_sudo_include_regexp = bool, None, false
+ldap_sudorule_object_class = str, None, false
+ldap_sudorule_name = str, None, false
+ldap_sudorule_command = str, None, false
+ldap_sudorule_host = str, None, false
+ldap_sudorule_user = str, None, false
+ldap_sudorule_option = str, None, false
+ldap_sudorule_runasuser = str, None, false
+ldap_sudorule_runasgroup = str, None, false
+ldap_sudorule_notbefore = str, None, false
+ldap_sudorule_notafter = str, None, false
+ldap_sudorule_order = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 38cc31278..8cd94d4ae 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -60,9 +60,9 @@
</para>
<para>
However, it is neither necessary nor recommended to set these
- options. The AD provider can also be used as an access and chpass
- provider. No configuration of the access provider is required on
- the client side.
+ options. The AD provider can also be used as an access, chpass and
+ sudo provider. No configuration of the access provider is required
+ on the client side.
</para>
<para>
By default, the AD provider will map UID and GID values from the
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 5d861c73c..29b08d53d 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1450,14 +1450,23 @@ fallback_homedir = /home/%u
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
- </citerefentry> for more information on configuring LDAP.
+ </citerefentry> for more information on configuring
+ LDAP.
+ </para>
+ <para>
+ <quote>ipa</quote> the same as <quote>ldap</quote>
+ but with IPA default settings.
+ </para>
+ <para>
+ <quote>ad</quote> the same as <quote>ldap</quote>
+ but with AD default settings.
</para>
<para>
<quote>none</quote> disables SUDO explicitly.
</para>
<para>
- Default: The value of <quote>id_provider</quote> is used if it
- is set.
+ Default: The value of <quote>id_provider</quote> is
+ used if it is set.
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index d370cef69..bc11e54b0 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -128,4 +128,8 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx,
struct ad_options *ctx);
void ad_dyndns_timer(void *pvt);
+int ad_sudo_init(struct be_ctx *be_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data);
#endif /* AD_COMMON_H_ */
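Review bot: `ad_sudo_init` is added to the public header without any comment on its contract, while the other prototypes in this hunk (`ad_dyndns_init`, `ad_dyndns_timer`) give a reader no more to go on either. A short header comment would help: `/* Set up the sudo back end on top of the AD provider's sdap_id_ctx; id_ctx must come from a successful sssm_ad_id_init(). *ops and *pvt_data are filled in by the LDAP sudo initialisation. */`. Whether the out-parameters are left untouched on failure is not visible from this file, so the comment should not promise more than that.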
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index eff6d990d..500d807e9 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -467,3 +467,28 @@ int sssm_ad_subdomains_init(struct be_ctx *bectx,
return EOK;
}
+
+
+int sssm_ad_sudo_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+#ifdef BUILD_SUDO
+ struct ad_id_ctx *id_ctx;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing AD sudo handler\n"));
+
+ ret = sssm_ad_id_init(bectx, ops, (void **) &id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ad_id_init failed.\n"));
+ return ret;
+ }
+
+ return ad_sudo_init(bectx, id_ctx, ops, pvt_data);
+#else
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Sudo init handler called but SSSD is "
+ "built without sudo support, ignoring\n"));
+ return EOK;
+#endif
+}
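Review bot: In the `#else` branch `sssm_ad_sudo_init` returns EOK without assigning `*ops` or `*pvt_data`, so a build without sudo support reports success for a `sudo_provider = ad` target that will serve nothing, and whether the dispatcher tolerates an unset ops pointer after EOK is not visible here. If this mirrors the LDAP provider's handler it is at least consistent, but an explicit `*ops = NULL; *pvt_data = NULL;` before the `return EOK;`, and a log message at a level an administrator will actually see rather than `SSSDBG_MINOR_FAILURE`, would make the silent no-op harder to miss. In the `#ifdef` branch `*ops` is first set by `sssm_ad_id_init` and then overwritten by `ad_sudo_init`; if the latter fails the caller receives an error while `*ops` still holds the id ops table, which is harmless only as long as no caller reads `*ops` on an error return.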
diff --git a/src/providers/ad/ad_sudo.c b/src/providers/ad/ad_sudo.c
new file mode 100644
index 000000000..b85c95c5c
--- /dev/null
+++ b/src/providers/ad/ad_sudo.c
@@ -0,0 +1,51 @@
+/*
+ SSSD
+
+ AD SUDO Provider Initialization functions
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/ad/ad_common.h"
+#include "providers/ldap/sdap_sudo.h"
+
+int ad_sudo_init(struct be_ctx *be_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ int ret;
+ struct ad_options *ad_options;
+ struct sdap_options *ldap_options;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing sudo AD back end\n"));
+
+ ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize LDAP SUDO [%d]: %s\n",
+ ret, strerror(ret)));
+ return ret;
+ }
+
+ ad_options = id_ctx->ad_options;
+ ldap_options = id_ctx->sdap_id_ctx->opts;
+
+ ad_options->id->sudorule_map = ldap_options->sudorule_map;
+ return EOK;
+}
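Review bot: The final line `ad_options->id->sudorule_map = ldap_options->sudorule_map;` aliases a map that belongs to the LDAP options without recording who owns it or why the copy is needed. If `ad_options->id` is the same `sdap_options` object that `id_ctx->sdap_id_ctx->opts` points at (the naming suggests so, but it is not visible in this patch) the line is a self-assignment and can be dropped; otherwise a comment such as `/* share the sudo attribute map filled in by sdap_sudo_init(); owned by ldap_options, never freed here */` should document the aliasing so neither side frees it. `id_ctx`, `id_ctx->sdap_id_ctx` and `id_ctx->ad_options` are dereferenced unchecked, which is fine if `sssm_ad_id_init` guarantees them, but that precondition deserves a one-line comment above the function. `strerror()` in the DEBUG call needs `<string.h>`, presumably reached through `ad_common.h`; worth confirming rather than relying on it.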