LDAP: Add support for SSH user public keys

author: Jan Cholasta <jcholast@redhat.com> 2012-02-03 22:29:47 +0100
committer: Jakub Hrozek <jhrozek@redhat.com> 2012-02-07 00:26:57 +0100
commit: af5a58fc3811af8521721f731d8234d983042cea (patch)
tree: 612316c32255519ee2145e71f5bca8f259ebe34b
parent: 34c78b745eb349eef2b0f13ef2b722632aebe619 (diff)
download: sssd-af5a58fc3811af8521721f731d8234d983042cea.tar.gz
sssd-af5a58fc3811af8521721f731d8234d983042cea.tar.xz
sssd-af5a58fc3811af8521721f731d8234d983042cea.zip
10 files changed, 44 insertions, 6 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 00ce5b79d..71769f577 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -221,6 +221,7 @@ option_strings = {
     'ldap_user_nds_login_disabled' : _('loginDisabled attribute of NDS'),
     'ldap_user_nds_login_expiration_time' : _('loginExpirationTime attribute of NDS'),
     'ldap_user_nds_login_allowed_time_map' : _('loginAllowedTimeMap attribute of NDS'),
+    'ldap_user_ssh_public_key' : _('SSH public key attribute'),
 
     'ldap_group_search_base' : _('Base DN for group lookups'),
     # not used # 'ldap_group_search_scope' : _('Scope of group lookups'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index fae996312..00a71ab4e 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -74,6 +74,7 @@ ldap_user_shadow_flag = str, None, false
 ldap_user_krb_last_pwd_change = str, None, false
 ldap_user_krb_password_expiration = str, None, false
 ldap_pwd_attribute = str, None, false
+ldap_user_ssh_public_key = str, None, false
 ldap_group_search_base = str, None, false
 ldap_group_search_scope = str, None, false
 ldap_group_search_filter = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 57f7688c6..4fa7ed0ba 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -75,6 +75,7 @@ ldap_ns_account_lock = str, None, false
 ldap_user_nds_login_disabled = str, None, false
 ldap_user_nds_login_expiration_time = str, None, false
 ldap_user_nds_login_allowed_time_map = str, None, false
+ldap_user_ssh_public_key = str, None, false
 ldap_group_search_base = str, None, false
 ldap_group_search_scope = str, None, false
 ldap_group_search_filter = str, None, false
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index a74c9d431..e9a89606b 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -114,6 +114,8 @@
 #define SYSDB_USN "entryUSN"
 #define SYSDB_HIGH_USN "highestUSN"
 
+#define SYSDB_SSH_PUBKEY "sshPublicKey"
+
 #define SYSDB_NEXTID_FILTER "("SYSDB_NEXTID"=*)"
 
 #define SYSDB_UC "objectclass="SYSDB_USER_CLASS
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index f0faf6900..31b5652fd 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -15,7 +15,10 @@ endif
 if BUILD_AUTOFS
 AUTOFS_CONDS = ;with_autofs
 endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)
+if BUILD_SSH
+SSH_CONDS = ;with_ssh
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)
 
 
 #Special Rules:
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index a145e388f..8e1f35e41 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -578,6 +578,16 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry condition="with_ssh">
+                    <term>ldap_user_ssh_public_key (string)</term>
+                    <listitem>
+                        <para>
+                            The LDAP attribute that contains the user's SSH
+                            public keys.
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>ldap_force_upper_case_realm (boolean)</term>
                     <listitem>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 615cdcaa1..2f987c205 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -152,7 +152,8 @@ struct sdap_attr_map ipa_user_map[] = {
     { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
     { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
     { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
-    { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+    { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+    { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }
 };
 
 struct sdap_attr_map ipa_group_map[] = {
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index ce8848384..c92eb282a 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -151,7 +151,8 @@ struct sdap_attr_map rfc2307_user_map[] = {
     { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
     { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
     { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
-    { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+    { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+    { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL }
 };
 
 struct sdap_attr_map rfc2307_group_map[] = {
@@ -198,7 +199,8 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
     { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
     { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
     { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
-    { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+    { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+    { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL }
 };
 
 struct sdap_attr_map rfc2307bis_group_map[] = {
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 1f97f554d..3ac19498a 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -20,6 +20,7 @@
 */
 
 #include "util/util.h"
+#include "util/crypto/sss_crypto.h"
 #include "confdb/confdb.h"
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap.h"
@@ -101,6 +102,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
     int a, i, ret;
     const char *name;
     bool store;
+    bool base64;
 
     lerrno = 0;
     ret = ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
@@ -171,6 +173,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
         }
     }
     while (str) {
+        base64 = false;
         if (map) {
             for (a = 1; a < attrs_num; a++) {
                 /* check if this attr is valid with the chosen schema */
@@ -182,6 +185,9 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
             if (a < attrs_num) {
                 store = true;
                 name = map[a].sys_name;
+                if (strcmp(name, SYSDB_SSH_PUBKEY) == 0) {
+                    base64 = true;
+                }
             } else {
                 store = false;
                 name = NULL;
@@ -217,8 +223,18 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
                     goto fail;
                 }
                 for (i = 0; vals[i]; i++) {
-                    v.data = (uint8_t *)vals[i]->bv_val;
-                    v.length = vals[i]->bv_len;
+                    if (base64) {
+                        v.data = (uint8_t *)sss_base64_encode(attrs,
+                                (uint8_t *)vals[i]->bv_val, vals[i]->bv_len);
+                        if (!v.data) {
+                            ret = ENOMEM;
+                            goto fail;
+                        }
+                        v.length = strlen((const char *)v.data);
+                    } else {
+                        v.data = (uint8_t *)vals[i]->bv_val;
+                        v.length = vals[i]->bv_len;
+                    }
 
                     ret = sysdb_attrs_add_val(attrs, name, &v);
                     if (ret) goto fail;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 2a63ea830..5d4238466 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -256,6 +256,7 @@ enum sdap_user_attrs {
     SDAP_AT_NDS_LOGIN_DISABLED,
     SDAP_AT_NDS_LOGIN_EXPIRATION_TIME,
     SDAP_AT_NDS_LOGIN_ALLOWED_TIME_MAP,
+    SDAP_AT_USER_SSH_PUBLIC_KEY,
 
     SDAP_OPTS_USER /* attrs counter */
 };
author	Jan Cholasta <jcholast@redhat.com>	2012-02-03 22:29:47 +0100
committer	Jakub Hrozek <jhrozek@redhat.com>	2012-02-07 00:26:57 +0100
commit	af5a58fc3811af8521721f731d8234d983042cea (patch)
tree	612316c32255519ee2145e71f5bca8f259ebe34b
parent	34c78b745eb349eef2b0f13ef2b722632aebe619 (diff)
download	sssd-af5a58fc3811af8521721f731d8234d983042cea.tar.gz sssd-af5a58fc3811af8521721f731d8234d983042cea.tar.xz sssd-af5a58fc3811af8521721f731d8234d983042cea.zip