summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Zeleny <jzeleny@redhat.com>2012-06-05 15:07:10 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-08-01 16:19:42 +0200
commit07b7b76d7cd494cbd26263503ba2732c21819941 (patch)
tree860a74f647b7b1b28fedaf2de808693ae28e8dd4
parentf6cd1236c27817b97db002094b76648d92b55f82 (diff)
downloadsssd-07b7b76d7cd494cbd26263503ba2732c21819941.tar.gz
sssd-07b7b76d7cd494cbd26263503ba2732c21819941.tar.xz
sssd-07b7b76d7cd494cbd26263503ba2732c21819941.zip
Primary server support: new options in krb5 provider
This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
-rw-r--r--src/config/SSSDConfig/__init__.py.in2
-rwxr-xr-xsrc/config/SSSDConfigTest.py6
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf2
-rw-r--r--src/config/etc/sssd.api.d/sssd-krb5.conf2
-rw-r--r--src/man/sssd-krb5.5.xml4
-rw-r--r--src/man/sssd-ldap.5.xml2
-rw-r--r--src/providers/ad/ad_opts.h3
-rw-r--r--src/providers/ipa/ipa_opts.h3
-rw-r--r--src/providers/krb5/krb5_common.h2
-rw-r--r--src/providers/krb5/krb5_init.c17
-rw-r--r--src/providers/krb5/krb5_opts.h2
-rw-r--r--src/providers/ldap/ldap_common.c7
-rw-r--r--src/providers/ldap/ldap_opts.h1
-rw-r--r--src/providers/ldap/sdap.h1
15 files changed, 45 insertions, 11 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 485688433..c6ccbff0c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -145,6 +145,7 @@ option_strings = {
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
'krb5_server' : _('Kerberos server address'),
+ 'krb5_backup_server' : _('Kerberos backup server address'),
'krb5_realm' : _('Kerberos realm'),
'krb5_auth_timeout' : _('Authentication timeout'),
@@ -163,6 +164,7 @@ option_strings = {
# [provider/krb5/chpass]
'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
+ 'krb5_backup_kpasswd' : _('Server where the change password service is running if not on the KDC'),
# [provider/ldap]
'ldap_uri' : _('ldap_uri, The URI of the LDAP server'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 95cb00995..eefbe786a 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -581,8 +581,10 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
backup_list = control_list[:]
control_list.extend(
['krb5_server',
+ 'krb5_backup_server',
'krb5_realm',
'krb5_kpasswd',
+ 'krb5_backup_kpasswd',
'krb5_ccachedir',
'krb5_ccname_template',
'krb5_keytab',
@@ -736,9 +738,11 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
options = domain.list_provider_options('krb5', 'auth')
control_list = [
'krb5_server',
+ 'krb5_backup_server',
'krb5_kdcip',
'krb5_realm',
'krb5_kpasswd',
+ 'krb5_backup_kpasswd',
'krb5_ccachedir',
'krb5_ccname_template',
'krb5_keytab',
@@ -915,9 +919,11 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
backup_list = control_list[:]
control_list.extend(
['krb5_server',
+ 'krb5_backup_server',
'krb5_kdcip',
'krb5_realm',
'krb5_kpasswd',
+ 'krb5_backup_kpasswd',
'krb5_ccachedir',
'krb5_ccname_template',
'krb5_keytab',
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 6c323399e..763ea0d46 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -23,6 +23,7 @@ ldap_sasl_authid = str, None, false
ldap_sasl_minssf = int, None, false
krb5_kdcip = str, None, false
krb5_server = str, None, false
+krb5_backup_server = str, None, false
krb5_realm = str, None, false
krb5_auth_timeout = int, None, false
krb5_canonicalize = bool, None, false
@@ -120,3 +121,4 @@ krb5_fast_principal = str, None, false
[provider/ad/chpass]
krb5_kpasswd = str, None, false
+krb5_backup_kpasswd = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index fa380a672..cf16ea6e9 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -29,9 +29,11 @@ ldap_sasl_authid = str, None, false
ldap_sasl_minssf = int, None, false
krb5_kdcip = str, None, false
krb5_server = str, None, false
+krb5_backup_server = str, None, false
krb5_realm = str, None, false
krb5_auth_timeout = int, None, false
krb5_kpasswd = str, None, false
+krb5_backup_kpasswd = str, None, false
krb5_canonicalize = bool, None, false
ldap_krb5_keytab = str, None, false
ldap_krb5_init_creds = bool, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index c52df1a6d..3a36f5efb 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -1,9 +1,11 @@
[provider/krb5]
krb5_kdcip = str, None, false
krb5_server = str, None, false
+krb5_backup_server = str, None, false
krb5_realm = str, None, true
krb5_auth_timeout = int, None, false
krb5_kpasswd = str, None, false
+krb5_backup_kpasswd = str, None, false
[provider/krb5/auth]
krb5_ccachedir = str, None, false
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index efc84e240..f4fd1cb73 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -71,7 +71,7 @@
for details on the configuration of a SSSD domain.
<variablelist>
<varlistentry>
- <term>krb5_server (string)</term>
+ <term>krb5_server, krb5_backup_server (string)</term>
<listitem>
<para>
Specifies the comma-separated list of IP addresses or hostnames
@@ -110,7 +110,7 @@
</varlistentry>
<varlistentry>
- <term>krb5_kpasswd (string)</term>
+ <term>krb5_kpasswd, krb5_backup_kpasswd (string)</term>
<listitem>
<para>
If the change password service is not running on the
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 93d5783af..e7d49c96f 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1474,7 +1474,7 @@
</varlistentry>
<varlistentry>
- <term>krb5_server (string)</term>
+ <term>krb5_server, krb5_backup_server (string)</term>
<listitem>
<para>
Specifies the comma-separated list of IP addresses or hostnames
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 41491ddc2..458e7ea4d 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -83,6 +83,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
@@ -123,6 +124,7 @@ struct dp_option ad_def_ldap_opts[] = {
struct dp_option ad_def_krb5_opts[] = {
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { DEFAULT_CCNAME_TEMPLATE }, NULL_STRING},
@@ -130,6 +132,7 @@ struct dp_option ad_def_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 4925c599f..bf1b7a33d 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -96,6 +96,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
@@ -241,6 +242,7 @@ struct sdap_attr_map ipa_selinux_user_map[] = {
struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { DEFAULT_CCNAME_TEMPLATE }, NULL_STRING},
@@ -248,6 +250,7 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 337fcf55f..51bd26773 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -49,6 +49,7 @@
enum krb5_opts {
KRB5_KDC = 0,
+ KRB5_BACKUP_KDC,
KRB5_REALM,
KRB5_CCACHEDIR,
KRB5_CCNAME_TMPL,
@@ -56,6 +57,7 @@ enum krb5_opts {
KRB5_KEYTAB,
KRB5_VALIDATE,
KRB5_KPASSWD,
+ KRB5_BACKUP_KPASSWD,
KRB5_STORE_PASSWORD_IF_OFFLINE,
KRB5_RENEWABLE_LIFETIME,
KRB5_LIFETIME,
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 60c18a8f0..a7b06fdf1 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -61,7 +61,9 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
struct krb5_ctx *ctx = NULL;
int ret;
const char *krb5_servers;
+ const char *krb5_backup_servers;
const char *krb5_kpasswd_servers;
+ const char *krb5_backup_kpasswd_servers;
const char *krb5_realm;
const char *errstr;
int errval;
@@ -98,9 +100,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
ctx->opts = krb5_options->opts;
krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
- if (krb5_servers == NULL) {
- DEBUG(SSSDBG_CONF_SETTINGS, ("Missing krb5_server option, using service discovery!\n"));
- }
+ krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);
krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
if (krb5_realm == NULL) {
@@ -109,13 +109,22 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
}
ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- NULL, krb5_realm, &ctx->service);
+ krb5_backup_servers, krb5_realm, &ctx->service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
return ret;
}
krb5_kpasswd_servers = dp_opt_get_string(ctx->opts, KRB5_KPASSWD);
+ krb5_backup_kpasswd_servers = dp_opt_get_string(ctx->opts,
+ KRB5_BACKUP_KPASSWD);
+ if (krb5_kpasswd_servers == NULL && krb5_backup_kpasswd_servers != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("kpasswd server wasn't specified but "
+ "backup kpasswd given. Using it as primary\n"));
+ krb5_kpasswd_servers = krb5_backup_kpasswd_servers;
+ krb5_backup_kpasswd_servers = NULL;
+ }
+
if (krb5_kpasswd_servers == NULL && krb5_servers != NULL) {
DEBUG(0, ("Missing krb5_kpasswd option and KDC set explicitly, "
"will use KDC for pasword change operations!\n"));
diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h
index 9de93b0cd..dc9b17648 100644
--- a/src/providers/krb5/krb5_opts.h
+++ b/src/providers/krb5/krb5_opts.h
@@ -27,6 +27,7 @@
struct dp_option default_krb5_opts[] = {
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { DEFAULT_CCNAME_TEMPLATE }, NULL_STRING},
@@ -34,6 +35,7 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 76236743e..b9fef0863 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1041,6 +1041,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
{
int ret;
const char *krb5_servers;
+ const char *krb5_backup_servers;
const char *krb5_realm;
const char *krb5_opt_realm;
struct krb5_service *service = NULL;
@@ -1050,9 +1051,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
if (tmp_ctx == NULL) return ENOMEM;
krb5_servers = dp_opt_get_string(opts, SDAP_KRB5_KDC);
- if (krb5_servers == NULL) {
- DEBUG(SSSDBG_CONF_SETTINGS, ("Missing krb5_server option, using service discovery!\n"));
- }
+ krb5_backup_servers = dp_opt_get_string(opts, SDAP_KRB5_BACKUP_KDC);
krb5_opt_realm = dp_opt_get_string(opts, SDAP_KRB5_REALM);
if (krb5_opt_realm == NULL) {
@@ -1072,7 +1071,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
}
ret = krb5_service_init(mem_ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- NULL, krb5_realm, &service);
+ krb5_backup_servers, krb5_realm, &service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
goto done;
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 9be6a0f65..4e876bdcc 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -76,6 +76,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 70b4e6ada..01c33e421 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -194,6 +194,7 @@ enum sdap_basic_opt {
SDAP_KRB5_KEYTAB,
SDAP_KRB5_KINIT,
SDAP_KRB5_KDC,
+ SDAP_KRB5_BACKUP_KDC,
SDAP_KRB5_REALM,
SDAP_KRB5_CANONICALIZE,
SDAP_PWD_POLICY,