authorStephen Gallagher <sgallagh@redhat.com>2012-06-27 21:38:13 -0400
committerStephen Gallagher <sgallagh@redhat.com>2012-07-06 11:44:45 -0400
commitd92c50f6d75ae980b0d130134112a33e1584724c (patch)
tree324350844b27c46a9e6fe27d0f3f3a70679c36c8 /src/providers/ad
parenteffcbdb12c7ef892f1fd92a745cb33a08ca4ba30 (diff)
AD: Add AD auth and chpass providers
These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
Diffstat (limited to 'src/providers/ad')
-rw-r--r--src/providers/ad/ad_common.c64
-rw-r--r--src/providers/ad/ad_common.h7
-rw-r--r--src/providers/ad/ad_init.c85
3 files changed, 155 insertions, 1 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 92cd40eca..d8f8aff6f 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -598,3 +598,67 @@ ad_set_search_bases(struct sdap_options *id_opts)
done:
return ret;
}
+
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+ struct ad_options *ad_opts,
+ struct be_ctx *bectx,
+ struct dp_option **_opts)
+{
+ errno_t ret;
+ struct dp_option *krb5_options;
+ const char *ad_servers;
+ const char *krb5_realm;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ /* Get krb5 options */
+ ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path,
+ ad_def_krb5_opts, KRB5_OPTS,
+ &krb5_options);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Could not read Kerberos options from the configuration\n"));
+ goto done;
+ }
+
+ ad_servers = dp_opt_get_string(ad_opts->basic, AD_SERVER);
+
+ /* Force the krb5_servers to match the ad_servers */
+ ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers);
+ if (ret != EOK) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("Option %s set to %s\n",
+ krb5_options[KRB5_KDC].opt_name,
+ ad_servers));
+
+ /* Set krb5 realm */
+ /* Set the Kerberos Realm for GSSAPI */
+ krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
+ if (!krb5_realm) {
+ /* Should be impossible, this is set in ad_get_common_options() */
+ DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
+ * been upper-cased in ad_common_options()
+ */
+ ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
+ if (ret != EOK) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("Option %s set to %s\n",
+ krb5_options[KRB5_REALM].opt_name,
+ krb5_realm));
+
+
+ *_opts = talloc_steal(mem_ctx, krb5_options);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
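Review bot: `ad_servers` is read at L55 and passed to dp_opt_set_string and a `%s` DEBUG at L58-L63 with no NULL check, while the realm a few lines later gets an explicit one; whether AD_SERVER is guaranteed non-NULL here depends on ad_get_common_options, which is outside this hunk. If it can be unset, the log line formats a NULL pointer and KRB5_KDC is cleared without saying whether that is meant to fall back to failover/DNS discovery, which is a different trust decision from "use exactly the configured AD servers" that the comment at L57 implies. At minimum guard the log and state the intent: `/* NULL means no explicit server list; KDC discovery is then left to the krb5 service */` above L57, and `ad_servers ? ad_servers : "(unset)"` in place of the bare `ad_servers` argument at L63. The duplicated comments at L65-L66 and the reference to `ad_common_options()` at L76 (called ad_get_common_options() at L69) are worth tidying in the same pass.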
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index fefb67b60..d34f498a0 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -60,7 +60,7 @@ struct ad_options {
/* Auth and chpass Provider */
struct dp_option *auth;
- struct ad_auth_ctx *auth_ctx;
+ struct krb5_ctx *auth_ctx;
};
errno_t
@@ -81,5 +81,10 @@ ad_get_id_options(struct ad_options *ad_opts,
struct confdb_ctx *cdb,
const char *conf_path,
struct sdap_options **_opts);
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+ struct ad_options *ad_opts,
+ struct be_ctx *bectx,
+ struct dp_option **_opts);
#endif /* AD_COMMON_H_ */
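Review bot: The new ad_get_auth_options prototype at L109-L113 carries no comment, and the part a caller needs is the non-obvious one: the option array it returns is allocated on mem_ctx (talloc_steal in ad_common.c of this commit), and the KRB5_KDC and KRB5_REALM entries are overwritten from the AD options regardless of any krb5_* settings read from the configuration. Suggest a comment above the declaration: `/* Read the krb5 provider options for this domain and force KRB5_KDC and KRB5_REALM from AD_SERVER / AD_KRB5_REALM. The returned array is owned by mem_ctx. */`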
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index da659da25..89101a5b1 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -31,6 +31,7 @@
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/krb5/krb5_auth.h"
+#include "providers/krb5/krb5_init_shared.h"
#include "providers/ad/ad_id.h"
struct ad_options *ad_options = NULL;
@@ -176,6 +177,90 @@ done:
return ret;
}
+int
+sssm_ad_auth_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ errno_t ret;
+ struct krb5_ctx *krb5_auth_ctx = NULL;
+
+ if (!ad_options) {
+ ret = common_ad_init(bectx);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ if (ad_options->auth_ctx) {
+ /* Already initialized */
+ *ops = &ad_auth_ops;
+ *pvt_data = ad_options->auth_ctx;
+ return EOK;
+ }
+
+ krb5_auth_ctx = talloc_zero(NULL, struct krb5_ctx);
+ if (!krb5_auth_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ krb5_auth_ctx->service = ad_options->service->krb5_service;
+
+ ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx,
+ &krb5_auth_ctx->opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Could not determine Kerberos options\n"));
+ goto done;
+ }
+
+ ret = krb5_child_init(krb5_auth_ctx, bectx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Could not initialize krb5_child settings: [%s]\n",
+ strerror(ret)));
+ goto done;
+ }
+
+ ad_options->auth_ctx = talloc_steal(ad_options, krb5_auth_ctx);
+ *ops = &ad_auth_ops;
+ *pvt_data = ad_options->auth_ctx;
+
+done:
+ if (ret != EOK) {
+ talloc_free(krb5_auth_ctx);
+ }
+ return ret;
+}
+
+int
+sssm_ad_chpass_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ errno_t ret;
+
+ if (!ad_options) {
+ ret = common_ad_init(bectx);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ if (ad_options->auth_ctx) {
+ /* Already initialized */
+ *ops = &ad_chpass_ops;
+ *pvt_data = ad_options->auth_ctx;
+ return EOK;
+ }
+
+ ret = sssm_ad_auth_init(bectx, ops, pvt_data);
+ *ops = &ad_chpass_ops;
+ ad_options->auth_ctx = *pvt_data;
+ return ret;
+}
+
static void
ad_shutdown(struct be_req *req)
{
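Review bot: sssm_ad_chpass_init stores `*ops` and `ad_options->auth_ctx = *pvt_data` at L208-L209 without checking the result of sssm_ad_auth_init at L207; on failure that function frees krb5_auth_ctx and never writes *pvt_data, so ad_options->auth_ctx ends up holding whatever the caller had in its pvt_data slot. Any later sssm_ad_auth_init or sssm_ad_chpass_init call then takes the "Already initialized" branch at L144/L200 and hands that indeterminate pointer to the krb5 auth ops as a krb5_ctx. Check the return before touching the outputs, and drop L209 since sssm_ad_auth_init already stored the context at L175: `ret = sssm_ad_auth_init(bectx, ops, pvt_data);` followed by `if (ret != EOK) return ret;` and then `*ops = &ad_chpass_ops; return EOK;`. The same caller-supplied-slot reasoning suggests common_ad_init's contract for ad_options->service (dereferenced at L157) should be stated in a comment, as that initializer is outside the hunk.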