author | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-15 14:13:40 +0200 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-06-14 21:47:29 +0200 |
commit | 30dd3f3e063dded0ec9f58bc2535a94727d8e96d (patch) | |
tree | c7a0fea133261dd2734a2d534b8c4d1959d4686a /src/providers/ad | |
parent | 0c37b025b3da6bed26d7c84c4254f8ecc05bfc77 (diff) | |
AD: Add ad_create_1way_trust_options
Related:
https://fedorahosted.org/sssd/ticket/2638
For one-way trusts we can assume that AD domain is the same as the
Kerberos realm. On the other hand, SASL realm and keytab path are
specified, unlike two-way trusts that use the system keytab.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers/ad')
-rw-r--r-- | src/providers/ad/ad_common.c | 79 | ||||
-rw-r--r-- | src/providers/ad/ad_common.h | 6 |
2 files changed, 79 insertions, 6 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 22af7cbd2..130cdeb61 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -135,6 +135,35 @@ ad_create_default_options(TALLOC_CTX *mem_ctx)
     return ad_options;
 }
 
+static errno_t
+set_common_ad_trust_opts(struct ad_options *ad_options,
+                         const char *realm,
+                         const char *ad_domain,
+                         const char *hostname)
+{
+    errno_t ret;
+
+    ret = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM, realm);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD krb5 realm\n");
+        return ret;
+    }
+
+    ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
+        return ret;
+    }
+
+    ret = dp_opt_set_string(ad_options->basic, AD_HOSTNAME, hostname);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD hostname\n");
+        return ret;
+    }
+
+    return EOK;
+}
+
 struct ad_options *
 ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
                              const char *realm,
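Review bot: The new static helper set_common_ad_trust_opts has no header comment, and since it is now the single place where both trust-option constructors write AD_KRB5_REALM, AD_DOMAIN and AD_HOSTNAME its contract deserves one; I would add above `static errno_t`: `/* Store realm, AD domain and hostname in ad_options->basic. Returns the dp_opt_set_string() error on failure, leaving the option set partially populated; the caller owns freeing ad_options. */`. The helper also hands its three string arguments straight to dp_opt_set_string() with no NULL check, so whether a NULL realm is rejected or silently stored depends entirely on that function (not visible here); if any caller can pass NULL, an explicit `if (realm == NULL || ad_domain == NULL || hostname == NULL) return EINVAL;` at the top would make the failure deterministic. The ad_create_2way_trust_options definition that starts at the bottom of the hunk continues outside it.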
@@ -147,23 +176,61 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
     ad_options = ad_create_default_options(mem_ctx);
     if (ad_options == NULL) return NULL;
 
-    ret = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM, realm);
+    ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname);
     if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
         talloc_free(ad_options);
         return NULL;
     }
 
-    ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain);
+    ret = ad_set_sdap_options(ad_options, ad_options->id);
     if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
         talloc_free(ad_options);
         return NULL;
     }
 
-    ret = dp_opt_set_string(ad_options->basic, AD_HOSTNAME, hostname);
+    return ad_options;
+}
+
+struct ad_options *
+ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
+                             const char *ad_domain,
+                             const char *hostname,
+                             const char *keytab,
+                             const char *sasl_authid)
+{
+    struct ad_options *ad_options;
+    const char *realm;
+    errno_t ret;
+
+    ad_options = ad_create_default_options(mem_ctx);
+    if (ad_options == NULL) return NULL;
+
+    realm = get_uppercase_realm(ad_options, ad_domain);
+    if (!realm) {
+        talloc_free(ad_options);
+        return NULL;
+    }
+
+    ret = set_common_ad_trust_opts(ad_options, realm,
+                                   ad_domain, hostname);
     if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
+        talloc_free(ad_options);
+        return NULL;
+    }
+
+    /* Set AD_KEYTAB to the special 1way keytab */
+    ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot set trust keytab\n");
+        talloc_free(ad_options);
+        return NULL;
+    }
+
+    /* Set SDAP_SASL_AUTHID to the trust principal */
+    ret = dp_opt_set_string(ad_options->id->basic,
+                            SDAP_SASL_AUTHID, sasl_authid);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n");
         talloc_free(ad_options);
         return NULL;
     }
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 0766b4dc9..817f5b42c 100644
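Review bot: ad_create_1way_trust_options accepts keytab and sasl_authid without validating them, yet those two values are exactly what distinguishes a one-way trust from the two-way case that uses the system keytab; if dp_opt_set_string() tolerates a NULL value (not visible in this hunk, to be confirmed), a NULL keytab would silently leave AD_KEYTAB at its default instead of failing, and the trust would then try to authenticate with the wrong credentials. I would add a guard before the ad_create_default_options() call: `if (keytab == NULL || sasl_authid == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "One-way trust requires a keytab and SASL authid\n"); return NULL; }`. The get_uppercase_realm() failure branch is also the only error path in the function without a DEBUG message, and the assumption from the commit message belongs at that call as a comment: `/* One-way trust: assume the Kerberos realm is the upper-cased AD domain name */`. The function body continues past the hunk; the trailing ad_set_sdap_options() call and return are unchanged context and are not shown.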
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -110,6 +110,12 @@ struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
                                                 const char *ad_domain,
                                                 const char *hostname);
 
+struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
+                                                const char *ad_domain,
+                                                const char *hostname,
+                                                const char *keytab,
+                                                const char *sasl_authid);
+
 errno_t
 ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
                  const char *primary_servers,
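Review bot: The new public prototype ad_create_1way_trust_options is added to ad_common.h without a comment, although its contract differs from ad_create_2way_trust_options in a way the signature alone does not convey: there is no realm parameter because the realm is derived from ad_domain, and keytab and sasl_authid select the trust credentials in place of the system keytab. I would put a short block comment above the declaration stating that ad_domain doubles as the Kerberos realm (upper-cased), that keytab and sasl_authid are the one-way-trust keytab path and SASL principal stored in AD_KEYTAB and SDAP_SASL_AUTHID, and that NULL is returned on any failure with the partially built options already freed. Whether keytab and sasl_authid may be NULL should be spelled out there as well, since the implementation in ad_common.c does not check them.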