AD: Add AD auth and chpass providers

These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
author: Stephen Gallagher <sgallagh@redhat.com> 2012-06-27 21:38:13 -0400
committer: Stephen Gallagher <sgallagh@redhat.com> 2012-07-06 11:44:45 -0400
commit: d92c50f6d75ae980b0d130134112a33e1584724c (patch)
tree: 324350844b27c46a9e6fe27d0f3f3a70679c36c8 /src/providers
parent: effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 (diff)
download: sssd-d92c50f6d75ae980b0d130134112a33e1584724c.tar.gz
sssd-d92c50f6d75ae980b0d130134112a33e1584724c.tar.xz
sssd-d92c50f6d75ae980b0d130134112a33e1584724c.zip
4 files changed, 159 insertions, 1 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 92cd40eca..d8f8aff6f 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -598,3 +598,67 @@ ad_set_search_bases(struct sdap_options *id_opts)
 done:
     return ret;
 }
+
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+                    struct ad_options *ad_opts,
+                    struct be_ctx *bectx,
+                    struct dp_option **_opts)
+{
+    errno_t ret;
+    struct dp_option *krb5_options;
+    const char *ad_servers;
+    const char *krb5_realm;
+
+    TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+    if (!tmp_ctx) return ENOMEM;
+
+    /* Get krb5 options */
+    ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path,
+                         ad_def_krb5_opts, KRB5_OPTS,
+                         &krb5_options);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Could not read Kerberos options from the configuration\n"));
+        goto done;
+    }
+
+    ad_servers = dp_opt_get_string(ad_opts->basic, AD_SERVER);
+
+    /* Force the krb5_servers to match the ad_servers */
+    ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers);
+    if (ret != EOK) goto done;
+    DEBUG(SSSDBG_CONF_SETTINGS,
+          ("Option %s set to %s\n",
+           krb5_options[KRB5_KDC].opt_name,
+           ad_servers));
+
+    /* Set krb5 realm */
+    /* Set the Kerberos Realm for GSSAPI */
+    krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
+    if (!krb5_realm) {
+        /* Should be impossible, this is set in ad_get_common_options() */
+        DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
+    /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
+     * been upper-cased in ad_common_options()
+     */
+    ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
+    if (ret != EOK) goto done;
+    DEBUG(SSSDBG_CONF_SETTINGS,
+          ("Option %s set to %s\n",
+           krb5_options[KRB5_REALM].opt_name,
+           krb5_realm));
+
+
+    *_opts = talloc_steal(mem_ctx, krb5_options);
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index fefb67b60..d34f498a0 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -60,7 +60,7 @@ struct ad_options {
 
     /* Auth and chpass Provider */
     struct dp_option *auth;
-    struct ad_auth_ctx *auth_ctx;
+    struct krb5_ctx *auth_ctx;
 };
 
 errno_t
@@ -81,5 +81,10 @@ ad_get_id_options(struct ad_options *ad_opts,
                    struct confdb_ctx *cdb,
                    const char *conf_path,
                    struct sdap_options **_opts);
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+                    struct ad_options *ad_opts,
+                    struct be_ctx *bectx,
+                    struct dp_option **_opts);
 
 #endif /* AD_COMMON_H_ */
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index da659da25..89101a5b1 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -31,6 +31,7 @@
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap_idmap.h"
 #include "providers/krb5/krb5_auth.h"
+#include "providers/krb5/krb5_init_shared.h"
 #include "providers/ad/ad_id.h"
 
 struct ad_options *ad_options = NULL;
@@ -176,6 +177,90 @@ done:
     return ret;
 }
 
+int
+sssm_ad_auth_init(struct be_ctx *bectx,
+                  struct bet_ops **ops,
+                  void **pvt_data)
+{
+    errno_t ret;
+    struct krb5_ctx *krb5_auth_ctx = NULL;
+
+    if (!ad_options) {
+        ret = common_ad_init(bectx);
+        if (ret != EOK) {
+            return ret;
+        }
+    }
+
+    if (ad_options->auth_ctx) {
+        /* Already initialized */
+        *ops = &ad_auth_ops;
+        *pvt_data = ad_options->auth_ctx;
+        return EOK;
+    }
+
+    krb5_auth_ctx = talloc_zero(NULL, struct krb5_ctx);
+    if (!krb5_auth_ctx) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    krb5_auth_ctx->service = ad_options->service->krb5_service;
+
+    ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx,
+                              &krb5_auth_ctx->opts);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              ("Could not determine Kerberos options\n"));
+        goto done;
+    }
+
+    ret = krb5_child_init(krb5_auth_ctx, bectx);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              ("Could not initialize krb5_child settings: [%s]\n",
+               strerror(ret)));
+        goto done;
+    }
+
+    ad_options->auth_ctx = talloc_steal(ad_options, krb5_auth_ctx);
+    *ops = &ad_auth_ops;
+    *pvt_data = ad_options->auth_ctx;
+
+done:
+    if (ret != EOK) {
+        talloc_free(krb5_auth_ctx);
+    }
+    return ret;
+}
+
+int
+sssm_ad_chpass_init(struct be_ctx *bectx,
+                    struct bet_ops **ops,
+                    void **pvt_data)
+{
+    errno_t ret;
+
+    if (!ad_options) {
+        ret = common_ad_init(bectx);
+        if (ret != EOK) {
+            return ret;
+        }
+    }
+
+    if (ad_options->auth_ctx) {
+        /* Already initialized */
+        *ops = &ad_chpass_ops;
+        *pvt_data = ad_options->auth_ctx;
+        return EOK;
+    }
+
+    ret = sssm_ad_auth_init(bectx, ops, pvt_data);
+    *ops = &ad_chpass_ops;
+    ad_options->auth_ctx = *pvt_data;
+    return ret;
+}
+
 static void
 ad_shutdown(struct be_req *req)
 {
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index ec4fc0509..589b866b4 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -173,4 +173,8 @@ errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm);
 errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
                             const char *username, const char **_upn);
 
+int sssm_krb5_auth_init(struct be_ctx *bectx,
+                        struct bet_ops **ops,
+                        void **pvt_auth_data);
+
 #endif /* __KRB5_COMMON_H__ */
author	Stephen Gallagher <sgallagh@redhat.com>	2012-06-27 21:38:13 -0400
committer	Stephen Gallagher <sgallagh@redhat.com>	2012-07-06 11:44:45 -0400
commit	d92c50f6d75ae980b0d130134112a33e1584724c (patch)
tree	324350844b27c46a9e6fe27d0f3f3a70679c36c8 /src/providers
parent	effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 (diff)
download	sssd-d92c50f6d75ae980b0d130134112a33e1584724c.tar.gz sssd-d92c50f6d75ae980b0d130134112a33e1584724c.tar.xz sssd-d92c50f6d75ae980b0d130134112a33e1584724c.zip