diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2010-04-16 17:58:52 +0200 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-05-07 17:14:32 -0400 |
| commit | 66da80489c0114878043b40592c5f47d41eb0ffd (patch) | |
| tree | a69750b3275692fd6dd370da90cce74ad2615e2a /src/providers | |
| parent | dd025b4cbd501e2f34461f9d8359a829b81f5c2f (diff) | |
| download | sssd-66da80489c0114878043b40592c5f47d41eb0ffd.tar.gz sssd-66da80489c0114878043b40592c5f47d41eb0ffd.tar.xz sssd-66da80489c0114878043b40592c5f47d41eb0ffd.zip | |
Use service discovery in backends
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
Diffstat (limited to 'src/providers')
| -rw-r--r-- | src/providers/data_provider_fo.c | 32 | ||||
| -rw-r--r-- | src/providers/dp_backend.h | 9 | ||||
| -rw-r--r-- | src/providers/fail_over.h | 2 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_common.c | 24 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_common.h | 2 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_init.c | 3 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_common.c | 21 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_common.h | 4 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_init.c | 8 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_common.c | 57 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_common.h | 8 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_init.c | 24 | ||||
| -rw-r--r-- | src/providers/ldap/sdap.h | 1 |
13 files changed, 162 insertions, 33 deletions
diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c index cbdb78624..14ebbdb5d 100644 --- a/src/providers/data_provider_fo.c +++ b/src/providers/data_provider_fo.c @@ -53,6 +53,11 @@ struct be_failover_ctx { struct be_svc_data *svcs; }; +int be_fo_is_srv_identifier(const char *server) +{ + return server && strcasecmp(server, BE_SRV_IDENTIFIER) == 0; +} + static int be_fo_get_options(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, struct fo_options *opts) { @@ -61,6 +66,7 @@ static int be_fo_get_options(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, /* todo get timeout from configuration */ opts->retry_timeout = 30; + opts->srv_retry_timeout = 14400; ret = confdb_get_string(ctx->cdb, mem_ctx, ctx->conf_path, CONFDB_DOMAIN_FAMILY_ORDER, @@ -234,6 +240,32 @@ int be_fo_service_add_callback(TALLOC_CTX *memctx, return EOK; } +int be_fo_add_srv_server(struct be_ctx *ctx, const char *service_name, + const char *query_service, const char *proto, + const char *domain, void *user_data) +{ + struct be_svc_data *svc; + int ret; + + DLIST_FOR_EACH(svc, ctx->be_fo->svcs) { + if (strcmp(svc->name, service_name) == 0) { + break; + } + } + if (NULL == svc) { + return ENOENT; + } + + ret = fo_add_srv_server(svc->fo_service, query_service, + domain, proto, user_data); + if (ret && ret != EEXIST) { + DEBUG(1, ("Failed to add SRV lookup reference to failover service\n")); + return ret; + } + + return EOK; +} + int be_fo_add_server(struct be_ctx *ctx, const char *service_name, const char *server, int port, void *user_data) { diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h index 496c80700..ec0510e39 100644 --- a/src/providers/dp_backend.h +++ b/src/providers/dp_backend.h @@ -26,6 +26,11 @@ #include "providers/fail_over.h" #include "db/sysdb.h" +/* a special token, if used in place of the hostname, denotes that real + * hostnames should be looked up from DNS using SRV requests + */ +#define BE_SRV_IDENTIFIER "_srv_" + struct be_ctx; struct bet_ops; struct be_req; @@ -147,10 +152,14 @@ void be_run_online_cb(struct be_ctx *be); typedef void (be_svc_callback_fn_t)(void *, struct fo_server *); int be_init_failover(struct be_ctx *ctx); +int be_fo_is_srv_identifier(const char *server); int be_fo_add_service(struct be_ctx *ctx, const char *service_name); int be_fo_service_add_callback(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *service_name, be_svc_callback_fn_t *fn, void *private_data); +int be_fo_add_srv_server(struct be_ctx *ctx, const char *service_name, + const char *query_service, const char *proto, + const char *domain, void *user_data); int be_fo_add_server(struct be_ctx *ctx, const char *service_name, const char *server, int port, void *user_data); diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h index 70e694fee..a31ace21e 100644 --- a/src/providers/fail_over.h +++ b/src/providers/fail_over.h @@ -159,4 +159,6 @@ const char *fo_get_server_name(struct fo_server *server); struct hostent *fo_get_server_hostent(struct fo_server *server); +int fo_is_srv_lookup(struct fo_server *s); + #endif /* !__FAIL_OVER_H__ */ diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 7d457b7db..aa84e7a94 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -67,7 +67,8 @@ struct dp_option ipa_def_ldap_opts[] = { { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER } + { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, + { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING } }; struct sdap_attr_map ipa_attr_map[] = { @@ -155,12 +156,9 @@ int ipa_get_options(TALLOC_CTX *memctx, } } - /* FIXME: Make non-fatal once we have discovery */ server = dp_opt_get_string(opts->basic, IPA_SERVER); if (!server) { - DEBUG(0, ("Can't find ipa server, missing option!\n")); - ret = EINVAL; - goto done; + DEBUG(1, ("No ipa server set, will use service discovery!\n")); } ipa_hostname = dp_opt_get_string(opts->basic, IPA_HOSTNAME); @@ -537,6 +535,10 @@ int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, } service->krb5_service->realm = realm; + if (!servers) { + servers = BE_SRV_IDENTIFIER; + } + /* split server parm into a list */ ret = split_on_separator(tmp_ctx, servers, ',', true, &list, NULL); if (ret != EOK) { @@ -549,6 +551,18 @@ int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, talloc_steal(service, list[i]); + if (be_fo_is_srv_identifier(list[i])) { + ret = be_fo_add_srv_server(ctx, "IPA", "ldap", + FO_PROTO_TCP, ctx->domain->name, NULL); + if (ret) { + DEBUG(0, ("Failed to add server\n")); + goto done; + } + + DEBUG(6, ("Added service lookup for service IPA\n")); + continue; + } + ret = be_fo_add_server(ctx, "IPA", list[i], 0, NULL); if (ret && ret != EEXIST) { DEBUG(0, ("Failed to add server\n")); diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 77628189c..9daede2db 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -35,7 +35,7 @@ struct ipa_service { /* the following defines are used to keep track of the options in the ldap * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ -#define IPA_OPTS_BASIC_TEST 32 +#define IPA_OPTS_BASIC_TEST 33 /* the following define is used to keep track of the options in the krb5 * module, so that if they change and ipa is not updated correspondingly diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index 1689ac28e..596aecfbd 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -72,8 +72,7 @@ int common_ipa_init(struct be_ctx *bectx) ipa_servers = dp_opt_get_string(ipa_options->basic, IPA_SERVER); if (!ipa_servers) { - DEBUG(0, ("Missing ipa_server option!\n")); - return EINVAL; + DEBUG(1, ("Missing ipa_server option - using service discovery!\n")); } ipa_domain = dp_opt_get_string(ipa_options->basic, IPA_DOMAIN); diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index 1423b0890..bc2d3fbc1 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -334,6 +334,10 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, goto done; } + if (!servers) { + servers = BE_SRV_IDENTIFIER; + } + ret = split_on_separator(tmp_ctx, servers, ',', true, &list, NULL); if (ret != EOK) { DEBUG(1, ("Failed to parse server list!\n")); @@ -344,6 +348,23 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, talloc_steal(service, list[i]); server_spec = talloc_strdup(service, list[i]); + if (!server_spec) { + ret = ENOMEM; + goto done; + } + + if (be_fo_is_srv_identifier(server_spec)) { + ret = be_fo_add_srv_server(ctx, service_name, service_name, + FO_PROTO_TCP, ctx->domain->name, NULL); + if (ret) { + DEBUG(0, ("Failed to add server\n")); + goto done; + } + + DEBUG(6, ("Added service lookup\n")); + continue; + } + port_str = strrchr(server_spec, ':'); if (port_str == NULL) { port = 0; diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index 0482ef023..12c487a90 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h @@ -40,8 +40,8 @@ #define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s" #define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s" -#define SSS_KRB5KDC_FO_SRV "KRB5KDC" -#define SSS_KRB5KPASSWD_FO_SRV "KRB5KPASSWD" +#define SSS_KRB5KDC_FO_SRV "KERBEROS" +#define SSS_KRB5KPASSWD_FO_SRV "KPASSWD" enum krb5_opts { KRB5_KDC = 0, diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c index 0bacb3f8f..03d952607 100644 --- a/src/providers/krb5/krb5_init.c +++ b/src/providers/krb5/krb5_init.c @@ -90,8 +90,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC); if (krb5_servers == NULL) { - DEBUG(0, ("Missing krb5_kdcip option!\n")); - return EINVAL; + DEBUG(1, ("Missing krb5_kdcip option, using service discovery!\n")); } krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM); @@ -108,8 +107,9 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, } krb5_kpasswd_servers = dp_opt_get_string(ctx->opts, KRB5_KPASSWD); - if (krb5_kpasswd_servers == NULL) { - DEBUG(0, ("Missing krb5_kpasswd option, using KDC!\n")); + if (krb5_kpasswd_servers == NULL && krb5_servers != NULL) { + DEBUG(0, ("Missing krb5_kpasswd option and KDC set explicitly, " + "will use KDC for pasword change operations!\n")); ctx->kpasswd_service = NULL; } else { ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV, diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 90ec7e2e7..03b2133a8 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -31,7 +31,7 @@ int ldap_child_debug_fd = -1; struct dp_option default_basic_opts[] = { - { "ldap_uri", DP_OPT_STRING, { "ldap://localhost" }, NULL_STRING }, + { "ldap_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_search_base", DP_OPT_STRING, { "dc=example,dc=com" }, NULL_STRING }, { "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_default_authtok_type", DP_OPT_STRING, NULL_STRING, NULL_STRING}, @@ -63,7 +63,8 @@ struct dp_option default_basic_opts[] = { { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER } + { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, + { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING } }; struct sdap_attr_map generic_attr_map[] = { @@ -537,30 +538,46 @@ static void sdap_uri_callback(void *private_data, struct fo_server *server) if (!service) return; tmp = (const char *)fo_get_server_user_data(server); - if (tmp && ldap_is_ldap_url(tmp)) { - new_uri = talloc_strdup(service, tmp); + + if (fo_is_srv_lookup(server)) { + if (!tmp) { + DEBUG(1, ("Unknown service, using ldap\n")); + tmp = SSS_LDAP_SRV_NAME; + } + new_uri = talloc_asprintf(service, "%s://%s:%d", + tmp, + fo_get_server_name(server), + fo_get_server_port(server)); } else { - new_uri = talloc_asprintf(service, "ldap://%s", - fo_get_server_name(server)); + if (tmp && ldap_is_ldap_url(tmp)) { + new_uri = talloc_strdup(service, tmp); + } else { + new_uri = talloc_asprintf(service, "ldap://%s", + fo_get_server_name(server)); + } } + if (!new_uri) { DEBUG(2, ("Failed to copy URI ...\n")); return; } + DEBUG(6, ("Constructed uri '%s'\n", new_uri)); + /* free old one and replace with new one */ talloc_zfree(service->uri); service->uri = new_uri; } int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, - const char *service_name, const char *urls, - struct sdap_service **_service) + const char *service_name, const char *dns_service_name, + const char *urls, struct sdap_service **_service) { TALLOC_CTX *tmp_ctx; struct sdap_service *service; LDAPURLDesc *lud; char **list = NULL; + char *srv_user_data; int ret; int i; @@ -587,6 +604,10 @@ int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, goto done; } + if (!urls) { + urls = BE_SRV_IDENTIFIER; + } + /* split server parm into a list */ ret = split_on_separator(tmp_ctx, urls, ',', true, &list, NULL); if (ret != EOK) { @@ -596,6 +617,26 @@ int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, /* now for each URI add a new server to the failover service */ for (i = 0; list[i]; i++) { + if (be_fo_is_srv_identifier(list[i])) { + srv_user_data = talloc_strdup(service, dns_service_name); + if (!srv_user_data) { + ret = ENOMEM; + goto done; + } + + ret = be_fo_add_srv_server(ctx, service_name, + dns_service_name, FO_PROTO_TCP, + ctx->domain->name, + srv_user_data); + if (ret) { + DEBUG(0, ("Failed to add server\n")); + goto done; + } + + DEBUG(6, ("Added service lookup\n")); + continue; + } + ret = ldap_url_parse(list[i], &lud); if (ret != LDAP_SUCCESS) { DEBUG(0, ("Failed to parse ldap URI (%s)!\n", list[i])); diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h index ff1ffb725..3998e3001 100644 --- a/src/providers/ldap/ldap_common.h +++ b/src/providers/ldap/ldap_common.h @@ -30,6 +30,8 @@ #define PWD_POL_OPT_SHADOW "shadow" #define PWD_POL_OPT_MIT "mit_kerberos" +#define SSS_LDAP_SRV_NAME "ldap" + /* a fd the child process would log into */ extern int ldap_child_debug_fd; @@ -76,9 +78,9 @@ void sdap_pam_chpass_handler(struct be_req *breq); void sdap_handler_done(struct be_req *req, int dp_err, int error, const char *errstr); -int sdap_service_init(TALLOC_CTX *mmectx, struct be_ctx *ctx, - const char *service_name, const char *urls, - struct sdap_service **service); +int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, + const char *service_name, const char *dns_service_name, + const char *urls, struct sdap_service **_service); /* options parser */ int ldap_get_options(TALLOC_CTX *memctx, diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c index b74ffc215..917ece0cb 100644 --- a/src/providers/ldap/ldap_init.c +++ b/src/providers/ldap/ldap_init.c @@ -52,6 +52,7 @@ int sssm_ldap_id_init(struct be_ctx *bectx, { struct sdap_id_ctx *ctx; const char *urls; + const char *dns_service_name; int ret; ctx = talloc_zero(bectx, struct sdap_id_ctx); @@ -65,14 +66,17 @@ int sssm_ldap_id_init(struct be_ctx *bectx, goto done; } + dns_service_name = dp_opt_get_string(ctx->opts->basic, + SDAP_DNS_SERVICE_NAME); + DEBUG(7, ("Service name for discovery set to %s\n", dns_service_name)); + urls = dp_opt_get_string(ctx->opts->basic, SDAP_URI); if (!urls) { - DEBUG(0, ("Missing ldap_uri\n")); - ret = EINVAL; - goto done; + DEBUG(1, ("Missing ldap_uri, will use service discovery\n")); } - ret = sdap_service_init(ctx, ctx->be, "LDAP", urls, &ctx->service); + ret = sdap_service_init(ctx, ctx->be, "LDAP", + dns_service_name, urls, &ctx->service); if (ret != EOK) { DEBUG(1, ("Failed to initialize failover service!\n")); goto done; @@ -114,6 +118,7 @@ int sssm_ldap_auth_init(struct be_ctx *bectx, { struct sdap_auth_ctx *ctx; const char *urls; + const char *dns_service_name; int ret; ctx = talloc(bectx, struct sdap_auth_ctx); @@ -127,14 +132,17 @@ int sssm_ldap_auth_init(struct be_ctx *bectx, goto done; } + dns_service_name = dp_opt_get_string(ctx->opts->basic, + SDAP_DNS_SERVICE_NAME); + DEBUG(7, ("Service name for discovery set to %s\n", dns_service_name)); + urls = dp_opt_get_string(ctx->opts->basic, SDAP_URI); if (!urls) { - DEBUG(0, ("Missing ldap_uri\n")); - ret = EINVAL; - goto done; + DEBUG(1, ("Missing ldap_uri, will use service discovery\n")); } - ret = sdap_service_init(ctx, ctx->be, "LDAP", urls, &ctx->service); + ret = sdap_service_init(ctx, ctx->be, "LDAP", dns_service_name, + urls, &ctx->service); if (ret != EOK) { DEBUG(1, ("Failed to initialize failover service!\n")); goto done; diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 1445e8eea..a4da43b35 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -150,6 +150,7 @@ enum sdap_basic_opt { SDAP_PWD_POLICY, SDAP_REFERRALS, SDAP_ACCOUNT_CACHE_EXPIRATION, + SDAP_DNS_SERVICE_NAME, SDAP_OPTS_BASIC /* opts counter */ }; |