summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2011-08-30 10:51:19 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-09-02 09:58:29 -0400
commit9d3d669cc353475cfe023c2a20cc51fd07428b82 (patch)
tree400a35dcfc2703d22d91a31b3baacacfbd097743 /src
parentb4378a86e669f3136c71c409c692302517b3474e (diff)
downloadsssd-9d3d669cc353475cfe023c2a20cc51fd07428b82.tar.gz
sssd-9d3d669cc353475cfe023c2a20cc51fd07428b82.tar.xz
sssd-9d3d669cc353475cfe023c2a20cc51fd07428b82.zip
Add option to specify the kerberos replay cache dir
Adds a configure option to set the distribution default as well as an sssd.conf option to override it. https://fedorahosted.org/sssd/ticket/980
Diffstat (limited to 'src')
-rw-r--r--src/conf_macros.m415
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rwxr-xr-xsrc/config/SSSDConfigTest.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml20
-rw-r--r--src/monitor/monitor.c31
7 files changed, 70 insertions, 0 deletions
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 8ead0b29b..2a109b5f8 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -161,6 +161,21 @@ AC_DEFUN([WITH_KRB5_PLUGIN_PATH],
AC_SUBST(krb5pluginpath)
])
+AC_DEFUN([WITH_KRB5_RCACHE_DIR],
+ [ AC_ARG_WITH([krb5-rcache-dir],
+ [AC_HELP_STRING([--with-krb5-rcache-dir=PATH],
+ [Path to store Kerberos replay caches [__LIBKRB5_DEFAULTS__]]
+ )
+ ]
+ )
+ krb5rcachedir="__LIBKRB5_DEFAULTS__"
+ if test x"$with_krb5_rcache_dir" != x; then
+ krb5rcachedir=$with_krb5_rcache_dir
+ fi
+ AC_SUBST(krb5rcachedir)
+ AC_DEFINE_UNQUOTED(KRB5_RCACHE_DIR, "$krb5rcachedir", [Directory used for storing Kerberos replay caches])
+ ])
+
AC_DEFUN([WITH_PYTHON_BINDINGS],
[ AC_ARG_WITH([python-bindings],
[AC_HELP_STRING([--with-python-bindings],
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5e50991f3..4d6157612 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -63,6 +63,7 @@
#define CONFDB_MONITOR_NAME_REGEX "re_expression"
#define CONFDB_MONITOR_FULL_NAME_FORMAT "full_name_format"
#define CONFDB_MONITOR_TRY_INOTIFY "try_inotify"
+#define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir"
/* NSS */
#define CONFDB_NSS_CONF_ENTRY "config/nss"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 3f983327d..2ba9ea4e1 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -49,6 +49,7 @@ option_strings = {
'sbus_timeout' : _('Timeout for messages sent over the SBUS'),
're_expression' : _('Regex to parse username and domain'),
'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
+ 'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
# [nss]
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 0e5a630e0..ebfd372e5 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -266,6 +266,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'sbus_timeout',
're_expression',
'full_name_format',
+ 'krb5_rcache_dir',
'debug_level',
'debug_timestamps',
'debug_to_files',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 49836e457..a080ae12c 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -17,6 +17,7 @@ timeout = int, None, false
sbus_timeout = int, None, false
re_expression = str, None, false
full_name_format = str, None, false
+krb5_rcache_dir = str, None, false
[nss]
# Name service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e03805561..f5119433b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -185,6 +185,26 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>krb5_rcache_dir (string)</term>
+ <listitem>
+ <para>
+ Directory on the filesystem where SSSD should
+ store Kerberos replay cache files.
+ </para>
+ <para>
+ This option accepts a special value
+ __LIBKRB5_DEFAULTS__ that will instruct SSSD
+ to let libkrb5 decide the appropriate
+ location for the replay cache.
+ </para>
+ <para>
+ Default: Distribution-specific and specified
+ at build-time. (__LIBKRB5_DEFAULTS__ if not
+ configured)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</refsect2>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 2e2478204..431b875cc 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -57,6 +57,11 @@
* monitor will get crazy hammering children with messages */
#define MONITOR_DEF_PING_TIME 10
+/* Special value to leave the Kerberos Replay Cache set to use
+ * the libkrb5 defaults
+ */
+#define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__"
+
struct svc_spy;
struct mt_svc {
@@ -1871,8 +1876,34 @@ int monitor_process_init(struct mt_ctx *ctx,
struct sysdb_ctx_list *db_list;
struct tevent_signal *tes;
struct sss_domain_info *dom;
+ char *rcachedir;
int num_providers;
int ret;
+ int error;
+
+ /* Set up the environment variable for the Kerberos Replay Cache */
+ ret = confdb_get_string(ctx->cdb, ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_KRB5_RCACHEDIR,
+ KRB5_RCACHE_DIR,
+ &rcachedir);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (strcmp(rcachedir, KRB5_RCACHE_DIR_DISABLE) != 0)
+ {
+ errno = 0;
+ ret = setenv("KRB5RCACHEDIR", rcachedir, 1);
+ if (ret < 0) {
+ error = errno;
+ DEBUG(1,
+ ("Unable to set KRB5RCACHEDIR: %s."
+ "Will attempt to use libkrb5 defaults\n",
+ strerror(error)));
+ }
+ talloc_zfree(rcachedir);
+ }
/* Set up an event handler for a SIGHUP */
tes = tevent_add_signal(ctx->ev, ctx, SIGHUP, 0,