-rw-r--r--Makefile.am5
-rwxr-xr-xsrc/config/SSSDConfigTest.py2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf21
-rw-r--r--src/man/sssd-ad.5.xml6
-rw-r--r--src/man/sssd.conf.5.xml15
-rw-r--r--src/providers/ad/ad_common.h4
-rw-r--r--src/providers/ad/ad_init.c25
-rw-r--r--src/providers/ad/ad_sudo.c51
8 files changed, 122 insertions, 7 deletions
diff --git a/Makefile.am b/Makefile.am
index a861d0eca..31ac8130f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1970,6 +1970,11 @@ libsss_ad_la_SOURCES = \
src/util/sss_krb5.c \
src/util/sss_ldap.c
+if BUILD_SUDO
+libsss_ad_la_SOURCES += \
+ src/providers/ad/ad_sudo.c
+endif
+
libsss_ad_la_CFLAGS = \
$(AM_CFLAGS) \
$(SYSTEMD_LOGIN_CFLAGS) \
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 47e9e75a4..182572fce 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -731,7 +731,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
control_provider_dict = {
'ipa': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs',
'session', 'hostid', 'subdomains'],
- 'ad': ['id', 'auth', 'access', 'chpass', 'subdomains'],
+ 'ad': ['id', 'auth', 'access', 'chpass', 'sudo', 'subdomains'],
'local': ['id', 'auth', 'chpass'],
'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],
'krb5': ['auth', 'access', 'chpass'],
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 6b136f2ec..aa20ca0bb 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -132,3 +132,24 @@ krb5_kpasswd = str, None, false
krb5_backup_kpasswd = str, None, false
[provider/ad/subdomains]
+
+[provider/ad/sudo]
+ldap_sudo_search_base = str, None, false
+ldap_sudo_full_refresh_interval = int, None, false
+ldap_sudo_smart_refresh_interval = int, None, false
+ldap_sudo_use_host_filter = bool, None, false
+ldap_sudo_hostnames = str, None, false
+ldap_sudo_ip = str, None, false
+ldap_sudo_include_netgroups = bool, None, false
+ldap_sudo_include_regexp = bool, None, false
+ldap_sudorule_object_class = str, None, false
+ldap_sudorule_name = str, None, false
+ldap_sudorule_command = str, None, false
+ldap_sudorule_host = str, None, false
+ldap_sudorule_user = str, None, false
+ldap_sudorule_option = str, None, false
+ldap_sudorule_runasuser = str, None, false
+ldap_sudorule_runasgroup = str, None, false
+ldap_sudorule_notbefore = str, None, false
+ldap_sudorule_notafter = str, None, false
+ldap_sudorule_order = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index b763e42ed..9b39e081c 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -60,9 +60,9 @@
</para>
<para>
However, it is neither necessary nor recommended to set these
- options. The AD provider can also be used as an access and chpass
- provider. No configuration of the access provider is required on
- the client side.
+ options. The AD provider can also be used as an access, chpass and
+ sudo provider. No configuration of the access provider is required
+ on the client side.
</para>
<para>
By default, the AD provider will map UID and GID values from the
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 4ce90de7b..9668bb0c0 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1465,14 +1465,23 @@ fallback_homedir = /home/%u
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
- </citerefentry> for more information on configuring LDAP.
+ </citerefentry> for more information on configuring
+ LDAP.
+ </para>
+ <para>
+ <quote>ipa</quote> the same as <quote>ldap</quote>
+ but with IPA default settings.
+ </para>
+ <para>
+ <quote>ad</quote> the same as <quote>ldap</quote>
+ but with AD default settings.
</para>
<para>
<quote>none</quote> disables SUDO explicitly.
</para>
<para>
- Default: The value of <quote>id_provider</quote> is used if it
- is set.
+ Default: The value of <quote>id_provider</quote> is
+ used if it is set.
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index d370cef69..bc11e54b0 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -128,4 +128,8 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx,
struct ad_options *ctx);
void ad_dyndns_timer(void *pvt);
+int ad_sudo_init(struct be_ctx *be_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data);
#endif /* AD_COMMON_H_ */
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 60f1939af..74ef42304 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -467,3 +467,28 @@ int sssm_ad_subdomains_init(struct be_ctx *bectx,
return EOK;
}
+
+
+int sssm_ad_sudo_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+#ifdef BUILD_SUDO
+ struct ad_id_ctx *id_ctx;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD sudo handler\n");
+
+ ret = sssm_ad_id_init(bectx, ops, (void **) &id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ad_id_init failed.\n");
+ return ret;
+ }
+
+ return ad_sudo_init(bectx, id_ctx, ops, pvt_data);
+#else
+ DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is "
+ "built without sudo support, ignoring\n");
+ return EOK;
+#endif
+}
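Review bot: In the BUILD_SUDO branch, `ops` is handed to `sssm_ad_id_init` and then again to `ad_sudo_init`, so whatever the id initializer stores in `*ops` is overwritten by the sudo ops a moment later; that is presumably the same pattern the sibling `sssm_ad_*_init` functions in this file follow, but nothing in the hunk says so. A one-line comment above the `sssm_ad_id_init` call, `/* Reuse/create the AD id context; ops is replaced by the sudo ops below. */`, would make the intent explicit, and `(void **) &id_ctx` deserves the same treatment since it is the only reason `pvt_data` is not passed straight through. The `#else` branch returns EOK while leaving `*ops` and `*pvt_data` untouched, so a configuration naming the AD sudo provider on a build without sudo support is accepted with only a minor-failure log line; if the caller does not tolerate an unset `*ops`, returning an error there would be safer than EOK.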
diff --git a/src/providers/ad/ad_sudo.c b/src/providers/ad/ad_sudo.c
new file mode 100644
index 000000000..53ce5af59
--- /dev/null
+++ b/src/providers/ad/ad_sudo.c
@@ -0,0 +1,51 @@
+/*
+ SSSD
+
+ AD SUDO Provider Initialization functions
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/ad/ad_common.h"
+#include "providers/ldap/sdap_sudo.h"
+
+int ad_sudo_init(struct be_ctx *be_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ int ret;
+ struct ad_options *ad_options;
+ struct sdap_options *ldap_options;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing sudo AD back end\n");
+
+ ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize LDAP SUDO [%d]: %s\n",
+ ret, strerror(ret));
+ return ret;
+ }
+
+ ad_options = id_ctx->ad_options;
+ ldap_options = id_ctx->sdap_id_ctx->opts;
+
+ ad_options->id->sudorule_map = ldap_options->sudorule_map;
+ return EOK;
+}
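Review bot: The assignment `ad_options->id->sudorule_map = ldap_options->sudorule_map;` aliases one attribute map between two option structures without saying why the AD id options need the sudo map or which structure owns the allocation; with talloc, freeing whichever side owns it leaves the other holding a dangling pointer. A comment such as `/* Share the sudo attribute map with the sdap options so AD lookups and sdap_sudo use the same schema; the map stays owned by ldap_options (confirm). */` would record the contract for the next maintainer. The function also dereferences `id_ctx->sdap_id_ctx`, `id_ctx->ad_options` and `ad_options->id` without a check; the only caller visible here, `sssm_ad_sudo_init` in ad_init.c, gets `id_ctx` from `sssm_ad_id_init`, so this is presumably safe, but a short note on the precondition (non-NULL, fully initialized id context) at the top of `ad_sudo_init` would make that reliance explicit.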