-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/man/sssd-ipa.5.xml12
-rw-r--r--src/providers/ipa/ipa_access.c4
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h1
-rw-r--r--src/providers/ipa/ipa_hbac_common.c3
-rw-r--r--src/providers/ipa/ipa_hbac_hosts.c173
-rw-r--r--src/providers/ipa/ipa_hbac_private.h3
9 files changed, 165 insertions, 36 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 6858ce49c..d39949f94 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -102,6 +102,7 @@ option_strings = {
'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"),
+ 'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"),
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 8688dc8d2..bfa364eb4 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -112,6 +112,7 @@ krb5_fast_principal = str, None, false
[provider/ipa/access]
ipa_hbac_refresh = int, None, false
ipa_hbac_treat_deny_as = str, None, false
+ipa_hbac_support_srchost = bool, None, false
[provider/ipa/chpass]
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 32d691d70..d85ae86c8 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -237,6 +237,18 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ipa_hbac_support_srchost (boolean)</term>
+ <listitem>
+ <para>
+ If this is set to false, then srchost as given
+ to SSSD by PAM will be ignored.
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>ipa_netgroup_member_of (string)</term>
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index f02f64ed8..880f07d31 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -298,6 +298,10 @@ static int hbac_get_host_info_step(struct hbac_ctx *hbac_ctx)
hbac_ctx_sysdb(hbac_ctx),
sdap_id_op_handle(hbac_ctx->sdap_op),
hbac_ctx_sdap_id_ctx(hbac_ctx)->opts,
+ dp_opt_get_bool(hbac_ctx->ipa_options,
+ IPA_HBAC_SUPPORT_SRCHOST),
+ dp_opt_get_string(hbac_ctx->ipa_options,
+ IPA_HOSTNAME),
hbac_ctx->hbac_search_base);
if (req == NULL) {
DEBUG(1, ("Could not get host info\n"));
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 3e848e322..05299931c 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -40,7 +40,8 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
- { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }
+ { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING },
+ { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
struct dp_option ipa_def_ldap_opts[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 165f8fda0..d415d4d01 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -53,6 +53,7 @@ enum ipa_basic_opt {
IPA_KRB5_REALM,
IPA_HBAC_REFRESH,
IPA_HBAC_DENY_METHOD,
+ IPA_HBAC_SUPPORT_SRCHOST,
IPA_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index 88532302d..859b98403 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -333,10 +333,13 @@ hbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
}
/* Get the source hosts */
+
ret = hbac_shost_attrs_to_rule(new_rule,
hbac_ctx_sysdb(hbac_ctx),
new_rule->name,
hbac_ctx->rules[idx],
+ dp_opt_get_bool(hbac_ctx->ipa_options,
+ IPA_HBAC_SUPPORT_SRCHOST),
&new_rule->srchosts);
if (ret != EOK) {
DEBUG(1, ("Could not parse source hosts for rule [%s]\n",
diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c
index 75cbcd7fb..3a00a2201 100644
--- a/src/providers/ipa/ipa_hbac_hosts.c
+++ b/src/providers/ipa/ipa_hbac_hosts.c
@@ -33,12 +33,25 @@ struct ipa_hbac_host_state {
const char *search_base;
const char **attrs;
+ bool support_srchost;
+ const char *hostname;
+
/* Return values */
size_t host_count;
struct sysdb_attrs **hosts;
size_t hostgroup_count;
struct sysdb_attrs **hostgroups;
+ struct sdap_attr_map_info *hostgroup_map;
+};
+
+#define HOSTGROUP_MAP_ATTRS_COUNT 5
+static struct sdap_attr_map hostgroup_map[] = {
+ {"objectclass", "ipahostgroup", "hostgroup", NULL},
+ {"name_attr", IPA_CN, IPA_CN, NULL},
+ {"member", IPA_MEMBER, SYSDB_ORIG_MEMBER, NULL},
+ {"memberof", IPA_MEMBEROF, SYSDB_ORIG_MEMBEROF, NULL},
+ {"ipa_id", IPA_UNIQUE_ID, IPA_UNIQUE_ID, NULL}
};
static void
@@ -53,6 +66,8 @@ ipa_hbac_host_info_send(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sdap_handle *sh,
struct sdap_options *opts,
+ bool support_srchost,
+ const char *hostname,
const char *search_base)
{
errno_t ret;
@@ -70,9 +85,20 @@ ipa_hbac_host_info_send(TALLOC_CTX *mem_ctx,
state->sysdb = sysdb;
state->sh = sh;
state->opts = opts;
+ state->support_srchost = support_srchost;
+ state->hostname = hostname;
state->search_base = search_base;
- host_filter = talloc_asprintf(state, "(objectClass=%s)", IPA_HOST);
+ if (support_srchost) {
+ host_filter = talloc_asprintf(state, "(objectClass=%s)", IPA_HOST);
+ } else {
+ if (hostname == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+ host_filter = talloc_asprintf(state, "(&(objectClass=%s)(%s=%s))",
+ IPA_HOST, IPA_HOST_FQDN, hostname);
+ }
if (host_filter == NULL) {
ret = ENOMEM;
goto immediate;
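Review bot: `hostname` is spliced verbatim into the LDAP filter in the `talloc_asprintf(state, "(&(objectClass=%s)(%s=%s))", ...)` call; values embedded in filters elsewhere in this tree go through the filter-sanitizing helper (sss_filter_sanitize, if present in this version) so that `(`, `)`, `*` and `\` cannot change the filter's meaning. The value comes from the ipa_hostname option rather than from the PAM client, so the exposure is misconfiguration rather than remote injection, but an unescaped value would silently turn the intended exact match into a broader or failing search. Sanitize first and format the sanitized copy, e.g. `ret = sss_filter_sanitize(state, hostname, &clean_hostname); if (ret != EOK) goto immediate;` followed by `host_filter = talloc_asprintf(state, "(&(objectClass=%s)(%s=%s))", IPA_HOST, IPA_HOST_FQDN, clean_hostname);`. ipa_hbac_host_info_send continues outside the hunk.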
@@ -126,6 +152,8 @@ ipa_hbac_host_info_done(struct tevent_req *subreq)
struct ipa_hbac_host_state *state =
tevent_req_data(req, struct ipa_hbac_host_state);
char *hostgroup_filter;
+ const char *host_dn;
+ int i;
ret = sdap_get_generic_recv(subreq, state,
&state->host_count,
@@ -150,23 +178,64 @@ ipa_hbac_host_info_done(struct tevent_req *subreq)
return;
}
- hostgroup_filter = talloc_asprintf(state, "(objectClass=%s)",
- IPA_HOSTGROUP);
- if (hostgroup_filter == NULL) {
- tevent_req_error(req, ENOMEM);
- return;
+ /* Complete the map */
+ for (i = 0; i < HOSTGROUP_MAP_ATTRS_COUNT; i++) {
+ /* These are allocated on the state, so the next time they'll
+ * have to be allocated again
+ */
+ hostgroup_map[i].name = talloc_strdup(state,
+ hostgroup_map[i].def_name);
+ if (hostgroup_map[i].name == NULL) {
+ tevent_req_error(req, ret);
+ return;
+ }
}
/* Look up host groups */
- subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
- state->search_base, LDAP_SCOPE_SUB,
- hostgroup_filter, state->attrs, NULL, 0,
- dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
- if (subreq == NULL) {
- DEBUG(1, ("Error requesting host info\n"));
- tevent_req_error(req, EIO);
- return;
+ if (state->support_srchost) {
+ hostgroup_filter = talloc_asprintf(state, "(objectClass=%s)",
+ IPA_HOSTGROUP);
+ if (hostgroup_filter == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
+ state->search_base, LDAP_SCOPE_SUB,
+ hostgroup_filter, state->attrs, hostgroup_map,
+ HOSTGROUP_MAP_ATTRS_COUNT,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT));
+ if (subreq == NULL) {
+ DEBUG(1, ("Error requesting host info\n"));
+ tevent_req_error(req, EIO);
+ return;
+ }
+ } else {
+ state->hostgroup_map = talloc_zero(state, struct sdap_attr_map_info);
+ if (state->hostgroup_map == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ state->hostgroup_map->map = hostgroup_map;
+ state->hostgroup_map->num_attrs = HOSTGROUP_MAP_ATTRS_COUNT;
+
+ ret = sysdb_attrs_get_string(state->hosts[0], SYSDB_ORIG_DN, &host_dn);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_deref_search_send(state, state->ev, state->opts, state->sh,
+ host_dn, IPA_MEMBEROF, state->attrs,
+ 1, state->hostgroup_map,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT));
+ if (subreq == NULL) {
+ DEBUG(1, ("Error requesting host info\n"));
+ tevent_req_error(req, EIO);
+ return;
+ }
}
tevent_req_set_callback(subreq, ipa_hbac_hostgroup_info_done, req);
}
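Review bot: In the `/* Complete the map */` loop, the failure branch after `talloc_strdup` calls `tevent_req_error(req, ret)`, but `ret` at that point appears to still hold the EOK returned by the earlier sdap_get_generic_recv, and tevent_req_error() with a zero code does not mark the request as failed, so an allocation failure would leave the request hanging; it should be `tevent_req_error(req, ENOMEM);`. The same loop stores per-request talloc pointers into the file-scope static `hostgroup_map[]`, which is shared by every in-flight request: if two host lookups overlap, the second overwrites the `.name` pointers the first still hands to sdap_get_generic_send/sdap_deref_search_send, and freeing either state leaves dangling pointers in the static array — a per-state copy (talloc_memdup of `hostgroup_map` onto `state`, then fill in `.name` on the copy) avoids both the race and the dangling pointers the comment in the loop acknowledges. On the deref path `state->hosts[0]` is only safe if the host_count == 0 case is rejected above this hunk, which is not visible here. ipa_hbac_host_info_done starts outside the hunk.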
@@ -180,26 +249,43 @@ ipa_hbac_hostgroup_info_done(struct tevent_req *subreq)
struct ipa_hbac_host_state *state =
tevent_req_data(req, struct ipa_hbac_host_state);
- ret = sdap_get_generic_recv(subreq, state,
- &state->hostgroup_count,
- &state->hostgroups);
- talloc_zfree(subreq);
- if (ret != EOK) goto done;
+ struct sdap_deref_attrs **deref_result;
+ const char *hostgroup_name;
+ int i;
- ret = replace_attribute_name(IPA_MEMBER, SYSDB_ORIG_MEMBER,
- state->hostgroup_count,
- state->hostgroups);
- if (ret != EOK) {
- DEBUG(1, ("Could not replace attribute names\n"));
- goto done;
- }
+ if (state->support_srchost) {
+ ret = sdap_get_generic_recv(subreq, state,
+ &state->hostgroup_count,
+ &state->hostgroups);
+ talloc_zfree(subreq);
+ } else {
+ ret = sdap_deref_search_recv(subreq, state,
+ &state->hostgroup_count,
+ &deref_result);
+ talloc_zfree(subreq);
+ if (ret != EOK) goto done;
- ret = replace_attribute_name(IPA_MEMBEROF, SYSDB_ORIG_MEMBEROF,
- state->hostgroup_count,
- state->hostgroups);
- if (ret != EOK) {
- DEBUG(1, ("Could not replace attribute names\n"));
- goto done;
+ if (state->hostgroup_count == 0) {
+ DEBUG(SSSDBG_FUNC_DATA, ("No host groups were dereferenced\n"));
+ } else {
+ state->hostgroups = talloc_zero_array(state, struct sysdb_attrs *,
+ state->hostgroup_count);
+ if (state->hostgroups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < state->hostgroup_count; i++) {
+ ret = sysdb_attrs_get_string(deref_result[i]->attrs,
+ IPA_CN, &hostgroup_name);
+ if (ret != EOK) goto done;
+
+ DEBUG(SSSDBG_FUNC_DATA, ("Dereferenced host group: %s\n",
+ hostgroup_name));
+ state->hostgroups[i] = talloc_steal(state->hostgroups,
+ deref_result[i]->attrs);
+ }
+ }
}
done:
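Review bot: The deref branch treats every entry dereferenced through the host's `IPA_MEMBEROF` as a host group and steals it into `state->hostgroups` after reading `IPA_CN`; in IPA a host's memberOf can also reference non-hostgroup objects (netgroups, HBAC and sudo rules), so unless sdap_deref_search_recv already filters results by the map's `ipahostgroup` objectclass — not visible here — those entries would either be treated as host groups or abort the lookup on a missing cn. Worth confirming against sdap_deref_search_recv and, if it does not filter, checking the entry's objectclass before the `talloc_steal`. Minor: `i` is an `int` compared against the `size_t` `state->hostgroup_count`; `size_t i;` avoids the signed/unsigned comparison. ipa_hbac_hostgroup_info_done continues past the hunk after the `done:` label.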
@@ -454,16 +540,33 @@ hbac_shost_attrs_to_rule(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
const char *rule_name,
struct sysdb_attrs *rule_attrs,
+ bool support_srchost,
struct hbac_rule_element **source_hosts)
{
errno_t ret;
size_t host_count;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ TALLOC_CTX *tmp_ctx;
size_t idx;
struct ldb_message_element *el;
struct hbac_rule_element *shosts;
- DEBUG(7, ("Processing source hosts for rule [%s]\n", rule_name));
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) return ENOMEM;
+
+ DEBUG(SSSDBG_TRACE_FUNC, ("Processing source hosts for rule [%s]\n", rule_name));
+
+ if (!support_srchost) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Source hosts disabled, setting ALL\n"));
+ shosts = talloc_zero(tmp_ctx, struct hbac_rule_element);
+ if (shosts == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ shosts->category = HBAC_CATEGORY_ALL;
+ ret = EOK;
+ goto done;
+ }
ret = hbac_host_attrs_to_rule(tmp_ctx, sysdb,
rule_name, rule_attrs,
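Review bot: With `support_srchost` false, the new early return sets `shosts->category = HBAC_CATEGORY_ALL` for every rule, so a rule whose source-host list was meant to restrict it now matches from any source host; together with the `BOOL_FALSE` default added in ipa_common.c, deployments that relied on srchost restrictions lose them on upgrade without any warning. Because this widens access rather than narrowing it, the man-page entry should say so explicitly, e.g. `If set to false, the source host of the PAM request is ignored and any source-host restrictions in HBAC rules are treated as matching all hosts.`, and the SSSDBG_TRACE_INTERNAL message here is too quiet for an administrator to notice — a one-time message at a default-visible level when the option is read would be more appropriate. hbac_shost_attrs_to_rule starts at the hunk header and continues outside the hunk.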
diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
index 6b5956df0..05256058d 100644
--- a/src/providers/ipa/ipa_hbac_private.h
+++ b/src/providers/ipa/ipa_hbac_private.h
@@ -105,6 +105,8 @@ ipa_hbac_host_info_send(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sdap_handle *sh,
struct sdap_options *opts,
+ bool support_srchost,
+ const char *hostname,
const char *search_base);
errno_t
@@ -127,6 +129,7 @@ hbac_shost_attrs_to_rule(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
const char *rule_name,
struct sysdb_attrs *rule_attrs,
+ bool support_srchost,
struct hbac_rule_element **source_hosts);
errno_t
get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,