diff options
| -rw-r--r-- | Makefile.am | 2 | ||||
| -rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
| -rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 1 | ||||
| -rw-r--r-- | src/man/sssd-ipa.5.xml | 26 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_common.h | 1 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_init.c | 29 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_opts.h | 1 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_srv.c | 296 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_srv.h | 47 |
9 files changed, 399 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am index 7a3523334..332669551 100644 --- a/Makefile.am +++ b/Makefile.am @@ -465,6 +465,7 @@ dist_noinst_HEADERS = \ src/providers/ipa/ipa_id.h \ src/providers/ipa/ipa_hostid.h \ src/providers/ipa/ipa_opts.h \ + src/providers/ipa/ipa_srv.h \ src/providers/proxy/proxy.h \ src/tools/tools_util.h \ src/tools/sss_sync_ops.h \ @@ -1513,6 +1514,7 @@ libsss_ipa_la_SOURCES = \ src/providers/ipa/ipa_selinux.c \ src/providers/ipa/ipa_selinux_maps.c \ src/providers/ipa/ipa_selinux_common.c \ + src/providers/ipa/ipa_srv.c \ src/util/user_info_msg.c \ src/util/find_uid.c \ src/util/sss_ldap.c \ diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index a1f223956..1f997f238 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -142,6 +142,7 @@ option_strings = { 'ipa_automount_location' : _("The automounter location this IPA client is using"), 'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"), 'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"), + 'ipa_enable_dns_sites': _("Enable DNS sites - location based service discovery"), # [provider/ad] 'ad_domain' : _('Active Directory domain'), diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index a165bc23a..04855d6ce 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -10,6 +10,7 @@ ipa_hbac_search_base = str, None, false ipa_host_search_base = str, None, false ipa_master_domain_search_base = str, None, false ipa_ranges_search_base = str, None, false +ipa_enable_dns_sites = bool, None, false ldap_uri = str, None, false ldap_backup_uri = str, None, false ldap_search_base = str, None, false diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index c4227da23..f8cb0939d 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -160,6 +160,32 @@ </varlistentry> <varlistentry> + <term>ipa_enable_dns_sites (boolean)</term> + <listitem> + <para> + Enables DNS sites - location based + service discovery. + </para> + <para> + If true and service discovery (see Service + Discovery paragraph at the bottom of the man page) + is enabled, then the SSSD will first attempt + location based discovery using a query that contains + "_location.hostname.example.com" and then fall back + to traditional SRV discovery. If the location based + discovery succeeds, the IPA servers located with + the location based discovery are treated as primary + servers and the IPA servers located using the + traditional SRV discovery are used as back up + servers + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>ipa_hbac_search_base (string)</term> <listitem> <para> diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index e3915bebc..ae1c91731 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -52,6 +52,7 @@ enum ipa_basic_opt { IPA_HBAC_SUPPORT_SRCHOST, IPA_AUTOMOUNT_LOCATION, IPA_RANGES_SEARCH_BASE, + IPA_ENABLE_DNS_SITES, IPA_OPTS_BASIC /* opts counter */ }; diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index cdca706da..b65a6cea1 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -39,6 +39,7 @@ #include "providers/ipa/ipa_selinux.h" #include "providers/ldap/sdap_access.h" #include "providers/ipa/ipa_subdomains.h" +#include "providers/ipa/ipa_srv.h" struct ipa_options *ipa_options = NULL; @@ -111,6 +112,8 @@ int sssm_ipa_id_init(struct be_ctx *bectx, struct sdap_id_ctx *sdap_ctx; struct stat stat_buf; const char *hostname; + const char *ipa_domain; + struct ipa_srv_plugin_ctx *srv_ctx; errno_t err; int ret; @@ -210,11 +213,27 @@ int sssm_ipa_id_init(struct be_ctx *bectx, /* setup SRV lookup plugin */ hostname = dp_opt_get_string(ipa_options->basic, IPA_HOSTNAME); - ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin " - "[%d]: %s\n", ret, strerror(ret))); - goto done; + if (dp_opt_get_bool(ipa_options->basic, IPA_ENABLE_DNS_SITES)) { + /* use IPA plugin */ + ipa_domain = dp_opt_get_string(ipa_options->basic, IPA_DOMAIN); + srv_ctx = ipa_srv_plugin_ctx_init(bectx, bectx->be_res->resolv, + hostname, ipa_domain); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, ("Out of memory?\n")); + ret = ENOMEM; + goto done; + } + + be_fo_set_srv_lookup_plugin(bectx, ipa_srv_plugin_send, + ipa_srv_plugin_recv, srv_ctx, "IPA"); + } else { + /* fall back to standard plugin */ + ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin " + "[%d]: %s\n", ret, strerror(ret))); + goto done; + } } *ops = &ipa_id_ops; diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 970d05b39..a3d0210a2 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -50,6 +50,7 @@ struct dp_option ipa_basic_opts[] = { { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ipa_automount_location", DP_OPT_STRING, { "default" }, NULL_STRING }, { "ipa_ranges_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_enable_dns_sites", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/ipa/ipa_srv.c b/src/providers/ipa/ipa_srv.c new file mode 100644 index 000000000..34a85b56e --- /dev/null +++ b/src/providers/ipa/ipa_srv.c @@ -0,0 +1,296 @@ +/* + Authors: + Pavel B??ezina <pbrezina@redhat.com> + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <string.h> +#include <talloc.h> +#include <tevent.h> + +#include "util/util.h" +#include "resolv/async_resolv.h" +#include "providers/fail_over_srv.h" + +#define IPA_DNS_LOCATION "_location" + +struct ipa_srv_plugin_ctx { + struct resolv_ctx *resolv_ctx; + const char *hostname; + const char *ipa_domain; +}; + +struct ipa_srv_plugin_ctx * +ipa_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + struct resolv_ctx *resolv_ctx, + const char *hostname, + const char *ipa_domain) +{ + struct ipa_srv_plugin_ctx *ctx = NULL; + + ctx = talloc_zero(mem_ctx, struct ipa_srv_plugin_ctx); + if (ctx == NULL) { + return NULL; + } + + ctx->resolv_ctx = resolv_ctx; + + ctx->hostname = talloc_strdup(ctx, hostname); + if (ctx->hostname == NULL) { + goto fail; + } + + ctx->ipa_domain = talloc_strdup(ctx, ipa_domain); + if (ctx->ipa_domain == NULL) { + goto fail; + } + + return ctx; + +fail: + talloc_free(ctx); + return NULL; +} + +struct ipa_srv_plugin_state { + struct tevent_context *ev; + struct ipa_srv_plugin_ctx *ctx; + const char *service; + const char *protocol; + const char *discovery_domain; + + char *dns_domain; + struct fo_server_info *primary_servers; + size_t num_primary_servers; + struct fo_server_info *backup_servers; + size_t num_backup_servers; +}; + +static void ipa_srv_plugin_primary_done(struct tevent_req *subreq); +static void ipa_srv_plugin_backup_done(struct tevent_req *subreq); + +/* If IPA server supports sites, we will use + * _locations.hostname.discovery_domain for primary servers and + * discovery_domain for backup servers. If the server does not support sites or + * client's SRV record is not found, we will use the latter for primary + * servers, setting backup servers to NULL */ +struct tevent_req *ipa_srv_plugin_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *service, + const char *protocol, + const char *discovery_domain, + void *pvt) +{ + struct ipa_srv_plugin_state *state = NULL; + struct ipa_srv_plugin_ctx *ctx = NULL; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + const char **domains = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_srv_plugin_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("tevent_req_create() failed\n")); + return NULL; + } + + ctx = talloc_get_type(pvt, struct ipa_srv_plugin_ctx); + if (ctx == NULL) { + ret = EINVAL; + goto immediately; + } + + state->ev = ev; + state->ctx = ctx; + state->service = service; + state->protocol = protocol; + + if (discovery_domain != NULL) { + state->discovery_domain = discovery_domain; + } else { + state->discovery_domain = ctx->ipa_domain; + } + if (state->discovery_domain == NULL) { + ret = ENOMEM; + goto immediately; + } + + DEBUG(SSSDBG_TRACE_FUNC, ("Looking up primary servers\n")); + + domains = talloc_zero_array(state, const char *, 3); + if (domains == NULL) { + ret = ENOMEM; + goto immediately; + } + + if (strchr(ctx->hostname, '.') == NULL) { + /* not FQDN, append domain name */ + domains[0] = talloc_asprintf(domains, IPA_DNS_LOCATION ".%s.%s", + ctx->hostname, state->discovery_domain); + } else { + domains[0] = talloc_asprintf(domains, IPA_DNS_LOCATION ".%s", + ctx->hostname); + } + if (domains[0] == NULL) { + ret = ENOMEM; + goto immediately; + } + domains[1] = state->discovery_domain; + + subreq = fo_discover_srv_send(state, ev, ctx->resolv_ctx, + state->service, state->protocol, domains); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_srv_plugin_primary_done, req); + + return req; + +immediately: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + + return req; +} + +static void ipa_srv_plugin_primary_done(struct tevent_req *subreq) +{ + struct ipa_srv_plugin_state *state = NULL; + struct tevent_req *req = NULL; + const char **domains = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_srv_plugin_state); + + ret = fo_discover_srv_recv(state, subreq, + &state->dns_domain, + &state->primary_servers, + &state->num_primary_servers); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + if (strcmp(state->dns_domain, state->discovery_domain) == 0) { + /* IPA server does not support sites or this host is in default site */ + state->backup_servers = NULL; + state->num_backup_servers = 0; + + ret = EOK; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, ("Looking up backup servers\n")); + + domains = talloc_zero_array(state, const char *, 3); + if (domains == NULL) { + ret = ENOMEM; + goto done; + } + + domains[0] = state->discovery_domain; + + subreq = fo_discover_srv_send(state, state->ev, state->ctx->resolv_ctx, + state->service, state->protocol, domains); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ipa_srv_plugin_backup_done, req); + + ret = EAGAIN; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static void ipa_srv_plugin_backup_done(struct tevent_req *subreq) +{ + struct ipa_srv_plugin_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_srv_plugin_state); + + ret = fo_discover_srv_recv(state, subreq, NULL, + &state->backup_servers, + &state->num_backup_servers); + talloc_zfree(subreq); + if (ret == ERR_SRV_NOT_FOUND || ret == ERR_SRV_LOOKUP_ERROR) { + /* we have successfully fetched primary servers, so we will + * finish the request normally */ + DEBUG(SSSDBG_MINOR_FAILURE, ("Unable to retrieve backup servers " + "[%d]: %s\n", ret, sss_strerror(ret))); + ret = EOK; + } + + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +errno_t ipa_srv_plugin_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_dns_domain, + struct fo_server_info **_primary_servers, + size_t *_num_primary_servers, + struct fo_server_info **_backup_servers, + size_t *_num_backup_servers) +{ + struct ipa_srv_plugin_state *state = NULL; + state = tevent_req_data(req, struct ipa_srv_plugin_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_primary_servers) { + *_primary_servers = talloc_steal(mem_ctx, state->primary_servers); + } + + if (_num_primary_servers) { + *_num_primary_servers = state->num_primary_servers; + } + + if (_backup_servers) { + *_backup_servers = talloc_steal(mem_ctx, state->backup_servers); + } + + if (_num_backup_servers) { + *_num_backup_servers = state->num_backup_servers; + } + + if (_dns_domain) { + *_dns_domain = talloc_steal(mem_ctx, state->dns_domain); + } + + + return EOK; +} diff --git a/src/providers/ipa/ipa_srv.h b/src/providers/ipa/ipa_srv.h new file mode 100644 index 000000000..e92479aa3 --- /dev/null +++ b/src/providers/ipa/ipa_srv.h @@ -0,0 +1,47 @@ +/* + Authors: + Pavel B??ezina <pbrezina@redhat.com> + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __IPA_SRV_H__ +#define __IPA_SRV_H__ + +struct ipa_srv_plugin_ctx; + +struct ipa_srv_plugin_ctx * +ipa_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + struct resolv_ctx *resolv_ctx, + const char *hostname, + const char *ipa_domain); + +struct tevent_req *ipa_srv_plugin_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *service, + const char *protocol, + const char *discovery_domain, + void *pvt); + +errno_t ipa_srv_plugin_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_dns_domain, + struct fo_server_info **_primary_servers, + size_t *_num_primary_servers, + struct fo_server_info **_backup_servers, + size_t *_num_backup_servers); + +#endif /* __IPA_SRV_H__ */ |