-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/man/sssd-ldap.5.xml35
-rw-r--r--src/providers/ipa/ipa_common.c13
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_common.c13
-rw-r--r--src/providers/ldap/sdap.h1
-rw-r--r--src/providers/ldap/sdap_async_connection.c37
-rw-r--r--src/providers/ldap/sdap_async_private.h2
10 files changed, 103 insertions, 3 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index f4734b8c3..d27d2f8a6 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -129,6 +129,7 @@ option_strings = {
'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
'ldap_referrals' : _('Follow LDAP referrals'),
'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'),
+ 'ldap_deref' : _('How to dereference aliases'),
# [provider/ldap/id]
'ldap_search_timeout' : _('Length of time to wait for a search request'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 001d4fce2..04b6632d5 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -30,6 +30,7 @@ ldap_rootdse_last_usn = str, None, false
ldap_referrals = bool, None, false
ldap_krb5_ticket_lifetime = int, None, false
ldap_dns_service_name = str, None, false
+ldap_deref = str, None, false
[provider/ipa/id]
ldap_search_timeout = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 1f5d7ab2a..1af6b0c8b 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -23,6 +23,7 @@ ldap_rootdse_last_usn = str, None, false
ldap_referrals = bool, None, false
ldap_krb5_ticket_lifetime = int, None, false
ldap_dns_service_name = str, None, false
+ldap_deref = str, None, false
[provider/ldap/id]
ldap_search_timeout = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 87d388ade..8c38ca769 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -990,6 +990,41 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ldap_deref (string)</term>
+ <listitem>
+ <para>
+ Specifies how alias dereferencing is done when
+ performing a search. The following options are
+ allowed:
+ </para>
+ <para>
+ <emphasis>never</emphasis>: Aliases are never
+ dereferenced.
+ </para>
+ <para>
+ <emphasis>searching</emphasis>: Aliases are
+ dereferenced in subordinates of the base object,
+ but not in locating the base object of the search.
+ </para>
+ <para>
+ <emphasis>finding</emphasis>: Aliases are only
+ dereferenced when locating the base object of the
+ search.
+ </para>
+ <para>
+ <emphasis>always</emphasis>: Aliases are
+ dereferenced both in searching and in locating the
+ base object of the search.
+ </para>
+ <para>
+ Default: Empty (this is handled as
+ <emphasis>never</emphasis> by the LDAP client
+ libraries)
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 758bf9de9..aee8b65f4 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -27,6 +27,7 @@
#include <arpa/inet.h>
#include "providers/ipa/ipa_common.h"
+#include "providers/ldap/sdap_async_private.h"
struct dp_option ipa_basic_opts[] = {
{ "ipa_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -75,7 +76,8 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER },
{ "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER }
+ { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER },
+ { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
struct sdap_attr_map ipa_attr_map[] = {
@@ -359,6 +361,15 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
SDAP_NETGROUP_SEARCH_BASE)));
}
+ value = dp_opt_get_string(ipa_opts->id->basic, SDAP_DEREF);
+ if (value != NULL) {
+ ret = deref_string_to_val(value, &i);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to verify ldap_deref option.\n"));
+ goto done;
+ }
+ }
+
ret = sdap_get_map(ipa_opts->id, cdb, conf_path,
ipa_attr_map,
SDAP_AT_GENERAL,
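Review bot: The integer that deref_string_to_val writes into `i` is discarded here; the block only validates the string, and the same validate-and-discard appears in ldap_get_options (ldap_common.c, hunk @@ -293) before sdap_connect_send parses the same string a third time on every connection. Storing the parsed value once at option-load time would let the connect path use it directly and drop the duplicate checks, and it would avoid the double log line on a bad value (deref_string_to_val already emits "Illegal deref option" before this branch logs "Failed to verify ldap_deref option."). Making the IPA provider include sdap_async_private.h (hunk @@ -27) to reach a helper that is now shared by two providers also seems to undercut that header's "private" intent; a declaration in sdap.h would serve both callers. ipa_get_id_options starts and ends outside the hunk, and `value` and `i` are presumably declared earlier in it.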
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 8cbcaebb6..ef1cac207 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 38
+#define IPA_OPTS_BASIC_TEST 39
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index ea5f95707..543774b87 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -71,7 +71,8 @@ struct dp_option default_basic_opts[] = {
{ "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER },
{ "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER }
+ { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER },
+ { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
struct sdap_attr_map generic_attr_map[] = {
@@ -188,6 +189,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
int ret;
int account_cache_expiration;
int offline_credentials_expiration;
+ const char *ldap_deref;
+ int ldap_deref_val;
opts = talloc_zero(memctx, struct sdap_options);
if (!opts) return ENOMEM;
@@ -293,6 +296,14 @@ int ldap_get_options(TALLOC_CTX *memctx,
goto done;
}
+ ldap_deref = dp_opt_get_string(opts->basic, SDAP_DEREF);
+ if (ldap_deref != NULL) {
+ ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to verify ldap_deref option.\n"));
+ goto done;
+ }
+ }
#ifndef HAVE_LDAP_CONNCB
bool ldap_referrals;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 4506085f1..be4cf8a02 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -178,6 +178,7 @@ enum sdap_basic_opt {
SDAP_ACCESS_FILTER,
SDAP_NETGROUP_SEARCH_BASE,
SDAP_NESTING_LEVEL,
+ SDAP_DEREF,
SDAP_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index b62050521..e4ca96242 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -28,6 +28,24 @@
#define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
+errno_t deref_string_to_val(const char *str, int *val)
+{
+ if (strcasecmp(str, "never") == 0) {
+ *val = LDAP_DEREF_NEVER;
+ } else if (strcasecmp(str, "searching") == 0) {
+ *val = LDAP_DEREF_SEARCHING;
+ } else if (strcasecmp(str, "finding") == 0) {
+ *val = LDAP_DEREF_FINDING;
+ } else if (strcasecmp(str, "always") == 0) {
+ *val = LDAP_DEREF_ALWAYS;
+ } else {
+ DEBUG(1, ("Illegal deref option [%s].\n", str));
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
/* ==Connect-to-LDAP-Server=============================================== */
struct sdap_connect_state {
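Review bot: deref_string_to_val is exported through sdap_async_private.h but carries no comment stating its contract; a header such as `/* Map an ldap_deref option string (never/searching/finding/always, case-insensitive) to the LDAP_DEREF_* value expected by ldap_set_option(LDAP_OPT_DEREF). Returns EOK, or EINVAL (after logging) for any other string. str must not be NULL. */` would make that explicit for callers outside this file. The NULL precondition is worth writing down because strcasecmp on a NULL pointer is undefined, and every caller in this commit relies on its own `!= NULL` guard rather than on the helper.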
@@ -61,6 +79,8 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
int msgid;
char *errmsg = NULL;
bool ldap_referrals;
+ const char *ldap_deref;
+ int ldap_deref_val;
req = tevent_req_create(memctx, &state, struct sdap_connect_state);
if (!req) return NULL;
@@ -130,6 +150,23 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
goto fail;
}
+ /* Set alias dereferencing */
+ ldap_deref = dp_opt_get_string(opts->basic, SDAP_DEREF);
+ if (ldap_deref != NULL) {
+ ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
+ if (ret != EOK) {
+ DEBUG(1, ("deref_string_to_val failed.\n"));
+ goto fail;
+ }
+
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_DEREF, &ldap_deref_val);
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("Failed to set deref option to %d\n", ldap_deref_val));
+ goto fail;
+ }
+
+ }
+
ret = setup_ldap_connection_callbacks(state->sh, state->ev);
if (ret != EOK) {
DEBUG(1, ("setup_ldap_connection_callbacks failed.\n"));
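Review bot: The ldap_set_option failure path in the new block jumps to `fail` without assigning `ret`, so if that label reports `ret` to the caller the request ends with whatever the previous call left there rather than an error for this step; adding `ret = EIO;` before that `goto fail;` (the deref_string_to_val branch above it does set ret) would make the failure explicit, unless the fail label already substitutes an error for a zero ret, which is outside the hunk. The string is also re-parsed on every connection although ldap_get_options has already validated it, so the deref_string_to_val failure branch here is effectively unreachable for a loaded configuration and the two messages ("Illegal deref option", "deref_string_to_val failed.") would both fire for one bad value. There is a stray blank line before the closing brace of the `if (ldap_deref != NULL)` block. sdap_connect_send starts and ends outside the hunk.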
diff --git a/src/providers/ldap/sdap_async_private.h b/src/providers/ldap/sdap_async_private.h
index 10ed44693..f049fa6aa 100644
--- a/src/providers/ldap/sdap_async_private.h
+++ b/src/providers/ldap/sdap_async_private.h
@@ -53,6 +53,8 @@ int sdap_get_rootdse_recv(struct tevent_req *req,
TALLOC_CTX *memctx,
struct sysdb_attrs **rootdse);
+errno_t deref_string_to_val(const char *str, int *val);
+
/* from sdap_child_helpers.c */
struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx,