diff options
| -rw-r--r-- | Makefile.am | 2 | ||||
| -rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 1 | ||||
| -rw-r--r-- | src/man/sssd-ipa.5.xml | 19 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_common.c | 26 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_common.h | 2 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_init.c | 38 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_opts.h | 1 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_subdomains.c | 319 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_subdomains.h | 39 |
9 files changed, 447 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index 303264c56..671496358 100644 --- a/Makefile.am +++ b/Makefile.am @@ -392,6 +392,7 @@ dist_noinst_HEADERS = \ src/providers/ipa/ipa_selinux_maps.h \ src/providers/ipa/ipa_auth.h \ src/providers/ipa/ipa_dyndns.h \ + src/providers/ipa/ipa_subdomains.h \ src/providers/ipa/ipa_id.h \ src/providers/ipa/ipa_hostid.h \ src/providers/ipa/ipa_opts.h \ @@ -1192,6 +1193,7 @@ libsss_ipa_la_SOURCES = \ src/providers/ipa/ipa_access.c \ src/providers/ipa/ipa_dyndns.c \ src/providers/ipa/ipa_hosts.c \ + src/providers/ipa/ipa_subdomains.c \ src/providers/ipa/ipa_hbac_hosts.c \ src/providers/ipa/ipa_hbac_private.h \ src/providers/ipa/ipa_hbac_rules.c \ diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index c7c877e74..850b9dbd6 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -6,6 +6,7 @@ ipa_dyndns_update = bool, None, false ipa_dyndns_iface = str, None, false ipa_hbac_search_base = str, None, false ipa_host_search_base = str, None, false +ipa_subdomains_search_base = str, None, false ldap_uri = str, None, false ldap_search_base = str, None, false ldap_schema = str, None, false diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index b5bd2816d..9b8a140ce 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -196,6 +196,25 @@ </varlistentry> <varlistentry> + <term>ipa_subdomains_search_base (string)</term> + <listitem> + <para> + Optional. Use the given string as search base for + trusted domains. + </para> + <para> + See <quote>ldap_search_base</quote> for + information about configuring multiple search + bases. + </para> + <para> + Default: the value of + <emphasis>cn=trusts,%basedn</emphasis> + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>krb5_validate (boolean)</term> <listitem> <para> diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 5d2f7987d..225c9786c 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -143,6 +143,9 @@ static errno_t ipa_parse_search_base(TALLOC_CTX *mem_ctx, case IPA_SELINUX_SEARCH_BASE: class_name = "IPA_SELINUX"; break; + case IPA_SUBDOMAINS_SEARCH_BASE: + class_name = "IPA_SUBDOMAINS"; + break; default: DEBUG(SSSDBG_CONF_SETTINGS, ("Unknown search base type: [%d]\n", class)); @@ -487,6 +490,29 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, &ipa_opts->id->service_search_bases); if (ret != EOK) goto done; + if (NULL == dp_opt_get_string(ipa_opts->basic, + IPA_SUBDOMAINS_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=trusts,%s", basedn); + if (value == NULL) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->basic, IPA_SUBDOMAINS_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n", + ipa_opts->basic[IPA_SUBDOMAINS_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->basic, + IPA_SUBDOMAINS_SEARCH_BASE))); + } + ret = ipa_parse_search_base(ipa_opts, ipa_opts->basic, + IPA_SUBDOMAINS_SEARCH_BASE, + &ipa_opts->subdomains_search_bases); + if (ret != EOK) goto done; + ret = sdap_get_map(ipa_opts->id, cdb, conf_path, ipa_attr_map, SDAP_AT_GENERAL, diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index d29cf92df..9232260eb 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -41,6 +41,7 @@ enum ipa_basic_opt { IPA_HBAC_SEARCH_BASE, IPA_HOST_SEARCH_BASE, IPA_SELINUX_SEARCH_BASE, + IPA_SUBDOMAINS_SEARCH_BASE, IPA_KRB5_REALM, IPA_HBAC_REFRESH, IPA_HBAC_DENY_METHOD, @@ -123,6 +124,7 @@ struct ipa_options { struct sdap_search_base **host_search_bases; struct sdap_search_base **hbac_search_bases; struct sdap_search_base **selinux_search_bases; + struct sdap_search_base **subdomains_search_bases; struct ipa_service *service; /* id provider */ diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index fca23f349..90acb1082 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -37,6 +37,7 @@ #include "providers/ipa/ipa_dyndns.h" #include "providers/ipa/ipa_session.h" #include "providers/ldap/sdap_access.h" +#include "providers/ipa/ipa_subdomains.h" struct ipa_options *ipa_options = NULL; @@ -74,6 +75,11 @@ struct bet_ops ipa_hostid_ops = { }; #endif +struct bet_ops ipa_subdomains_ops = { + .handler = ipa_subdomains_handler, + .finalize = NULL +}; + int common_ipa_init(struct be_ctx *bectx) { const char *ipa_servers; @@ -513,3 +519,35 @@ int sssm_ipa_autofs_init(struct be_ctx *bectx, return EOK; #endif } + +int sssm_ipa_subdomains_init(struct be_ctx *bectx, + struct bet_ops **ops, + void **pvt_data) +{ + int ret; + struct ipa_subdomains_ctx *subdomains_ctx; + struct ipa_id_ctx *id_ctx; + + subdomains_ctx = talloc_zero(bectx, struct ipa_subdomains_ctx); + if (subdomains_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + return ENOMEM; + } + + ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ipa_id_init failed.\n")); + goto done; + } + subdomains_ctx->sdap_id_ctx = id_ctx->sdap_id_ctx; + subdomains_ctx->search_bases = id_ctx->ipa_options->subdomains_search_bases; + + *ops = &ipa_subdomains_ops; + *pvt_data = subdomains_ctx; + +done: + if (ret != EOK) { + talloc_free(subdomains_ctx); + } + return ret; +} diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 2cdb8dbb1..20f57fca5 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -38,6 +38,7 @@ struct dp_option ipa_basic_opts[] = { { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ipa_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ipa_selinux_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_subdomains_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }, diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c new file mode 100644 index 000000000..da9785f2c --- /dev/null +++ b/src/providers/ipa/ipa_subdomains.c @@ -0,0 +1,319 @@ +/* + SSSD + + IPA Subdomains Module + + Authors: + Sumit Bose <sbose@redhat.com> + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "providers/ldap/sdap_async.h" +#include "providers/ipa/ipa_subdomains.h" +#include "providers/ipa/ipa_common.h" + +#define SUBDOMAINS_FILTER "objectclass=ipaNTTrustedDomain" +#define IPA_CN "cn" +#define IPA_FLATNAME "ipaNTFlatName" +#define IPA_SID "ipaNTTrustedDomainSID" + +static void ipa_subdomains_reply(struct be_req *be_req, int dp_err, int result) +{ + be_req->fn(be_req, dp_err, result, NULL); +} + +static errno_t ipa_subdomains_parse_results( + struct be_get_subdomains_req *sd_data, + size_t count, + struct sysdb_attrs **reply) +{ + struct subdomain_info **new_domain_list = NULL; + const char *value; + size_t c; + int ret; + + new_domain_list = talloc_array(sd_data, struct subdomain_info *, count + 1); + if (new_domain_list == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n")); + return ENOMEM; + } + + for (c = 0; c < count; c++) { + new_domain_list[c] = talloc_zero(new_domain_list, + struct subdomain_info); + if (new_domain_list[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("talloc_zero failed.\n")); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_CN, &value); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n")); + goto done; + } + new_domain_list[c]->name = talloc_strdup(new_domain_list[c], value); + if (new_domain_list[c]->name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n")); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_FLATNAME, &value); + if (ret == EOK) { + new_domain_list[c]->flat_name = talloc_strdup(new_domain_list[c], + value); + if (new_domain_list[c]->flat_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n")); + ret = ENOMEM; + goto done; + } + } else if (ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n")); + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_SID, &value); + if (ret == EOK) { + new_domain_list[c]->id = talloc_strdup(new_domain_list[c], value); + if (new_domain_list[c]->id == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n")); + ret = ENOMEM; + goto done; + } + } else if (ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n")); + goto done; + } + } + new_domain_list[c] = NULL; + + ret = EOK; + +done: + if (ret == EOK) { + talloc_free(sd_data->domain_list); + sd_data->domain_list = new_domain_list; + } else { + talloc_free(new_domain_list); + } + + return ret; +} + +struct ipa_subdomains_req_ctx { + struct be_req *be_req; + struct ipa_subdomains_ctx *sd_ctx; + struct sdap_id_op *sdap_op; + struct be_get_subdomains_req *sd_data; + + char *current_filter; + + struct sdap_search_base **search_bases; + int search_base_iter; + + size_t reply_count; + struct sysdb_attrs **reply; +}; + +static void ipa_subdomains_get_conn_done(struct tevent_req *req); +static errno_t ipa_subdomains_handler_next(struct ipa_subdomains_req_ctx *ctx); +static void ipa_subdomains_handler_done(struct tevent_req *req); + +void ipa_subdomains_handler(struct be_req *be_req) +{ + struct tevent_req *req; + struct ipa_subdomains_req_ctx *ctx = NULL; + int ret; + + ctx = talloc(be_req, struct ipa_subdomains_req_ctx); + if (ctx == NULL) { + ret = ENOMEM; + goto fail; + } + + ctx->be_req = be_req; + ctx->sd_ctx = talloc_get_type( + be_req->be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data, + struct ipa_subdomains_ctx); + ctx->sd_data = talloc_get_type(be_req->req_data, + struct be_get_subdomains_req); + + ctx->search_base_iter = 0; + ctx->search_bases = ctx->sd_ctx->search_bases; + ctx->current_filter = NULL; + ctx->reply_count = 0; + ctx->reply = NULL; + + ctx->sdap_op = sdap_id_op_create(ctx, + ctx->sd_ctx->sdap_id_ctx->conn_cache); + if (ctx->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_create failed.\n")); + ret = ENOMEM; + goto fail; + } + + req = sdap_id_op_connect_send(ctx->sdap_op, ctx, &ret); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_connect_send failed: %d(%s).\n", + ret, strerror(ret))); + goto fail; + } + + tevent_req_set_callback(req, ipa_subdomains_get_conn_done, ctx); + + return; + +fail: + talloc_free(ctx); + ipa_subdomains_reply(be_req, DP_ERR_FATAL, ret); +} + +static void ipa_subdomains_get_conn_done(struct tevent_req *req) +{ + int ret; + int dp_error = DP_ERR_FATAL; + struct be_req *be_req; + struct ipa_subdomains_req_ctx *ctx = tevent_req_callback_data(req, + struct ipa_subdomains_req_ctx); + ret = sdap_id_op_connect_recv(req, &dp_error); + talloc_zfree(req); + if (ret) { + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("No IPA server is available, cannot get the " + "subdomain list while offline\n")); + +/* FIXME: return saved results ?? */ + } else { + DEBUG(SSSDBG_OP_FAILURE, + ("Failed to connect to IPA server: [%d](%s)\n", + ret, strerror(ret))); + } + + goto fail; + } + + ret = ipa_subdomains_handler_next(ctx); + if (ret != EOK && ret != EAGAIN) { + goto fail; + } + + return; + +fail: + be_req = ctx->be_req; + talloc_free(ctx); + ipa_subdomains_reply(be_req, dp_error, ret); +} + +static errno_t ipa_subdomains_handler_next(struct ipa_subdomains_req_ctx *ctx) +{ + struct tevent_req *req; + struct sdap_search_base *base; + const char *attrs[] = {"cn", + "ipaNTFlatName", + "ipaNTTrustedDomainSID", + NULL}; + + base = ctx->search_bases[ctx->search_base_iter]; + if (base == NULL) { + return EOK; + } + + talloc_free(ctx->current_filter); + ctx->current_filter = sdap_get_id_specific_filter(ctx, SUBDOMAINS_FILTER, + base->filter); + if (ctx->current_filter == NULL) { + return ENOMEM; + } + + req = sdap_get_generic_send(ctx, ctx->be_req->be_ctx->ev, + ctx->sd_ctx->sdap_id_ctx->opts, + sdap_id_op_handle(ctx->sdap_op), + base->basedn, base->scope, + ctx->current_filter, attrs, NULL, 0, + dp_opt_get_int(ctx->sd_ctx->sdap_id_ctx->opts->basic, + SDAP_SEARCH_TIMEOUT), false); + + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send failed.\n")); + return ENOMEM; + } + + tevent_req_set_callback(req, ipa_subdomains_handler_done, ctx); + + return EAGAIN; +} + +static void ipa_subdomains_handler_done(struct tevent_req *req) +{ + int ret; + struct be_req *be_req; + size_t reply_count; + struct sysdb_attrs **reply = NULL; + struct ipa_subdomains_req_ctx *ctx = tevent_req_callback_data(req, + struct ipa_subdomains_req_ctx); + + be_req = ctx->be_req; + + ret = sdap_get_generic_recv(req, ctx, &reply_count, &reply); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send request failed.\n")); + goto done; + } + + if (reply_count) { + ctx->reply = talloc_realloc(ctx, ctx->reply, struct sysdb_attrs *, + ctx->reply_count + reply_count); + if (ctx->reply == NULL) { + ret = ENOMEM; + goto done; + } + memcpy(ctx->reply+ctx->reply_count, reply, + reply_count * sizeof(struct sysdb_attrs *)); + ctx->reply_count += reply_count; + } + + ctx->search_base_iter++; + ret = ipa_subdomains_handler_next(ctx); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + goto done; + } + + ret = ipa_subdomains_parse_results(ctx->sd_data, ctx->reply_count, ctx->reply); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("ipa_subdomains_parse_results request failed.\n")); + goto done; + } + + ret = sysdb_update_subdomains(ctx->sd_ctx->sdap_id_ctx->be->sysdb, + ctx->sd_data->domain_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("sysdb_update_subdomains failed.\n")); + goto done; + } + + ret = EOK; + +done: + talloc_free(ctx); + ipa_subdomains_reply(be_req, (ret == EOK ? DP_ERR_OK : DP_ERR_FATAL), ret); +} diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h new file mode 100644 index 000000000..be62b1525 --- /dev/null +++ b/src/providers/ipa/ipa_subdomains.h @@ -0,0 +1,39 @@ +/* + SSSD + + IPA Subdomains Module + + Authors: + Sumit Bose <sbose@redhat.com> + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _IPA_SUBDOMAINS_H_ +#define _IPA_SUBDOMAINS_H_ + +#include "providers/dp_backend.h" +#include "providers/ldap/ldap_common.h" + +struct ipa_subdomains_ctx { + struct sdap_id_ctx *sdap_id_ctx; + struct sdap_search_base **search_bases; +}; + + +void ipa_subdomains_handler(struct be_req *be_req); + +#endif /* _IPA_SUBDOMAINS_H_ */ |