diff options
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_auth.c | 19 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.c | 10 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/ldap_init.c | 21 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 2 |
5 files changed, 47 insertions, 6 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index 5a85fe910..2d66b1d66 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -450,6 +450,7 @@ struct auth_state { struct sdap_auth_ctx *ctx; const char *username; struct dp_opt_blob password; + struct sdap_service *sdap_service; struct sdap_handle *sh; @@ -470,7 +471,8 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, struct tevent_context *ev, struct sdap_auth_ctx *ctx, const char *username, - struct dp_opt_blob password) + struct dp_opt_blob password, + bool try_chpass_service) { struct tevent_req *req; struct auth_state *state; @@ -490,6 +492,12 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, state->username = username; state->password = password; state->srv = NULL; + if (try_chpass_service && ctx->chpass_service != NULL && + ctx->chpass_service->name != NULL) { + state->sdap_service = ctx->chpass_service; + } else { + state->sdap_service = ctx->service; + } if (!auth_get_server(req)) goto fail; @@ -511,7 +519,7 @@ static struct tevent_req *auth_get_server(struct tevent_req *req) next_req = be_resolve_server_send(state, state->ev, state->ctx->be, - state->ctx->service->name); + state->sdap_service->name); if (!next_req) { DEBUG(1, ("be_resolve_server_send failed.\n")); return NULL; @@ -539,7 +547,7 @@ static void auth_resolve_done(struct tevent_req *subreq) } subreq = sdap_connect_send(state, state->ev, state->ctx->opts, - state->ctx->service->uri, true); + state->sdap_service->uri, true); if (!subreq) { tevent_req_error(req, ENOMEM); return; @@ -743,7 +751,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) authtok.data = (uint8_t *)state->password; authtok.length = strlen(state->password); subreq = auth_send(breq, breq->be_ctx->ev, - ctx, state->username, authtok); + ctx, state->username, authtok, true); if (!subreq) goto done; tevent_req_set_callback(subreq, sdap_auth4chpass_done, state); @@ -950,7 +958,8 @@ void sdap_pam_auth_handler(struct be_req *breq) state->password.length = pd->authtok_size; subreq = auth_send(breq, breq->be_ctx->ev, ctx, - state->username, state->password); + state->username, state->password, + pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ? true : false); if (!subreq) goto done; tevent_req_set_callback(subreq, sdap_pam_auth_done, state); diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index dc012262d..4242a7e45 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -74,7 +74,9 @@ struct dp_option default_basic_opts[] = { { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER }, { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_account_expire_policy", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING } + { "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING }, + { "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING } }; struct sdap_attr_map generic_attr_map[] = { @@ -688,6 +690,12 @@ int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, /* now for each URI add a new server to the failover service */ for (i = 0; list[i]; i++) { if (be_fo_is_srv_identifier(list[i])) { + if (!dns_service_name) { + DEBUG(0, ("Missing DNS service name for service [%s].\n", + service_name)); + ret = EINVAL; + goto done; + } srv_user_data = talloc_strdup(service, dns_service_name); if (!srv_user_data) { ret = ENOMEM; diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h index d24a9839e..f1af8fc7e 100644 --- a/src/providers/ldap/ldap_common.h +++ b/src/providers/ldap/ldap_common.h @@ -65,6 +65,7 @@ struct sdap_auth_ctx { struct sdap_options *opts; struct fo_service *fo_service; struct sdap_service *service; + struct sdap_service *chpass_service; }; void sdap_check_online(struct be_req *breq); diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c index d6407c419..58c12d081 100644 --- a/src/providers/ldap/ldap_init.c +++ b/src/providers/ldap/ldap_init.c @@ -212,6 +212,27 @@ int sssm_ldap_auth_init(struct be_ctx *bectx, goto done; } + dns_service_name = dp_opt_get_string(ctx->opts->basic, + SDAP_CHPASS_DNS_SERVICE_NAME); + if (dns_service_name) { + DEBUG(7, ("Service name for chpass discovery set to %s\n", + dns_service_name)); + } + + urls = dp_opt_get_string(ctx->opts->basic, SDAP_CHPASS_URI); + if (!urls && !dns_service_name) { + DEBUG(9, ("ldap_chpass_uri and ldap_chpass_dns_service_name not set, " + "using ldap_uri.\n")); + ctx->chpass_service = NULL; + } else { + ret = sdap_service_init(ctx, ctx->be, "LDAP_CHPASS", dns_service_name, + urls, &ctx->chpass_service); + if (ret != EOK) { + DEBUG(1, ("Failed to initialize failover service!\n")); + goto done; + } + } + ret = setup_tls_config(ctx->opts->basic); if (ret != EOK) { DEBUG(1, ("setup_tls_config failed [%d][%s].\n", diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 4d52d5b3a..5c4f4a548 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -184,6 +184,8 @@ enum sdap_basic_opt { SDAP_DEREF, SDAP_ACCOUNT_EXPIRE_POLICY, SDAP_ACCESS_ORDER, + SDAP_CHPASS_URI, + SDAP_CHPASS_DNS_SERVICE_NAME, SDAP_OPTS_BASIC /* opts counter */ }; |