Diffstat (limited to 'src/providers/ldap')
-rw-r--r--src/providers/ldap/ldap_auth.c19
-rw-r--r--src/providers/ldap/ldap_common.c10
-rw-r--r--src/providers/ldap/ldap_common.h1
-rw-r--r--src/providers/ldap/ldap_init.c21
-rw-r--r--src/providers/ldap/sdap.h2
5 files changed, 47 insertions, 6 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 5a85fe910..2d66b1d66 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -450,6 +450,7 @@ struct auth_state {
struct sdap_auth_ctx *ctx;
const char *username;
struct dp_opt_blob password;
+ struct sdap_service *sdap_service;
struct sdap_handle *sh;
@@ -470,7 +471,8 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_auth_ctx *ctx,
const char *username,
- struct dp_opt_blob password)
+ struct dp_opt_blob password,
+ bool try_chpass_service)
{
struct tevent_req *req;
struct auth_state *state;
@@ -490,6 +492,12 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
state->username = username;
state->password = password;
state->srv = NULL;
+ if (try_chpass_service && ctx->chpass_service != NULL &&
+ ctx->chpass_service->name != NULL) {
+ state->sdap_service = ctx->chpass_service;
+ } else {
+ state->sdap_service = ctx->service;
+ }
if (!auth_get_server(req)) goto fail;
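Review bot: The new `try_chpass_service` parameter has no comment explaining the selection rule, and the `else` branch falls back to `ctx->service` silently even when a chpass service exists but has no name, which hides a misconfiguration from the admin. I would document the parameter above `auth_send` with `/* try_chpass_service: bind against ctx->chpass_service (ldap_chpass_uri / ldap_chpass_dns_service_name) when one is configured, otherwise against ctx->service */` and log the fallback, e.g. `DEBUG(7, ("Using default LDAP service for chpass bind.\n"));` before `state->sdap_service = ctx->service;`. Whether `sdap_service_init` can ever leave `name` NULL is not visible here, so the `name != NULL` test may be redundant; verify against that function. The body of `auth_send` continues outside the hunk.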
@@ -511,7 +519,7 @@ static struct tevent_req *auth_get_server(struct tevent_req *req)
next_req = be_resolve_server_send(state,
state->ev,
state->ctx->be,
- state->ctx->service->name);
+ state->sdap_service->name);
if (!next_req) {
DEBUG(1, ("be_resolve_server_send failed.\n"));
return NULL;
@@ -539,7 +547,7 @@ static void auth_resolve_done(struct tevent_req *subreq)
}
subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
- state->ctx->service->uri, true);
+ state->sdap_service->uri, true);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -743,7 +751,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
authtok.data = (uint8_t *)state->password;
authtok.length = strlen(state->password);
subreq = auth_send(breq, breq->be_ctx->ev,
- ctx, state->username, authtok);
+ ctx, state->username, authtok, true);
if (!subreq) goto done;
tevent_req_set_callback(subreq, sdap_auth4chpass_done, state);
@@ -950,7 +958,8 @@ void sdap_pam_auth_handler(struct be_req *breq)
state->password.length = pd->authtok_size;
subreq = auth_send(breq, breq->be_ctx->ev, ctx,
- state->username, state->password);
+ state->username, state->password,
+ pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ? true : false);
if (!subreq) goto done;
tevent_req_set_callback(subreq, sdap_pam_auth_done, state);
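Review bot: The `? true : false` on the last `auth_send` argument is redundant since the comparison already yields a `bool`; `pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM` on its own reads more clearly. A short comment on why only the preliminary authtok step goes to the chpass service would help the next reader: `/* PRELIM authenticates the old password on the server that will later accept the change */`. The enclosing `sdap_pam_auth_handler` starts outside the hunk.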
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index dc012262d..4242a7e45 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -74,7 +74,9 @@ struct dp_option default_basic_opts[] = {
{ "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER },
{ "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_account_expire_policy", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING }
+ { "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING },
+ { "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
struct sdap_attr_map generic_attr_map[] = {
@@ -688,6 +690,12 @@ int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
/* now for each URI add a new server to the failover service */
for (i = 0; list[i]; i++) {
if (be_fo_is_srv_identifier(list[i])) {
+ if (!dns_service_name) {
+ DEBUG(0, ("Missing DNS service name for service [%s].\n",
+ service_name));
+ ret = EINVAL;
+ goto done;
+ }
srv_user_data = talloc_strdup(service, dns_service_name);
if (!srv_user_data) {
ret = ENOMEM;
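Review bot: The new EINVAL message names the failover service but not the offending URI, so with `LDAP` and `LDAP_CHPASS` both using SRV identifiers the admin cannot tell whether `ldap_dns_service_name` or `ldap_chpass_dns_service_name` is missing; I would log the entry too, `DEBUG(0, ("Missing DNS service name for service [%s], required by [%s].\n", service_name, list[i]));`. The check sits inside the per-URI loop, so servers added before the failing entry have already been registered when `goto done` runs; whether `done` tears the partial service down is outside the hunk, so verify that. `sdap_service_init` starts outside the hunk.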
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index d24a9839e..f1af8fc7e 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -65,6 +65,7 @@ struct sdap_auth_ctx {
struct sdap_options *opts;
struct fo_service *fo_service;
struct sdap_service *service;
+ struct sdap_service *chpass_service;
};
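Review bot: The new `chpass_service` member needs a comment stating that NULL is a valid, expected state, since `auth_send` branches on it; I would write `/* optional separate failover service for password changes (ldap_chpass_uri); NULL means fall back to 'service' */` above the field. The struct is otherwise undocumented, so a one-line note on `service` as the default bind target would make the pair self-explanatory.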
void sdap_check_online(struct be_req *breq);
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index d6407c419..58c12d081 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -212,6 +212,27 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
goto done;
}
+ dns_service_name = dp_opt_get_string(ctx->opts->basic,
+ SDAP_CHPASS_DNS_SERVICE_NAME);
+ if (dns_service_name) {
+ DEBUG(7, ("Service name for chpass discovery set to %s\n",
+ dns_service_name));
+ }
+
+ urls = dp_opt_get_string(ctx->opts->basic, SDAP_CHPASS_URI);
+ if (!urls && !dns_service_name) {
+ DEBUG(9, ("ldap_chpass_uri and ldap_chpass_dns_service_name not set, "
+ "using ldap_uri.\n"));
+ ctx->chpass_service = NULL;
+ } else {
+ ret = sdap_service_init(ctx, ctx->be, "LDAP_CHPASS", dns_service_name,
+ urls, &ctx->chpass_service);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to initialize failover service!\n"));
+ goto done;
+ }
+ }
+
ret = setup_tls_config(ctx->opts->basic);
if (ret != EOK) {
DEBUG(1, ("setup_tls_config failed [%d][%s].\n",
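Review bot: The failure message `"Failed to initialize failover service!\n"` is indistinguishable from the one presumably emitted for the main `LDAP` service earlier in this function, so a bad `ldap_chpass_uri` will be reported as a generic failover error; change it to `DEBUG(1, ("Failed to initialize chpass failover service!\n"));`. The chpass service is set up before `setup_tls_config` and shares `ctx->opts->basic`, so the chpass server must satisfy the same TLS/CA settings as the main server — worth a comment above the block, e.g. `/* the chpass server uses the same TLS configuration as ldap_uri */`, since the option table adds no separate TLS knobs. The variables `dns_service_name` and `urls` appear to be reused from the main-service setup above; confirm they are not read again later under their old meaning. `sssm_ldap_auth_init` starts outside the hunk.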
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 4d52d5b3a..5c4f4a548 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -184,6 +184,8 @@ enum sdap_basic_opt {
SDAP_DEREF,
SDAP_ACCOUNT_EXPIRE_POLICY,
SDAP_ACCESS_ORDER,
+ SDAP_CHPASS_URI,
+ SDAP_CHPASS_DNS_SERVICE_NAME,
SDAP_OPTS_BASIC /* opts counter */
};