From 4f3fd1fb264a7eaf3a9d062d49e071b0d17e4deb Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Sat, 21 Apr 2012 09:31:36 -0400
Subject: LDAP: Allow setting a default domain for id-mapping slice 0

---
 src/config/SSSDConfig.py | 2 ++
 src/config/etc/sssd.api.d/sssd-ipa.conf | 2 ++
 src/config/etc/sssd.api.d/sssd-ldap.conf | 2 ++
 src/providers/ipa/ipa_opts.h | 2 ++
 src/providers/ldap/ldap_opts.h | 2 ++
 src/providers/ldap/sdap.h | 2 ++
 src/providers/ldap/sdap_idmap.c | 36 ++++++++++++++++++++++++++++++++
 7 files changed, 48 insertions(+)

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index bdbb90214..b9c484fe5 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -265,6 +265,8 @@ option_strings = {
 'ldap_idmap_range_max' : _('Upper bound for ID-mapping'),
 'ldap_idmap_range_size' : _('Number of IDs for each slice when ID-mapping'),
 'ldap_idmap_autorid_compat' : _('Use autorid-compatible algorithm for ID-mapping'),
+ 'ldap_idmap_default_domain' : _('Name of the default domain for ID-mapping'),
+ 'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
 # [provider/ldap/auth]
 'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 0447d0c45..ac375075b 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -114,6 +114,8 @@ ldap_idmap_range_min = int, None, false
 ldap_idmap_range_max = int, None, false
 ldap_idmap_range_size = int, None, false
 ldap_idmap_autorid_compat = bool, None, false
+ldap_idmap_default_domain = str, None, false
+ldap_idmap_default_domain_sid = str, None, false
 [provider/ipa/auth]
 krb5_ccachedir = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 1ea1c948b..2768366b3 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -108,6 +108,8 @@ ldap_idmap_range_min = int, None, false
 ldap_idmap_range_max = int, None, false
 ldap_idmap_range_size = int, None, false
 ldap_idmap_autorid_compat = bool, None, false
+ldap_idmap_default_domain = str, None, false
+ldap_idmap_default_domain_sid = str, None, false
 [provider/ldap/auth]
 ldap_pwd_policy = str, None, false
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index ee9ff15f3..1fe78183e 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -118,6 +118,8 @@ struct dp_option ipa_def_ldap_opts[] = {
 { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000100000LL }, NULL_NUMBER },
 { "ldap_idmap_range_size", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
 { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 8b8ea25c6..646c54ecb 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -100,6 +100,8 @@ struct dp_option default_basic_opts[] = {
 { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000100000LL }, NULL_NUMBER },
 { "ldap_idmap_range_size", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
 { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 7c55ad5a0..2de4a5cb9 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -215,6 +215,8 @@ enum sdap_basic_opt {
 SDAP_IDMAP_UPPER,
 SDAP_IDMAP_RANGESIZE,
 SDAP_IDMAP_AUTORID_COMPAT,
+ SDAP_IDMAP_DEFAULT_DOMAIN,
+ SDAP_IDMAP_DEFAULT_DOMAIN_SID,
 SDAP_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 24e7ef371..02e3d0eac 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -129,6 +129,42 @@ sdap_idmap_init(TALLOC_CTX *mem_ctx,
 goto done;
 }
 }
+ } else {
+ /* This is the first time we're setting up id-mapping
+ * Store the default domain as slice 0
+ */
+ dom_name = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN);
+ if (!dom_name) {
+ /* If it's not explicitly specified, use the SSSD domain name */
+ dom_name = idmap_ctx->id_ctx->be->domain->name;
+ ret = dp_opt_set_string(idmap_ctx->id_ctx->opts->basic,
+ SDAP_IDMAP_DEFAULT_DOMAIN,
+ dom_name);
+ if (ret != EOK) goto done;
+ }
+
+ sid_str = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN_SID);
+ if (sid_str) {
+ /* Set the default domain as slice 0 */
+ ret = sdap_idmap_add_domain(idmap_ctx, dom_name,
+ sid_str, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Could not add domain [%s][%s][%u] to ID map: [%s]\n",
+ dom_name, sid_str, 0, strerror(ret)));
+ goto done;
+ }
+ } else {
+ if (dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_AUTORID_COMPAT)) {
+ /* In autorid compatibility mode, we MUST have a slice 0 */
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Autorid compatibility mode selected, but %s is not set\n",
+ idmap_ctx->id_ctx->opts->basic[SDAP_IDMAP_DEFAULT_DOMAIN_SID].opt_name));
+ ret = EINVAL;
+ goto done;
+ }
+ /* Otherwise, we'll just fall back to hash values as they are seen */
+ }
 }
 *_idmap_ctx = talloc_steal(mem_ctx, idmap_ctx);
-- cgit
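Review bot: The `if (ret != EOK) goto done;` after `dp_opt_set_string()` in the sdap_idmap.c hunk is the only failure path in the new block that exits without a diagnostic, and the only unbraced one; the two sibling paths log via DEBUG before `goto done`, so it should match: `if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("Could not store default domain name [%s]: [%s]\n", dom_name, strerror(ret))); goto done; }`. The administrator-supplied `ldap_idmap_default_domain_sid` string is handed to `sdap_idmap_add_domain()` as the key for slice 0 with no syntax check visible here; whether that function rejects a malformed SID is outside the hunk, and if it does not, a typo would reserve slice 0 for a domain that never matches, so either an explicit check or a comment naming where validation happens would help. The slice number `0` is repeated in the call and in the log arguments; a named constant would keep the two from drifting apart. `sdap_idmap_init()` begins and ends outside this hunk, and `dom_name`/`sid_str` are declared there.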