From af5a58fc3811af8521721f731d8234d983042cea Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Fri, 3 Feb 2012 22:29:47 +0100
Subject: LDAP: Add support for SSH user public keys
---
 src/config/SSSDConfig.py | 1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
 src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
 src/db/sysdb.h | 2 ++
 src/man/Makefile.am | 5 ++++-
 src/man/sssd-ldap.5.xml | 10 ++++++++++
 src/providers/ipa/ipa_common.c | 3 ++-
 src/providers/ldap/ldap_common.c | 6 ++++--
 src/providers/ldap/sdap.c | 20 ++++++++++++++++++--
 src/providers/ldap/sdap.h | 1 +
 10 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 00ce5b79d..71769f577 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -221,6 +221,7 @@ option_strings = {
 'ldap_user_nds_login_disabled' : _('loginDisabled attribute of NDS'),
 'ldap_user_nds_login_expiration_time' : _('loginExpirationTime attribute of NDS'),
 'ldap_user_nds_login_allowed_time_map' : _('loginAllowedTimeMap attribute of NDS'),
+ 'ldap_user_ssh_public_key' : _('SSH public key attribute'),
 'ldap_group_search_base' : _('Base DN for group lookups'),
 # not used
 # 'ldap_group_search_scope' : _('Scope of group lookups'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index fae996312..00a71ab4e 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -74,6 +74,7 @@ ldap_user_shadow_flag = str, None, false
 ldap_user_krb_last_pwd_change = str, None, false
 ldap_user_krb_password_expiration = str, None, false
 ldap_pwd_attribute = str, None, false
+ldap_user_ssh_public_key = str, None, false
 ldap_group_search_base = str, None, false
 ldap_group_search_scope = str, None, false
 ldap_group_search_filter = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 57f7688c6..4fa7ed0ba 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -75,6 +75,7 @@ ldap_ns_account_lock = str, None, false
 ldap_user_nds_login_disabled = str, None, false
 ldap_user_nds_login_expiration_time = str, None, false
 ldap_user_nds_login_allowed_time_map = str, None, false
+ldap_user_ssh_public_key = str, None, false
 ldap_group_search_base = str, None, false
 ldap_group_search_scope = str, None, false
 ldap_group_search_filter = str, None, false
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index a74c9d431..e9a89606b 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -114,6 +114,8 @@
 #define SYSDB_USN "entryUSN"
 #define SYSDB_HIGH_USN "highestUSN"
+#define SYSDB_SSH_PUBKEY "sshPublicKey"
+
 #define SYSDB_NEXTID_FILTER "("SYSDB_NEXTID"=*)"
 #define SYSDB_UC "objectclass="SYSDB_USER_CLASS
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index f0faf6900..31b5652fd 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -15,7 +15,10 @@ endif
 if BUILD_AUTOFS
 AUTOFS_CONDS = ;with_autofs
 endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)
+if BUILD_SSH
+SSH_CONDS = ;with_ssh
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)
 #Special Rules:
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index a145e388f..8e1f35e41 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -578,6 +578,16 @@ + + ldap_user_ssh_public_key (string) + + + The LDAP attribute that contains the user's SSH + public keys. + + + + ldap_force_upper_case_realm (boolean)
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 615cdcaa1..2f987c205 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -152,7 +152,8 @@ struct sdap_attr_map ipa_user_map[] = {
 { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
 { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
 { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
- { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+ { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+ { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }
 };
 struct sdap_attr_map ipa_group_map[] = {
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index ce8848384..c92eb282a 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -151,7 +151,8 @@ struct sdap_attr_map rfc2307_user_map[] = {
 { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
 { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
 { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
- { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+ { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+ { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL }
 };
 struct sdap_attr_map rfc2307_group_map[] = {
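Review bot: The new rfc2307_user_map entry in the second hunk here leaves the LDAP attribute NULL, while the ipa_user_map entry in the first hunk defaults to `ipaSshPubKey`, so on a plain LDAP domain no key attribute is requested until an administrator sets ldap_user_ssh_public_key, and the man page text added by this commit does not say so. I would add a default line to that varlistentry, e.g. `Default: not set (ipaSshPubKey with the IPA provider)`, so admins do not assume keys are fetched out of the box. Whether a NULL def_name simply drops the attribute from the search is not visible in this diff; if it does, the unset default is the right conservative choice, because whichever attribute is configured here becomes a source of login credentials and should be chosen deliberately.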
@@ -198,7 +199,8 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
 { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
 { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
 { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
- { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+ { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+ { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL }
 };
 struct sdap_attr_map rfc2307bis_group_map[] = {
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 1f97f554d..3ac19498a 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -20,6 +20,7 @@
 */
 #include "util/util.h"
+#include "util/crypto/sss_crypto.h"
 #include "confdb/confdb.h"
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap.h"
@@ -101,6 +102,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
 int a, i, ret;
 const char *name;
 bool store;
+ bool base64;
 lerrno = 0;
 ret = ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
@@ -171,6 +173,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
 }
 }
 while (str) {
+ base64 = false;
 if (map) {
 for (a = 1; a < attrs_num; a++) {
 /* check if this attr is valid with the chosen schema */
@@ -182,6 +185,9 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
 if (a < attrs_num) {
 store = true;
 name = map[a].sys_name;
+ if (strcmp(name, SYSDB_SSH_PUBKEY) == 0) {
+ base64 = true;
+ }
 } else {
 store = false;
 name = NULL;
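Review bot: The `strcmp(name, SYSDB_SSH_PUBKEY)` added in the last sdap.c hunk here singles out one attribute for re-encoding inside the generic attribute loop with nothing saying why, and the compare now runs for every mapped attribute of every parsed entry. A one-line why-comment above it would spare the next reader a trip to the consumer, e.g. `/* SSH keys may arrive as raw binary (ipaSshPubKey); flag them so they are stored base64-encoded */` — the reason is inferred from the IPA mapping in this commit, so confirm it before committing the wording. The compare also assumes every map entry carries a non-NULL sys_name, which this hunk does not show; if any map can hold a NULL sys_name the strcmp would dereference it and needs a guard. sdap_parse_entry begins and ends outside this hunk.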
@@ -217,8 +223,18 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
 goto fail;
 }
 for (i = 0; vals[i]; i++) {
- v.data = (uint8_t *)vals[i]->bv_val;
- v.length = vals[i]->bv_len;
+ if (base64) {
+ v.data = (uint8_t *)sss_base64_encode(attrs,
+ (uint8_t *)vals[i]->bv_val, vals[i]->bv_len);
+ if (!v.data) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ v.length = strlen((const char *)v.data);
+ } else {
+ v.data = (uint8_t *)vals[i]->bv_val;
+ v.length = vals[i]->bv_len;
+ }
 ret = sysdb_attrs_add_val(attrs, name, &v);
 if (ret) goto fail;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 2a63ea830..5d4238466 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -256,6 +256,7 @@ enum sdap_user_attrs {
 SDAP_AT_NDS_LOGIN_DISABLED,
 SDAP_AT_NDS_LOGIN_EXPIRATION_TIME,
 SDAP_AT_NDS_LOGIN_ALLOWED_TIME_MAP,
+ SDAP_AT_USER_SSH_PUBLIC_KEY,
 SDAP_OPTS_USER /* attrs counter */
 };
-- cgit
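Review bot: In the base64 branch of the first hunk here, the encoded string is allocated on `attrs` and kept alive after `sysdb_attrs_add_val`; if that helper copies the value (its body is not in the diff), every key leaves an extra encoded copy attached to `attrs` until the whole entry is freed, which adds up for users with many keys. If it does copy, `if (base64) talloc_free(v.data);` placed right after the add and before the existing `if (ret) goto fail;` releases it; if it instead steals or references the buffer, a comment saying so would stop someone adding that free later. Note also that base64 encoding only makes the untrusted LDAP value safe to store as a string — it does not check that the value is an SSH public key — so whatever later turns this attribute into authorized_keys lines must still parse and reject malformed values rather than trust the store. The enclosing for loop and sdap_parse_entry continue outside this hunk.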