diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2017-03-22 12:53:17 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-03-30 14:09:02 +0200 |
commit | 6324eaf1fb321c41ca9883966118df6d45259b7e (patch) | |
tree | a6f7ec1250cb69a187824ecd7600e01507659343 | |
parent | 82843754193b177275ce16f2901edac2060a3998 (diff) | |
download | sssd-6324eaf1fb321c41ca9883966118df6d45259b7e.tar.gz sssd-6324eaf1fb321c41ca9883966118df6d45259b7e.tar.xz sssd-6324eaf1fb321c41ca9883966118df6d45259b7e.zip |
CONFDB: Introduce SSSD domain type to distinguish POSIX and application domains
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new option that allows to distinguish domains that do contain
POSIX users and groups and those that don't. The POSIX domains are the
default. The non-POSIX domains are selected by selecting an
"application" type domain.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r-- | src/confdb/confdb.c | 18 | ||||
-rw-r--r-- | src/confdb/confdb.h | 15 | ||||
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
-rwxr-xr-x | src/config/SSSDConfigTest.py | 2 | ||||
-rw-r--r-- | src/config/cfg_rules.ini | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 1 | ||||
-rw-r--r-- | src/man/sssd.conf.5.xml | 33 | ||||
-rw-r--r-- | src/util/domain_info_utils.c | 14 | ||||
-rw-r--r-- | src/util/util.h | 1 |
9 files changed, 85 insertions, 1 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index d82fd98ee..70a1eb7b2 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1367,6 +1367,22 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } + domain->type = DOM_TYPE_POSIX; + tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_DOMAIN_TYPE, + CONFDB_DOMAIN_TYPE_POSIX); + if (tmp != NULL) { + if (strcasecmp(tmp, CONFDB_DOMAIN_TYPE_POSIX) == 0) { + domain->type = DOM_TYPE_POSIX; + } else if (strcasecmp(tmp, CONFDB_DOMAIN_TYPE_APP) == 0) { + domain->type = DOM_TYPE_APPLICATION; + } else { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid value %s for [%s]\n", tmp, CONFDB_DOMAIN_TYPE); + goto done; + } + } + ret = get_entry_as_uint32(res->msgs[0], &domain->subdomain_refresh_interval, CONFDB_DOMAIN_SUBDOMAIN_REFRESH, 14400); if (ret != EOK || domain->subdomain_refresh_interval == 0) { @@ -1444,7 +1460,7 @@ int confdb_get_domains(struct confdb_ctx *cdb, if (ret) { DEBUG(SSSDBG_FATAL_FAILURE, "Error (%d [%s]) retrieving domain [%s], skipping!\n", - ret, sss_strerror(ret), domlist[i]); + ret, sss_strerror(ret), domlist[i]); continue; } diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 56a603652..a4046610f 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -209,6 +209,9 @@ #define CONFDB_DOMAIN_OFFLINE_TIMEOUT "offline_timeout" #define CONFDB_DOMAIN_SUBDOMAIN_INHERIT "subdomain_inherit" #define CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT "cached_auth_timeout" +#define CONFDB_DOMAIN_TYPE "domain_type" +#define CONFDB_DOMAIN_TYPE_POSIX "posix" +#define CONFDB_DOMAIN_TYPE_APP "application" /* Local Provider */ #define CONFDB_LOCAL_DEFAULT_SHELL "default_shell" @@ -261,11 +264,23 @@ enum sss_domain_state { DOM_INCONSISTENT, }; +/** Whether the domain only supports looking up POSIX entries */ +enum sss_domain_type { + /** This is the default domain type. It resolves only entries + * with the full POSIX set of attributes + */ + DOM_TYPE_POSIX, + /** In this mode, entries are typically resolved only by name */ + DOM_TYPE_APPLICATION, +}; + /** * Data structure storing all of the basic features * of a domain. */ struct sss_domain_info { + enum sss_domain_type type; + char *name; char *conn_name; char *provider; diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 0edc3ea84..070994bcd 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -148,6 +148,7 @@ option_strings = { 'selinux_provider' : _('SELinux provider'), # [domain] + 'domain_type' : _('Whether the domain is usable by the OS or by applications'), 'min_id' : _('Minimum user ID'), 'max_id' : _('Maximum user ID'), 'enumerate' : _('Enable enumerating all users/groups'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6899bf8ae..9b3175962 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -510,6 +510,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): 'debug', 'debug_level', 'debug_timestamps', + 'domain_type', 'min_id', 'max_id', 'timeout', @@ -878,6 +879,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): 'debug', 'debug_level', 'debug_timestamps', + 'domain_type', 'min_id', 'max_id', 'timeout', diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 41efcea55..3c857236e 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -311,6 +311,7 @@ option = subdomains_provider option = selinux_provider # Options available to all domains +option = domain_type option = min_id option = max_id option = timeout diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 6965028e1..a38b24208 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -129,6 +129,7 @@ selinux_provider = str, None, false [domain] # Options available to all domains description = str, None, false +domain_type = str, None, false debug = int, None, false debug_level = int, None, false debug_timestamps = bool, None, false diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 4fe13b85d..9abcff84a 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1512,6 +1512,39 @@ pam_account_locked_message = Account locked, please contact help desk. <quote>[domain/<replaceable>NAME</replaceable>]</quote> <variablelist> <varlistentry> + <term>domain_type (string)</term> + <listitem> + <para> + Specifies whether the domain is meant to be used + by POSIX-aware clients such as the Name Service Switch + or by applications that do not need POSIX data to be + present or generated. Only objects from POSIX domains + are available to the operating system interfaces and + utilities. + </para> + <para> + Allowed values for this option are <quote>posix</quote> + and <quote>application</quote>. + </para> + <para> + POSIX domains are reachable by all services. Application + domains are only reachable from the InfoPipe responder (see + <citerefentry> + <refentrytitle>sssd-ifp</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>) and the PAM responder. + </para> + <para> + NOTE: The application domains are currently well tested with + <quote>id_provider=ldap</quote> only. + </para> + <para> + Default: posix + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>min_id,max_id (integer)</term> <listitem> <para> diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index a7f118842..2af7852f0 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -885,3 +885,17 @@ char *subdomain_create_conf_path(TALLOC_CTX *mem_ctx, subdomain->parent->name, subdomain->name); } + +const char *sss_domain_type_str(struct sss_domain_info *dom) +{ + if (dom == NULL) { + return "BUG: Invalid domain"; + } + switch (dom->type) { + case DOM_TYPE_POSIX: + return "POSIX"; + case DOM_TYPE_APPLICATION: + return "Application"; + } + return "Unknown"; +} diff --git a/src/util/util.h b/src/util/util.h index 2170c5fb7..436550f50 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -539,6 +539,7 @@ enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom); void sss_domain_set_state(struct sss_domain_info *dom, enum sss_domain_state state); bool is_email_from_domain(const char *email, struct sss_domain_info *dom); +const char *sss_domain_type_str(struct sss_domain_info *dom); struct sss_domain_info* sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain, |