diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2017-02-21 16:34:45 +0100 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-02-27 19:14:15 +0100 |
commit | 78bb3676fe8326e0fe2b60daad8bf524e4625d4e (patch) | |
tree | 180f873e99228f72b5cfdfbb58cf7b5e1ab240ee /src/confdb | |
parent | eed5bc53a0c823276523d32e76bc1c264db3837e (diff) | |
download | sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.tar.gz sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.tar.xz sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.zip |
MONITOR: Enable an implicit files domain if one is not configured
If SSSD is compiled with --enable-files-domain, the loading of the
domains changes such that:
* if no domain with id_provider=files exists in the config file, an
implicit SSSD files domain is added
* this domain is always first in the list
The administrator is free to create a files domain in the config file
himself and either place it at the end of the list or not enable it at
all.
Resolves:
https://pagure.io/SSSD/sssd/issue/3112
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/confdb')
-rw-r--r-- | src/confdb/confdb.c | 182 | ||||
-rw-r--r-- | src/confdb/confdb.h | 4 |
2 files changed, 186 insertions, 0 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index c7afd683d..d82fd98ee 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1643,3 +1643,185 @@ done: talloc_free(tmp_ctx); return ret; } + +#ifdef ADD_FILES_DOMAIN +static int confdb_has_files_domain(struct confdb_ctx *cdb) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct ldb_dn *dn = NULL; + struct ldb_result *res = NULL; + static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL }; + const char *id_provider = NULL; + int ret; + unsigned int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN); + if (dn == NULL) { + ret = ENOMEM; + goto done; + } + + ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL, + attrs, NULL); + if (ret != LDB_SUCCESS) { + ret = EIO; + goto done; + } + + for (i = 0; i < res->count; i++) { + id_provider = ldb_msg_find_attr_as_string(res->msgs[i], + CONFDB_DOMAIN_ID_PROVIDER, + NULL); + if (id_provider == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "The object [%s] doesn't have a id_provider\n", + ldb_dn_get_linearized(res->msgs[i]->dn)); + ret = EINVAL; + goto done; + } + + if (strcasecmp(id_provider, "files") == 0) { + break; + } + } + + ret = i < res->count ? EOK : ENOENT; +done: + talloc_free(tmp_ctx); + return ret; +} + +static int create_files_domain(struct confdb_ctx *cdb, + const char *name) +{ + TALLOC_CTX *tmp_ctx = NULL; + errno_t ret; + char *cdb_path = NULL; + const char *val[2] = { NULL, NULL }; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name); + if (cdb_path == NULL) { + ret = ENOMEM; + goto done; + } + + val[0] = "files"; + ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static int activate_files_domain(struct confdb_ctx *cdb, + const char *name) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + char *monitor_domlist; + const char *domlist[2] = { NULL, NULL }; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = confdb_get_string(cdb, tmp_ctx, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_ACTIVE_DOMAINS, + NULL, + &monitor_domlist); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n"); + goto done; + } + + if (monitor_domlist != NULL) { + domlist[0] = talloc_asprintf(tmp_ctx, "%s,%s", name, monitor_domlist); + if (domlist[0] == NULL) { + ret = ENOMEM; + goto done; + } + } else { + domlist[0] = name; + } + + ret = confdb_add_param(cdb, true, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_ACTIVE_DOMAINS, + domlist); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot extend the domain list [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} +#endif /* ADD_FILES_DOMAIN */ + +int confdb_ensure_files_domain(struct confdb_ctx *cdb, + const char *implicit_files_dom_name) +{ +#ifndef ADD_FILES_DOMAIN + return EOK; +#else + errno_t ret; + bool enable_files; + + ret = confdb_get_bool(cdb, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_ENABLE_FILES_DOM, + true, &enable_files); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot get the value of %s assuming true\n", + CONFDB_MONITOR_ENABLE_FILES_DOM); + return ret; + } + + if (enable_files == false) { + DEBUG(SSSDBG_CONF_SETTINGS, "The implicit files domain is disabled\n"); + return EOK; + } + + ret = confdb_has_files_domain(cdb); + if (ret == EOK) { + DEBUG(SSSDBG_CONF_SETTINGS, "The files domain is already enabled\n"); + return EOK; + } else if (ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up the files domain\n"); + return ret; + } + + /* ENOENT, so let's add a files domain */ + ret = create_files_domain(cdb, implicit_files_dom_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add an implicit files domain\n"); + return ret; + } + + return activate_files_domain(cdb, implicit_files_dom_name); +#endif /* ADD_FILES_DOMAIN */ +} diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 353dfd0a9..89b89bf0d 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -73,6 +73,7 @@ #define CONFDB_MONITOR_USER_RUNAS "user" #define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification" #define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink" +#define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain" /* Both monitor and domains */ #define CONFDB_NAME_REGEX "re_expression" @@ -373,6 +374,9 @@ int confdb_get_domain(struct confdb_ctx *cdb, int confdb_get_domains(struct confdb_ctx *cdb, struct sss_domain_info **domains); +int confdb_ensure_files_domain(struct confdb_ctx *cdb, + const char *implicit_files_dom_name); + /** * Get a null-terminated linked-list of all domain names * @param[in] mem_ctx The parent memory context for the value list |