SUBDOMAINS: Configurable search bases

Added new trusted domain section in the sssd.conf were the search bases for the trusted domain can be specified. Resolves: https://pagure.io/SSSD/sssd/issue/2599 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
author: Michal Židek <mzidek@redhat.com> 2017-03-02 02:47:11 +0100
committer: Jakub Hrozek <jhrozek@redhat.com> 2017-03-15 16:28:53 +0100
commit: 231bd1b34023daa3080cf461085e6e4aa7f4d733 (patch)
tree: 433d578274bfcf2da271939a08eb2140130a54c7 /src/providers/ipa/ipa_subdomains_server.c
parent: ebe05e32b5af9b1ee404ebe492e52096d45fb675 (diff)
download: sssd-231bd1b34023daa3080cf461085e6e4aa7f4d733.tar.gz
sssd-231bd1b34023daa3080cf461085e6e4aa7f4d733.tar.xz
sssd-231bd1b34023daa3080cf461085e6e4aa7f4d733.zip
1 files changed, 30 insertions, 7 deletions
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index ddd66bf4f..cb270f50d 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -129,6 +129,8 @@ const char *ipa_trust_dir2str(uint32_t direction)
 
 static struct ad_options *
 ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
+                          struct be_ctx *be_ctx,
+                          const char *subdom_conf_path,
                           const char *forest,
                           const char *forest_realm,
                           struct sss_domain_info *subdom)
@@ -136,9 +138,7 @@ ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
     char *keytab;
     char *principal;
     struct ad_options *ad_options;
-    const char *ad_domain;
 
-    ad_domain = subdom->name;
     keytab = forest_keytab(id_ctx, forest);
     principal = subdomain_trust_princ(id_ctx, forest_realm, subdom);
     if (keytab == NULL || principal == NULL) {
@@ -146,7 +146,9 @@ ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
     }
 
     ad_options = ad_create_1way_trust_options(id_ctx,
-                                              ad_domain,
+                                              be_ctx->cdb,
+                                              subdom_conf_path,
+                                              subdom,
                                               id_ctx->server_mode->hostname,
                                               keytab,
                                               principal);
@@ -159,32 +161,46 @@ ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
     return ad_options;
 }
 
-static struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx,
+static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx,
+                                             struct ipa_id_ctx *id_ctx,
                                              struct sss_domain_info *subdom)
 {
     struct ad_options *ad_options = NULL;
     uint32_t direction;
     const char *forest;
     const char *forest_realm;
+    char *subdom_conf_path;
 
     /* Trusts are only established with forest roots */
     direction = subdom->forest_root->trust_direction;
     forest_realm = subdom->forest_root->realm;
     forest = subdom->forest_root->forest;
 
+    subdom_conf_path = create_subdom_conf_path(id_ctx,
+                                               be_ctx->conf_path,
+                                               subdom->name);
+    if (subdom_conf_path == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "subdom_conf_path failed\n");
+        return NULL;
+    }
+
     if (direction & LSA_TRUST_DIRECTION_OUTBOUND) {
         ad_options = ad_create_2way_trust_options(id_ctx,
+                                                  be_ctx->cdb,
+                                                  subdom_conf_path,
                                                   id_ctx->server_mode->realm,
-                                                  subdom->name,
+                                                  subdom,
                                                   id_ctx->server_mode->hostname,
                                                   NULL);
     } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
-        ad_options = ipa_create_1way_trust_ctx(id_ctx, forest,
+        ad_options = ipa_create_1way_trust_ctx(id_ctx, be_ctx,
+                                               subdom_conf_path, forest,
                                                forest_realm, subdom);
     } else {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n");
         ad_options = NULL;
     }
+    talloc_free(subdom_conf_path);
 
     if (ad_options == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
@@ -214,7 +230,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
     ad_domain = subdom->name;
     DEBUG(SSSDBG_TRACE_LIBS, "Setting up AD subdomain %s\n", subdom->name);
 
-    ad_options = ipa_ad_options_new(id_ctx, subdom);
+    ad_options = ipa_ad_options_new(be_ctx, id_ctx, subdom);
     if (ad_options == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
         talloc_free(ad_options);
@@ -313,6 +329,13 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
         return EFAULT;
     }
 
+    ret = ad_set_search_bases(ad_options->id);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD search bases\n");
+        talloc_free(ad_options);
+        return ret;
+    }
+
     sdap_inherit_options(subdom->parent->sd_inherit,
                          id_ctx->sdap_id_ctx->opts,
                          ad_id_ctx->sdap_id_ctx->opts);
author	Michal Židek <mzidek@redhat.com>	2017-03-02 02:47:11 +0100
committer	Jakub Hrozek <jhrozek@redhat.com>	2017-03-15 16:28:53 +0100
commit	231bd1b34023daa3080cf461085e6e4aa7f4d733 (patch)
tree	433d578274bfcf2da271939a08eb2140130a54c7 /src/providers/ipa/ipa_subdomains_server.c
parent	ebe05e32b5af9b1ee404ebe492e52096d45fb675 (diff)
download	sssd-231bd1b34023daa3080cf461085e6e4aa7f4d733.tar.gz sssd-231bd1b34023daa3080cf461085e6e4aa7f4d733.tar.xz sssd-231bd1b34023daa3080cf461085e6e4aa7f4d733.zip