summaryrefslogtreecommitdiffstats
path: root/server/providers/ipa
diff options
context:
space:
mode:
Diffstat (limited to 'server/providers/ipa')
-rw-r--r--server/providers/ipa/ipa_common.c79
-rw-r--r--server/providers/ipa/ipa_common.h7
-rw-r--r--server/providers/ipa/ipa_init.c157
3 files changed, 133 insertions, 110 deletions
diff --git a/server/providers/ipa/ipa_common.c b/server/providers/ipa/ipa_common.c
index 799ac2f9..6dba10c8 100644
--- a/server/providers/ipa/ipa_common.c
+++ b/server/providers/ipa/ipa_common.c
@@ -104,6 +104,15 @@ struct sdap_id_map ipa_group_map[] = {
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
};
+struct dp_option ipa_def_krb5_opts[] = {
+ { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
+ { "krb5_ccname_tmpl", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
+ { "krb5_changepw_princ", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING },
+ { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
+};
+
int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn)
{
const char *s;
@@ -317,3 +326,73 @@ done:
return ret;
}
+/* the following preprocessor code is used to keep track of
+ * the options in the krb5 module, so that if they change and ipa
+ * is not updated correspondingly this will trigger a build error */
+#if KRB5_OPTS > 6
+#error There are krb5 options not accounted for
+#endif
+
+int ipa_get_auth_options(TALLOC_CTX *memctx,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct ipa_options *ipa_opts,
+ struct dp_option **_opts)
+{
+ int ret;
+ int i;
+ TALLOC_CTX *tmpctx;
+ struct dp_option *opts;
+ char *value;
+
+ tmpctx = talloc_new(memctx);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ opts = talloc_zero(memctx, struct dp_option);
+ if (opts == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = dp_copy_options(ipa_opts, ipa_def_krb5_opts,
+ KRB5_OPTS, &opts);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ value = dp_opt_get_string(ipa_opts->basic, IPA_SERVER);
+ if (!value) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = dp_opt_set_string(opts, KRB5_KDC, value);
+ if (ret != EOK) {
+ goto done;
+ }
+
+
+ value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
+ if (!value) {
+ ret = ENOMEM;
+ goto done;
+ }
+ for (i = 0; value[i]; i++) {
+ value[i] = toupper(value[i]);
+ }
+ ret = dp_opt_set_string(opts, KRB5_REALM, value);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ *_opts = opts;
+ ret = EOK;
+
+done:
+ talloc_zfree(tmpctx);
+ if (ret != EOK) {
+ talloc_zfree(opts);
+ }
+ return ret;
+}
diff --git a/server/providers/ipa/ipa_common.h b/server/providers/ipa/ipa_common.h
index 80f5294a..f7d3ab8c 100644
--- a/server/providers/ipa/ipa_common.h
+++ b/server/providers/ipa/ipa_common.h
@@ -25,6 +25,7 @@
#include "util/util.h"
#include "confdb/confdb.h"
#include "providers/ldap/ldap_common.h"
+#include "providers/krb5/krb5_common.h"
enum ipa_basic_opt {
IPA_DOMAIN = 0,
@@ -58,4 +59,10 @@ int ipa_get_id_options(TALLOC_CTX *memctx,
struct ipa_options *ipa_opts,
struct sdap_options **_opts);
+int ipa_get_auth_options(TALLOC_CTX *memctx,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct ipa_options *ipa_opts,
+ struct dp_option **_opts);
+
#endif /* _IPA_COMMON_H_ */
diff --git a/server/providers/ipa/ipa_init.c b/server/providers/ipa/ipa_init.c
index 9cdcf4b0..0c2eb2a7 100644
--- a/server/providers/ipa/ipa_init.c
+++ b/server/providers/ipa/ipa_init.c
@@ -25,6 +25,8 @@
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
+#include <fcntl.h>
+
#include "providers/ipa/ipa_common.h"
#include "providers/krb5/krb5_auth.h"
@@ -100,141 +102,76 @@ done:
int sssm_ipa_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
- void **pvt_auth_data)
+ void **pvt_data)
{
struct krb5_ctx *ctx = NULL;
- struct tevent_signal *sige;
- struct stat stat_buf;
- char *value = NULL;
- int int_value;
int ret;
+ struct tevent_signal *sige;
+ unsigned v;
+ FILE *debug_filep;
+
+ if (!ipa_options) {
+ ipa_get_options(bectx, bectx->cdb,
+ bectx->conf_path,
+ bectx->domain, &ipa_options);
+ }
+ if (!ipa_options) {
+ return ENOMEM;
+ }
ctx = talloc_zero(bectx, struct krb5_ctx);
if (!ctx) {
- DEBUG(1, ("talloc failed.\n"));
return ENOMEM;
}
- ctx->action = INIT_PW;
-
- ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
- CONFDB_KRB5_KDCIP, NULL, &value);
+ ret = ipa_get_auth_options(ctx, bectx->cdb,
+ bectx->conf_path,
+ ipa_options, &ctx->opts);
if (ret != EOK) {
- goto fail;
+ goto done;
}
- if (value == NULL) {
- DEBUG(2, ("Missing krb5KDCIP, authentication might fail.\n"));
- } else {
- ret = setenv(SSSD_KRB5_KDC, value, 1);
- if (ret != EOK) {
- DEBUG(2, ("setenv %s failed, authentication might fail.\n",
- SSSD_KRB5_KDC));
- }
+ ret = check_and_export_options(ctx->opts, bectx->domain);
+ if (ret != EOK) {
+ DEBUG(1, ("check_and_export_opts failed.\n"));
+ goto done;
}
- ctx->kdcip = value;
- ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
- CONFDB_KRB5_REALM, NULL, &value);
- if (ret != EOK) {
- goto fail;
+ sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO,
+ krb5_child_sig_handler, NULL);
+ if (sige == NULL) {
+ DEBUG(1, ("tevent_add_signal failed.\n"));
+ ret = ENOMEM;
+ goto done;
}
- if (value == NULL) {
- DEBUG(4, ("Missing krb5REALM authentication might fail.\n"));
- } else {
- ret = setenv(SSSD_KRB5_REALM, value, 1);
+ if (debug_to_file != 0) {
+ ret = open_debug_file_ex("krb5_child", &debug_filep);
if (ret != EOK) {
- DEBUG(2, ("setenv %s failed, authentication might fail.\n",
- SSSD_KRB5_REALM));
+ DEBUG(0, ("Error setting up logging (%d) [%s]\n",
+ ret, strerror(ret)));
+ goto done;
}
- }
- ctx->realm = value;
- ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
- CONFDB_KRB5_CCACHEDIR, "/tmp", &value);
- if (ret != EOK) {
- goto fail;
- }
-
- ret = lstat(value, &stat_buf);
- if (ret != EOK) {
- DEBUG(1, ("lstat for [%s] failed: [%d][%s].\n",
- value, errno, strerror(errno)));
- goto fail;
- }
- if (!S_ISDIR(stat_buf.st_mode)) {
- DEBUG(1, ("Value of krb5ccache_dir [%s] is not a directory.\n",
- value));
- goto fail;
- }
- ctx->ccache_dir = value;
-
- ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
- CONFDB_KRB5_CCNAME_TMPL,
- "FILE:%d/krb5cc_%U_XXXXXX",
- &value);
- if (ret != EOK) {
- goto fail;
- }
-
- if (value[0] != '/' && strncmp(value, "FILE:", 5) != 0) {
- DEBUG(1, ("Currently only file based credential caches are supported "
- "and krb5ccname_template must start with '/' or 'FILE:'\n"));
- goto fail;
- }
- ctx->ccname_template = value;
-
- ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
- CONFDB_KRB5_CHANGEPW_PRINC,
- "kadmin/changepw",
- &value);
- if (ret != EOK) {
- goto fail;
- }
-
- if (strchr(value, '@') == NULL) {
- value = talloc_asprintf_append(value, "@%s", ctx->realm);
- if (value == NULL) {
- DEBUG(7, ("talloc_asprintf_append failed.\n"));
- goto fail;
+ ctx->child_debug_fd = fileno(debug_filep);
+ if (ctx->child_debug_fd == -1) {
+ DEBUG(0, ("fileno failed [%d][%s]\n", errno, strerror(errno)));
+ ret = errno;
+ goto done;
}
- }
- ctx->changepw_principle = value;
-
- ret = setenv(SSSD_KRB5_CHANGEPW_PRINCIPLE, ctx->changepw_principle, 1);
- if (ret != EOK) {
- DEBUG(2, ("setenv %s failed, password change might fail.\n",
- SSSD_KRB5_CHANGEPW_PRINCIPLE));
- }
-
- ret = confdb_get_int(bectx->cdb, ctx, bectx->conf_path,
- CONFDB_KRB5_AUTH_TIMEOUT, 15, &int_value);
- if (ret != EOK) {
- goto fail;
- }
- if (int_value <= 0) {
- DEBUG(4, ("krb5auth_timeout has to be a positive value.\n"));
- goto fail;
- }
- ctx->auth_timeout = int_value;
-
-/* TODO: set options */
- sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO,
- krb5_child_sig_handler, NULL);
- if (sige == NULL) {
- DEBUG(1, ("tevent_add_signal failed.\n"));
- ret = ENOMEM;
- goto fail;
+ v = fcntl(ctx->child_debug_fd, F_GETFD, 0);
+ fcntl(ctx->child_debug_fd, F_SETFD, v & ~FD_CLOEXEC);
}
*ops = &ipa_auth_ops;
- *pvt_auth_data = ctx;
- return EOK;
+ *pvt_data = ctx;
+ ret = EOK;
-fail:
- talloc_free(ctx);
+done:
+ if (ret != EOK) {
+ talloc_free(ctx);
+ }
return ret;
}