diff options
| author | Pavel Březina <pbrezina@redhat.com> | 2015-11-25 12:32:25 +0100 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-01-19 14:33:21 +0100 |
| commit | 0f04241fc90f134af0272eb0999e75fb6749b595 (patch) | |
| tree | 6f455b73af4950f45dde89e60ca55a94895805c4 | |
| parent | a6dd4a6c55773e81490dcafd61d4b9782705e9bf (diff) | |
| download | sssd-0f04241fc90f134af0272eb0999e75fb6749b595.tar.gz sssd-0f04241fc90f134af0272eb0999e75fb6749b595.tar.xz sssd-0f04241fc90f134af0272eb0999e75fb6749b595.zip | |
IPA SUDO: choose between IPA and LDAP schema
This patch implement logic to choose between IPA and LDAP schema. From
this point the sudo support in IPA is removed if sudo search base is
not set specifically, it will be brought back in furter patches.
Resolves:
https://fedorahosted.org/sssd/ticket/1108
Reviewed-by: Sumit Bose <sbose@redhat.com>
| -rw-r--r-- | src/providers/ipa/ipa_common.c | 38 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_sudo.c | 108 |
2 files changed, 88 insertions, 58 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 2940a42cc..90be42751 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -311,44 +311,6 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, if (ret != EOK) goto done; if (NULL == dp_opt_get_string(ipa_opts->id->basic, - SDAP_SUDO_SEARCH_BASE)) { -#if 0 - ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_SUDO_SEARCH_BASE, - dp_opt_get_string(ipa_opts->id->basic, - SDAP_SEARCH_BASE)); - if (ret != EOK) { - goto done; - } -#else - /* We don't yet have support for the representation - * of sudo in IPA. For now, we need to point at the - * compat tree - */ - value = talloc_asprintf(tmpctx, "ou=SUDOers,%s", basedn); - if (!value) { - ret = ENOMEM; - goto done; - } - - ret = dp_opt_set_string(ipa_opts->id->basic, - SDAP_SUDO_SEARCH_BASE, - value); - if (ret != EOK) { - goto done; - } -#endif - - DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", - ipa_opts->id->basic[SDAP_SUDO_SEARCH_BASE].opt_name, - dp_opt_get_string(ipa_opts->id->basic, - SDAP_SUDO_SEARCH_BASE)); - } - ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic, - SDAP_SUDO_SEARCH_BASE, - &ipa_opts->id->sdom->sudo_search_bases); - if (ret != EOK) goto done; - - if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE)) { value = talloc_asprintf(tmpctx, "cn=ng,cn=alt,%s", basedn); if (!value) { diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c index 4863aa559..3d159b3ac 100644 --- a/src/providers/ipa/ipa_sudo.c +++ b/src/providers/ipa/ipa_sudo.c @@ -1,12 +1,8 @@ /* - SSSD - - IPA Provider Initialization functions - Authors: - Lukas Slebodnik <lslebodn@redhat.com> + Pavel Březina <pbrezina@redhat.com> - Copyright (C) 2013 Red Hat + Copyright (C) 2015 Red Hat This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -25,31 +21,103 @@ #include "providers/ipa/ipa_common.h" #include "providers/ldap/sdap_sudo.h" +enum sudo_schema { + SUDO_SCHEMA_IPA, + SUDO_SCHEMA_LDAP +}; + +static errno_t +ipa_sudo_choose_schema(struct dp_option *ipa_opts, + struct dp_option *sdap_opts, + enum sudo_schema *_schema) +{ + TALLOC_CTX *tmp_ctx; + char *ipa_search_base; + char *search_base; + char *basedn; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + ret = domain_to_basedn(tmp_ctx, dp_opt_get_string(ipa_opts, + IPA_KRB5_REALM), &basedn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain basedn\n"); + goto done; + } + + ipa_search_base = talloc_asprintf(tmp_ctx, "cn=sudo,%s", basedn); + if (ipa_search_base == NULL) { + ret = ENOMEM; + goto done; + } + + search_base = dp_opt_get_string(sdap_opts, SDAP_SUDO_SEARCH_BASE); + if (search_base == NULL) { + ret = dp_opt_set_string(sdap_opts, SDAP_SUDO_SEARCH_BASE, + ipa_search_base); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + sdap_opts[SDAP_SUDO_SEARCH_BASE].opt_name, ipa_search_base); + + search_base = ipa_search_base; + } + + /* Use IPA schema only if search base is cn=sudo,$dc. */ + if (strcmp(ipa_search_base, search_base) == 0) { + *_schema = SUDO_SCHEMA_IPA; + } else { + *_schema = SUDO_SCHEMA_LDAP; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + int ipa_sudo_init(struct be_ctx *be_ctx, struct ipa_id_ctx *id_ctx, struct bet_ops **ops, void **pvt_data) { - int ret; - struct ipa_options *ipa_options; - struct sdap_options *ldap_options; + enum sudo_schema schema; + errno_t ret; - DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing sudo IPA back end\n"); + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA sudo back end\n"); - /* - * SDAP_SUDO_SEARCH_BASE has already been initialized in - * function ipa_get_id_options - */ - ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data); + ret = ipa_sudo_choose_schema(id_ctx->ipa_options->basic, + id_ctx->ipa_options->id->basic, + &schema); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize LDAP SUDO [%d]: %s\n", - ret, strerror(ret)); + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to choose sudo schema [%d]: %s\n", + ret, sss_strerror(ret)); return ret; } - ipa_options = id_ctx->ipa_options; - ldap_options = id_ctx->sdap_id_ctx->opts; + switch (schema) { + case SUDO_SCHEMA_IPA: + DEBUG(SSSDBG_TRACE_FUNC, "Using IPA schema for sudo\n"); + break; + case SUDO_SCHEMA_LDAP: + DEBUG(SSSDBG_TRACE_FUNC, "Using LDAP schema for sudo\n"); + ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data); + break; + } + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize sudo provider" + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } - ipa_options->id->sudorule_map = ldap_options->sudorule_map; return EOK; } |