authorLukas Slebodnik <lslebodn@redhat.com>2013-04-24 20:26:40 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-05-03 19:59:40 +0200
commitb24e4bec819b29f1ec8e77083d4e7610c5dd9c77 (patch)
tree393b76738d8cd9cd4f5b463e37ff96421a839e74 /src
parente3db994ddc8eda225c4cc3c90e9c0bd82281faf6 (diff)
downloadsssd-b24e4bec819b29f1ec8e77083d4e7610c5dd9c77.tar.gz
sssd-b24e4bec819b29f1ec8e77083d4e7610c5dd9c77.tar.xz
sssd-b24e4bec819b29f1ec8e77083d4e7610c5dd9c77.zip
SUDO: IPA provider
This patch adds automatic configuration of SUDO with the IPA provider and the compat tree. https://fedorahosted.org/sssd/ticket/1733
Diffstat (limited to 'src')
-rwxr-xr-xsrc/config/SSSDConfigTest.py4
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf21
-rw-r--r--src/man/sssd-sudo.5.xml30
-rw-r--r--src/providers/ipa/ipa_common.h5
-rw-r--r--src/providers/ipa/ipa_init.c24
-rw-r--r--src/providers/ipa/ipa_sudo.c55
6 files changed, 110 insertions, 29 deletions
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 6ae458b1a..9c0e34e64 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -715,8 +715,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
domain = SSSDConfig.SSSDDomain('sssd', self.schema)
control_provider_dict = {
- 'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session',
- 'hostid', 'subdomains'],
+ 'ipa': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs',
+ 'session', 'hostid', 'subdomains'],
'ad': ['id', 'auth', 'access', 'chpass'],
'local': ['id', 'auth', 'chpass'],
'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index e88e32b1a..e6f1bb0a8 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -194,3 +194,24 @@ ipa_selinux_usermap_uuid = str, None, false
[provider/ipa/subdomains]
ipa_subdomains_search_base = str, None, false
+
+[provider/ipa/sudo]
+ldap_sudo_search_base = str, None, false
+ldap_sudo_full_refresh_interval = int, None, false
+ldap_sudo_smart_refresh_interval = int, None, false
+ldap_sudo_use_host_filter = bool, None, false
+ldap_sudo_hostnames = str, None, false
+ldap_sudo_ip = str, None, false
+ldap_sudo_include_netgroups = bool, None, false
+ldap_sudo_include_regexp = bool, None, false
+ldap_sudorule_object_class = str, None, false
+ldap_sudorule_name = str, None, false
+ldap_sudorule_command = str, None, false
+ldap_sudorule_host = str, None, false
+ldap_sudorule_user = str, None, false
+ldap_sudorule_option = str, None, false
+ldap_sudorule_runasuser = str, None, false
+ldap_sudorule_runasgroup = str, None, false
+ldap_sudorule_notbefore = str, None, false
+ldap_sudorule_notafter = str, None, false
+ldap_sudorule_order = str, None, false
diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml
index fec81533d..361fdb7b2 100644
--- a/src/man/sssd-sudo.5.xml
+++ b/src/man/sssd-sudo.5.xml
@@ -89,33 +89,9 @@ ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
</programlisting>
</para>
<para>
- The following example illustrates setting up SSSD to download
- sudo rules from an IPA server. It is necessary to use the LDAP
- provider and set appropriate connection parameters to authenticate
- correctly against the IPA server, because SSSD does not have native
- support of IPA provider for sudo yet.
- </para>
- <para>
-<programlisting>
-[sssd]
-config_file_version = 2
-services = nss, pam, sudo
-domains = EXAMPLE
-
-[domain/EXAMPLE]
-id_provider = ipa
-ipa_domain = example.com
-ipa_server = ipa.example.com
-ldap_tls_cacert = /etc/ipa/ca.crt
-
-sudo_provider = ldap
-ldap_uri = ldap://ipa.example.com
-ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
-ldap_sasl_mech = GSSAPI
-ldap_sasl_authid = host/hostname.example.com
-ldap_sasl_realm = EXAMPLE.COM
-krb5_server = ipa.example.com
-</programlisting>
+ When the SSSD is configured to use the IPA provider, the sudo
+ provider is automatically enabled. The sudo search base
+ is configured to use the compat tree (ou=sudoers,$DC).
</para>
</refsect1>
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index ae1c91731..d5c10a518 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -180,4 +180,9 @@ int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
struct ipa_options *options,
struct ipa_service **_service);
+int ipa_sudo_init(struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data);
+
#endif /* _IPA_COMMON_H_ */
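Review bot: The new ipa_sudo_init prototype is undocumented; a short comment above it would tell readers that it layers on the LDAP sudo back end rather than implementing its own, e.g. `/* Set up the IPA sudo back end on top of sdap_sudo_init() using id_ctx->sdap_id_ctx; fills *ops and *pvt_data. Returns EOK or an errno-style code. */`. That return convention is what the ipa_sudo.c definition in this commit follows, so the comment stays grounded in the visible code.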
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index b65a6cea1..0e9fe0dd1 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -526,3 +526,27 @@ int sssm_ipa_subdomains_init(struct be_ctx *bectx,
return EOK;
}
+
+int sssm_ipa_sudo_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+#ifdef BUILD_SUDO
+ struct ipa_id_ctx *id_ctx;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing IPA sudo handler\n"));
+
+ ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ipa_id_init failed.\n"));
+ return ret;
+ }
+
+ return ipa_sudo_init(bectx, id_ctx, ops, pvt_data);
+#else
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Sudo init handler called but SSSD is "
+ "built without sudo support, ignoring\n"));
+ return EOK;
+#endif
+}
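Review bot: The failure message after the sssm_ipa_id_init call drops the error code, unlike the sibling check in ipa_sudo_init in this same commit, which prints the code together with strerror; `DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ipa_id_init failed [%d]: %s\n", ret, strerror(ret)));` would make the two consistent and give the operator the actual cause. The same `ops` out-parameter is filled by sssm_ipa_id_init and then overwritten by ipa_sudo_init, which is presumably intentional but deserves a one-line comment such as `/* ops from the id init are replaced by the sudo ops below */`. In the branch without BUILD_SUDO the function returns EOK while leaving *ops and *pvt_data untouched; if the loader relies on a NULL ops table to skip the handler, a comment stating that would make the contract explicit.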
diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c
new file mode 100644
index 000000000..726b11685
--- /dev/null
+++ b/src/providers/ipa/ipa_sudo.c
@@ -0,0 +1,55 @@
+/*
+ SSSD
+
+ IPA Provider Initialization functions
+
+ Authors:
+ Lukas Slebodnik <lslebodn@redhat.com>
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/ipa/ipa_common.h"
+#include "providers/ldap/sdap_sudo.h"
+
+int ipa_sudo_init(struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ int ret;
+ struct ipa_options *ipa_options;
+ struct sdap_options *ldap_options;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing sudo IPA back end\n"));
+
+ /*
+ * SDAP_SUDO_SEARCH_BASE has already been initialized in
+ * function ipa_get_id_options
+ */
+ ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize LDAP SUDO [%d]: %s\n",
+ ret, strerror(ret)));
+ return ret;
+ }
+
+ ipa_options = id_ctx->ipa_options;
+ ldap_options = id_ctx->sdap_id_ctx->opts;
+
+ ipa_options->id->sudorule_map = ldap_options->sudorule_map;
+ return EOK;
+}
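Review bot: The file header says "IPA Provider Initialization functions", which is the header of ipa_init.c and does not describe this file; `IPA Provider SUDO Initialization functions` or similar would be accurate. The assignment `ipa_options->id->sudorule_map = ldap_options->sudorule_map;` at the end carries no explanation of why the map is copied from the LDAP options into the IPA id options only after sdap_sudo_init has run; a comment such as `/* share the sudorule map set up by sdap_sudo_init with the IPA id options -- TODO confirm which side owns it */` would help, with the ownership checked against sdap_sudo_init. strerror() is used but <string.h> is not included directly; it presumably arrives through ipa_common.h, but an explicit include would keep the new file self-contained.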