author | Lukas Slebodnik <lslebodn@redhat.com> | 2013-04-24 20:26:40 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-05-03 19:59:40 +0200 |
commit | b24e4bec819b29f1ec8e77083d4e7610c5dd9c77 (patch) | |
tree | 393b76738d8cd9cd4f5b463e37ff96421a839e74 /src | |
parent | e3db994ddc8eda225c4cc3c90e9c0bd82281faf6 (diff) | |
SUDO: IPA provider
This patch adds automatic configuration of SUDO with the IPA provider and the compat tree.
https://fedorahosted.org/sssd/ticket/1733
Diffstat (limited to 'src')
-rwxr-xr-x | src/config/SSSDConfigTest.py | 4 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 21 | ||||
-rw-r--r-- | src/man/sssd-sudo.5.xml | 30 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 5 | ||||
-rw-r--r-- | src/providers/ipa/ipa_init.c | 24 | ||||
-rw-r--r-- | src/providers/ipa/ipa_sudo.c | 55 |
6 files changed, 110 insertions, 29 deletions
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6ae458b1a..9c0e34e64 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -715,8 +715,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): domain = SSSDConfig.SSSDDomain('sssd', self.schema) control_provider_dict = { - 'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session', - 'hostid', 'subdomains'], + 'ipa': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs', + 'session', 'hostid', 'subdomains'], 'ad': ['id', 'auth', 'access', 'chpass'], 'local': ['id', 'auth', 'chpass'], 'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'], diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index e88e32b1a..e6f1bb0a8 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -194,3 +194,24 @@ ipa_selinux_usermap_uuid = str, None, false [provider/ipa/subdomains] ipa_subdomains_search_base = str, None, false + +[provider/ipa/sudo] +ldap_sudo_search_base = str, None, false +ldap_sudo_full_refresh_interval = int, None, false +ldap_sudo_smart_refresh_interval = int, None, false +ldap_sudo_use_host_filter = bool, None, false +ldap_sudo_hostnames = str, None, false +ldap_sudo_ip = str, None, false +ldap_sudo_include_netgroups = bool, None, false +ldap_sudo_include_regexp = bool, None, false +ldap_sudorule_object_class = str, None, false +ldap_sudorule_name = str, None, false +ldap_sudorule_command = str, None, false +ldap_sudorule_host = str, None, false +ldap_sudorule_user = str, None, false +ldap_sudorule_option = str, None, false +ldap_sudorule_runasuser = str, None, false +ldap_sudorule_runasgroup = str, None, false +ldap_sudorule_notbefore = str, None, false +ldap_sudorule_notafter = str, None, false +ldap_sudorule_order = str, None, false diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml index fec81533d..361fdb7b2 100644 --- a/src/man/sssd-sudo.5.xml 
+++ b/src/man/sssd-sudo.5.xml @@ -89,33 +89,9 @@ ldap_sudo_search_base = ou=sudoers,dc=example,dc=com </programlisting> </para> <para> - The following example illustrates setting up SSSD to download - sudo rules from an IPA server. It is necessary to use the LDAP - provider and set appropriate connection parameters to authenticate - correctly against the IPA server, because SSSD does not have native - support of IPA provider for sudo yet. - </para> - <para> -<programlisting> -[sssd] -config_file_version = 2 -services = nss, pam, sudo -domains = EXAMPLE - -[domain/EXAMPLE] -id_provider = ipa -ipa_domain = example.com -ipa_server = ipa.example.com -ldap_tls_cacert = /etc/ipa/ca.crt - -sudo_provider = ldap -ldap_uri = ldap://ipa.example.com -ldap_sudo_search_base = ou=sudoers,dc=example,dc=com -ldap_sasl_mech = GSSAPI -ldap_sasl_authid = host/hostname.example.com -ldap_sasl_realm = EXAMPLE.COM -krb5_server = ipa.example.com -</programlisting> + When the SSSD is configured to use the IPA provider, the sudo + provider is automatically enabled. The sudo search base + is configured to use the compat tree (ou=sudoers,$DC). </para> </refsect1> diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index ae1c91731..d5c10a518 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -180,4 +180,9 @@ int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, struct ipa_options *options, struct ipa_service **_service); +int ipa_sudo_init(struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct bet_ops **ops, + void **pvt_data); + #endif /* _IPA_COMMON_H_ */ diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index b65a6cea1..0e9fe0dd1 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c 
@@ -526,3 +526,27 @@ int sssm_ipa_subdomains_init(struct be_ctx *bectx, return EOK; }
+
+int sssm_ipa_sudo_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+#ifdef BUILD_SUDO
+ struct ipa_id_ctx *id_ctx;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing IPA sudo handler\n"));
+
+ ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ipa_id_init failed.\n"));
+ return ret;
+ }
+
+ return ipa_sudo_init(bectx, id_ctx, ops, pvt_data);
+#else
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Sudo init handler called but SSSD is "
+ "built without sudo support, ignoring\n"));
+ return EOK;
+#endif
+}
diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c
new file mode 100644
index 000000000..726b11685
--- /dev/null
+++ b/src/providers/ipa/ipa_sudo.c
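Review bot: In sssm_ipa_sudo_init (src/providers/ipa/ipa_init.c) the `#else` branch returns `EOK` without writing `*ops` or `*pvt_data`, so a build without sudo support reports a successfully initialised sudo handler whose outputs are whatever the caller happened to pass in. Whether the caller pre-initialises them is not visible in this hunk; if it accepts NULL there, `*ops = NULL; *pvt_data = NULL;` before `return EOK;` would make the contract explicit, and otherwise the branch should return an error. On the `BUILD_SUDO` path `ops` is handed to `sssm_ipa_id_init` first, so when `ipa_sudo_init` then fails `*ops` presumably still holds whatever the ID initialiser stored; a comment such as `/* on failure *ops and *pvt_data are unspecified and must not be used */` above the function would document that.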
@@ -0,0 +1,55 @@
+/*
+ SSSD
+
+ IPA Provider Initialization functions
+
+ Authors:
+ Lukas Slebodnik <lslebodn@redhat.com>
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/ipa/ipa_common.h"
+#include "providers/ldap/sdap_sudo.h"
+
+int ipa_sudo_init(struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ int ret;
+ struct ipa_options *ipa_options;
+ struct sdap_options *ldap_options;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing sudo IPA back end\n"));
+
+ /*
+ * SDAP_SUDO_SEARCH_BASE has already been initialized in
+ * function ipa_get_id_options
+ */
+ ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize LDAP SUDO [%d]: %s\n",
+ ret, strerror(ret)));
+ return ret;
+ }
+
+ ipa_options = id_ctx->ipa_options;
+ ldap_options = id_ctx->sdap_id_ctx->opts;
+
+ ipa_options->id->sudorule_map = ldap_options->sudorule_map;
+ return EOK;
+}
 |
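Review bot: The final assignment in ipa_sudo_init, `ipa_options->id->sudorule_map = ldap_options->sudorule_map;`, copies a pointer between two option structures without stating who owns the map, and it dereferences `id_ctx->sdap_id_ctx` and `ipa_options->id` with no NULL check. If `ipa_options->id` and `id_ctx->sdap_id_ctx->opts` are distinct objects they now alias one attribute map and freeing either side leaves the other dangling; if they are the same object the line is a no-op. The hunk does not show which. Because this map governs how sudo rules are read from the directory, the line deserves a comment recording the ownership, for example `/* sudorule_map stays owned by sdap_id_ctx->opts; ipa_options->id only borrows it */` if that is the case. The comment above the `sdap_sudo_init` call relies on `ipa_get_id_options` having set `SDAP_SUDO_SEARCH_BASE`, which no file in this commit's diffstat appears to change, so that precondition is worth confirming. The file header still reads "IPA Provider Initialization functions" and should name the sudo back end.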