-rw-r--r-- | src/providers/ipa/ipa_common.c | 38 | ||||
-rw-r--r-- | src/providers/ipa/ipa_sudo.c | 108 |
2 files changed, 88 insertions, 58 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 2940a42cc..90be42751 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -311,44 +311,6 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
 if (ret != EOK) goto done;
 if (NULL == dp_opt_get_string(ipa_opts->id->basic,
- SDAP_SUDO_SEARCH_BASE)) {
-#if 0
- ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_SUDO_SEARCH_BASE,
- dp_opt_get_string(ipa_opts->id->basic,
- SDAP_SEARCH_BASE));
- if (ret != EOK) {
- goto done;
- }
-#else
- /* We don't yet have support for the representation
- * of sudo in IPA. For now, we need to point at the
- * compat tree
- */
- value = talloc_asprintf(tmpctx, "ou=SUDOers,%s", basedn);
- if (!value) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = dp_opt_set_string(ipa_opts->id->basic,
- SDAP_SUDO_SEARCH_BASE,
- value);
- if (ret != EOK) {
- goto done;
- }
-#endif
-
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",
- ipa_opts->id->basic[SDAP_SUDO_SEARCH_BASE].opt_name,
- dp_opt_get_string(ipa_opts->id->basic,
- SDAP_SUDO_SEARCH_BASE));
- }
- ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic,
- SDAP_SUDO_SEARCH_BASE,
- &ipa_opts->id->sdom->sudo_search_bases);
- if (ret != EOK) goto done;
-
- if (NULL == dp_opt_get_string(ipa_opts->id->basic,
 SDAP_NETGROUP_SEARCH_BASE)) {
 value = talloc_asprintf(tmpctx, "cn=ng,cn=alt,%s", basedn);
 if (!value) {
diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c
index 4863aa559..3d159b3ac 100644
--- a/src/providers/ipa/ipa_sudo.c
+++ b/src/providers/ipa/ipa_sudo.c
@@ -1,12 +1,8 @@
 /*
- SSSD
-
- IPA Provider Initialization functions
-
 Authors:
- Lukas Slebodnik <lslebodn@redhat.com>
+ Pavel Březina <pbrezina@redhat.com>
- Copyright (C) 2013 Red Hat
+ Copyright (C) 2015 Red Hat
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -25,31 +21,103 @@
 #include "providers/ipa/ipa_common.h"
 #include "providers/ldap/sdap_sudo.h"
+enum sudo_schema {
+ SUDO_SCHEMA_IPA,
+ SUDO_SCHEMA_LDAP
+};
+
+static errno_t
+ipa_sudo_choose_schema(struct dp_option *ipa_opts,
+ struct dp_option *sdap_opts,
+ enum sudo_schema *_schema)
+{
+ TALLOC_CTX *tmp_ctx;
+ char *ipa_search_base;
+ char *search_base;
+ char *basedn;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ ret = domain_to_basedn(tmp_ctx, dp_opt_get_string(ipa_opts,
+ IPA_KRB5_REALM), &basedn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain basedn\n");
+ goto done;
+ }
+
+ ipa_search_base = talloc_asprintf(tmp_ctx, "cn=sudo,%s", basedn);
+ if (ipa_search_base == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ search_base = dp_opt_get_string(sdap_opts, SDAP_SUDO_SEARCH_BASE);
+ if (search_base == NULL) {
+ ret = dp_opt_set_string(sdap_opts, SDAP_SUDO_SEARCH_BASE,
+ ipa_search_base);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",
+ sdap_opts[SDAP_SUDO_SEARCH_BASE].opt_name, ipa_search_base);
+
+ search_base = ipa_search_base;
+ }
+
+ /* Use IPA schema only if search base is cn=sudo,$dc. 
 */
+ if (strcmp(ipa_search_base, search_base) == 0) {
+ *_schema = SUDO_SCHEMA_IPA;
+ } else {
+ *_schema = SUDO_SCHEMA_LDAP;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
 int ipa_sudo_init(struct be_ctx *be_ctx, struct ipa_id_ctx *id_ctx, struct bet_ops **ops, void **pvt_data) {
- int ret;
- struct ipa_options *ipa_options;
- struct sdap_options *ldap_options;
+ enum sudo_schema schema;
+ errno_t ret;
- DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing sudo IPA back end\n");
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA sudo back end\n");
- /*
- * SDAP_SUDO_SEARCH_BASE has already been initialized in
- * function ipa_get_id_options
- */
- ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+ ret = ipa_sudo_choose_schema(id_ctx->ipa_options->basic,
+ id_ctx->ipa_options->id->basic,
+ &schema);
 if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize LDAP SUDO [%d]: %s\n",
- ret, strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to choose sudo schema [%d]: %s\n",
+ ret, sss_strerror(ret));
 return ret;
 }
- ipa_options = id_ctx->ipa_options;
- ldap_options = id_ctx->sdap_id_ctx->opts;
+ switch (schema) {
+ case SUDO_SCHEMA_IPA:
+ DEBUG(SSSDBG_TRACE_FUNC, "Using IPA schema for sudo\n");
+ break;
+ case SUDO_SCHEMA_LDAP:
+ DEBUG(SSSDBG_TRACE_FUNC, "Using LDAP schema for sudo\n");
+ ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+ break;
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize sudo provider"
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
- ipa_options->id->sudorule_map = ldap_options->sudorule_map;
 return EOK;
 }
 |
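Review bot: The schema decision `if (strcmp(ipa_search_base, search_base) == 0)` in ipa_sudo_choose_schema is a byte-exact comparison, while LDAP DNs compare case-insensitively, so a configured `ldap_sudo_search_base` that differs from `cn=sudo,<basedn>` only in letter case silently selects SUDO_SCHEMA_LDAP; `if (strcasecmp(ipa_search_base, search_base) == 0) {` plus a comment stating that only that exact DN form selects the IPA schema would make the rule explicit and visible in the trace log. In ipa_sudo_init the SUDO_SCHEMA_IPA arm only logs and returns EOK with `*ops` and `*pvt_data` untouched; if the native IPA backend is added in a later commit, a `/* TODO: native IPA sudo schema not implemented yet */` on that arm would stop a reader from assuming the caller receives usable ops. The switch has no `default:` arm, so a new enum value would leave `ret` at EOK and reach the successful return unnoticed. The concatenated message `"Unable to initialize sudo provider" "[%d]: %s\n"` is also missing a space before `[%d]`.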