summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap/ldap_init.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers/ldap/ldap_init.c')
-rw-r--r--src/providers/ldap/ldap_init.c780
1 files changed, 456 insertions, 324 deletions
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index cfd68d9b9..566924cbc 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -32,31 +32,10 @@
#include "providers/fail_over_srv.h"
#include "providers/be_refresh.h"
-static void sdap_shutdown(struct be_req *req);
-
-/* Id Handler */
-struct bet_ops sdap_id_ops = {
- .handler = sdap_account_info_handler,
- .finalize = sdap_shutdown,
- .check_online = sdap_check_online
-};
-
-/* Auth Handler */
-struct bet_ops sdap_auth_ops = {
- .handler = sdap_pam_auth_handler,
- .finalize = sdap_shutdown
-};
-
-/* Chpass Handler */
-struct bet_ops sdap_chpass_ops = {
- .handler = sdap_pam_chpass_handler,
- .finalize = sdap_shutdown
-};
-
-/* Access Handler */
-struct bet_ops sdap_access_ops = {
- .handler = sdap_pam_access_handler,
- .finalize = sdap_shutdown
+struct ldap_init_ctx {
+ struct sdap_options *options;
+ struct sdap_id_ctx *id_ctx;
+ struct sdap_auth_ctx *auth_ctx;
};
/* Please use this only for short lists */
@@ -85,259 +64,193 @@ errno_t check_order_list_for_duplicates(char **list,
return EOK;
}
-static int ldap_id_init_internal(struct be_ctx *bectx,
- struct bet_ops **ops,
- void **pvt_data)
+static errno_t ldap_init_auth_ctx(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_options *options,
+ struct sdap_auth_ctx **_auth_ctx)
{
- struct sdap_id_ctx *ctx = NULL;
- const char *urls;
- const char *backup_urls;
- const char *dns_service_name;
- const char *sasl_mech;
- struct sdap_service *sdap_service;
- struct sdap_options *opts = NULL;
- int ret;
-
- /* If we're already set up, just return that */
- if(bectx->bet_info[BET_ID].mod_name &&
- strcmp("ldap", bectx->bet_info[BET_ID].mod_name) == 0) {
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Re-using sdap_id_ctx for this provider\n");
- *ops = bectx->bet_info[BET_ID].bet_ops;
- *pvt_data = bectx->bet_info[BET_ID].pvt_bet_data;
- return EOK;
- }
+ struct sdap_auth_ctx *auth_ctx;
- ret = ldap_get_options(bectx, bectx->domain, bectx->cdb,
- bectx->conf_path, &opts);
- if (ret != EOK) {
- goto done;
+ auth_ctx = talloc(mem_ctx, struct sdap_auth_ctx);
+ if (auth_ctx == NULL) {
+ return ENOMEM;
}
- dns_service_name = dp_opt_get_string(opts->basic,
- SDAP_DNS_SERVICE_NAME);
- DEBUG(SSSDBG_CONF_SETTINGS,
- "Service name for discovery set to %s\n", dns_service_name);
+ auth_ctx->be = be_ctx;
+ auth_ctx->opts = options;
+ auth_ctx->service = id_ctx->conn->service;
+ auth_ctx->chpass_service = NULL;
- urls = dp_opt_get_string(opts->basic, SDAP_URI);
- backup_urls = dp_opt_get_string(opts->basic, SDAP_BACKUP_URI);
+ *_auth_ctx = auth_ctx;
- ret = sdap_service_init(bectx, bectx, "LDAP",
- dns_service_name, urls, backup_urls,
- &sdap_service);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize failover service!\n");
- goto done;
- }
+ return EOK;
+}
- ctx = sdap_id_ctx_new(bectx, bectx, sdap_service);
- if (!ctx) {
- ret = ENOMEM;
- goto done;
+static errno_t init_chpass_service(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct sdap_options *opts,
+ struct sdap_service **_chpass_service)
+{
+ errno_t ret;
+ const char *urls;
+ const char *backup_urls;
+ const char *dns_service_name;
+ struct sdap_service *chpass_service;
+
+ dns_service_name = dp_opt_get_string(opts->basic,
+ SDAP_CHPASS_DNS_SERVICE_NAME);
+ if (dns_service_name != NULL) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Service name for chpass discovery set to %s\n",
+ dns_service_name);
}
- ctx->opts = talloc_steal(ctx, opts);
- sasl_mech = dp_opt_get_string(ctx->opts->basic, SDAP_SASL_MECH);
- if (sasl_mech && strcasecmp(sasl_mech, "GSSAPI") == 0) {
- if (dp_opt_get_bool(ctx->opts->basic, SDAP_KRB5_KINIT)) {
- ret = sdap_gssapi_init(ctx, ctx->opts->basic,
- ctx->be, ctx->conn->service,
- &ctx->krb5_service);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sdap_gssapi_init failed [%d][%s].\n",
- ret, strerror(ret));
- goto done;
- }
+ urls = dp_opt_get_string(opts->basic, SDAP_CHPASS_URI);
+ backup_urls = dp_opt_get_string(opts->basic, SDAP_CHPASS_BACKUP_URI);
+
+ if (urls != NULL || backup_urls != NULL || dns_service_name != NULL) {
+ ret = sdap_service_init(mem_ctx,
+ be_ctx,
+ "LDAP_CHPASS",
+ dns_service_name,
+ urls,
+ backup_urls,
+ &chpass_service);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize failover service!\n");
+ return ret;
}
+ } else {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "ldap_chpass_uri and ldap_chpass_dns_service_name not set, "
+ "using ldap_uri.\n");
+ chpass_service = NULL;
}
- ret = setup_tls_config(ctx->opts->basic);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "setup_tls_config failed [%d][%s].\n",
- ret, strerror(ret));
- goto done;
- }
+ *_chpass_service = chpass_service;
+ return EOK;
+}
- /* Set up the ID mapping object */
- ret = sdap_idmap_init(ctx, ctx, &ctx->opts->idmap_ctx);
- if (ret != EOK) goto done;
+static errno_t get_access_order_list(TALLOC_CTX *mem_ctx,
+ const char *order,
+ char ***_order_list)
+{
+ errno_t ret;
+ char **order_list;
+ int order_list_len;
- ret = sdap_setup_child();
+ ret = split_on_separator(mem_ctx, order, ',', true, true,
+ &order_list, &order_list_len);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "setup_child failed [%d][%s].\n",
- ret, strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "split_on_separator failed.\n");
goto done;
}
- /* setup SRV lookup plugin */
- ret = be_fo_set_dns_srv_lookup_plugin(bectx, NULL);
+ ret = check_order_list_for_duplicates(order_list, false);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
- "[%d]: %s\n", ret, strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "check_order_list_for_duplicates failed.\n");
goto done;
}
- /* setup periodical refresh of expired records */
- ret = sdap_refresh_init(bectx->refresh_ctx, ctx);
- if (ret != EOK && ret != EEXIST) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
- "will not work [%d]: %s\n", ret, strerror(ret));
+ if (order_list_len > LDAP_ACCESS_LAST) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Currently only [%d] different access rules are supported.\n",
+ LDAP_ACCESS_LAST);
+ ret = EINVAL;
+ goto done;
}
- *ops = &sdap_id_ops;
- *pvt_data = ctx;
- ret = EOK;
+ *_order_list = order_list;
done:
if (ret != EOK) {
- talloc_free(opts);
- talloc_free(ctx);
+ talloc_free(order_list);
}
+
return ret;
}
-int sssm_ldap_id_init(struct be_ctx *bectx,
- struct bet_ops **ops,
- void **pvt_data)
+static errno_t check_expire_policy(struct sdap_options *opts)
{
- int ret;
- struct sdap_id_ctx *ctx = NULL;
-
- ret = ldap_id_init_internal(bectx, ops, (void **) &ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "ldap_id_init_internal failed [%d][%s].\n",
- ret, strerror(ret));
- goto done;
- }
-
- ret = ldap_id_setup_tasks(ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "sdap_id_setup_tasks failed [%d][%s].\n",
- ret, strerror(ret));
- goto done;
+ const char *expire_policy;
+ bool matched_policy = false;
+ const char *policies[] = {LDAP_ACCOUNT_EXPIRE_SHADOW,
+ LDAP_ACCOUNT_EXPIRE_AD,
+ LDAP_ACCOUNT_EXPIRE_NDS,
+ LDAP_ACCOUNT_EXPIRE_RHDS,
+ LDAP_ACCOUNT_EXPIRE_IPA,
+ LDAP_ACCOUNT_EXPIRE_389DS,
+ NULL};
+
+ expire_policy = dp_opt_get_cstring(opts->basic,
+ SDAP_ACCOUNT_EXPIRE_POLICY);
+ if (expire_policy == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Warning: LDAP access rule 'expire' is set, "
+ "but no ldap_account_expire_policy configured. "
+ "All domain users will be denied access.\n");
+ return EOK;
}
- *pvt_data = ctx;
- ret = EOK;
-
-done:
- if (ret != EOK) {
- talloc_free(ctx);
+ for (unsigned i = 0; policies[i] != NULL; i++) {
+ if (strcasecmp(expire_policy, policies[i]) == 0) {
+ matched_policy = true;
+ break;
+ }
}
- return ret;
-}
-
-int sssm_ldap_auth_init(struct be_ctx *bectx,
- struct bet_ops **ops,
- void **pvt_data)
-{
- void *data;
- struct sdap_id_ctx *id_ctx;
- struct sdap_auth_ctx *ctx;
- int ret;
- ret = ldap_id_init_internal(bectx, ops, &data);
- if (ret == EOK) {
- id_ctx = talloc_get_type(data, struct sdap_id_ctx);
-
- ctx = talloc(bectx, struct sdap_auth_ctx);
- if (!ctx) return ENOMEM;
-
- ctx->be = bectx;
- ctx->opts = id_ctx->opts;
- ctx->service = id_ctx->conn->service;
- ctx->chpass_service = NULL;
-
- *ops = &sdap_auth_ops;
- *pvt_data = ctx;
+ if (matched_policy == false) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported LDAP account expire policy [%s].\n",
+ expire_policy);
+ return EINVAL;
}
- return ret;
+ return EOK;
}
-int sssm_ldap_chpass_init(struct be_ctx *bectx,
- struct bet_ops **ops,
- void **pvt_data)
+static errno_t get_access_filter(TALLOC_CTX *mem_ctx,
+ struct sdap_options *opts,
+ const char **_filter)
{
- int ret;
- void *data;
- struct sdap_auth_ctx *ctx = NULL;
- const char *urls;
- const char *backup_urls;
- const char *dns_service_name;
-
- ret = sssm_ldap_auth_init(bectx, ops, &data);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ldap_auth_init failed.\n");
- goto done;
- }
-
- ctx = talloc_get_type(data, struct sdap_auth_ctx);
+ const char *filter;
- dns_service_name = dp_opt_get_string(ctx->opts->basic,
- SDAP_CHPASS_DNS_SERVICE_NAME);
- if (dns_service_name) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Service name for chpass discovery set to %s\n",
- dns_service_name);
+ filter = dp_opt_get_cstring(opts->basic, SDAP_ACCESS_FILTER);
+ if (filter == NULL) {
+ /* It's okay if this is NULL. In that case we will simply act
+ * like the 'deny' provider.
+ */
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Warning: LDAP access rule 'filter' is set, "
+ "but no ldap_access_filter configured. "
+ "All domain users will be denied access.\n");
+ return EOK;
}
- urls = dp_opt_get_string(ctx->opts->basic, SDAP_CHPASS_URI);
- backup_urls = dp_opt_get_string(ctx->opts->basic, SDAP_CHPASS_BACKUP_URI);
- if (!urls && !backup_urls && !dns_service_name) {
- DEBUG(SSSDBG_TRACE_ALL,
- "ldap_chpass_uri and ldap_chpass_dns_service_name not set, "
- "using ldap_uri.\n");
- ctx->chpass_service = NULL;
- } else {
- ret = sdap_service_init(ctx, ctx->be, "LDAP_CHPASS", dns_service_name,
- urls, backup_urls, &ctx->chpass_service);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to initialize failover service!\n");
- goto done;
- }
+ filter = sdap_get_access_filter(mem_ctx, filter);
+ if (filter == NULL) {
+ return ENOMEM;
}
+ *_filter = filter;
- *ops = &sdap_chpass_ops;
- *pvt_data = ctx;
- ret = EOK;
-
-done:
- if (ret != EOK) {
- talloc_free(ctx);
- }
- return ret;
+ return EOK;
}
-int sssm_ldap_access_init(struct be_ctx *bectx,
- struct bet_ops **ops,
- void **pvt_data)
+static errno_t set_access_rules(TALLOC_CTX *mem_ctx,
+ struct sdap_access_ctx *access_ctx,
+ struct sdap_options *opts)
{
- int ret;
- struct sdap_access_ctx *access_ctx;
- const char *filter;
+ errno_t ret;
+ char **order_list = NULL;
const char *order;
- char **order_list;
- int order_list_len;
size_t c;
- const char *dummy;
-
- access_ctx = talloc_zero(bectx, struct sdap_access_ctx);
- if(access_ctx == NULL) {
- ret = ENOMEM;
- goto done;
- }
- ret = ldap_id_init_internal(bectx, ops, (void **)&access_ctx->id_ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "ldap_id_init_internal failed.\n");
- goto done;
- }
+ /* To make sure that in case of failure it's safe to be freed */
+ access_ctx->filter = NULL;
order = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
SDAP_ACCESS_ORDER);
@@ -347,73 +260,28 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
order = "filter";
}
- ret = split_on_separator(access_ctx, order, ',', true, true,
- &order_list, &order_list_len);
+ ret = get_access_order_list(mem_ctx, order, &order_list);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "split_on_separator failed.\n");
- goto done;
- }
-
- ret = check_order_list_for_duplicates(order_list, false);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "check_order_list_for_duplicates failed.\n");
- goto done;
- }
-
- if (order_list_len > LDAP_ACCESS_LAST) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Currently only [%d] different access rules are supported.\n",
- LDAP_ACCESS_LAST);
- ret = EINVAL;
+ "get_access_order_list failed: [%d][%s].\n",
+ ret, sss_strerror(ret));
goto done;
}
for (c = 0; order_list[c] != NULL; c++) {
+
if (strcasecmp(order_list[c], LDAP_ACCESS_FILTER_NAME) == 0) {
access_ctx->access_rule[c] = LDAP_ACCESS_FILTER;
-
- filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
- SDAP_ACCESS_FILTER);
- if (filter == NULL) {
- /* It's okay if this is NULL. In that case we will simply act
- * like the 'deny' provider.
- */
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Warning: LDAP access rule 'filter' is set, "
- "but no ldap_access_filter configured. "
- "All domain users will be denied access.\n");
- } else {
- access_ctx->filter = sdap_get_access_filter(access_ctx,
- filter);
- if (access_ctx->filter == NULL) {
- ret = ENOMEM;
- goto done;
- }
+ if (get_access_filter(mem_ctx, opts, &access_ctx->filter) != EOK) {
+ goto done;
}
+
} else if (strcasecmp(order_list[c], LDAP_ACCESS_EXPIRE_NAME) == 0) {
access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE;
-
- dummy = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
- SDAP_ACCOUNT_EXPIRE_POLICY);
- if (dummy == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Warning: LDAP access rule 'expire' is set, "
- "but no ldap_account_expire_policy configured. "
- "All domain users will be denied access.\n");
- } else {
- if (strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_SHADOW) != 0 &&
- strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_AD) != 0 &&
- strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_NDS) != 0 &&
- strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_RHDS) != 0 &&
- strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_IPA) != 0 &&
- strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_389DS) != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unsupported LDAP account expire policy [%s].\n",
- dummy);
- ret = EINVAL;
- goto done;
- }
+ if (check_expire_policy(opts) != EOK) {
+ goto done;
}
+
} else if (strcasecmp(order_list[c], LDAP_ACCESS_SERVICE_NAME) == 0) {
access_ctx->access_rule[c] = LDAP_ACCESS_SERVICE;
} else if (strcasecmp(order_list[c], LDAP_ACCESS_HOST_NAME) == 0) {
@@ -441,75 +309,327 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
access_ctx->access_rule[c] = LDAP_ACCESS_EMPTY;
if (c == 0) {
DEBUG(SSSDBG_FATAL_FAILURE, "Warning: access_provider=ldap set, "
- "but ldap_access_order is empty. "
- "All domain users will be denied access.\n");
+ "but ldap_access_order is empty. "
+ "All domain users will be denied access.\n");
+ }
+
+done:
+ talloc_free(order_list);
+ if (ret != EOK) {
+ talloc_zfree(access_ctx->filter);
+ }
+ return ret;
+}
+
+static errno_t get_sdap_service(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct sdap_options *opts,
+ struct sdap_service **_sdap_service)
+{
+ errno_t ret;
+ const char *urls;
+ const char *backup_urls;
+ const char *dns_service_name;
+ struct sdap_service *sdap_service;
+
+ urls = dp_opt_get_string(opts->basic, SDAP_URI);
+ backup_urls = dp_opt_get_string(opts->basic, SDAP_BACKUP_URI);
+ dns_service_name = dp_opt_get_string(opts->basic, SDAP_DNS_SERVICE_NAME);
+ if (dns_service_name != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Service name for discovery set to %s\n", dns_service_name);
+ }
+
+ ret = sdap_service_init(mem_ctx, be_ctx, "LDAP",
+ dns_service_name,
+ urls,
+ backup_urls,
+ &sdap_service);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ *_sdap_service = sdap_service;
+ return EOK;
+}
+
+static bool should_call_gssapi_init(struct sdap_options *opts)
+{
+ const char *sasl_mech;
+
+ sasl_mech = dp_opt_get_string(opts->basic, SDAP_SASL_MECH);
+ if (sasl_mech == NULL) {
+ return false;
+ }
+
+ if (strcasecmp(sasl_mech, "GSSAPI") != 0) {
+ return false;
+ }
+
+ if (dp_opt_get_bool(opts->basic, SDAP_KRB5_KINIT) == false) {
+ return false;
+ }
+
+ return true;
+}
+
+static errno_t ldap_init_misc(struct be_ctx *be_ctx,
+ struct sdap_options *options,
+ struct sdap_id_ctx *id_ctx)
+{
+ errno_t ret;
+
+ if (should_call_gssapi_init(options)) {
+ ret = sdap_gssapi_init(id_ctx, options->basic, be_ctx,
+ id_ctx->conn->service, &id_ctx->krb5_service);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_gssapi_init failed [%d][%s].\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+
+ ret = setup_tls_config(options->basic);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get TLS options [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ /* Setup the ID mapping object */
+ ret = sdap_idmap_init(id_ctx, id_ctx, &options->idmap_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not initialize ID mapping. In case ID mapping properties "
+ "changed on the server, please remove the SSSD database\n");
+ return ret;
+ }
+
+ ret = ldap_id_setup_tasks(id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup background tasks "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = sdap_setup_child();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ /* Setup SRV lookup plugin */
+ ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ /* Setup periodical refresh of expired records */
+ ret = sdap_refresh_init(be_ctx->refresh_ctx, id_ctx);
+ if (ret != EOK && ret != EEXIST) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh will not work "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ }
+
+ return EOK;
+}
+
+errno_t sssm_ldap_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct data_provider *provider,
+ const char *module_name,
+ void **_module_data)
+{
+ struct sdap_service *sdap_service;
+ struct ldap_init_ctx *init_ctx;
+ errno_t ret;
+
+ init_ctx = talloc_zero(mem_ctx, struct ldap_init_ctx);
+ if (init_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ /* Always initialize options since it is needed everywhere. */
+ ret = ldap_get_options(init_ctx, be_ctx->domain, be_ctx->cdb,
+ be_ctx->conf_path, &init_ctx->options);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP options "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ /* Always initialize id_ctx since it is needed everywhere. */
+ ret = get_sdap_service(init_ctx, be_ctx, init_ctx->options, &sdap_service);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize failover service "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ init_ctx->id_ctx = sdap_id_ctx_new(init_ctx, be_ctx, sdap_service);
+ if (init_ctx->id_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP ID context\n");
+ ret = ENOMEM;
+ goto done;
}
- *ops = &sdap_access_ops;
- *pvt_data = access_ctx;
+ init_ctx->id_ctx->opts = init_ctx->options;
+
+ /* Setup miscellaneous things. */
+ ret = ldap_init_misc(be_ctx, init_ctx->options, init_ctx->id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init LDAP module "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ /* Initialize auth_ctx only if one of the target is enabled. */
+ if (dp_target_enabled(provider, module_name, DPT_AUTH, DPT_CHPASS)) {
+ ret = ldap_init_auth_ctx(init_ctx, be_ctx, init_ctx->id_ctx,
+ init_ctx->options, &init_ctx->auth_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+
+ *_module_data = init_ctx;
ret = EOK;
done:
if (ret != EOK) {
- talloc_free(access_ctx);
+ talloc_free(init_ctx);
}
+
return ret;
}
-int sssm_ldap_sudo_init(struct be_ctx *be_ctx,
- struct bet_ops **ops,
- void **pvt_data)
+errno_t sssm_ldap_id_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
{
-#ifdef BUILD_SUDO
+ struct ldap_init_ctx *init_ctx;
struct sdap_id_ctx *id_ctx;
- void *data;
- int ret;
- ret = ldap_id_init_internal(be_ctx, ops, &data);
+ init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
+ id_ctx = init_ctx->id_ctx;
+
+ dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER,
+ sdap_account_info_handler_send, sdap_account_info_handler_recv, id_ctx,
+ struct sdap_id_ctx, struct be_acct_req, struct dp_reply_std);
+
+ dp_set_method(dp_methods, DPM_CHECK_ONLINE,
+ sdap_online_check_handler_send, sdap_online_check_handler_recv, id_ctx,
+ struct sdap_id_ctx, void, struct dp_reply_std);
+
+ return EOK;
+}
+
+errno_t sssm_ldap_auth_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ struct ldap_init_ctx *init_ctx;
+ struct sdap_auth_ctx *auth_ctx;
+
+ init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
+ auth_ctx = init_ctx->auth_ctx;
+
+ dp_set_method(dp_methods, DPM_AUTH_HANDLER,
+ sdap_pam_auth_handler_send, sdap_pam_auth_handler_recv, auth_ctx,
+ struct sdap_auth_ctx, struct pam_data, struct pam_data *);
+
+ return EOK;
+}
+
+errno_t sssm_ldap_chpass_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ struct ldap_init_ctx *init_ctx;
+ struct sdap_auth_ctx *auth_ctx;
+ errno_t ret;
+
+ init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
+ auth_ctx = init_ctx->auth_ctx;
+
+ ret = init_chpass_service(auth_ctx, be_ctx, init_ctx->options,
+ &auth_ctx->chpass_service);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init LDAP ID provider [%d]: %s\n",
- ret, strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize chpass service "
+ "[%d]: %s\n", ret, sss_strerror(ret));
return ret;
}
- id_ctx = talloc_get_type(data, struct sdap_id_ctx);
- if (!id_ctx) {
- DEBUG(SSSDBG_CRIT_FAILURE, "No ID provider?\n");
- return EIO;
- }
+ dp_set_method(dp_methods, DPM_AUTH_HANDLER,
+ sdap_pam_chpass_handler_send, sdap_pam_chpass_handler_recv, auth_ctx,
+ struct sdap_auth_ctx, struct pam_data, struct pam_data *);
- return sdap_sudo_init(be_ctx, id_ctx, ops, pvt_data);
-#else
- DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is "
- "built without sudo support, ignoring\n");
return EOK;
-#endif
}
-int sssm_ldap_autofs_init(struct be_ctx *be_ctx,
- struct bet_ops **ops,
- void **pvt_data)
+errno_t sssm_ldap_access_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
{
-#ifdef BUILD_AUTOFS
- struct sdap_id_ctx *id_ctx;
- void *data;
- int ret;
+ struct ldap_init_ctx *init_ctx;
+ struct sdap_access_ctx *access_ctx;
+ errno_t ret;
+
+ init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
+
+ access_ctx = talloc_zero(mem_ctx, struct sdap_access_ctx);
+ if(access_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
- ret = ldap_id_init_internal(be_ctx, ops, &data);
+ access_ctx->id_ctx = init_ctx->id_ctx;
+
+ ret = set_access_rules(access_ctx, access_ctx, access_ctx->id_ctx->opts);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init LDAP ID provider [%d]: %s\n",
- ret, strerror(ret));
- return ret;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "set_access_rules failed: [%d][%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
}
- id_ctx = talloc_get_type(data, struct sdap_id_ctx);
- if (!id_ctx) {
- DEBUG(SSSDBG_CRIT_FAILURE, "No ID provider?\n");
- return EIO;
+ dp_set_method(dp_methods, DPM_ACCESS_HANDLER,
+ sdap_pam_access_handler_send, sdap_pam_access_handler_recv, access_ctx,
+ struct sdap_access_ctx, struct pam_data, struct pam_data *);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(access_ctx);
}
- return sdap_autofs_init(be_ctx, id_ctx, ops, pvt_data);
+ return ret;
+}
+
+errno_t sssm_ldap_autofs_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+#ifdef BUILD_AUTOFS
+ struct ldap_init_ctx *init_ctx;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing LDAP autofs handler\n");
+ init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
+
+ return sdap_autofs_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
#else
DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is "
"built without autofs support, ignoring\n");
@@ -517,9 +637,21 @@ int sssm_ldap_autofs_init(struct be_ctx *be_ctx,
#endif
}
-static void sdap_shutdown(struct be_req *req)
+errno_t sssm_ldap_sudo_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
{
- /* TODO: Clean up any internal data */
- sdap_handler_done(req, DP_ERR_OK, EOK, NULL);
-}
+#ifdef BUILD_SUDO
+ struct ldap_init_ctx *init_ctx;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing LDAP sudo handler\n");
+ init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
+ return sdap_sudo_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
+#else
+ DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is "
+ "built without sudo support, ignoring\n");
+ return EOK;
+#endif
+}
generated by cgit (git 2.34.1) at 2025-09-12 09:08:07 +0000