From 03b859510dc13a13a456ca4aa94c0561a0e9684c Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 18 Nov 2015 15:29:58 +0100 Subject: AD: Add autofs provider MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://fedorahosted.org/sssd/ticket/1632 Adds the possibility to configure: autofs_provider = ad The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is different (at the moment) from using autofs_provider=ldap with ldap_schema=ad. Reviewed-by: Ondrej Valousek Reviewed-by: Pavel Březina --- Makefile.am | 5 ++++ src/config/SSSDConfigTest.py | 3 +- src/config/etc/sssd.api.d/sssd-ad.conf | 9 ++++++ src/man/sssd-ad.5.xml | 14 ++++++++-- src/man/sssd.conf.5.xml | 9 ++++++ src/providers/ad/ad_autofs.c | 50 ++++++++++++++++++++++++++++++++++ src/providers/ad/ad_common.c | 31 +++++++++++++++++++++ src/providers/ad/ad_common.h | 9 ++++++ src/providers/ad/ad_init.c | 24 ++++++++++++++++ 9 files changed, 150 insertions(+), 4 deletions(-) create mode 100644 src/providers/ad/ad_autofs.c diff --git a/Makefile.am b/Makefile.am index 848f70e48..d7a6f2952 100644 --- a/Makefile.am +++ b/Makefile.am @@ -3028,6 +3028,11 @@ libsss_ad_la_SOURCES += \ src/providers/ad/ad_sudo.c endif +if BUILD_AUTOFS +libsss_ad_la_SOURCES += \ + src/providers/ad/ad_autofs.c +endif + libsss_ad_la_CFLAGS = \ $(AM_CFLAGS) \ $(OPENLDAP_CFLAGS) \ diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 681d8be96..e518c7565 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -753,7 +753,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): control_provider_dict = { 'ipa': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs', 'session', 'hostid', 'subdomains'], - 'ad': ['id', 'auth', 'access', 'chpass', 'sudo', 'subdomains'], + 'ad': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs', + 'subdomains'], 'local': ['id', 'auth', 'chpass'], 'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'], 'krb5': ['auth', 'access', 'chpass'], diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index b636d9310..5eb546caa 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -173,3 +173,12 @@ ldap_sudorule_runasgroup = str, None, false ldap_sudorule_notbefore = str, None, false ldap_sudorule_notafter = str, None, false ldap_sudorule_order = str, None, false + +[provider/ad/autofs] +ldap_autofs_map_master_name = str, None, false +ldap_autofs_map_object_class = str, None, false +ldap_autofs_map_name = str, None, false +ldap_autofs_entry_object_class = str, None, false +ldap_autofs_entry_key = str, None, false +ldap_autofs_entry_value = str, None, false +ldap_autofs_search_base = str, None, false diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 127e96582..d2f74cfce 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -60,9 +60,9 @@ However, it is neither necessary nor recommended to set these - options. The AD provider can also be used as an access, chpass and - sudo provider. No configuration of the access provider is required - on the client side. + options. The AD provider can also be used as an access, chpass, + sudo and autofs provider. No configuration of the access provider + is required on the client side. By default, the AD provider will map UID and GID values from the @@ -928,6 +928,14 @@ ldap_account_expire_policy = ad all the connection parameters (such as LDAP URIs and encryption details) manually. + + When the autofs provider is set to ad, the RFC2307 + schema attribute mapping (nisMap, nisObject, ...) is used, + because these attributes are included the default Active + Directory schema. + + + diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 030485cd7..88a28dd91 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1959,6 +1959,15 @@ pam_account_expired_message = Account expired, please call help desk. 5 for more information on configuring IPA. + + ad to load maps stored in an AD + server. See + + sssd-ad + 5 + for more information on configuring + the AD provider. + none disables autofs explicitly. diff --git a/src/providers/ad/ad_autofs.c b/src/providers/ad/ad_autofs.c new file mode 100644 index 000000000..7d4ed34b5 --- /dev/null +++ b/src/providers/ad/ad_autofs.c @@ -0,0 +1,50 @@ +/* + SSSD + + AD autofs Provider Initialization functions + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/ad/ad_common.h" +#include "providers/ldap/sdap_autofs.h" + +int ad_autofs_init(struct be_ctx *be_ctx, + struct ad_id_ctx *id_ctx, + struct bet_ops **ops, + void **pvt_data) +{ + int ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing autofs AD back end\n"); + + ret = sdap_autofs_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD autofs [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = ad_get_autofs_options(id_ctx->ad_options, be_ctx->cdb, + be_ctx->conf_path); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD autofs [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 52284a5f3..4f8223879 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -1019,6 +1019,37 @@ ad_get_id_options(struct ad_options *ad_opts, return EOK; } +errno_t +ad_get_autofs_options(struct ad_options *ad_opts, + struct confdb_ctx *cdb, + const char *conf_path) +{ + errno_t ret; + + /* autofs maps */ + ret = sdap_get_map(ad_opts->id, + cdb, + conf_path, + ad_autofs_mobject_map, + SDAP_OPTS_AUTOFS_MAP, + &ad_opts->id->autofs_mobject_map); + if (ret != EOK) { + return ret; + } + + ret = sdap_get_map(ad_opts->id, + cdb, + conf_path, + ad_autofs_entry_map, + SDAP_OPTS_AUTOFS_ENTRY, + &ad_opts->id->autofs_entry_map); + if (ret != EOK) { + return ret; + } + + return EOK; +} + errno_t ad_set_search_bases(struct sdap_options *id_opts) { diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index de6ffbff7..49e97b0be 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -132,6 +132,10 @@ ad_get_id_options(struct ad_options *ad_opts, const char *conf_path, struct sdap_options **_opts); errno_t +ad_get_autofs_options(struct ad_options *ad_opts, + struct confdb_ctx *cdb, + const char *conf_path); +errno_t ad_get_auth_options(TALLOC_CTX *mem_ctx, struct ad_options *ad_opts, struct be_ctx *bectx, @@ -170,4 +174,9 @@ int ad_sudo_init(struct be_ctx *be_ctx, struct bet_ops **ops, void **pvt_data); +int ad_autofs_init(struct be_ctx *be_ctx, + struct ad_id_ctx *id_ctx, + struct bet_ops **ops, + void **pvt_data); + #endif /* AD_COMMON_H_ */ diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c index 5f30b6ea8..72ce5536b 100644 --- a/src/providers/ad/ad_init.c +++ b/src/providers/ad/ad_init.c @@ -580,3 +580,27 @@ int sssm_ad_sudo_init(struct be_ctx *bectx, return EOK; #endif } + +int sssm_ad_autofs_init(struct be_ctx *bectx, + struct bet_ops **ops, + void **pvt_data) +{ +#ifdef BUILD_AUTOFS + struct ad_id_ctx *id_ctx; + int ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD autofs handler\n"); + + ret = sssm_ad_id_init(bectx, ops, (void **) &id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ad_id_init failed.\n"); + return ret; + } + + return ad_autofs_init(bectx, id_ctx, ops, pvt_data); +#else + DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is " + "built without autofs support, ignoring\n"); + return EOK; +#endif +} -- cgit