author | Stephen Gallagher <sgallagh@redhat.com> | 2012-06-27 21:38:13 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-07-06 11:44:45 -0400 |
commit | d92c50f6d75ae980b0d130134112a33e1584724c (patch) | |
tree | 324350844b27c46a9e6fe27d0f3f3a70679c36c8 | |
parent | effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 (diff) | |
AD: Add AD auth and chpass providers
These new providers take advantage of existing code for the KRB5
provider, providing sensible defaults for operating against an
Active Directory 2008 R2 or later server.
-rw-r--r-- | src/providers/ad/ad_common.c | 64 | ||||
-rw-r--r-- | src/providers/ad/ad_common.h | 7 | ||||
-rw-r--r-- | src/providers/ad/ad_init.c | 85 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 4 |
4 files changed, 159 insertions, 1 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 92cd40ec..d8f8aff6 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -598,3 +598,67 @@ ad_set_search_bases(struct sdap_options *id_opts)
 done:
 return ret;
 }
+
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+ struct ad_options *ad_opts,
+ struct be_ctx *bectx,
+ struct dp_option **_opts)
+{
+ errno_t ret;
+ struct dp_option *krb5_options;
+ const char *ad_servers;
+ const char *krb5_realm;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ /* Get krb5 options */
+ ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path,
+ ad_def_krb5_opts, KRB5_OPTS,
+ &krb5_options);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Could not read Kerberos options from the configuration\n"));
+ goto done;
+ }
+
+ ad_servers = dp_opt_get_string(ad_opts->basic, AD_SERVER);
+
+ /* Force the krb5_servers to match the ad_servers */
+ ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers);
+ if (ret != EOK) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("Option %s set to %s\n",
+ krb5_options[KRB5_KDC].opt_name,
+ ad_servers));
+
+ /* Set krb5 realm */
+ /* Set the Kerberos Realm for GSSAPI */
+ krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
+ if (!krb5_realm) {
+ /* Should be impossible, this is set in ad_get_common_options() */
+ DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
+ * been upper-cased in ad_common_options()
+ */
+ ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
+ if (ret != EOK) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ ("Option %s set to %s\n",
+ krb5_options[KRB5_REALM].opt_name,
+ krb5_realm));
+
+ *_opts = talloc_steal(mem_ctx, krb5_options);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
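Review bot: `ad_servers` is handed to `dp_opt_set_string()` and then to the `%s` of the following DEBUG call without the NULL guard that `krb5_realm` gets a few lines later; `dp_opt_get_string()` presumably returns NULL when `ad_server` is not configured, and a NULL argument for a `%s` conversion is undefined behaviour even where the libc happens to print "(null)". Whether `dp_opt_set_string()` itself accepts NULL is not visible in this hunk, so either reject the unset case the same way the realm is rejected, or at least log it safely with `ad_servers ? ad_servers : "(unset)"` (constructed placeholder text). Two smaller points: the two stacked comments `/* Set krb5 realm */` and `/* Set the Kerberos Realm for GSSAPI */` say the same thing and one should go, and the later comment names `ad_common_options()` while the earlier one says `ad_get_common_options()` — they should agree on the actual function name.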
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index fefb67b6..d34f498a 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -60,7 +60,7 @@ struct ad_options {
 /* Auth and chpass Provider */
 struct dp_option *auth;
- struct ad_auth_ctx *auth_ctx;
+ struct krb5_ctx *auth_ctx;
 };
 errno_t
@@ -81,5 +81,10 @@ ad_get_id_options(struct ad_options *ad_opts,
 struct confdb_ctx *cdb,
 const char *conf_path,
 struct sdap_options **_opts);
+errno_t
+ad_get_auth_options(TALLOC_CTX *mem_ctx,
+ struct ad_options *ad_opts,
+ struct be_ctx *bectx,
+ struct dp_option **_opts);
 #endif /* AD_COMMON_H_ */
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index da659da2..89101a5b 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -31,6 +31,7 @@
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap_idmap.h"
 #include "providers/krb5/krb5_auth.h"
+#include "providers/krb5/krb5_init_shared.h"
 #include "providers/ad/ad_id.h"
 struct ad_options *ad_options = NULL;
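Review bot: The new `ad_get_auth_options()` declaration in ad_common.h carries no comment on ownership or preconditions, and the definition shows both matter: `*_opts` is allocated under `mem_ctx` (via `talloc_steal`), and the call fails with EINVAL unless `ad_opts->basic` already has `AD_KRB5_REALM` set. A short comment above the prototype along the lines of `/* Build the krb5 provider options for this AD domain, with KRB5_KDC and KRB5_REALM forced to the AD server list and realm from ad_opts->basic. *_opts is allocated under mem_ctx; the realm must already be set in ad_opts. */` would spare callers a trip to the .c file.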
@@ -176,6 +177,90 @@ done:
 return ret;
 }
+int
+sssm_ad_auth_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ errno_t ret;
+ struct krb5_ctx *krb5_auth_ctx = NULL;
+
+ if (!ad_options) {
+ ret = common_ad_init(bectx);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ if (ad_options->auth_ctx) {
+ /* Already initialized */
+ *ops = &ad_auth_ops;
+ *pvt_data = ad_options->auth_ctx;
+ return EOK;
+ }
+
+ krb5_auth_ctx = talloc_zero(NULL, struct krb5_ctx);
+ if (!krb5_auth_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ krb5_auth_ctx->service = ad_options->service->krb5_service;
+
+ ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx,
+ &krb5_auth_ctx->opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Could not determine Kerberos options\n"));
+ goto done;
+ }
+
+ ret = krb5_child_init(krb5_auth_ctx, bectx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Could not initialize krb5_child settings: [%s]\n",
+ strerror(ret)));
+ goto done;
+ }
+
+ ad_options->auth_ctx = talloc_steal(ad_options, krb5_auth_ctx);
+ *ops = &ad_auth_ops;
+ *pvt_data = ad_options->auth_ctx;
+
+done:
+ if (ret != EOK) {
+ talloc_free(krb5_auth_ctx);
+ }
+ return ret;
+}
+
+int
+sssm_ad_chpass_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ errno_t ret;
+
+ if (!ad_options) {
+ ret = common_ad_init(bectx);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ if (ad_options->auth_ctx) {
+ /* Already initialized */
+ *ops = &ad_chpass_ops;
+ *pvt_data = ad_options->auth_ctx;
+ return EOK;
+ }
+
+ ret = sssm_ad_auth_init(bectx, ops, pvt_data);
+ *ops = &ad_chpass_ops;
+ ad_options->auth_ctx = *pvt_data;
+ return ret;
+}
+
 static void ad_shutdown(struct be_req *req)
 {
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index ec4fc050..589b866b 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
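Review bot: In `sssm_ad_chpass_init()` the result of `sssm_ad_auth_init()` is not checked before `*ops` and `ad_options->auth_ctx` are written, so on a failed initialization `ad_options->auth_ctx` receives whatever `*pvt_data` held — the failing paths of `sssm_ad_auth_init()` visible above never store to it — and every later `sssm_ad_auth_init()`/`sssm_ad_chpass_init()` call then takes the "Already initialized" branch with a bogus context pointer. The reassignment is also redundant on success, since `sssm_ad_auth_init()` already stores the stolen context in `ad_options->auth_ctx`. The tail should read `ret = sssm_ad_auth_init(bectx, ops, pvt_data);` / `if (ret != EOK) return ret;` / `*ops = &ad_chpass_ops;` and drop the `ad_options->auth_ctx = *pvt_data;` line. Separately, `krb5_auth_ctx->service = ad_options->service->krb5_service;` assumes `ad_options->service` is populated by `common_ad_init()`; that is not visible in this hunk and is worth confirming, since a NULL there would fault before any error path runs.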
@@ -173,4 +173,8 @@ errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm);
 errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
 const char *username, const char **_upn);
+int sssm_krb5_auth_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_auth_data);
+
 #endif /* __KRB5_COMMON_H__ */