diff options
author | Sumit Bose <sbose@redhat.com> | 2013-06-12 12:17:08 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-28 20:20:59 +0200 |
commit | eceefd520802efe356d413a13247c5f68d8e27c8 (patch) | |
tree | 14f520294b333301469dec188fe047a19e047608 | |
parent | d064fef06dcbcb5f6c1be03e286b1a3433d6dfd7 (diff) | |
download | sssd-eceefd520802efe356d413a13247c5f68d8e27c8.tar.gz sssd-eceefd520802efe356d413a13247c5f68d8e27c8.tar.bz2 sssd-eceefd520802efe356d413a13247c5f68d8e27c8.zip |
Add now options ldap_min_id and ldap_max_id
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 2 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ldap.conf | 2 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 21 | ||||
-rw-r--r-- | src/providers/ad/ad_opts.h | 2 | ||||
-rw-r--r-- | src/providers/ipa/ipa_opts.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/ldap_opts.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 2 |
7 files changed, 33 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 4d7629e1..1bc4f1bf 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -309,6 +309,8 @@ option_strings = { 'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'), 'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'), + 'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'), + 'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'), # [provider/ldap/auth] 'ldap_pwd_policy' : _('Policy to evaluate the password expiration'), diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index 870cf20f..eb239664 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -117,6 +117,8 @@ ldap_idmap_default_domain_sid = str, None, false ldap_groups_use_matching_rule_in_chain = bool, None, false ldap_initgroups_use_matching_rule_in_chain = bool, None, false ldap_rfc2307_fallback_to_local_users = bool, None, false +ldap_min_id = int, None, false +ldap_max_id = int, None, false [provider/ldap/auth] ldap_pwd_policy = str, None, false diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index fd29650e..12e91524 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1434,6 +1434,27 @@ </varlistentry> <varlistentry> + <term>ldap_min_id, ldap_max_id (interger)</term> + <listitem> + <para> + In contrast to the SID based ID mapping which is + used if ldap_id_mapping is set to true the allowed + ID range for ldap_user_uid_number and + ldap_group_gid_number is unbound. In a setup with + sub/trusted-domains this might lead to ID + collisions. To avoid collisions ldap_min_id and + ldap_max_id can be set to restrict the allowed + range for the IDs which are read directly from the + server. Sub-domains can then pick other ranges to + map IDs. + </para> + <para> + Default: not set (both options are set to 0) + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>ldap_sasl_mech (string)</term> <listitem> <para> diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index ba03c232..2c60b761 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -124,6 +124,8 @@ struct dp_option ad_def_ldap_opts[] = { { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, + { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, DP_OPTION_TERMINATOR }; diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 6246f589..139008b1 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -148,6 +148,8 @@ struct dp_option ipa_def_ldap_opts[] = { { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, + { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, DP_OPTION_TERMINATOR }; diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h index 6857d4ca..a6c821f3 100644 --- a/src/providers/ldap/ldap_opts.h +++ b/src/providers/ldap/ldap_opts.h @@ -115,6 +115,8 @@ struct dp_option default_basic_opts[] = { { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, + { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, DP_OPTION_TERMINATOR }; diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 6f10efa4..9fbe04b6 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -219,6 +219,8 @@ enum sdap_basic_opt { SDAP_AD_MATCHING_RULE_INITGROUPS, SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS, SDAP_DISABLE_RANGE_RETRIEVAL, + SDAP_MIN_ID, + SDAP_MAX_ID, SDAP_OPTS_BASIC /* opts counter */ }; |