summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPavel Březina <pbrezina@redhat.com>2011-12-07 17:20:47 +0100
committerStephen Gallagher <sgallagh@redhat.com>2011-12-16 14:46:17 -0500
commit10b6b1fc57bb7c2edb4cfd0a0038303bd33722bc (patch)
tree3c5d97cdebe0a8b7e53e60d65d32dd4d0a0f1735
parent88c5d362804244a5a74785b94018ddf887094553 (diff)
downloadsssd-10b6b1fc57bb7c2edb4cfd0a0038303bd33722bc.tar.gz
sssd-10b6b1fc57bb7c2edb4cfd0a0038303bd33722bc.tar.bz2
sssd-10b6b1fc57bb7c2edb4cfd0a0038303bd33722bc.zip
SUDO Integration - LDAP configuration options
-rw-r--r--src/providers/ipa/ipa_common.c39
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_common.c73
-rw-r--r--src/providers/ldap/ldap_common.h5
-rw-r--r--src/providers/ldap/sdap.c14
-rw-r--r--src/providers/ldap/sdap.h20
6 files changed, 150 insertions, 3 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index f437580a..4f90b185 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -60,6 +60,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_group_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_group_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING },
{ "ldap_group_search_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_schema", DP_OPT_STRING, { "ipa_v1" }, NULL_STRING },
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
@@ -465,6 +466,44 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
if (ret != EOK) goto done;
if (NULL == dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SUDO_SEARCH_BASE)) {
+#if 0
+ ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+#else
+ /* We don't yet have support for the native representation
+ * of sudo in IPA. For now, we need to point at the
+ * compat tree
+ */
+ value = talloc_asprintf(tmpctx, "ou=SUDOers,%s", basedn);
+ if (!value) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = dp_opt_set_string(ipa_opts->id->basic,
+ SDAP_SUDO_SEARCH_BASE,
+ value);
+ if (ret != EOK) {
+ goto done;
+ }
+#endif
+
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_SUDO_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SUDO_SEARCH_BASE)));
+ }
+ ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic,
+ SDAP_SUDO_SEARCH_BASE,
+ &ipa_opts->id->sudo_search_bases);
+ if (ret != EOK) goto done;
+
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic,
SDAP_NETGROUP_SEARCH_BASE)) {
value = talloc_asprintf(tmpctx, "cn=ng,cn=alt,%s", basedn);
if (!value) {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index f7ab5efd..577e3e19 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 55
+#define IPA_OPTS_BASIC_TEST 56
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index dc55f6ec..71921963 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -26,6 +26,7 @@
#include "providers/fail_over.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/krb5/krb5_common.h"
+#include "db/sysdb_sudo.h"
#include "util/sss_krb5.h"
#include "util/crypto/sss_crypto.h"
@@ -49,6 +50,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_group_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_group_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING },
{ "ldap_group_search_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_schema", DP_OPT_STRING, { "rfc2307" }, NULL_STRING },
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
@@ -214,6 +216,20 @@ struct sdap_attr_map netgroup_map[] = {
{ "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
};
+struct sdap_attr_map native_sudorule_map[] = {
+ { "ldap_sudorule_object_class", "sudoRole", SYSDB_SUDO_CACHE_AT_OC, NULL },
+ { "ldap_sudorule_name", "cn", SYSDB_SUDO_CACHE_AT_CN, NULL },
+ { "ldap_sudorule_command", "sudoCommand", SYSDB_SUDO_CACHE_AT_COMMAND, NULL },
+ { "ldap_sudorule_host", "sudoHost", SYSDB_SUDO_CACHE_AT_HOST, NULL },
+ { "ldap_sudorule_user", "sudoUser", SYSDB_SUDO_CACHE_AT_USER, NULL },
+ { "ldap_sudorule_option", "sudoOption", SYSDB_SUDO_CACHE_AT_OPTION, NULL },
+ { "ldap_sudorule_runasuser", "sudoRunAsUser", SYSDB_SUDO_CACHE_AT_RUNASUSER, NULL },
+ { "ldap_sudorule_runasgroup", "sudoRunAsGroup", SYSDB_SUDO_CACHE_AT_RUNASGROUP, NULL },
+ { "ldap_sudorule_notbefore", "sudoNotBefore", SYSDB_SUDO_CACHE_AT_NOTBEFORE, NULL },
+ { "ldap_sudorule_notafter", "sudoNotAfter", SYSDB_SUDO_CACHE_AT_NOTAFTER, NULL },
+ { "ldap_sudorule_order", "sudoOrder", SYSDB_SUDO_CACHE_AT_ORDER, NULL }
+};
+
int ldap_get_options(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
const char *conf_path,
@@ -255,7 +271,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
/* Handle search bases */
search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);
if (search_base != NULL) {
- /* set user/group/netgroup search bases if they are not */
+ /* set user/group/netgroup/sudo search bases if they are not */
for (o = 0; search_base_options[o] != -1; o++) {
if (NULL == dp_opt_get_string(opts->basic, search_base_options[o])) {
ret = dp_opt_set_string(opts->basic, search_base_options[o],
@@ -496,6 +512,58 @@ done:
return ret;
}
+int ldap_get_sudo_options(TALLOC_CTX *memctx,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct sdap_options *opts)
+{
+ const char *search_base;
+ int ret;
+
+ /* search base */
+ search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);
+ if (search_base != NULL) {
+ /* set sudo search bases if they are not */
+ if (dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE) == NULL) {
+ ret = dp_opt_set_string(opts->basic, SDAP_SUDO_SEARCH_BASE,
+ search_base);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Could not set SUDO search base"
+ "to default value\n"));
+ return ret;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, ("Option %s set to %s\n",
+ opts->basic[SDAP_SUDO_SEARCH_BASE].opt_name,
+ dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE)));
+ }
+ } else {
+ /* FIXME: try to discover it later */
+ DEBUG(SSSDBG_OP_FAILURE, ("Error: no SUDO search base set\n"));
+ return ENOENT;
+ }
+
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_SUDO_SEARCH_BASE,
+ &opts->sudo_search_bases);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Could not parse SUDO search base\n"));
+ return ret;
+ }
+
+ /* attrs map */
+ ret = sdap_get_map(opts, cdb, conf_path,
+ native_sudorule_map,
+ SDAP_OPTS_SUDO,
+ &opts->sudorule_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Could not get SUDO attribute map\n"));
+ return ret;
+ }
+
+ return EOK;
+}
+
errno_t sdap_parse_search_base(TALLOC_CTX *mem_ctx,
struct dp_option *opts, int class,
struct sdap_search_base ***_search_bases)
@@ -531,6 +599,9 @@ errno_t sdap_parse_search_base(TALLOC_CTX *mem_ctx,
case SDAP_NETGROUP_SEARCH_BASE:
class_name = "NETGROUP";
break;
+ case SDAP_SUDO_SEARCH_BASE:
+ class_name = "SUDO";
+ break;
default:
DEBUG(SSSDBG_CONF_SETTINGS,
("Unknown search base type: [%d]\n", class));
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index e937cf2c..844f605f 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -115,6 +115,11 @@ int ldap_get_options(TALLOC_CTX *memctx,
const char *conf_path,
struct sdap_options **_opts);
+int ldap_get_sudo_options(TALLOC_CTX *memctx,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct sdap_options *opts);
+
int ldap_id_enumerate_set_timer(struct sdap_id_ctx *ctx, struct timeval tv);
int ldap_id_cleanup_set_timer(struct sdap_id_ctx *ctx, struct timeval tv);
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index afaa87f5..3ca2e286 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -709,6 +709,9 @@ static errno_t sdap_set_search_base(struct sdap_options *opts,
case SDAP_NETGROUP_SEARCH_BASE:
bases = &opts->netgroup_search_bases;
break;
+ case SDAP_SUDO_SEARCH_BASE:
+ bases = &opts->sudo_search_bases;
+ break;
default:
return EINVAL;
}
@@ -740,7 +743,8 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!opts->search_bases
||!opts->user_search_bases
|| !opts->group_search_bases
- || !opts->netgroup_search_bases) {
+ || !opts->netgroup_search_bases
+ || !opts->sudo_search_bases) {
naming_context = get_naming_context(opts->basic, rootdse);
if (naming_context == NULL) {
DEBUG(1, ("get_naming_context failed.\n"));
@@ -781,6 +785,14 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (ret != EOK) goto done;
}
+ /* Sudo */
+ if (!opts->sudo_search_bases) {
+ ret = sdap_set_search_base(opts,
+ SDAP_SUDO_SEARCH_BASE,
+ naming_context);
+ if (ret != EOK) goto done;
+ }
+
ret = EOK;
done:
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index f08200c9..da328d27 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -164,6 +164,7 @@ enum sdap_basic_opt {
SDAP_GROUP_SEARCH_BASE,
SDAP_GROUP_SEARCH_SCOPE,
SDAP_GROUP_SEARCH_FILTER,
+ SDAP_SUDO_SEARCH_BASE,
SDAP_SCHEMA,
SDAP_OFFLINE_TIMEOUT,
SDAP_FORCE_UPPER_CASE_REALM,
@@ -282,6 +283,22 @@ enum sdap_netgroup_attrs {
SDAP_OPTS_NETGROUP /* attrs counter */
};
+enum sdap_sudorule_attrs {
+ SDAP_OC_SUDORULE = 0,
+ SDAP_AT_SUDO_NAME,
+ SDAP_AT_SUDO_COMMAND,
+ SDAP_AT_SUDO_HOST,
+ SDAP_AT_SUDO_USER,
+ SDAP_AT_SUDO_OPTION,
+ SDAP_AT_SUDO_RUNASUSER,
+ SDAP_AT_SUDO_RUNASGROUP,
+ SDAP_AT_SUDO_NOTBEFORE,
+ SDAP_AT_SUDO_NOTAFTER,
+ SDAP_AT_SUDO_ORDER,
+
+ SDAP_OPTS_SUDO /* attrs counter */
+};
+
struct sdap_attr_map {
const char *opt_name;
const char *def_name;
@@ -302,6 +319,8 @@ struct sdap_options {
struct sdap_attr_map *group_map;
struct sdap_attr_map *netgroup_map;
struct sdap_attr_map *host_map;
+ /* FIXME - should this go to a special struct to avoid mixing with name-service-switch maps? */
+ struct sdap_attr_map *sudorule_map;
/* supported schema types */
enum schema_type {
@@ -315,6 +334,7 @@ struct sdap_options {
struct sdap_search_base **user_search_bases;
struct sdap_search_base **group_search_bases;
struct sdap_search_base **netgroup_search_bases;
+ struct sdap_search_base **sudo_search_bases;
};
struct sdap_server_opts {