diff options
| author | Sumit Bose <sbose@redhat.com> | 2010-04-19 11:59:09 +0200 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-05-26 15:14:40 -0400 |
| commit | 02e38eae1b9cb5df2036a707dafd86f6047c17de (patch) | |
| tree | 970b10c1df9bfe101a3d84ec1ff87dedd5364186 /src/providers/ipa | |
| parent | 06c03627c81a5252420931383a68eb67ba551667 (diff) | |
| download | sssd-02e38eae1b9cb5df2036a707dafd86f6047c17de.tar.gz sssd-02e38eae1b9cb5df2036a707dafd86f6047c17de.tar.bz2 sssd-02e38eae1b9cb5df2036a707dafd86f6047c17de.zip | |
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
Diffstat (limited to 'src/providers/ipa')
| -rw-r--r-- | src/providers/ipa/ipa_common.c | 3 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_common.h | 2 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_init.c | 9 |
3 files changed, 12 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 2ef674e7..a8b14d36 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -124,7 +124,8 @@ struct dp_option ipa_def_krb5_opts[] = { { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER }, { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING }, { "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING } + { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE } }; int ipa_get_options(TALLOC_CTX *memctx, diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index f59a7d7b..9678e0ce 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -40,7 +40,7 @@ struct ipa_service { /* the following define is used to keep track of the options in the krb5 * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ -#define IPA_KRB5_OPTS_TEST 9 +#define IPA_KRB5_OPTS_TEST 10 enum ipa_basic_opt { IPA_DOMAIN = 0, diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index 2f0ccf0f..0e72b1fa 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -272,6 +272,15 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, goto done; } + if (dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) { + ret = init_delayed_online_authentication(krb5_auth_ctx, bectx, + bectx->ev); + if (ret != EOK) { + DEBUG(1, ("init_delayed_online_authentication failed.\n")); + goto done; + } + } + ret = check_and_export_options(krb5_auth_ctx->opts, bectx->domain); if (ret != EOK) { DEBUG(1, ("check_and_export_opts failed.\n")); |