summaryrefslogtreecommitdiff
path: root/src/providers/ipa
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-06-07 11:28:35 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-10 21:03:01 +0200
commit14452cd066b51e32ca0ebad6c45ae909a1debe57 (patch)
tree5c89a40d71008b0b2853b831d937a995e4a424ef /src/providers/ipa
parent7b5e7e539ae9312ab55d75aa94feaad549b2a708 (diff)
downloadsssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.gz
sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.bz2
sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.zip
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
Diffstat (limited to 'src/providers/ipa')
-rw-r--r--src/providers/ipa/ipa_common.c35
-rw-r--r--src/providers/ipa/ipa_opts.h2
2 files changed, 25 insertions, 12 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 76da6c1e..67137409 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -664,6 +664,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
dp_opt_get_string(ipa_opts->auth, KRB5_REALM)));
}
+ /* Set flag that controls whether we want to write the
+ * kdcinfo files at all
+ */
+ ipa_opts->service->krb5_service->write_kdcinfo = \
+ dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO);
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+ ipa_opts->auth[KRB5_USE_KDCINFO].opt_name,
+ ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
*_opts = ipa_opts->auth;
ret = EOK;
@@ -743,19 +752,21 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
talloc_zfree(service->sdap->sockaddr);
service->sdap->sockaddr = talloc_steal(service, sockaddr);
- safe_address = sss_escape_ip_address(tmp_ctx,
- srvaddr->family,
- address);
- if (safe_address == NULL) {
- DEBUG(1, ("sss_escape_ip_address failed.\n"));
- talloc_free(tmp_ctx);
- return;
- }
+ if (service->krb5_service->write_kdcinfo) {
+ safe_address = sss_escape_ip_address(tmp_ctx,
+ srvaddr->family,
+ address);
+ if (safe_address == NULL) {
+ DEBUG(1, ("sss_escape_ip_address failed.\n"));
+ talloc_free(tmp_ctx);
+ return;
+ }
- ret = write_krb5info_file(service->krb5_service->realm, safe_address,
- SSS_KRB5KDC_FO_SRV);
- if (ret != EOK) {
- DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+ SSS_KRB5KDC_FO_SRV);
+ if (ret != EOK) {
+ DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+ }
}
talloc_free(tmp_ctx);
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 4dfa72db..fe81ed11 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -112,6 +112,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
@@ -274,6 +275,7 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};