diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-07 11:28:35 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-10 21:03:01 +0200 |
| commit | 14452cd066b51e32ca0ebad6c45ae909a1debe57 (patch) | |
| tree | 5c89a40d71008b0b2853b831d937a995e4a424ef /src/providers/ipa | |
| parent | 7b5e7e539ae9312ab55d75aa94feaad549b2a708 (diff) | |
| download | sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.gz sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.bz2 sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.zip | |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
Diffstat (limited to 'src/providers/ipa')
| -rw-r--r-- | src/providers/ipa/ipa_common.c | 35 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_opts.h | 2 |
2 files changed, 25 insertions, 12 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 76da6c1e..67137409 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -664,6 +664,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts, dp_opt_get_string(ipa_opts->auth, KRB5_REALM))); } + /* Set flag that controls whether we want to write the + * kdcinfo files at all + */ + ipa_opts->service->krb5_service->write_kdcinfo = \ + dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO); + DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n", + ipa_opts->auth[KRB5_USE_KDCINFO].opt_name, + ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false")); + *_opts = ipa_opts->auth; ret = EOK; @@ -743,19 +752,21 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server) talloc_zfree(service->sdap->sockaddr); service->sdap->sockaddr = talloc_steal(service, sockaddr); - safe_address = sss_escape_ip_address(tmp_ctx, - srvaddr->family, - address); - if (safe_address == NULL) { - DEBUG(1, ("sss_escape_ip_address failed.\n")); - talloc_free(tmp_ctx); - return; - } + if (service->krb5_service->write_kdcinfo) { + safe_address = sss_escape_ip_address(tmp_ctx, + srvaddr->family, + address); + if (safe_address == NULL) { + DEBUG(1, ("sss_escape_ip_address failed.\n")); + talloc_free(tmp_ctx); + return; + } - ret = write_krb5info_file(service->krb5_service->realm, safe_address, - SSS_KRB5KDC_FO_SRV); - if (ret != EOK) { - DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + ret = write_krb5info_file(service->krb5_service->realm, safe_address, + SSS_KRB5KDC_FO_SRV); + if (ret != EOK) { + DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + } } talloc_free(tmp_ctx); diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 4dfa72db..fe81ed11 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -112,6 +112,7 @@ struct dp_option ipa_def_ldap_opts[] = { { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, @@ -274,6 +275,7 @@ struct dp_option ipa_def_krb5_opts[] = { { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, DP_OPTION_TERMINATOR }; |