summaryrefslogtreecommitdiff
path: root/src/providers/ipa
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2010-04-19 11:59:09 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-05-26 15:14:40 -0400
commit02e38eae1b9cb5df2036a707dafd86f6047c17de (patch)
tree970b10c1df9bfe101a3d84ec1ff87dedd5364186 /src/providers/ipa
parent06c03627c81a5252420931383a68eb67ba551667 (diff)
downloadsssd-02e38eae1b9cb5df2036a707dafd86f6047c17de.tar.gz
sssd-02e38eae1b9cb5df2036a707dafd86f6047c17de.tar.bz2
sssd-02e38eae1b9cb5df2036a707dafd86f6047c17de.zip
Add support for delayed kinit if offline
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
Diffstat (limited to 'src/providers/ipa')
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ipa/ipa_init.c9
3 files changed, 12 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 2ef674e7..a8b14d36 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -124,7 +124,8 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
int ipa_get_options(TALLOC_CTX *memctx,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index f59a7d7b..9678e0ce 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 9
+#define IPA_KRB5_OPTS_TEST 10
enum ipa_basic_opt {
IPA_DOMAIN = 0,
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 2f0ccf0f..0e72b1fa 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -272,6 +272,15 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
goto done;
}
+ if (dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) {
+ ret = init_delayed_online_authentication(krb5_auth_ctx, bectx,
+ bectx->ev);
+ if (ret != EOK) {
+ DEBUG(1, ("init_delayed_online_authentication failed.\n"));
+ goto done;
+ }
+ }
+
ret = check_and_export_options(krb5_auth_ctx->opts, bectx->domain);
if (ret != EOK) {
DEBUG(1, ("check_and_export_opts failed.\n"));