summaryrefslogtreecommitdiff
path: root/src/providers/ipa
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-07-12 15:19:02 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-07-19 13:47:05 +0200
commit52ae806bd17c3c00d70bd1aed437f10f5ae51a1c (patch)
treee96db99e43762ded9201f9c0e1f7bef44a01fe10 /src/providers/ipa
parentb4486ce81fefae716549959eaa82612dac63cbe5 (diff)
downloadsssd-52ae806bd17c3c00d70bd1aed437f10f5ae51a1c.tar.gz
sssd-52ae806bd17c3c00d70bd1aed437f10f5ae51a1c.tar.bz2
sssd-52ae806bd17c3c00d70bd1aed437f10f5ae51a1c.zip
IPA: warn if full_name_format is customized in server mode
https://fedorahosted.org/sssd/ticket/2009 If the IPA server mode is on and the SSSD is running on the IPA server, then the server's extdom plugin calls getpwnam_r to read info about trusted users from the AD server and return them to the clients that called the extended operation. The SSSD returns the subdomain users fully-qualified, ie "user@domain" by default. The format of the fully qualified name is configurable. However, the extdom plugin returns the user name without the domain component. With this patch, when ipa_server_mode is on, warn if the full_name_format is set to a non-default value. That would prompt the admin to change the format if he changed it to something exotic.
Diffstat (limited to 'src/providers/ipa')
-rw-r--r--src/providers/ipa/ipa_subdomains.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 7910e246..a09f07ac 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1118,6 +1118,23 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
return EOK;
}
+ /* The IPA code relies on the default FQDN format to unparse user
+ * names. Warn loudly if the full_name_format was customized on the
+ * IPA server
+ */
+ if ((strcmp(be_ctx->domain->names->fq_fmt,
+ CONFDB_DEFAULT_FULL_NAME_FORMAT) != 0)
+ && (strcmp(be_ctx->domain->names->fq_fmt,
+ CONFDB_DEFAULT_FULL_NAME_FORMAT_OLD) != 0)) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("%s is set to a non-default value [%s] " \
+ "lookups of subdomain users will likely fail!\n",
+ CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt));
+ sss_log(SSS_LOG_ERR, "%s is set to a non-default value [%s] " \
+ "lookups of subdomain users will likely fail!\n",
+ CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt);
+ /* Attempt to continue */
+ }
+
realm = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_KRB5_REALM);
if (realm == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("No Kerberos realm for IPA?\n"));