summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
authorJan Zeleny <jzeleny@redhat.com>2012-06-05 15:07:10 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-08-01 16:19:42 +0200
commit07b7b76d7cd494cbd26263503ba2732c21819941 (patch)
tree860a74f647b7b1b28fedaf2de808693ae28e8dd4 /src/providers
parentf6cd1236c27817b97db002094b76648d92b55f82 (diff)
downloadsssd-07b7b76d7cd494cbd26263503ba2732c21819941.tar.gz
sssd-07b7b76d7cd494cbd26263503ba2732c21819941.tar.bz2
sssd-07b7b76d7cd494cbd26263503ba2732c21819941.zip
Primary server support: new options in krb5 provider
This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ad/ad_opts.h3
-rw-r--r--src/providers/ipa/ipa_opts.h3
-rw-r--r--src/providers/krb5/krb5_common.h2
-rw-r--r--src/providers/krb5/krb5_init.c17
-rw-r--r--src/providers/krb5/krb5_opts.h2
-rw-r--r--src/providers/ldap/ldap_common.c7
-rw-r--r--src/providers/ldap/ldap_opts.h1
-rw-r--r--src/providers/ldap/sdap.h1
8 files changed, 28 insertions, 8 deletions
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 41491ddc..458e7ea4 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -83,6 +83,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
@@ -123,6 +124,7 @@ struct dp_option ad_def_ldap_opts[] = {
struct dp_option ad_def_krb5_opts[] = {
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { DEFAULT_CCNAME_TEMPLATE }, NULL_STRING},
@@ -130,6 +132,7 @@ struct dp_option ad_def_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 4925c599..bf1b7a33 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -96,6 +96,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
@@ -241,6 +242,7 @@ struct sdap_attr_map ipa_selinux_user_map[] = {
struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { DEFAULT_CCNAME_TEMPLATE }, NULL_STRING},
@@ -248,6 +250,7 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 337fcf55..51bd2677 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -49,6 +49,7 @@
enum krb5_opts {
KRB5_KDC = 0,
+ KRB5_BACKUP_KDC,
KRB5_REALM,
KRB5_CCACHEDIR,
KRB5_CCNAME_TMPL,
@@ -56,6 +57,7 @@ enum krb5_opts {
KRB5_KEYTAB,
KRB5_VALIDATE,
KRB5_KPASSWD,
+ KRB5_BACKUP_KPASSWD,
KRB5_STORE_PASSWORD_IF_OFFLINE,
KRB5_RENEWABLE_LIFETIME,
KRB5_LIFETIME,
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 60c18a8f..a7b06fdf 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -61,7 +61,9 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
struct krb5_ctx *ctx = NULL;
int ret;
const char *krb5_servers;
+ const char *krb5_backup_servers;
const char *krb5_kpasswd_servers;
+ const char *krb5_backup_kpasswd_servers;
const char *krb5_realm;
const char *errstr;
int errval;
@@ -98,9 +100,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
ctx->opts = krb5_options->opts;
krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
- if (krb5_servers == NULL) {
- DEBUG(SSSDBG_CONF_SETTINGS, ("Missing krb5_server option, using service discovery!\n"));
- }
+ krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);
krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
if (krb5_realm == NULL) {
@@ -109,13 +109,22 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
}
ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- NULL, krb5_realm, &ctx->service);
+ krb5_backup_servers, krb5_realm, &ctx->service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
return ret;
}
krb5_kpasswd_servers = dp_opt_get_string(ctx->opts, KRB5_KPASSWD);
+ krb5_backup_kpasswd_servers = dp_opt_get_string(ctx->opts,
+ KRB5_BACKUP_KPASSWD);
+ if (krb5_kpasswd_servers == NULL && krb5_backup_kpasswd_servers != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("kpasswd server wasn't specified but "
+ "backup kpasswd given. Using it as primary\n"));
+ krb5_kpasswd_servers = krb5_backup_kpasswd_servers;
+ krb5_backup_kpasswd_servers = NULL;
+ }
+
if (krb5_kpasswd_servers == NULL && krb5_servers != NULL) {
DEBUG(0, ("Missing krb5_kpasswd option and KDC set explicitly, "
"will use KDC for pasword change operations!\n"));
diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h
index 9de93b0c..dc9b1764 100644
--- a/src/providers/krb5/krb5_opts.h
+++ b/src/providers/krb5/krb5_opts.h
@@ -27,6 +27,7 @@
struct dp_option default_krb5_opts[] = {
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { DEFAULT_CCNAME_TEMPLATE }, NULL_STRING},
@@ -34,6 +35,7 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 76236743..b9fef086 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1041,6 +1041,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
{
int ret;
const char *krb5_servers;
+ const char *krb5_backup_servers;
const char *krb5_realm;
const char *krb5_opt_realm;
struct krb5_service *service = NULL;
@@ -1050,9 +1051,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
if (tmp_ctx == NULL) return ENOMEM;
krb5_servers = dp_opt_get_string(opts, SDAP_KRB5_KDC);
- if (krb5_servers == NULL) {
- DEBUG(SSSDBG_CONF_SETTINGS, ("Missing krb5_server option, using service discovery!\n"));
- }
+ krb5_backup_servers = dp_opt_get_string(opts, SDAP_KRB5_BACKUP_KDC);
krb5_opt_realm = dp_opt_get_string(opts, SDAP_KRB5_REALM);
if (krb5_opt_realm == NULL) {
@@ -1072,7 +1071,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
}
ret = krb5_service_init(mem_ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- NULL, krb5_realm, &service);
+ krb5_backup_servers, krb5_realm, &service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
goto done;
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 9be6a0f6..4e876bdc 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -76,6 +76,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 70b4e6ad..01c33e42 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -194,6 +194,7 @@ enum sdap_basic_opt {
SDAP_KRB5_KEYTAB,
SDAP_KRB5_KINIT,
SDAP_KRB5_KDC,
+ SDAP_KRB5_BACKUP_KDC,
SDAP_KRB5_REALM,
SDAP_KRB5_CANONICALIZE,
SDAP_PWD_POLICY,