authorJan Cholasta <jcholast@redhat.com>2012-02-03 22:29:47 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-02-07 00:26:57 +0100
commitaf5a58fc3811af8521721f731d8234d983042cea (patch)
tree612316c32255519ee2145e71f5bca8f259ebe34b /src
parent34c78b745eb349eef2b0f13ef2b722632aebe619 (diff)
LDAP: Add support for SSH user public keys
Diffstat (limited to 'src')
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/db/sysdb.h2
-rw-r--r--src/man/Makefile.am5
-rw-r--r--src/man/sssd-ldap.5.xml10
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ldap/ldap_common.c6
-rw-r--r--src/providers/ldap/sdap.c20
-rw-r--r--src/providers/ldap/sdap.h1
10 files changed, 44 insertions, 6 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 00ce5b79..71769f57 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -221,6 +221,7 @@ option_strings = {
'ldap_user_nds_login_disabled' : _('loginDisabled attribute of NDS'),
'ldap_user_nds_login_expiration_time' : _('loginExpirationTime attribute of NDS'),
'ldap_user_nds_login_allowed_time_map' : _('loginAllowedTimeMap attribute of NDS'),
+ 'ldap_user_ssh_public_key' : _('SSH public key attribute'),
'ldap_group_search_base' : _('Base DN for group lookups'),
# not used # 'ldap_group_search_scope' : _('Scope of group lookups'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index fae99631..00a71ab4 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -74,6 +74,7 @@ ldap_user_shadow_flag = str, None, false
ldap_user_krb_last_pwd_change = str, None, false
ldap_user_krb_password_expiration = str, None, false
ldap_pwd_attribute = str, None, false
+ldap_user_ssh_public_key = str, None, false
ldap_group_search_base = str, None, false
ldap_group_search_scope = str, None, false
ldap_group_search_filter = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 57f7688c..4fa7ed0b 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -75,6 +75,7 @@ ldap_ns_account_lock = str, None, false
ldap_user_nds_login_disabled = str, None, false
ldap_user_nds_login_expiration_time = str, None, false
ldap_user_nds_login_allowed_time_map = str, None, false
+ldap_user_ssh_public_key = str, None, false
ldap_group_search_base = str, None, false
ldap_group_search_scope = str, None, false
ldap_group_search_filter = str, None, false
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index a74c9d43..e9a89606 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -114,6 +114,8 @@
#define SYSDB_USN "entryUSN"
#define SYSDB_HIGH_USN "highestUSN"
+#define SYSDB_SSH_PUBKEY "sshPublicKey"
+
#define SYSDB_NEXTID_FILTER "("SYSDB_NEXTID"=*)"
#define SYSDB_UC "objectclass="SYSDB_USER_CLASS
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index f0faf690..31b5652f 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -15,7 +15,10 @@ endif
if BUILD_AUTOFS
AUTOFS_CONDS = ;with_autofs
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)
+if BUILD_SSH
+SSH_CONDS = ;with_ssh
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)
#Special Rules:
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index a145e388..8e1f35e4 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -578,6 +578,16 @@
</listitem>
</varlistentry>
+ <varlistentry condition="with_ssh">
+ <term>ldap_user_ssh_public_key (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the user's SSH
+ public keys.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>ldap_force_upper_case_realm (boolean)</term>
<listitem>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 615cdcaa..2f987c20 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -152,7 +152,8 @@ struct sdap_attr_map ipa_user_map[] = {
{ "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
{ "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
{ "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
- { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+ { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+ { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }
};
struct sdap_attr_map ipa_group_map[] = {
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index ce884838..c92eb282 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -151,7 +151,8 @@ struct sdap_attr_map rfc2307_user_map[] = {
{ "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
{ "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
{ "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
- { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+ { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+ { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL }
};
struct sdap_attr_map rfc2307_group_map[] = {
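Review bot: The new rfc2307 map entry on the added line leaves the default LDAP attribute name NULL, so `ldap_user_ssh_public_key` does nothing in a plain LDAP deployment until an administrator configures it; the rfc2307bis hunk below does the same, and only the IPA map ships a built-in name (`ipaSshPubKey`). That is a defensible choice since there is no standard schema attribute, but the sssd-ldap.5.xml entry added in this commit does not say so. The man page text should gain a `Default: not set` line so the option is not mistaken for one that works out of the box.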
@@ -198,7 +199,8 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
{ "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
{ "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
{ "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
- { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }
+ { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+ { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL }
};
struct sdap_attr_map rfc2307bis_group_map[] = {
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 1f97f554..3ac19498 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -20,6 +20,7 @@
*/
#include "util/util.h"
+#include "util/crypto/sss_crypto.h"
#include "confdb/confdb.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap.h"
@@ -101,6 +102,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
int a, i, ret;
const char *name;
bool store;
+ bool base64;
lerrno = 0;
ret = ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
@@ -171,6 +173,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
}
}
while (str) {
+ base64 = false;
if (map) {
for (a = 1; a < attrs_num; a++) {
/* check if this attr is valid with the chosen schema */
@@ -182,6 +185,9 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
if (a < attrs_num) {
store = true;
name = map[a].sys_name;
+ if (strcmp(name, SYSDB_SSH_PUBKEY) == 0) {
+ base64 = true;
+ }
} else {
store = false;
name = NULL;
@@ -217,8 +223,18 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
goto fail;
}
for (i = 0; vals[i]; i++) {
- v.data = (uint8_t *)vals[i]->bv_val;
- v.length = vals[i]->bv_len;
+ if (base64) {
+ v.data = (uint8_t *)sss_base64_encode(attrs,
+ (uint8_t *)vals[i]->bv_val, vals[i]->bv_len);
+ if (!v.data) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ v.length = strlen((const char *)v.data);
+ } else {
+ v.data = (uint8_t *)vals[i]->bv_val;
+ v.length = vals[i]->bv_len;
+ }
ret = sysdb_attrs_add_val(attrs, name, &v);
if (ret) goto fail;
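Review bot: The base64 branch added here treats any NULL from `sss_base64_encode()` as ENOMEM and aborts parsing of the whole entry, which is only correct if that helper never returns NULL for a zero-length input; if it does for `bv_len == 0`, one empty `sshPublicKey` value would discard the entire user entry rather than just that value, so this is worth confirming against the helper or guarding with `if (vals[i]->bv_len == 0) continue;` before the encode. The reason this one attribute is encoded is only discoverable from the `strcmp(name, SYSDB_SSH_PUBKEY)` in the previous hunk; a comment at `if (base64)` such as `/* SSH public key values are base64-encoded before being stored in sysdb (selected via the SYSDB_SSH_PUBKEY check above), presumably because the raw key may be binary */` would make the intent readable in place. The encoded copy is allocated on `attrs` and lives as long as that context whether or not `sysdb_attrs_add_val` copies it, which looks intentional given the surrounding code uses the same context. sdap_parse_entry begins and ends outside this hunk.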
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 2a63ea83..5d423846 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -256,6 +256,7 @@ enum sdap_user_attrs {
SDAP_AT_NDS_LOGIN_DISABLED,
SDAP_AT_NDS_LOGIN_EXPIRATION_TIME,
SDAP_AT_NDS_LOGIN_ALLOWED_TIME_MAP,
+ SDAP_AT_USER_SSH_PUBLIC_KEY,
SDAP_OPTS_USER /* attrs counter */
};