summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/config/SSSDConfig.py2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf2
-rw-r--r--src/providers/ipa/ipa_opts.h2
-rw-r--r--src/providers/ldap/ldap_opts.h2
-rw-r--r--src/providers/ldap/sdap.h2
-rw-r--r--src/providers/ldap/sdap_idmap.c36
7 files changed, 48 insertions, 0 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index bdbb9021..b9c484fe 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -265,6 +265,8 @@ option_strings = {
'ldap_idmap_range_max' : _('Upper bound for ID-mapping'),
'ldap_idmap_range_size' : _('Number of IDs for each slice when ID-mapping'),
'ldap_idmap_autorid_compat' : _('Use autorid-compatible algorithm for ID-mapping'),
+ 'ldap_idmap_default_domain' : _('Name of the default domain for ID-mapping'),
+ 'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
# [provider/ldap/auth]
'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 0447d0c4..ac375075 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -114,6 +114,8 @@ ldap_idmap_range_min = int, None, false
ldap_idmap_range_max = int, None, false
ldap_idmap_range_size = int, None, false
ldap_idmap_autorid_compat = bool, None, false
+ldap_idmap_default_domain = str, None, false
+ldap_idmap_default_domain_sid = str, None, false
[provider/ipa/auth]
krb5_ccachedir = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 1ea1c948..2768366b 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -108,6 +108,8 @@ ldap_idmap_range_min = int, None, false
ldap_idmap_range_max = int, None, false
ldap_idmap_range_size = int, None, false
ldap_idmap_autorid_compat = bool, None, false
+ldap_idmap_default_domain = str, None, false
+ldap_idmap_default_domain_sid = str, None, false
[provider/ldap/auth]
ldap_pwd_policy = str, None, false
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index ee9ff15f..1fe78183 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -118,6 +118,8 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000100000LL }, NULL_NUMBER },
{ "ldap_idmap_range_size", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
{ "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 8b8ea25c..646c54ec 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -100,6 +100,8 @@ struct dp_option default_basic_opts[] = {
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000100000LL }, NULL_NUMBER },
{ "ldap_idmap_range_size", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
{ "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 7c55ad5a..2de4a5cb 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -215,6 +215,8 @@ enum sdap_basic_opt {
SDAP_IDMAP_UPPER,
SDAP_IDMAP_RANGESIZE,
SDAP_IDMAP_AUTORID_COMPAT,
+ SDAP_IDMAP_DEFAULT_DOMAIN,
+ SDAP_IDMAP_DEFAULT_DOMAIN_SID,
SDAP_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 24e7ef37..02e3d0ea 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -129,6 +129,42 @@ sdap_idmap_init(TALLOC_CTX *mem_ctx,
goto done;
}
}
+ } else {
+ /* This is the first time we're setting up id-mapping
+ * Store the default domain as slice 0
+ */
+ dom_name = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN);
+ if (!dom_name) {
+ /* If it's not explicitly specified, use the SSSD domain name */
+ dom_name = idmap_ctx->id_ctx->be->domain->name;
+ ret = dp_opt_set_string(idmap_ctx->id_ctx->opts->basic,
+ SDAP_IDMAP_DEFAULT_DOMAIN,
+ dom_name);
+ if (ret != EOK) goto done;
+ }
+
+ sid_str = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN_SID);
+ if (sid_str) {
+ /* Set the default domain as slice 0 */
+ ret = sdap_idmap_add_domain(idmap_ctx, dom_name,
+ sid_str, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Could not add domain [%s][%s][%u] to ID map: [%s]\n",
+ dom_name, sid_str, 0, strerror(ret)));
+ goto done;
+ }
+ } else {
+ if (dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_AUTORID_COMPAT)) {
+ /* In autorid compatibility mode, we MUST have a slice 0 */
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Autorid compatibility mode selected, but %s is not set\n",
+ idmap_ctx->id_ctx->opts->basic[SDAP_IDMAP_DEFAULT_DOMAIN_SID].opt_name));
+ ret = EINVAL;
+ goto done;
+ }
+ /* Otherwise, we'll just fall back to hash values as they are seen */
+ }
}
*_idmap_ctx = talloc_steal(mem_ctx, idmap_ctx);