-rw-r--r--server/man/sssd-ldap.5.xml21
-rw-r--r--server/providers/ldap/ldap_auth.c2
-rw-r--r--server/providers/ldap/ldap_id.c35
-rw-r--r--server/providers/ldap/sdap.c1
-rw-r--r--server/providers/ldap/sdap_async.c18
-rw-r--r--server/providers/ldap/sdap_async.h1
6 files changed, 69 insertions, 9 deletions
diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml
index 85122092..385a299a 100644
--- a/server/man/sssd-ldap.5.xml
+++ b/server/man/sssd-ldap.5.xml
@@ -72,6 +72,27 @@
</varlistentry>
<varlistentry>
+ <term>defaultAuthtokType (string)</term>
+ <listitem>
+ <para>
+ The type of the authentication token of the
+ default bind DN. So far "password" is the only
+ supported value.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>defaultAuthtok (string)</term>
+ <listitem>
+ <para>
+ The authentication token of the default bind DN.
+ So far only a clear text password is supported.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>userSearchBase (string)</term>
<listitem>
<para>
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index f0b12a0a..47ed0f0d 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -256,7 +256,7 @@ static void auth_get_user_dn_done(struct tevent_req *subreq)
}
subreq = sdap_auth_send(state, state->ev, state->sh,
- state->dn, state->password);
+ state->dn, "password", state->password);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
diff --git a/server/providers/ldap/ldap_id.c b/server/providers/ldap/ldap_id.c
index 3008f9be..bb65cd44 100644
--- a/server/providers/ldap/ldap_id.c
+++ b/server/providers/ldap/ldap_id.c
@@ -115,17 +115,23 @@ struct sdap_id_connect_state {
struct tevent_context *ev;
struct sdap_id_ctx *ctx;
bool use_start_tls;
+ char *defaultBindDn;
+ char *defaultAuthtokType;
+ char *defaultAuthtok;
struct sdap_handle *sh;
};
static void sdap_id_connect_done(struct tevent_req *subreq);
-static void sdap_id_anon_bind_done(struct tevent_req *subreq);
+static void sdap_id_bind_done(struct tevent_req *subreq);
struct tevent_req *sdap_id_connect_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_id_ctx *ctx,
- bool use_start_tls)
+ bool use_start_tls,
+ char *defaultBindDn,
+ char *defaultAuthtokType,
+ char *defaultAuthtok)
{
struct tevent_req *req, *subreq;
struct sdap_id_connect_state *state;
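Review bot: The three new parameters and state fields are declared `char *`, but the values are only ever forwarded to sdap_auth_send, whose corresponding parameters are `const char *` (sdap_async.h hunk); declaring them `const char *defaultBindDn, const char *defaultAuthtokType, const char *defaultAuthtok` in both the struct and the signature states that the function never writes through them and avoids a silent const discard for callers. The state keeps the pointers without a talloc copy, so the strings must outlive the request; the callers pass `ctx->opts->basic[...].value` and the state already holds `ctx`, so this presumably holds, but a one-line comment on the fields saying they are borrowed from the options would make that explicit. The struct definition starts before this hunk and sdap_id_connect_send's body continues after it.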
@@ -136,6 +142,9 @@ struct tevent_req *sdap_id_connect_send(TALLOC_CTX *memctx,
state->ev = ev;
state->ctx = ctx;
state->use_start_tls = use_start_tls;
+ state->defaultBindDn = defaultBindDn;
+ state->defaultAuthtokType = defaultAuthtokType;
+ state->defaultAuthtok = defaultAuthtok;
subreq = sdap_connect_send(state, ev, ctx->opts, use_start_tls);
if (!subreq) {
@@ -163,16 +172,17 @@ static void sdap_id_connect_done(struct tevent_req *subreq)
}
/* TODO: use authentication (SASL/GSSAPI) when necessary */
- subreq = sdap_auth_send(state, state->ev, state->sh, NULL, NULL);
+ subreq = sdap_auth_send(state, state->ev, state->sh, state->defaultBindDn,
+ state->defaultAuthtokType, state->defaultAuthtok);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
}
- tevent_req_set_callback(subreq, sdap_id_anon_bind_done, req);
+ tevent_req_set_callback(subreq, sdap_id_bind_done, req);
}
-static void sdap_id_anon_bind_done(struct tevent_req *subreq)
+static void sdap_id_bind_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
@@ -282,7 +292,10 @@ static struct tevent_req *users_get_send(TALLOC_CTX *memctx,
/* FIXME: add option to decide if tls should be used
* or SASL/GSSAPI, etc ... */
- subreq = sdap_id_connect_send(state, ev, ctx, false);
+ subreq = sdap_id_connect_send(state, ev, ctx, false,
+ ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value,
+ ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value,
+ ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value);
if (!subreq) {
ret = ENOMEM;
goto fail;
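Review bot: The same three `ctx->opts->basic[SDAP_DEFAULT_*].value` lookups are repeated verbatim at each call site, here and in the groups_get_send and groups_by_user_send hunks below, even though sdap_id_connect_send already receives `ctx` and could read them itself. Keeping the lookup inside sdap_id_connect_send (or behind a tiny static accessor) would leave the callers as `subreq = sdap_id_connect_send(state, ev, ctx, false);` and avoid the three copies drifting apart when another option such as the SASL/GSSAPI choice mentioned in the FIXME is added. users_get_send begins outside this hunk.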
@@ -439,7 +452,10 @@ static struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
/* FIXME: add option to decide if tls should be used
* or SASL/GSSAPI, etc ... */
- subreq = sdap_id_connect_send(state, ev, ctx, false);
+ subreq = sdap_id_connect_send(state, ev, ctx, false,
+ ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value,
+ ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value,
+ ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value);
if (!subreq) {
ret = ENOMEM;
goto fail;
@@ -571,7 +587,10 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
/* FIXME: add option to decide if tls should be used
* or SASL/GSSAPI, etc ... */
- subreq = sdap_id_connect_send(state, ev, ctx, false);
+ subreq = sdap_id_connect_send(state, ev, ctx, false,
+ ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value,
+ ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value,
+ ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value);
if (!subreq) {
ret = ENOMEM;
goto fail;
diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c
index 9c957ff2..0b16db43 100644
--- a/server/providers/ldap/sdap.c
+++ b/server/providers/ldap/sdap.c
@@ -233,6 +233,7 @@ static int sdap_parse_entry(TALLOC_CTX *memctx,
goto fail;
}
+ DEBUG(9, ("OriginalDN: [%s].\n", str));
ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str);
if (ret) goto fail;
if (_dn) {
diff --git a/server/providers/ldap/sdap_async.c b/server/providers/ldap/sdap_async.c
index b2e0fb21..b71b61f2 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -728,11 +728,17 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_handle *sh,
const char *user_dn,
+ const char *authtok_type,
const char *password)
{
struct tevent_req *req, *subreq;
struct sdap_auth_state *state;
+ if (authtok_type != NULL && strcasecmp(authtok_type,"password") != 0) {
+ DEBUG(1,("Authentication token type [%s] is not supported"));
+ return NULL;
+ }
+
req = tevent_req_create(memctx, &state, struct sdap_auth_state);
if (!req) return NULL;
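Review bot: The new DEBUG call at the top of the hunk has a `%s` conversion but no matching argument, so it reads an undefined vararg when the unsupported-type branch is taken; it is also missing the trailing newline the surrounding messages use. It should be `DEBUG(1, ("Authentication token type [%s] is not supported.\n", authtok_type));`. Separately, returning NULL here is indistinguishable from allocation failure: every visible caller (ldap_auth.c and ldap_id.c hunks) maps a NULL subreq to `tevent_req_error(req, ENOMEM)`, so a misconfigured defaultAuthtokType would be reported as out of memory; creating the request first and failing it with EINVAL would give callers an accurate error. strcasecmp also needs `<strings.h>`, which this hunk does not show being included. sdap_auth_send's body continues past the hunk.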
@@ -884,6 +890,12 @@ static struct tevent_req *sdap_save_user_send(TALLOC_CTX *memctx,
ret = sysdb_attrs_get_el(state->attrs,
opts->user_map[SDAP_AT_USER_UID].sys_name, &el);
if (ret) goto fail;
+ if (el->num_values == 0) {
+ DEBUG(1, ("no uid provided for user [%s] in domain [%s].\n", name,
+ dom->name));
+ ret = EINVAL;
+ goto fail;
+ }
errno = 0;
l = strtol((const char *)el->values[0].data, NULL, 0);
if (errno) {
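Review bot: The added `el->num_values == 0` guard is correct and closes an out-of-bounds read of `el->values[0]` below it, but the identical block appears again in the next hunk for the gid attribute with only the message text changed. A small static helper that takes the attribute name and the label used in the message (or a single loop over the two attributes) would keep the two checks from diverging. sdap_save_user_send starts before this hunk.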
@@ -895,6 +907,12 @@ static struct tevent_req *sdap_save_user_send(TALLOC_CTX *memctx,
ret = sysdb_attrs_get_el(state->attrs,
opts->user_map[SDAP_AT_USER_GID].sys_name, &el);
if (ret) goto fail;
+ if (el->num_values == 0) {
+ DEBUG(1, ("no gid provided for user [%s] in domain [%s].\n", name,
+ dom->name));
+ ret = EINVAL;
+ goto fail;
+ }
errno = 0;
l = strtol((const char *)el->values[0].data, NULL, 0);
if (errno) {
diff --git a/server/providers/ldap/sdap_async.h b/server/providers/ldap/sdap_async.h
index 1cf00d47..0cb0b907 100644
--- a/server/providers/ldap/sdap_async.h
+++ b/server/providers/ldap/sdap_async.h
@@ -56,6 +56,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_handle *sh,
const char *user_dn,
+ const char *authtok_type,
const char *password);
int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result);