-rw-r--r-- | src/config/SSSDConfig.py | 1 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 13 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/ldap_child.c | 11 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.c | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.h | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 18 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_private.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_child_helpers.c | 9 | ||||
-rw-r--r-- | src/util/util.h | 5 |
12 files changed, 57 insertions, 13 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index ef16bb97..9e178f11 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -125,6 +125,7 @@ option_strings = {
 'ldap_krb5_keytab' : _('Kerberos service keytab'),
 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
 'ldap_referrals' : _('Follow LDAP referrals'),
+ 'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'),
 
 # [provider/ldap/id]
 'ldap_search_timeout' : _('Length of time to wait for a search request'),
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index c119e7f3..9b1f14b6 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -569,6 +569,19 @@
 </varlistentry>
 
 <varlistentry>
+ <term>ldap_krb5_ticket_lifetime (integer)</term>
+ <listitem>
+ <para>
+ Specifies the lifetime in seconds of the TGT if
+ GSSAPI is used.
+ </para>
+ <para>
+ Default: 86400 (24 hours)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
 <term>krb5_realm (string)</term>
 <listitem>
 <para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 03c02367..36811720 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -70,7 +70,8 @@ struct dp_option ipa_def_ldap_opts[] = {
 { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
 { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
- { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING }
+ { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING },
+ { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER }
 };
 
 struct sdap_attr_map ipa_attr_map[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 14bd971e..f59a7d7b 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
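Review bot: The 24-hour default is spelled out as the literal `(24 * 60 * 60)` in the new ipa_def_ldap_opts entry here and again in default_basic_opts in ldap_common.c, and as 86400 in sssd-ldap.5.xml, so three places now have to be kept in step by hand. A single named constant next to the enum in sdap.h, e.g. `#define SDAP_KRB5_TICKET_LIFETIME_DEFAULT (24 * 60 * 60)` (name constructed), used by both option tables would leave only the man page to update. The same applies to the ldap_common.c hunk further down.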
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following defines are used to keep track of the options in the ldap
 * module, so that if they change and ipa is not updated correspondingly
 * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 33
+#define IPA_OPTS_BASIC_TEST 34
 
 /* the following define is used to keep track of the options in the krb5
 * module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 6a78ca01..3369d709 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -40,6 +40,7 @@ struct input_buffer {
 const char *realm_str;
 const char *princ_str;
 const char *keytab_name;
+ krb5_deltat lifetime;
 };
 
 static errno_t unpack_buffer(uint8_t *buf, size_t size,
@@ -86,6 +87,10 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
 p += len;
 }
 
+ /* ticket lifetime */
+ SAFEALIGN_COPY_INT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
+ DEBUG(7, ("lifetime: %d\n", ibuf->lifetime));
+
 return EOK;
 }
 
@@ -118,6 +123,7 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 const char *realm_str,
 const char *princ_str,
 const char *keytab_name,
+ const krb5_deltat lifetime,
 const char **ccname_out)
 {
 char *ccname;
@@ -220,8 +226,7 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 krb5_get_init_creds_opt_set_address_list(&options, NULL);
 krb5_get_init_creds_opt_set_forwardable(&options, 0);
 krb5_get_init_creds_opt_set_proxiable(&options, 0);
- /* set a very short lifetime, we don't keep the ticket around */
- krb5_get_init_creds_opt_set_tkt_life(&options, 300);
+ krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
 
 krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
 keytab, 0, NULL, &options);
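Review bot: The removed comment was the only explanation of why the child asked for a short-lived ticket, and the replacement line `krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);` says nothing about where the value comes from or that the credential cache the child writes now holds a ticket that is a day long by default. Add `/* lifetime comes from ldap_krb5_ticket_lifetime; the parent range-checks it in sdap_kinit_send() */` above it. A configured value of 0 also passes the parent's check and reaches this call unchanged; confirm what the library does with a zero ticket lifetime and reject it in unpack_buffer if that is not intended. ldap_child_get_tgt_sync begins before and ends after the hunks shown here.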
@@ -392,7 +397,7 @@ int main(int argc, const char *argv[])
 
 kerr = ldap_child_get_tgt_sync(main_ctx,
 ibuf->realm_str, ibuf->princ_str,
- ibuf->keytab_name, &ccname);
+ ibuf->keytab_name, ibuf->lifetime, &ccname);
 if (kerr != EOK) {
 DEBUG(1, ("ldap_child_get_tgt_sync failed.\n"));
 /* Do not return, must report failure */
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 03b2133a..32057184 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -64,7 +64,8 @@ struct dp_option default_basic_opts[] = {
 { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
 { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
- { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING }
+ { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING },
+ { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER }
 };
 
 struct sdap_attr_map generic_attr_map[] = {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index a4da43b3..917e6010 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -151,6 +151,7 @@ enum sdap_basic_opt {
 SDAP_REFERRALS,
 SDAP_ACCOUNT_CACHE_EXPIRATION,
 SDAP_DNS_SERVICE_NAME,
+ SDAP_KRB5_TICKET_LIFETIME,
 SDAP_OPTS_BASIC /* opts counter */
 };
 
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 888df6b4..1e52c480 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -65,7 +65,8 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
 int timeout,
 const char *keytab,
 const char *principal,
- const char *realm);
+ const char *realm,
+ int lifetime);
 int sdap_kinit_recv(struct tevent_req *req, enum sdap_result *result);
 
 struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index bd8d4e96..2748ed51 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -607,14 +607,21 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
 int timeout,
 const char *keytab,
 const char *principal,
- const char *realm)
+ const char *realm,
+ int lifetime)
 {
 struct tevent_req *req;
 struct tevent_req *subreq;
 struct sdap_kinit_state *state;
 int ret;
 
- DEBUG(6, ("Attempting kinit (%s, %s, %s)\n", keytab, principal, realm));
+ DEBUG(6, ("Attempting kinit (%s, %s, %s, %d)\n", keytab, principal, realm,
+ lifetime));
+
+ if (lifetime < 0 || lifetime > INT32_MAX) {
+ DEBUG(1, ("Ticket lifetime out of range.\n"));
+ return NULL;
+ }
 
 req = tevent_req_create(memctx, &state, struct sdap_kinit_state);
 if (!req) return NULL;
@@ -629,7 +636,8 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
 }
 }
 
- subreq = sdap_get_tgt_send(state, ev, realm, principal, keytab, timeout);
+ subreq = sdap_get_tgt_send(state, ev, realm, principal, keytab, lifetime,
+ timeout);
 if (!subreq) {
 talloc_zfree(req);
 return NULL;
@@ -1055,7 +1063,9 @@ static void sdap_cli_kinit_step(struct tevent_req *req)
 dp_opt_get_string(state->opts->basic,
 SDAP_SASL_AUTHID),
 dp_opt_get_string(state->opts->basic,
- SDAP_KRB5_REALM));
+ SDAP_KRB5_REALM),
+ dp_opt_get_int(state->opts->basic,
+ SDAP_KRB5_TICKET_LIFETIME));
 if (!subreq) {
 tevent_req_error(req, ENOMEM);
 return;
diff --git a/src/providers/ldap/sdap_async_private.h b/src/providers/ldap/sdap_async_private.h
index c74a7e60..727cee2e 100644
--- a/src/providers/ldap/sdap_async_private.h
+++ b/src/providers/ldap/sdap_async_private.h
@@ -58,6 +58,7 @@ struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx,
 const char *realm_str,
 const char *princ_str,
 const char *keytab_name,
+ int32_t lifetime,
 int timeout);
 
 int sdap_get_tgt_recv(struct tevent_req *req,
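Review bot: In the new range check in sdap_kinit_send, `lifetime > INT32_MAX` cannot be true where `int` is 32 bits wide, and because the check runs before tevent_req_create() a rejected value makes the function return NULL, which sdap_cli_kinit_step (third hunk of this file) then reports as ENOMEM instead of a configuration error. Since sdap_get_tgt_send already takes `int32_t lifetime`, declaring the parameter as `int32_t lifetime` in sdap_async.h and here would shrink the guard to `if (lifetime < 0) {`, and validating the option once where the LDAP options are loaded would let the user see an EINVAL-style message rather than an out-of-memory one. The types also currently differ along the path (int here, int32_t in the private header, krb5_deltat in the child), which is what made the guard necessary in the first place.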
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index c61f3cce..b45e4eae 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -137,6 +137,7 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
 const char *realm_str,
 const char *princ_str,
 const char *keytab_name,
+ int32_t lifetime,
 struct io_buffer **io_buf)
 {
 struct io_buffer *buf;
@@ -148,7 +149,7 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
 return ENOMEM;
 }
 
- buf->size = 3 * sizeof(uint32_t);
+ buf->size = 4 * sizeof(uint32_t);
 if (realm_str) {
 buf->size += strlen(realm_str);
 }
@@ -194,6 +195,9 @@ static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx,
 SAFEALIGN_SET_UINT32(&buf->data[rp], 0, &rp);
 }
 
+ /* lifetime */
+ SAFEALIGN_SET_UINT32(&buf->data[rp], lifetime, &rp);
+
 *io_buf = buf;
 return EOK;
 }
@@ -248,6 +252,7 @@ struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx,
 const char *realm_str,
 const char *princ_str,
 const char *keytab_name,
+ int32_t lifetime,
 int timeout)
 {
 struct tevent_req *req, *subreq;
@@ -274,7 +279,7 @@ struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx,
 
 /* prepare the data to pass to child */
 ret = create_tgt_req_send_buffer(state,
- realm_str, princ_str, keytab_name,
+ realm_str, princ_str, keytab_name, lifetime,
 &buf);
 if (ret != EOK) {
 DEBUG(1, ("create_tgt_req_send_buffer failed.\n"));
diff --git a/src/util/util.h b/src/util/util.h
index 25e7b6c2..58c51a0a 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -198,6 +198,11 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
 safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \
 } while(0)
 
+#define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \
+ if ((*(pctr) + sizeof(int32_t)) > (len)) return EINVAL; \
+ safealign_memcpy(dest, src, sizeof(int32_t), pctr); \
+} while(0)
+
 #include "util/dlinklist.h"
 
 /* From debug.c */
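Review bot: SAFEALIGN_COPY_INT32_CHECK in the util.h hunk repeats the body of the uint32 macro whose tail is visible in the context lines directly above it, differing only in the type named in sizeof(), and int32_t and uint32_t have the same width, so the bounds logic now lives in two places. Defining the new name as an alias of the existing one (its name is not visible here, so I won't quote it) keeps one copy of the check. The macro also hides a `return EINVAL;` from its caller, which is fine for unpack_buffer since it returns errno_t, but worth a one-line comment on the macro such as `/* returns EINVAL from the calling function on a short buffer */` so the next user notices. The matching write in the sdap_child_helpers.c hunk stores the signed value through SAFEALIGN_SET_UINT32; a comment there noting that the child reads it back as a signed 32-bit value would document the intended round-trip.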