-rw-r--r-- | server/man/sssd-ldap.5.xml | 21 | ||||
-rw-r--r-- | server/providers/ldap/ldap_auth.c | 2 | ||||
-rw-r--r-- | server/providers/ldap/ldap_id.c | 35 | ||||
-rw-r--r-- | server/providers/ldap/sdap.c | 1 | ||||
-rw-r--r-- | server/providers/ldap/sdap_async.c | 18 | ||||
-rw-r--r-- | server/providers/ldap/sdap_async.h | 1 |
6 files changed, 69 insertions, 9 deletions
diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml index 85122092..385a299a 100644 --- a/server/man/sssd-ldap.5.xml +++ b/server/man/sssd-ldap.5.xml @@ -72,6 +72,27 @@ </varlistentry> <varlistentry> + <term>defaultAuthtokType (string)</term> + <listitem> + <para> + The type of the authentication token of the + default bind DN. So far "password" is the only + supported value. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>defaultAuthtok (string)</term> + <listitem> + <para> + The authentication token of the default bind DN. + So far only a clear text password is supported. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>userSearchBase (string)</term> <listitem> <para> diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c index f0b12a0a..47ed0f0d 100644 --- a/server/providers/ldap/ldap_auth.c +++ b/server/providers/ldap/ldap_auth.c @@ -256,7 +256,7 @@ static void auth_get_user_dn_done(struct tevent_req *subreq) } subreq = sdap_auth_send(state, state->ev, state->sh, - state->dn, state->password); + state->dn, "password", state->password); if (!subreq) { tevent_req_error(req, ENOMEM); return; diff --git a/server/providers/ldap/ldap_id.c b/server/providers/ldap/ldap_id.c index 3008f9be..bb65cd44 100644 --- a/server/providers/ldap/ldap_id.c +++ b/server/providers/ldap/ldap_id.c 
@@ -115,17 +115,23 @@ struct sdap_id_connect_state { struct tevent_context *ev; struct sdap_id_ctx *ctx; bool use_start_tls; + char *defaultBindDn; + char *defaultAuthtokType; + char *defaultAuthtok; struct sdap_handle *sh; }; static void sdap_id_connect_done(struct tevent_req *subreq); -static void sdap_id_anon_bind_done(struct tevent_req *subreq); +static void sdap_id_bind_done(struct tevent_req *subreq); struct tevent_req *sdap_id_connect_send(TALLOC_CTX *memctx, struct tevent_context *ev, struct sdap_id_ctx *ctx, - bool use_start_tls) + bool use_start_tls, + char *defaultBindDn, + char *defaultAuthtokType, + char *defaultAuthtok) { struct tevent_req *req, *subreq; struct sdap_id_connect_state *state; @@ -136,6 +142,9 @@ struct tevent_req *sdap_id_connect_send(TALLOC_CTX *memctx, state->ev = ev; state->ctx = ctx; state->use_start_tls = use_start_tls; + state->defaultBindDn = defaultBindDn; + state->defaultAuthtokType = defaultAuthtokType; + state->defaultAuthtok = defaultAuthtok; subreq = sdap_connect_send(state, ev, ctx->opts, use_start_tls); if (!subreq) { @@ -163,16 +172,17 @@ static void sdap_id_connect_done(struct tevent_req *subreq) } /* TODO: use authentication (SASL/GSSAPI) when necessary */ - subreq = sdap_auth_send(state, state->ev, state->sh, NULL, NULL); + subreq = sdap_auth_send(state, state->ev, state->sh, state->defaultBindDn, + state->defaultAuthtokType, state->defaultAuthtok); if (!subreq) { tevent_req_error(req, ENOMEM); return; } - tevent_req_set_callback(subreq, sdap_id_anon_bind_done, req); + tevent_req_set_callback(subreq, sdap_id_bind_done, req); } -static void sdap_id_anon_bind_done(struct tevent_req *subreq) +static void sdap_id_bind_done(struct tevent_req *subreq) { struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); 
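Review bot: The three new fields and parameters in the `@@ -115` hunk are declared `char *` although nothing in the hunk writes through them; they are only copied into the state and forwarded to `sdap_auth_send`, whose parameters are `const char *`, so `const char *defaultBindDn;`, `const char *defaultAuthtokType;`, `const char *defaultAuthtok;` (and the matching parameters) would state that the connect request borrows these strings rather than owning them. The state keeps raw pointers into the caller's option storage, so the request presumably relies on `ctx->opts` outliving it — if that is the intent, a one-line comment on the struct such as `/* borrowed from ctx->opts; not owned by this request */` would make the lifetime explicit. The struct definition starts before the hunk.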
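Review bot: In the `@@ -163` hunk the only failure path after `sdap_auth_send` still reports `ENOMEM`, but with this change `sdap_auth_send` also returns NULL when `defaultAuthtokType` is not "password" (see the `sdap_async.c` hunk), so a configuration mistake would be logged and propagated as an out-of-memory error. Either validate `SDAP_DEFAULT_AUTHTOK_TYPE` once when the options are loaded, or make the unsupported-type case distinguishable from allocation failure, for example by letting `sdap_auth_send` create the request and fail it with `EINVAL` through `tevent_req_error` followed by `tevent_req_post`. The same NULL-means-ENOMEM mapping is present in the `ldap_auth.c` hunk, though that caller passes the literal "password" and cannot trigger it. The `/* TODO: use authentication (SASL/GSSAPI) when necessary */` comment above the call is now partly stale, since a simple bind with a default DN is implemented here. `sdap_id_connect_done` starts before the hunk.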
@@ -282,7 +292,10 @@ static struct tevent_req *users_get_send(TALLOC_CTX *memctx, /* FIXME: add option to decide if tls should be used * or SASL/GSSAPI, etc ... */ - subreq = sdap_id_connect_send(state, ev, ctx, false); + subreq = sdap_id_connect_send(state, ev, ctx, false, + ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value, + ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value, + ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value); if (!subreq) { ret = ENOMEM; goto fail; @@ -439,7 +452,10 @@ static struct tevent_req *groups_get_send(TALLOC_CTX *memctx, /* FIXME: add option to decide if tls should be used * or SASL/GSSAPI, etc ... */ - subreq = sdap_id_connect_send(state, ev, ctx, false); + subreq = sdap_id_connect_send(state, ev, ctx, false, + ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value, + ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value, + ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value); if (!subreq) { ret = ENOMEM; goto fail; @@ -571,7 +587,10 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, /* FIXME: add option to decide if tls should be used * or SASL/GSSAPI, etc ... */ - subreq = sdap_id_connect_send(state, ev, ctx, false); + subreq = sdap_id_connect_send(state, ev, ctx, false, + ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value, + ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value, + ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value); if (!subreq) { ret = ENOMEM; goto fail; diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c index 9c957ff2..0b16db43 100644 --- a/server/providers/ldap/sdap.c +++ b/server/providers/ldap/sdap.c @@ -233,6 +233,7 @@ static int sdap_parse_entry(TALLOC_CTX *memctx, goto fail; } + DEBUG(9, ("OriginalDN: [%s].\n", str)); ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str); if (ret) goto fail; if (_dn) { diff --git a/server/providers/ldap/sdap_async.c b/server/providers/ldap/sdap_async.c index b2e0fb21..b71b61f2 100644 --- a/server/providers/ldap/sdap_async.c +++ b/server/providers/ldap/sdap_async.c 
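Review bot: The `@@ -282` hunk, and likewise the `@@ -439` and `@@ -571` hunks, each repeat the same three `ctx->opts->basic[...]` lookups to feed `sdap_id_connect_send`, even though that function already receives `ctx` and reads `ctx->opts` itself when it calls `sdap_connect_send`. Moving the lookups inside `sdap_id_connect_send` would keep the call `sdap_id_connect_send(state, ev, ctx, false)` unchanged at all three sites and leave a single place that decides which bind credentials are used. If the extra parameters are kept, a short comment at the first call site noting that the three values are presumably NULL when the options are unset (the `sdap_async.c` check explicitly accepts a NULL `authtok_type`) would help readers. `users_get_send`, `groups_get_send` and `groups_by_user_send` all start before their hunks.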
@@ -728,11 +728,17 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, struct tevent_context *ev, struct sdap_handle *sh, const char *user_dn, + const char *authtok_type, const char *password) { struct tevent_req *req, *subreq; struct sdap_auth_state *state; + if (authtok_type != NULL && strcasecmp(authtok_type,"password") != 0) { + DEBUG(1,("Authentication token type [%s] is not supported")); + return NULL; + } + req = tevent_req_create(memctx, &state, struct sdap_auth_state); if (!req) return NULL; @@ -884,6 +890,12 @@ static struct tevent_req *sdap_save_user_send(TALLOC_CTX *memctx, ret = sysdb_attrs_get_el(state->attrs, opts->user_map[SDAP_AT_USER_UID].sys_name, &el); if (ret) goto fail; + if (el->num_values == 0) { + DEBUG(1, ("no uid provided for user [%s] in domain [%s].\n", name, + dom->name)); + ret = EINVAL; + goto fail; + } errno = 0; l = strtol((const char *)el->values[0].data, NULL, 0); if (errno) { @@ -895,6 +907,12 @@ static struct tevent_req *sdap_save_user_send(TALLOC_CTX *memctx, ret = sysdb_attrs_get_el(state->attrs, opts->user_map[SDAP_AT_USER_GID].sys_name, &el); if (ret) goto fail; + if (el->num_values == 0) { + DEBUG(1, ("no gid provided for user [%s] in domain [%s].\n", name, + dom->name)); + ret = EINVAL; + goto fail; + } errno = 0; l = strtol((const char *)el->values[0].data, NULL, 0); if (errno) { diff --git a/server/providers/ldap/sdap_async.h b/server/providers/ldap/sdap_async.h index 1cf00d47..0cb0b907 100644 --- a/server/providers/ldap/sdap_async.h +++ b/server/providers/ldap/sdap_async.h @@ -56,6 +56,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, struct tevent_context *ev, struct sdap_handle *sh, const char *user_dn, + const char *authtok_type, const char *password); int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result); |
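Review bot: The new `DEBUG(1,("Authentication token type [%s] is not supported"));` in the `@@ -728` hunk has a `%s` conversion with no matching argument, which is undefined behavior in the underlying printf and will print whatever happens to occupy the argument slot; it also lacks the trailing newline the other messages in this commit use. It should read `DEBUG(1, ("Authentication token type [%s] is not supported.\n", authtok_type));`. The check runs before `tevent_req_create`, so on an unsupported type the function returns NULL without a request object, and the callers in `ldap_id.c` treat that as ENOMEM (raised at that hunk). `sdap_auth_send` continues past the end of the hunk.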
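Review bot: The `el->num_values == 0` guard added in the `@@ -884` hunk (and its gid twin in `@@ -895`) protects `el->values[0]`, but the `strtol(..., NULL, 0)` directly below still accepts a non-numeric or partially numeric value: `strtol` returns 0 and leaves `errno` untouched for input such as `"abc"`, so a malformed `uidNumber` would pass this check and, unless something below the hunk rejects `l == 0`, be cached as uid 0. Since the hunk is already hardening this path, pass an end pointer and reject trailing garbage: `char *end; l = strtol((const char *)el->values[0].data, &end, 0); if (errno || end == (const char *)el->values[0].data || *end != '\0') { ret = EINVAL; goto fail; }` (the same applies to the gid hunk). Optionally, the message could name the attribute that was empty via `sys_name` instead of the generic "uid"/"gid". `sdap_save_user_send` starts before the hunk.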