-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 7 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ldap.conf | 8 | ||||
-rw-r--r-- | src/config/upgrade_config.py | 7 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 91 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 35 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.c | 40 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 13 |
8 files changed, 199 insertions, 4 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index ac681710..88ff0f05 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -70,6 +70,13 @@ ldap_group_member = str, None, false
 ldap_group_uuid = str, None, false
 ldap_group_modify_timestamp = str, None, false
 ldap_force_upper_case_realm = bool, None, false
+ldap_netgroup_search_base = str, None, false
+ldap_netgroup_object_class = str, None, false
+ldap_netgroup_name = str, None, false
+ldap_netgroup_member = str, None, false
+ldap_netgroup_triple = str, None, false
+ldap_netgroup_uuid = str, None, false
+ldap_netgroup_modify_timestamp = str, None, false
 
 [provider/ipa/auth]
 krb5_ccachedir = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 7f0c3606..38c75b2e 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -63,6 +63,14 @@ ldap_group_member = str, None, false
 ldap_group_uuid = str, None, false
 ldap_group_modify_timestamp = str, None, false
 ldap_force_upper_case_realm = bool, None, false
+ldap_netgroup_search_base = str, None, false
+ldap_netgroup_object_class = str, None, false
+ldap_netgroup_name = str, None, false
+ldap_netgroup_member = str, None, false
+ldap_netgroup_triple = str, None, false
+ldap_netgroup_uuid = str, None, false
+ldap_netgroup_modify_timestamp = str, None, false
+
 
 [provider/ldap/auth]
 ldap_pwd_policy = str, None, false
diff --git a/src/config/upgrade_config.py b/src/config/upgrade_config.py
index ff22b489..62ffe527 100644
--- a/src/config/upgrade_config.py
+++ b/src/config/upgrade_config.py
@@ -193,6 +193,13 @@ class SSSDConfigFile(SSSDChangeConf):
 'ldap_stale_time' : 'stale_time',
 'ldap_opt_timeout' : 'opt_timeout',
 'ldap_tls_reqcert' : 'tls_reqcert',
+ 'ldap_netgroup_search_base' : 'netgroupSearchBase',
+ 'ldap_netgroup_object_class' : 'netgroupObjectClass',
+ 'ldap_netgroup_name' : 'netgroupName',
+ 'ldap_netgroup_member' : 'netgroupMember',
+ 'ldap_netgroup_triple' : 'netgroupTriple',
+ 'ldap_netgroup_uuid' : 'netgroupUUID',
+ 'ldap_netgroup_modify_timestamp' : 'netgroupModifyTimestamp',
 }
 krb5_kw = {
 'krb5_kdcip' : 'krb5KDCIP',
 'krb5_realm' : 'krb5REALM',
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 9fb8f6bb..646ef4cf 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -578,6 +578,97 @@
 </varlistentry>
 
 <varlistentry>
+ <term>ldap_netgroup_search_base (string)</term>
+ <listitem>
+ <para>
+ An optional base DN to restrict netgroup searches
+ to a specific subtree.
+ </para>
+ <para>
+ Default: the value of
+ <emphasis>ldap_search_base</emphasis>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_object_class (string)</term>
+ <listitem>
+ <para>
+ The object class of a netgroup entry in LDAP.
+ </para>
+ <para>
+ Default: nisNetgroup
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_name (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to
+ the netgroup name.
+ </para>
+ <para>
+ Default: cn
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_member (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the names of
+ the netgroup's members.
+ </para>
+ <para>
+ Default: memberNisNetgroup
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_triple (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the (host, user,
+ domain) netgroup triples.
+ </para>
+ <para>
+ Default: nisNetgroupTriple
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_uuid (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the UUID/GUID of
+ an LDAP netgroup object.
+ </para>
+ <para>
+ Default: nsUniqueId
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_modify_timestamp (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains timestamp of the
+ last modification of the parent object.
+ </para>
+ <para>
+ Default: modifyTimestamp
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
 <term>ldap_search_timeout (integer)</term>
 <listitem>
 <para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index dea1a73f..2acd72a6 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -73,7 +73,8 @@ struct dp_option ipa_def_ldap_opts[] = {
 { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
 { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING },
 { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER },
- { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }
 };
 
 struct sdap_attr_map ipa_attr_map[] = {
@@ -117,6 +118,15 @@ struct sdap_attr_map ipa_group_map[] = {
 { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
 };
 
+struct sdap_attr_map ipa_netgroup_map[] = {
+ { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
+ { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL },
+ { "ldap_netgroup_member", "memberNisNetgroup", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
+ { "ldap_netgroup_triple", "nisNetgroupTriple", SYSDB_NETGROUP_TRIPLE, NULL },
+ { "ldap_netgroup_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+ { "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
+};
+
 struct dp_option ipa_def_krb5_opts[] = {
 { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
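Review bot: ipa_netgroup_map in the @@ -117 hunk is an entry-for-entry copy of netgroup_map in ldap_common.c, but it drops the `/* FIXME: this is 389ds specific */` remark that the LDAP copy attaches to the nsUniqueId row. For the IPA provider that default is presumably the intended one, which is worth stating so nobody re-adds the FIXME here later: `/* IPA is 389ds-based, so nsUniqueId is the intended UUID attribute here */`. Because sdap_get_map is handed this table together with SDAP_OPTS_NETGROUP, the row order also has to track enum sdap_netgroup_attrs in sdap.h, and as far as this diff shows nothing checks that; a one-line comment above the table naming the coupling would help.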
@@ -334,6 +344,20 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
 SDAP_GROUP_SEARCH_BASE)));
 }
 
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_NETGROUP_SEARCH_BASE)) {
+ ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_NETGROUP_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_NETGROUP_SEARCH_BASE)));
+ }
+
 ret = sdap_get_map(ipa_opts->id,
 cdb, conf_path,
 ipa_attr_map, SDAP_AT_GENERAL,
@@ -360,6 +384,15 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
 goto done;
 }
 
+ ret = sdap_get_map(ipa_opts->id,
+ cdb, conf_path,
+ ipa_netgroup_map,
+ SDAP_OPTS_NETGROUP,
+ &ipa_opts->id->netgroup_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
 ret = EOK;
 *_opts = ipa_opts->id;
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 1638f2a8..144ebf0c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following defines are used to keep track of the options in the ldap
 * module, so that if they change and ipa is not updated correspondingly
 * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 36
+#define IPA_OPTS_BASIC_TEST 37
 
 /* the following define is used to keep track of the options in the krb5
 * module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 87fd43a1..6925e694 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
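Review bot: The block added in the @@ -334 hunk defaults ldap_netgroup_search_base to the domain-wide ldap_search_base, so every netgroup lookup on an IPA server becomes a subtree search over the whole suffix. If IPA keeps netgroups in a dedicated container, a narrower IPA-specific default here would cut both the search scope and the entries the server has to filter; if falling back to the domain base is deliberate for now, a one-line comment such as `/* TODO: consider a narrower IPA netgroup container instead of the domain base */` stops the next reader from assuming it was overlooked. The @@ -360 hunk looks fine. ipa_get_id_options begins and ends outside the hunk.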
@@ -69,7 +69,8 @@ struct dp_option default_basic_opts[] = {
 { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
 { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING },
 { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER },
- { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 };
 
 struct sdap_attr_map generic_attr_map[] = {
@@ -161,6 +162,16 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
 { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
 };
 
+struct sdap_attr_map netgroup_map[] = {
+ { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
+ { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL },
+ { "ldap_netgroup_member", "memberNisNetgroup", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
+ { "ldap_netgroup_triple", "nisNetgroupTriple", SYSDB_NETGROUP_TRIPLE, NULL },
+ /* FIXME: this is 389ds specific */
+ { "ldap_netgroup_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+ { "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
+};
+
 int ldap_get_options(TALLOC_CTX *memctx,
 struct confdb_ctx *cdb,
 const char *conf_path,
@@ -169,6 +180,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
 struct sdap_attr_map *default_attr_map;
 struct sdap_attr_map *default_user_map;
 struct sdap_attr_map *default_group_map;
+ struct sdap_attr_map *default_netgroup_map;
 struct sdap_options *opts;
 char *schema;
 const char *pwd_policy;
@@ -187,7 +199,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
 goto done;
 }
 
- /* set user/group search bases if they are not */
+ /* set user/group/netgroup search bases if they are not */
 if (NULL == dp_opt_get_string(opts->basic, SDAP_USER_SEARCH_BASE)) {
 ret = dp_opt_set_string(opts->basic, SDAP_USER_SEARCH_BASE,
 dp_opt_get_string(opts->basic,
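Review bot: netgroup_map in the @@ -161 hunk keeps the `/* FIXME: this is 389ds specific */` remark on the nsUniqueId row, yet the @@ -287 hunk selects this same table for every schema including AD, and the man page hunk documents `Default: nsUniqueId` with no caveat. On a server that does not expose nsUniqueId the netgroup UUID is presumably never filled in unless the administrator overrides ldap_netgroup_uuid, and what the save path does with a missing UUID is not visible in this diff. I would turn the FIXME into an actionable comment, `/* nsUniqueId is 389ds-specific; on other servers ldap_netgroup_uuid must be set explicitly (entryUUID on OpenLDAP, objectGUID on AD) */`, and add the same sentence to the man page entry. Separately, the new row in the @@ -69 hunk ends with a trailing comma while its twin in ipa_common.c does not; the two tables are kept in lockstep through IPA_OPTS_BASIC_TEST, so matching punctuation makes the side-by-side comparison easier.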
@@ -212,6 +224,18 @@ int ldap_get_options(TALLOC_CTX *memctx,
 dp_opt_get_string(opts->basic,
 SDAP_GROUP_SEARCH_BASE)));
 }
+ if (NULL == dp_opt_get_string(opts->basic, SDAP_NETGROUP_SEARCH_BASE)) {
+ ret = dp_opt_set_string(opts->basic, SDAP_NETGROUP_SEARCH_BASE,
+ dp_opt_get_string(opts->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ opts->basic[SDAP_NETGROUP_SEARCH_BASE].opt_name,
+ dp_opt_get_string(opts->basic, SDAP_NETGROUP_SEARCH_BASE)));
+ }
+
 pwd_policy = dp_opt_get_string(opts->basic, SDAP_PWD_POLICY);
 if (pwd_policy == NULL) {
 DEBUG(1, ("Missing password policy, this may not happen.\n"));
@@ -287,24 +311,28 @@ int ldap_get_options(TALLOC_CTX *memctx,
 default_attr_map = generic_attr_map;
 default_user_map = rfc2307_user_map;
 default_group_map = rfc2307_group_map;
+ default_netgroup_map = netgroup_map;
 } else if (strcasecmp(schema, "rfc2307bis") == 0) {
 opts->schema_type = SDAP_SCHEMA_RFC2307BIS;
 default_attr_map = generic_attr_map;
 default_user_map = rfc2307bis_user_map;
 default_group_map = rfc2307bis_group_map;
+ default_netgroup_map = netgroup_map;
 } else if (strcasecmp(schema, "IPA") == 0) {
 opts->schema_type = SDAP_SCHEMA_IPA_V1;
 default_attr_map = gen_ipa_attr_map;
 default_user_map = rfc2307bis_user_map;
 default_group_map = rfc2307bis_group_map;
+ default_netgroup_map = netgroup_map;
 } else if (strcasecmp(schema, "AD") == 0) {
 opts->schema_type = SDAP_SCHEMA_AD;
 default_attr_map = gen_ad_attr_map;
 default_user_map = rfc2307bis_user_map;
 default_group_map = rfc2307bis_group_map;
+ default_netgroup_map = netgroup_map;
 } else {
 DEBUG(0, ("Unrecognized schema type: %s\n", schema));
 ret = EINVAL;
@@ -335,6 +363,14 @@ int ldap_get_options(TALLOC_CTX *memctx,
 goto done;
 }
 
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_netgroup_map,
+ SDAP_OPTS_NETGROUP,
+ &opts->netgroup_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
 ret = EOK;
 *_opts = opts;
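Review bot: The netgroup block added in the @@ -212 hunk is the third verbatim copy of the get/set/DEBUG sequence already used for the user and group search bases just above it, and ipa_get_id_options repeats it once more; the only thing that differs is the option index. A small static helper taking the `enum sdap_basic_opt` index would let each site collapse to a two-line call and keep the fallback rule and the log message in one place, so a future change to one of them cannot drift from the others. A sketch is below; the user and group blocks above the hunk would become the same call with their own index. ldap_get_options starts and ends outside the hunk.
```c
/* Default a per-object search base to ldap_search_base when it is unset. */
static int sdap_set_default_search_base(struct dp_option *basic,
                                        enum sdap_basic_opt opt)
{
    int ret;

    if (dp_opt_get_string(basic, opt) != NULL) {
        return EOK;
    }

    ret = dp_opt_set_string(basic, opt,
                            dp_opt_get_string(basic, SDAP_SEARCH_BASE));
    if (ret != EOK) {
        return ret;
    }

    DEBUG(6, ("Option %s set to %s\n", basic[opt].opt_name,
              dp_opt_get_string(basic, opt)));
    return EOK;
}

/* … unchanged: option loading, user/group defaults (to become the same call) … */
    ret = sdap_set_default_search_base(opts->basic, SDAP_NETGROUP_SEARCH_BASE);
    if (ret != EOK) {
        goto done;
    }
```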
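Review bot: All four schema branches in the @@ -287 hunk assign the identical `default_netgroup_map = netgroup_map;`, so the choice is not schema-dependent and is better made once at the declaration added in the @@ -169 hunk, `struct sdap_attr_map *default_netgroup_map = netgroup_map;`. That also removes the chance of a future schema branch forgetting the line and handing an uninitialised pointer to the sdap_get_map call in the @@ -335 hunk. If schema-specific netgroup maps are planned, which the FIXME on nsUniqueId in netgroup_map suggests, keep the per-branch form but say so in a comment above the chain.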
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 2b4318e6..bb50db8e 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -176,6 +176,7 @@ enum sdap_basic_opt {
 SDAP_DNS_SERVICE_NAME,
 SDAP_KRB5_TICKET_LIFETIME,
 SDAP_ACCESS_FILTER,
+ SDAP_NETGROUP_SEARCH_BASE,
 
 SDAP_OPTS_BASIC /* opts counter */
 };
@@ -233,6 +234,17 @@ enum sdap_group_attrs {
 SDAP_OPTS_GROUP /* attrs counter */
 };
 
+enum sdap_netgroup_attrs {
+ SDAP_OC_NETGROUP = 0,
+ SDAP_AT_NETGROUP_NAME,
+ SDAP_AT_NETGROUP_MEMBER,
+ SDAP_AT_NETGROUP_TRIPLE,
+ SDAP_AT_NETGROUP_UUID,
+ SDAP_AT_NETGROUP_MODSTAMP,
+
+ SDAP_OPTS_NETGROUP /* attrs counter */
+};
+
 struct sdap_attr_map {
 const char *opt_name;
 const char *def_name;
@@ -245,6 +257,7 @@ struct sdap_options {
 struct sdap_attr_map *gen_map;
 struct sdap_attr_map *user_map;
 struct sdap_attr_map *group_map;
+ struct sdap_attr_map *netgroup_map;
 
 /* supported schema types */
 enum schema_type { |
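Review bot: enum sdap_netgroup_attrs in the @@ -233 hunk is, like the user and group enums next to it, presumably the index set for the rows of netgroup_map and ipa_netgroup_map (sdap_get_map receives each table together with SDAP_OPTS_NETGROUP), but nothing on the enum says that the row order of those two arrays must track it. A comment above the enum, `/* indices into netgroup_map (ldap_common.c) and ipa_netgroup_map (ipa_common.c); keep both arrays in this order */`, would make the coupling visible at the place where a new attribute is most likely to be added. The SDAP_NETGROUP_SEARCH_BASE addition in the @@ -176 hunk sits correctly before the SDAP_OPTS_BASIC counter and is matched by the IPA_OPTS_BASIC_TEST bump in ipa_common.h.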