summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf7
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf8
-rw-r--r--src/config/upgrade_config.py7
-rw-r--r--src/man/sssd-ldap.5.xml91
-rw-r--r--src/providers/ipa/ipa_common.c35
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_common.c40
-rw-r--r--src/providers/ldap/sdap.h13
8 files changed, 199 insertions, 4 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index ac681710..88ff0f05 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -70,6 +70,13 @@ ldap_group_member = str, None, false
ldap_group_uuid = str, None, false
ldap_group_modify_timestamp = str, None, false
ldap_force_upper_case_realm = bool, None, false
+ldap_netgroup_search_base = str, None, false
+ldap_netgroup_object_class = str, None, false
+ldap_netgroup_name = str, None, false
+ldap_netgroup_member = str, None, false
+ldap_netgroup_triple = str, None, false
+ldap_netgroup_uuid = str, None, false
+ldap_netgroup_modify_timestamp = str, None, false
[provider/ipa/auth]
krb5_ccachedir = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 7f0c3606..38c75b2e 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -63,6 +63,14 @@ ldap_group_member = str, None, false
ldap_group_uuid = str, None, false
ldap_group_modify_timestamp = str, None, false
ldap_force_upper_case_realm = bool, None, false
+ldap_netgroup_search_base = str, None, false
+ldap_netgroup_object_class = str, None, false
+ldap_netgroup_name = str, None, false
+ldap_netgroup_member = str, None, false
+ldap_netgroup_triple = str, None, false
+ldap_netgroup_uuid = str, None, false
+ldap_netgroup_modify_timestamp = str, None, false
+
[provider/ldap/auth]
ldap_pwd_policy = str, None, false
diff --git a/src/config/upgrade_config.py b/src/config/upgrade_config.py
index ff22b489..62ffe527 100644
--- a/src/config/upgrade_config.py
+++ b/src/config/upgrade_config.py
@@ -193,6 +193,13 @@ class SSSDConfigFile(SSSDChangeConf):
'ldap_stale_time' : 'stale_time',
'ldap_opt_timeout' : 'opt_timeout',
'ldap_tls_reqcert' : 'tls_reqcert',
+ 'ldap_netgroup_search_base' : 'netgroupSearchBase',
+ 'ldap_netgroup_object_class' : 'netgroupObjectClass',
+ 'ldap_netgroup_name' : 'netgroupName',
+ 'ldap_netgroup_member' : 'netgroupMember',
+ 'ldap_netgroup_triple' : 'netgroupTriple',
+ 'ldap_netgroup_uuid' : 'netgroupUUID',
+ 'ldap_netgroup_modify_timestamp' : 'netgroupModifyTimestamp',
}
krb5_kw = { 'krb5_kdcip' : 'krb5KDCIP',
'krb5_realm' : 'krb5REALM',
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 9fb8f6bb..646ef4cf 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -578,6 +578,97 @@
</varlistentry>
<varlistentry>
+ <term>ldap_netgroup_search_base (string)</term>
+ <listitem>
+ <para>
+ An optional base DN to restrict netgroup searches
+ to a specific subtree.
+ </para>
+ <para>
+ Default: the value of
+ <emphasis>ldap_search_base</emphasis>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_object_class (string)</term>
+ <listitem>
+ <para>
+ The object class of a netgroup entry in LDAP.
+ </para>
+ <para>
+ Default: nisNetgroup
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_name (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that corresponds to
+ the netgroup name.
+ </para>
+ <para>
+ Default: cn
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_member (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the names of
+ the netgroup's members.
+ </para>
+ <para>
+ Default: memberNisNetgroup
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_triple (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the (host, user,
+ domain) netgroup triples.
+ </para>
+ <para>
+ Default: nisNetgroupTriple
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_uuid (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the UUID/GUID of
+ an LDAP netgroup object.
+ </para>
+ <para>
+ Default: nsUniqueId
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_netgroup_modify_timestamp (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains timestamp of the
+ last modification of the parent object.
+ </para>
+ <para>
+ Default: modifyTimestamp
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_search_timeout (integer)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index dea1a73f..2acd72a6 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -73,7 +73,8 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING },
{ "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER },
- { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
struct sdap_attr_map ipa_attr_map[] = {
@@ -117,6 +118,15 @@ struct sdap_attr_map ipa_group_map[] = {
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
};
+struct sdap_attr_map ipa_netgroup_map[] = {
+ { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
+ { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL },
+ { "ldap_netgroup_member", "memberNisNetgroup", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
+ { "ldap_netgroup_triple", "nisNetgroupTriple", SYSDB_NETGROUP_TRIPLE, NULL },
+ { "ldap_netgroup_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+ { "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
+};
+
struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -334,6 +344,20 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
SDAP_GROUP_SEARCH_BASE)));
}
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_NETGROUP_SEARCH_BASE)) {
+ ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_NETGROUP_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_NETGROUP_SEARCH_BASE)));
+ }
+
ret = sdap_get_map(ipa_opts->id, cdb, conf_path,
ipa_attr_map,
SDAP_AT_GENERAL,
@@ -360,6 +384,15 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
goto done;
}
+ ret = sdap_get_map(ipa_opts->id,
+ cdb, conf_path,
+ ipa_netgroup_map,
+ SDAP_OPTS_NETGROUP,
+ &ipa_opts->id->netgroup_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
ret = EOK;
*_opts = ipa_opts->id;
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 1638f2a8..144ebf0c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 36
+#define IPA_OPTS_BASIC_TEST 37
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 87fd43a1..6925e694 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -69,7 +69,8 @@ struct dp_option default_basic_opts[] = {
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING },
{ "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER },
- { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
};
struct sdap_attr_map generic_attr_map[] = {
@@ -161,6 +162,16 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
};
+struct sdap_attr_map netgroup_map[] = {
+ { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
+ { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL },
+ { "ldap_netgroup_member", "memberNisNetgroup", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
+ { "ldap_netgroup_triple", "nisNetgroupTriple", SYSDB_NETGROUP_TRIPLE, NULL },
+ /* FIXME: this is 389ds specific */
+ { "ldap_netgroup_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+ { "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
+};
+
int ldap_get_options(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
const char *conf_path,
@@ -169,6 +180,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
struct sdap_attr_map *default_attr_map;
struct sdap_attr_map *default_user_map;
struct sdap_attr_map *default_group_map;
+ struct sdap_attr_map *default_netgroup_map;
struct sdap_options *opts;
char *schema;
const char *pwd_policy;
@@ -187,7 +199,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
goto done;
}
- /* set user/group search bases if they are not */
+ /* set user/group/netgroup search bases if they are not */
if (NULL == dp_opt_get_string(opts->basic, SDAP_USER_SEARCH_BASE)) {
ret = dp_opt_set_string(opts->basic, SDAP_USER_SEARCH_BASE,
dp_opt_get_string(opts->basic,
@@ -212,6 +224,18 @@ int ldap_get_options(TALLOC_CTX *memctx,
dp_opt_get_string(opts->basic, SDAP_GROUP_SEARCH_BASE)));
}
+ if (NULL == dp_opt_get_string(opts->basic, SDAP_NETGROUP_SEARCH_BASE)) {
+ ret = dp_opt_set_string(opts->basic, SDAP_NETGROUP_SEARCH_BASE,
+ dp_opt_get_string(opts->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ opts->basic[SDAP_NETGROUP_SEARCH_BASE].opt_name,
+ dp_opt_get_string(opts->basic, SDAP_NETGROUP_SEARCH_BASE)));
+ }
+
pwd_policy = dp_opt_get_string(opts->basic, SDAP_PWD_POLICY);
if (pwd_policy == NULL) {
DEBUG(1, ("Missing password policy, this may not happen.\n"));
@@ -287,24 +311,28 @@ int ldap_get_options(TALLOC_CTX *memctx,
default_attr_map = generic_attr_map;
default_user_map = rfc2307_user_map;
default_group_map = rfc2307_group_map;
+ default_netgroup_map = netgroup_map;
} else
if (strcasecmp(schema, "rfc2307bis") == 0) {
opts->schema_type = SDAP_SCHEMA_RFC2307BIS;
default_attr_map = generic_attr_map;
default_user_map = rfc2307bis_user_map;
default_group_map = rfc2307bis_group_map;
+ default_netgroup_map = netgroup_map;
} else
if (strcasecmp(schema, "IPA") == 0) {
opts->schema_type = SDAP_SCHEMA_IPA_V1;
default_attr_map = gen_ipa_attr_map;
default_user_map = rfc2307bis_user_map;
default_group_map = rfc2307bis_group_map;
+ default_netgroup_map = netgroup_map;
} else
if (strcasecmp(schema, "AD") == 0) {
opts->schema_type = SDAP_SCHEMA_AD;
default_attr_map = gen_ad_attr_map;
default_user_map = rfc2307bis_user_map;
default_group_map = rfc2307bis_group_map;
+ default_netgroup_map = netgroup_map;
} else {
DEBUG(0, ("Unrecognized schema type: %s\n", schema));
ret = EINVAL;
@@ -335,6 +363,14 @@ int ldap_get_options(TALLOC_CTX *memctx,
goto done;
}
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_netgroup_map,
+ SDAP_OPTS_NETGROUP,
+ &opts->netgroup_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
ret = EOK;
*_opts = opts;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 2b4318e6..bb50db8e 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -176,6 +176,7 @@ enum sdap_basic_opt {
SDAP_DNS_SERVICE_NAME,
SDAP_KRB5_TICKET_LIFETIME,
SDAP_ACCESS_FILTER,
+ SDAP_NETGROUP_SEARCH_BASE,
SDAP_OPTS_BASIC /* opts counter */
};
@@ -233,6 +234,17 @@ enum sdap_group_attrs {
SDAP_OPTS_GROUP /* attrs counter */
};
+enum sdap_netgroup_attrs {
+ SDAP_OC_NETGROUP = 0,
+ SDAP_AT_NETGROUP_NAME,
+ SDAP_AT_NETGROUP_MEMBER,
+ SDAP_AT_NETGROUP_TRIPLE,
+ SDAP_AT_NETGROUP_UUID,
+ SDAP_AT_NETGROUP_MODSTAMP,
+
+ SDAP_OPTS_NETGROUP /* attrs counter */
+};
+
struct sdap_attr_map {
const char *opt_name;
const char *def_name;
@@ -245,6 +257,7 @@ struct sdap_options {
struct sdap_attr_map *gen_map;
struct sdap_attr_map *user_map;
struct sdap_attr_map *group_map;
+ struct sdap_attr_map *netgroup_map;
/* supported schema types */
enum schema_type {