-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 18 | ||||
-rw-r--r-- | src/db/sysdb.h | 8 | ||||
-rw-r--r-- | src/man/sssd-ipa.5.xml | 89 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 22 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 70 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 23 |
6 files changed, 199 insertions, 31 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 9ea45285..8688dc8d 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -5,6 +5,7 @@ ipa_hostname = str, None, false
 ipa_dyndns_update = bool, None, false
 ipa_dyndns_iface = str, None, false
 ipa_hbac_search_base = str, None, false
+ipa_host_search_base = str, None, false
 ldap_uri = str, None, false
 ldap_search_base = str, None, false
 ldap_schema = str, None, false
@@ -83,12 +84,17 @@ ldap_group_entry_usn = str, None, false
 ldap_force_upper_case_realm = bool, None, false
 ldap_group_nesting_level = int, None, false
 ldap_netgroup_search_base = str, None, false
-ldap_netgroup_object_class = str, None, false
-ldap_netgroup_name = str, None, false
-ldap_netgroup_member = str, None, false
-ldap_netgroup_triple = str, None, false
-ldap_netgroup_uuid = str, None, false
-ldap_netgroup_modify_timestamp = str, None, false
+ipa_netgroup_object_class = str, None, false
+ipa_netgroup_name = str, None, false
+ipa_netgroup_member = str, None, false
+ipa_netgroup_member_of = str, None, false
+ipa_netgroup_member_user = str, None, false
+ipa_netgroup_member_host = str, None, false
+ipa_netgroup_member_ext_host = str, None, false
+ipa_netgroup_domain = str, None, false
+ipa_netgroup_uuid = str, None, false
+ipa_host_object_class = str, None, false
+ipa_host_fqdn = str, None, false
 [provider/ipa/auth]
 krb5_ccachedir = str, None, false
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 88767d3c..5fc36ab5 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -44,6 +44,7 @@
 #define SYSDB_USER_CLASS "user"
 #define SYSDB_GROUP_CLASS "group"
 #define SYSDB_NETGROUP_CLASS "netgroup"
+#define SYSDB_HOST_CLASS "host"
 #define SYSDB_NAME "name"
 #define SYSDB_NAME_ALIAS "nameAlias"
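Review bot: The six `ldap_netgroup_*` keys removed from the section preceding `[provider/ipa/auth]` are dropped outright rather than kept next to the new `ipa_netgroup_*` names, so an existing sssd.conf that still sets, say, `ldap_netgroup_member` in an IPA domain will presumably be reported as an unknown option by whatever validates against this API file (its consumer is not in the diff). If rejecting the old names for IPA domains is intended, that is a compatibility break worth one line in the commit message; if not, keep the old keys here until a migration path exists. The sssd-ldap.5.xml hunks already tell users which new name replaces which old one, so the two should at least agree on whether the old names are still accepted.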
@@ -85,7 +86,14 @@
 #define SYSDB_NETGROUP_TRIPLE "netgroupTriple"
 #define SYSDB_ORIG_NETGROUP_MEMBER "originalMemberNisNetgroup"
+#define SYSDB_ORIG_NETGROUP_MEMBER_USER "originalMemberUser"
+#define SYSDB_ORIG_NETGROUP_MEMBER_HOST "originalMemberHost"
+#define SYSDB_ORIG_NETGROUP_EXTERNAL_HOST "originalExternalHost"
+#define SYSDB_NETGROUP_DOMAIN "nisDomain"
 #define SYSDB_NETGROUP_MEMBER "memberNisNetgroup"
+#define SYSDB_NETGROUP_MEMBER_USER "memberUser"
+#define SYSDB_NETGROUP_MEMBER_HOST "memberHost"
+#define SYSDB_NETGROUP_MEMBER_EXTERNAL_HOST "memberExternalHost"
 #define SYSDB_DESCRIPTION "description"
 #define SYSDB_CACHEDPWD "cachedPassword"
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 221c9a25..32d691d7 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -48,7 +48,10 @@
 <citerefentry>
 <refentrytitle>sssd-krb5</refentrytitle>
 <manvolnum>5</manvolnum>
- </citerefentry> authentication provider.
+ </citerefentry> authentication provider with some exceptions described
+ below.
+ </para>
+ <para>
 However, it is neither necessary nor recommended to set these options. IPA provider can also be used as an access and chpass provider. As an access provider it uses HBAC (host-based access control) rules. Please
@@ -235,6 +238,90 @@
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_member_of (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists netgroup's
+ memberships.
+ </para>
+ <para>
+ Default: memberOf
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_member_user (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists system users
+ and groups that are direct members of the
+ netgroup.
+ </para>
+ <para>
+ Default: memberUser
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_member_host (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists hosts and host groups
+ that are direct members of the netgroup.
+ </para>
+ <para>
+ Default: memberHost
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_member_ext_host (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists FQDNs of hosts
+ and host groups that are members of the netgroup.
+ </para>
+ <para>
+ Default: externalHost
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_domain (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains NIS domain
+ name of the netgroup.
+ </para>
+ <para>
+ Default: nisDomainName
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ipa_host_object_class (string)</term>
+ <listitem>
+ <para>
+ The object class of a host entry in LDAP.
+ </para>
+ <para>
+ Default: ipaHost
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_host_fqdn (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains FQDN of the host.
+ </para>
+ <para>
+ Default: fqdn
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </para>
 </refsect1>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 3efc75e2..75bc764e 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -794,6 +794,10 @@
 The object class of a netgroup entry in LDAP.
 </para>
 <para>
+ In IPA provider, ipa_netgroup_object_class should
+ be used instead.
+ </para>
+ <para>
 Default: nisNetgroup
 </para>
 </listitem>
@@ -807,6 +811,10 @@
 the netgroup name.
 </para>
 <para>
+ In IPA provider, ipa_netgroup_name should
+ be used instead.
+ </para>
+ <para>
 Default: cn
 </para>
 </listitem>
@@ -820,6 +828,10 @@
 the netgroup's members.
 </para>
 <para>
+ In IPA provider, ipa_netgroup_member should
+ be used instead.
+ </para>
+ <para>
 Default: memberNisNetgroup
 </para>
 </listitem>
@@ -833,6 +845,9 @@
 domain) netgroup triples.
 </para>
 <para>
+ This option is not available in IPA provider.
+ </para>
+ <para>
 Default: nisNetgroupTriple
 </para>
 </listitem>
@@ -846,6 +861,10 @@
 an LDAP netgroup object.
 </para>
 <para>
+ In IPA provider, ipa_netgroup_uuid should
+ be used instead.
+ </para>
+ <para>
 Default: nsUniqueId
 </para>
 </listitem>
@@ -859,6 +878,9 @@
 last modification of the parent object.
 </para>
 <para>
+ This option is not available in IPA provider.
+ </para>
+ <para>
 Default: modifyTimestamp
 </para>
 </listitem>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index a0657822..3e848e32 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -37,6 +37,7 @@ struct dp_option ipa_basic_opts[] = {
 { "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ipa_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
 { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }
@@ -154,12 +155,20 @@ struct sdap_attr_map ipa_group_map[] = {
 };
 struct sdap_attr_map ipa_netgroup_map[] = {
- { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
- { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL },
- { "ldap_netgroup_member", "memberNisNetgroup", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
- { "ldap_netgroup_triple", "nisNetgroupTriple", SYSDB_NETGROUP_TRIPLE, NULL },
- { "ldap_netgroup_uuid", "nsUniqueId", SYSDB_UUID, NULL },
- { "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
+ { "ipa_netgroup_object_class", "ipaNisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
+ { "ipa_netgroup_name", "cn", SYSDB_NAME, NULL },
+ { "ipa_netgroup_member", "member", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
+ { "ipa_netgroup_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+ { "ipa_netgroup_member_user", "memberUser", SYSDB_ORIG_NETGROUP_MEMBER_USER, NULL },
+ { "ipa_netgroup_member_host", "memberHost", SYSDB_ORIG_NETGROUP_MEMBER_HOST, NULL },
+ { "ipa_netgroup_member_ext_host", "externalHost", SYSDB_ORIG_NETGROUP_EXTERNAL_HOST, NULL },
+ { "ipa_netgroup_domain", "nisDomainName", SYSDB_NETGROUP_DOMAIN, NULL },
+ { "ipa_netgroup_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
+};
+
+struct sdap_attr_map ipa_host_map[] = {
+ { "ipa_host_object_class", "ipaHost", SYSDB_HOST_CLASS, NULL },
+ { "ipa_host_fqdn", "fqdn", SYSDB_NAME, NULL },
 };
 struct dp_option ipa_def_krb5_opts[] = {
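Review bot: `ipa_netgroup_map` is still loaded into `ipa_opts->id->netgroup_map` (the `sdap_get_map` call in the @@ -527 hunk of this file), but its rows now follow `enum ipa_netgroup_attrs` rather than the layout of the six rows being removed: slot 3 is `memberOf` where the old table had the triple, slot 4 is `memberUser` where it had the UUID, and there is no `modifyTimestamp` row at all. Any generic sdap netgroup code that still reads that map through `SDAP_AT_NETGROUP_*` would therefore fetch the wrong attribute or walk past the meaningful rows; whether the IPA id provider routes netgroup lookups away from that code is not visible in this diff, so please confirm it. Either way the table deserves a comment stating its index contract, e.g. `/* Indexed by enum ipa_netgroup_attrs (ipa_common.h), not SDAP_AT_NETGROUP_*; keep the order in sync */`, and the same for `ipa_host_map` with `enum ipa_host_attrs`.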
@@ -453,31 +462,16 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
 if (NULL == dp_opt_get_string(ipa_opts->id->basic,
 SDAP_NETGROUP_SEARCH_BASE)) {
-#if 0
- ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE,
- dp_opt_get_string(ipa_opts->id->basic,
- SDAP_SEARCH_BASE));
- if (ret != EOK) {
- goto done;
- }
-#else
- /* We don't yet have support for the native representation
- * of netgroups in IPA. For now, we need to point at the
- * compat tree
- */
- value = talloc_asprintf(tmpctx, "cn=ng,cn=compat,%s", basedn);
+ value = talloc_asprintf(tmpctx, "cn=ng,cn=alt,%s", basedn);
 if (!value) {
 ret = ENOMEM;
 goto done;
 }
-
- ret = dp_opt_set_string(ipa_opts->id->basic,
- SDAP_NETGROUP_SEARCH_BASE,
+ ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE,
 value);
 if (ret != EOK) {
 goto done;
 }
-#endif
 DEBUG(6, ("Option %s set to %s\n",
 ipa_opts->id->basic[SDAP_NETGROUP_SEARCH_BASE].opt_name,
@@ -489,6 +483,25 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
 &ipa_opts->id->netgroup_search_bases);
 if (ret != EOK) goto done;
+ if (NULL == dp_opt_get_string(ipa_opts->basic,
+ IPA_HOST_SEARCH_BASE)) {
+ ret = dp_opt_set_string(ipa_opts->basic, IPA_HOST_SEARCH_BASE,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->basic[IPA_HOST_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->basic,
+ IPA_HOST_SEARCH_BASE)));
+ }
+ ret = sdap_parse_search_base(ipa_opts->basic, ipa_opts->basic,
+ IPA_HOST_SEARCH_BASE,
+ &ipa_opts->host_search_bases);
+ if (ret != EOK) goto done;
+
 value = dp_opt_get_string(ipa_opts->id->basic, SDAP_DEREF);
 if (value != NULL) {
 ret = deref_string_to_val(value, &i);
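Review bot: The new default `cn=ng,cn=alt,%s` is hard-coded without the explanatory comment that the removed `#if 0`/`#else` branch carried, so the next reader has no idea what `cn=alt` is or why the default netgroup base is pinned to a specific container instead of the domain base. Suggest a comment directly above the `talloc_asprintf` call, e.g. `/* Native IPA netgroups are kept under cn=ng,cn=alt; the compat tree is no longer used */`. `ipa_get_id_options` starts and ends outside this hunk, and `tmpctx`, `basedn` and `value` are presumably declared there.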
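Review bot: In the @@ -489 hunk the host search base falls back to the whole `SDAP_SEARCH_BASE`, while the netgroup default immediately above is pinned to a dedicated container; with only the `ipaHost` object class (from `ipa_host_map`) to narrow the search, any entry carrying that class anywhere under the domain base is treated as a host, and its `fqdn` value becomes the cached `SYSDB_NAME`. If IPA keeps hosts in a fixed container, defaulting to it would be both cheaper and tighter; at minimum a comment beside the `dp_opt_set_string` call should say the broad default is deliberate. Also note that `sdap_parse_search_base` is given `ipa_opts->basic` as the talloc parent while the result lands in `ipa_opts->host_search_bases` — sound only if `basic` is itself allocated under `ipa_opts`, which I cannot confirm from this hunk.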
@@ -527,12 +540,21 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
 ret = sdap_get_map(ipa_opts->id,
 cdb, conf_path,
 ipa_netgroup_map,
- SDAP_OPTS_NETGROUP,
+ IPA_OPTS_NETGROUP,
 &ipa_opts->id->netgroup_map);
 if (ret != EOK) {
 goto done;
 }
+ ret = sdap_get_map(ipa_opts->id,
+ cdb, conf_path,
+ ipa_host_map,
+ IPA_OPTS_HOST,
+ &ipa_opts->id->host_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
 ret = EOK;
 *_opts = ipa_opts->id;
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 40c5e532..5b959c8c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -49,6 +49,7 @@ enum ipa_basic_opt {
 IPA_DYNDNS_UPDATE,
 IPA_DYNDNS_IFACE,
 IPA_HBAC_SEARCH_BASE,
+ IPA_HOST_SEARCH_BASE,
 IPA_KRB5_REALM,
 IPA_HBAC_REFRESH,
 IPA_HBAC_DENY_METHOD,
@@ -56,6 +57,27 @@ enum ipa_basic_opt {
 IPA_OPTS_BASIC /* opts counter */
 };
+enum ipa_netgroup_attrs {
+ IPA_OC_NETGROUP = 0,
+ IPA_AT_NETGROUP_NAME,
+ IPA_AT_NETGROUP_MEMBER,
+ IPA_AT_NETGROUP_MEMBER_OF,
+ IPA_AT_NETGROUP_MEMBER_USER,
+ IPA_AT_NETGROUP_MEMBER_HOST,
+ IPA_AT_NETGROUP_EXTERNAL_HOST,
+ IPA_AT_NETGROUP_DOMAIN,
+ IPA_AT_NETGROUP_UUID,
+
+ IPA_OPTS_NETGROUP /* attrs counter */
+};
+
+enum ipa_host_attrs {
+ IPA_OC_HOST = 0,
+ IPA_AT_HOST_FQDN,
+
+ IPA_OPTS_HOST /* attrs counter */
+};
+
 struct ipa_auth_ctx {
 struct krb5_ctx *krb5_auth_ctx;
 struct sdap_auth_ctx *sdap_auth_ctx;
@@ -65,6 +87,7 @@ struct ipa_auth_ctx {
 struct ipa_options {
 struct dp_option *basic;
+ struct sdap_search_base **host_search_bases;
 struct ipa_service *service; /* id provider */ |
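Review bot: `&ipa_opts->id->host_map` stores the new host attribute map in the generic sdap options struct behind `ipa_opts->id`, but the header that declares that struct is not among the six files in this diff, so unless it already has a `host_map` member this hunk does not build. It is also inconsistent with the ipa_common.h hunk, which puts the matching `host_search_bases` in `struct ipa_options` rather than in the sdap options. Keeping both pieces of IPA-only state together — `struct sdap_attr_map *host_map;` next to `host_search_bases` in `struct ipa_options`, and `&ipa_opts->host_map` here — would avoid widening the shared LDAP options for one provider; if `sdap_get_map` requires the map to live in the sdap struct, say so in a comment. `ipa_get_id_options` starts outside this hunk.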
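Review bot: `enum ipa_netgroup_attrs` and `enum ipa_host_attrs` in the @@ -56 hunk of ipa_common.h are positional indexes into `ipa_netgroup_map[]` and `ipa_host_map[]` in ipa_common.c, and nothing in the header says so; inserting an attribute on one side silently shifts every entry after it on the other. Add a comment above each enum, e.g. `/* Positional indexes into ipa_netgroup_map[] (ipa_common.c); keep both in the same order */`, and if the build allows it, a compile-time check next to each map that `sizeof ipa_netgroup_map / sizeof ipa_netgroup_map[0]` equals `IPA_OPTS_NETGROUP` (likewise for the host map and `IPA_OPTS_HOST`).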