-rw-r--r--src/confdb/confdb.c13
-rw-r--r--src/confdb/confdb.h3
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rwxr-xr-xsrc/config/SSSDConfigTest.py2
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml27
-rw-r--r--src/util/domain_info_utils.c25
-rw-r--r--src/util/util.h4
8 files changed, 75 insertions, 1 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 693118e7..6527ede4 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1129,6 +1129,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_SUBDOMAIN_ENUMERATE,
+ CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE);
+ if (tmp != NULL) {
+ ret = split_on_separator(domain, tmp, ',', true, true,
+ &domain->sd_enumerate, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Cannot parse %s\n", CONFDB_SUBDOMAIN_ENUMERATE));
+ goto done;
+ }
+ }
+
*_domain = domain;
ret = EOK;
done:
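Review bot: The keywords "all" and "none" are accepted here at any position of the comma-separated list, but the consumer subdomain_enumerates() in src/util/domain_info_utils.c only inspects sd_enumerate[0] for them, so a value like `subdomain_enumerate = example.com, all` silently enumerates only example.com and treats "all" as a domain name, and `all, example.com` enumerates everything. Validating the parsed list once at load time keeps the man page's contract (exactly one of "all", "none", or a list of domain names) and turns a quiet policy difference into a configuration error. The `tmp != NULL` guard also looks unreachable, since ldb_msg_find_attr_as_string() is given CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE ("none") as its fallback; either drop it or add `/* default "none" is always supplied, tmp is never NULL */`. confdb_get_domain_internal starts outside the hunk, and the declaration of `tmp` and the exact error convention of split_on_separator() are not visible here, so the EINVAL below assumes errno-style return codes.
```c
    ret = split_on_separator(domain, tmp, ',', true, true,
                             &domain->sd_enumerate, NULL);
    if (ret != 0) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              ("Cannot parse %s\n", CONFDB_SUBDOMAIN_ENUMERATE));
        goto done;
    }

    /* "all" and "none" are keywords, not domain names, and the consumer
     * only looks at entry [0]: reject a list that mixes them with anything. */
    for (int i = 0; domain->sd_enumerate != NULL
                    && domain->sd_enumerate[i] != NULL; i++) {
        bool keyword = strcasecmp(domain->sd_enumerate[i], "all") == 0
                       || strcasecmp(domain->sd_enumerate[i], "none") == 0;
        if (keyword && (i > 0 || domain->sd_enumerate[1] != NULL)) {
            DEBUG(SSSDBG_FATAL_FAILURE,
                  ("'%s' in %s must be the only value\n",
                   domain->sd_enumerate[i], CONFDB_SUBDOMAIN_ENUMERATE));
            ret = EINVAL;
            goto done;
        }
    }
    /* … unchanged: *_domain = domain; ret = EOK; … */
```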
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index ab7abe91..cb2a6242 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -148,6 +148,8 @@
#define CONFDB_DOMAIN_TIMEOUT "timeout"
#define CONFDB_DOMAIN_ATTR "cn"
#define CONFDB_DOMAIN_ENUMERATE "enumerate"
+#define CONFDB_SUBDOMAIN_ENUMERATE "subdomain_enumerate"
+#define CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE "none"
#define CONFDB_DOMAIN_MINID "min_id"
#define CONFDB_DOMAIN_MAXID "max_id"
#define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
@@ -199,6 +201,7 @@ struct sss_domain_info {
char *provider;
int timeout;
bool enumerate;
+ char **sd_enumerate;
bool fqnames;
bool mpg;
bool ignore_group_members;
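Review bot: The new `sd_enumerate` field carries no comment, so a reader of struct sss_domain_info cannot tell that it is a list, what its entries mean, or who owns it. The consumer in src/util/domain_info_utils.c walks it until a NULL entry, so the NULL-terminated shape is part of the contract and worth stating next to the field. I would add `/* NULL-terminated list from "subdomain_enumerate": "all", "none", or subdomain names; talloc child of this struct */` above the declaration (the talloc parent is the `domain` context passed to split_on_separator() in confdb.c, as far as the diff shows). The struct definition starts outside the hunk.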
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1bc4f1bf..f073419e 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -133,6 +133,7 @@ option_strings = {
'dyndns_update_ptr' : _("Whether the provider should explicitly update the PTR record as well"),
'dyndns_force_tcp' : _("Whether the nsupdate utility should default to using TCP"),
'dyndns_auth' : _("What kind of authentication should be used to perform the DNS update"),
+ 'subdomain_enumerate' : _('Control enumeration of trusted domains'),
# [provider/ipa]
'ipa_domain' : _('IPA domain'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ca344ad4..acec3e6f 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -516,6 +516,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'dyndns_update_ptr',
'dyndns_force_tcp',
'dyndns_auth',
+ 'subdomain_enumerate',
'override_gid',
'case_sensitive',
'override_homedir',
@@ -870,6 +871,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'dyndns_update_ptr',
'dyndns_force_tcp',
'dyndns_auth',
+ 'subdomain_enumerate',
'override_gid',
'case_sensitive',
'override_homedir',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 5c095c18..4b8e97ba 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -94,6 +94,7 @@ max_id = int, None, false
timeout = int, None, false
try_inotify = bool, None, false
enumerate = bool, None, false
+subdomain_enumerate = str, None, false
force_timeout = int, None, false
cache_credentials = bool, None, false
store_legacy_passwords = bool, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 31150a6a..a15f7288 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -972,6 +972,33 @@ override_homedir = /home/%u
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>subdomain_enumerate (string)</term>
+ <listitem>
+ <para>
+ Whether any of autodetected trusted domains should
+ be enumerated. The supported values are:
+ <variablelist>
+ <varlistentry>
+ <term>all</term>
+ <listitem><para>All discovered trusted domains will be enumerated</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>none</term>
+ <listitem><para>No discovered trusted domains will be enumerated</para></listitem>
+ </varlistentry>
+ </variablelist>
+ Optionally, a list of one or more domain
+ names can enable enumeration just for these
+ trusted domains.
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>force_timeout (integer)</term>
<listitem>
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index be518569..8b03e9a5 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -49,6 +49,31 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
return dom;
}
+bool subdomain_enumerates(struct sss_domain_info *parent,
+ const char *sd_name)
+{
+ if (parent->sd_enumerate == NULL
+ || parent->sd_enumerate[0] == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Subdomain_enumerate not set\n"));
+ return false;
+ }
+
+ if (strcasecmp(parent->sd_enumerate[0], "all") == 0) {
+ return true;
+ } else if (strcasecmp(parent->sd_enumerate[0], "none") == 0) {
+ return false;
+ } else {
+ for (int i=0; parent->sd_enumerate[i]; i++) {
+ if (strcasecmp(parent->sd_enumerate[i], sd_name) == 0) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
struct sss_domain_info *find_subdomain_by_name(struct sss_domain_info *domain,
const char *name,
bool match_any)
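Review bot: `sd_name` goes straight into strcasecmp() in the loop, so a NULL name would be undefined behaviour; whether callers can pass one is not visible here, but a guard `if (sd_name == NULL) return false;` at the top is cheap and makes the function total. The "not set" branch logs at SSSDBG_MINOR_FAILURE although the default in confdb.h is "none" and an unset or empty list is an ordinary configuration, so at that level the message is noise; SSSDBG_TRACE_FUNC with a message such as `("%s not set, not enumerating subdomains\n", ...)` reads better. The function is exported through util.h but has no header comment; I would add a short doc stating that a parent whose list is NULL or empty, or whose first entry is "none", never enumerates, that a first entry of "all" enumerates every subdomain, and that otherwise the list is matched case-insensitively against sd_name, noting that the keywords are only honoured in position 0.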
diff --git a/src/util/util.h b/src/util/util.h
index 73d1fae6..f350bc76 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -531,12 +531,14 @@ struct sized_string {
void to_sized_string(struct sized_string *out, const char *in);
-/* form domain_info.c */
+/* from domain_info.c */
struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
bool descend);
struct sss_domain_info *find_subdomain_by_name(struct sss_domain_info *domain,
const char *name,
bool match_any);
+bool subdomain_enumerates(struct sss_domain_info *parent,
+ const char *sd_name);
struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
struct sss_domain_info *parent,