-rw-r--r-- | src/confdb/confdb.c | 13 | ||||
-rw-r--r-- | src/confdb/confdb.h | 3 | ||||
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
-rwxr-xr-x | src/config/SSSDConfigTest.py | 2 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 1 | ||||
-rw-r--r-- | src/man/sssd.conf.5.xml | 27 | ||||
-rw-r--r-- | src/util/domain_info_utils.c | 25 | ||||
-rw-r--r-- | src/util/util.h | 4 |
8 files changed, 75 insertions, 1 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 693118e7..6527ede4 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1129,6 +1129,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
         goto done;
     }
 
+    tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+                                      CONFDB_SUBDOMAIN_ENUMERATE,
+                                      CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE);
+    if (tmp != NULL) {
+        ret = split_on_separator(domain, tmp, ',', true, true,
+                                 &domain->sd_enumerate, NULL);
+        if (ret != 0) {
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                  ("Cannot parse %s\n", CONFDB_SUBDOMAIN_ENUMERATE));
+            goto done;
+        }
+    }
+
     *_domain = domain;
     ret = EOK;
 done:
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index ab7abe91..cb2a6242 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -148,6 +148,8 @@
 #define CONFDB_DOMAIN_TIMEOUT "timeout"
 #define CONFDB_DOMAIN_ATTR "cn"
 #define CONFDB_DOMAIN_ENUMERATE "enumerate"
+#define CONFDB_SUBDOMAIN_ENUMERATE "subdomain_enumerate"
+#define CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE "none"
 #define CONFDB_DOMAIN_MINID "min_id"
 #define CONFDB_DOMAIN_MAXID "max_id"
 #define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
@@ -199,6 +201,7 @@ struct sss_domain_info {
     char *provider;
     int timeout;
     bool enumerate;
+    char **sd_enumerate;
     bool fqnames;
     bool mpg;
     bool ignore_group_members;
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1bc4f1bf..f073419e 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -133,6 +133,7 @@ option_strings = {
     'dyndns_update_ptr' : _("Whether the provider should explicitly update the PTR record as well"),
     'dyndns_force_tcp' : _("Whether the nsupdate utility should default to using TCP"),
     'dyndns_auth' : _("What kind of authentication should be used to perform the DNS update"),
+    'subdomain_enumerate' : _('Control enumeration of trusted domains'),
 
     # [provider/ipa]
     'ipa_domain' : _('IPA domain'),
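Review bot: The `if (tmp != NULL)` guard around split_on_separator() is dead, because the third argument to ldb_msg_find_attr_as_string() supplies the non-NULL default `CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE`, so an absent option is parsed exactly like an explicit `none`; either drop the guard or pass NULL as the default if "not configured" is meant to stay distinguishable from `none`. The failure path also discards the error code: log it with `("Cannot parse %s [%d]: %s\n", CONFDB_SUBDOMAIN_ENUMERATE, ret, strerror(ret))` so a bad value in sssd.conf is diagnosable from the log. Nothing here validates the tokens, so a typo such as `al` is presumably treated downstream as a domain name that never matches rather than as `all` — a one-line comment stating that unknown values are accepted as domain names, or a warning for them, would help operators. confdb_get_domain_internal() starts and ends outside this hunk, and `tmp` is declared there.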
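Review bot: The new `char **sd_enumerate` member of struct sss_domain_info carries no comment, and unlike the neighbouring `bool enumerate` it is a list whose allowed contents are not obvious from the name. Suggest a comment above the field such as `/* parsed subdomain_enumerate option: "all", "none" or a list of trusted-domain names */`, and state who owns the allocation if that is settled (the parsing code in this commit appears to allocate it under the domain, but the contract should be written down here). The struct definition starts and ends outside this hunk.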
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ca344ad4..acec3e6f 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -516,6 +516,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'dyndns_update_ptr',
             'dyndns_force_tcp',
             'dyndns_auth',
+            'subdomain_enumerate',
             'override_gid',
             'case_sensitive',
             'override_homedir',
@@ -870,6 +871,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'dyndns_update_ptr',
             'dyndns_force_tcp',
             'dyndns_auth',
+            'subdomain_enumerate',
             'override_gid',
             'case_sensitive',
             'override_homedir',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 5c095c18..4b8e97ba 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -94,6 +94,7 @@ max_id = int, None, false
 timeout = int, None, false
 try_inotify = bool, None, false
 enumerate = bool, None, false
+subdomain_enumerate = str, None, false
 force_timeout = int, None, false
 cache_credentials = bool, None, false
 store_legacy_passwords = bool, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 31150a6a..a15f7288 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -972,6 +972,33 @@ override_homedir = /home/%u
                         </para>
                     </listitem>
                 </varlistentry>
+
+                <varlistentry>
+                    <term>subdomain_enumerate (string)</term>
+                    <listitem>
+                        <para>
+                            Whether any of autodetected trusted domains should
+                            be enumerated. The supported values are:
+                            <variablelist>
+                                <varlistentry>
+                                    <term>all</term>
+                                    <listitem><para>All discovered trusted domains will be enumerated</para></listitem>
+                                </varlistentry>
+                                <varlistentry>
+                                    <term>none</term>
+                                    <listitem><para>No discovered trusted domains will be enumerated</para></listitem>
+                                </varlistentry>
+                            </variablelist>
+                            Optionally, a list of one or more domain
+                            names can enable enumeration just for these
+                            trusted domains.
+                        </para>
+                        <para>
+                            Default: none
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>force_timeout (integer)</term>
                     <listitem>
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index be518569..8b03e9a5 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -49,6 +49,31 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
     return dom;
 }
 
+bool subdomain_enumerates(struct sss_domain_info *parent,
+                          const char *sd_name)
+{
+    if (parent->sd_enumerate == NULL
+            || parent->sd_enumerate[0] == NULL) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              ("Subdomain_enumerate not set\n"));
+        return false;
+    }
+
+    if (strcasecmp(parent->sd_enumerate[0], "all") == 0) {
+        return true;
+    } else if (strcasecmp(parent->sd_enumerate[0], "none") == 0) {
+        return false;
+    } else {
+        for (int i=0; parent->sd_enumerate[i]; i++) {
+            if (strcasecmp(parent->sd_enumerate[i], sd_name) == 0) {
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
+
 struct sss_domain_info *find_subdomain_by_name(struct sss_domain_info *domain,
                                                const char *name,
                                                bool match_any)
diff --git a/src/util/util.h b/src/util/util.h
index 73d1fae6..f350bc76 100644
--- a/src/util/util.h
+++ b/src/util/util.h
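Review bot: The `all`/`none` keywords are recognised only in `parent->sd_enumerate[0]`, so `example.com,all` enables enumeration for example.com alone while `all,example.com` enables it for every trusted domain, and the man page text in this commit never defines the mixed form; either document that the keywords are honoured only as the sole value or reject mixed lists where the option is parsed. `sd_name` goes straight into strcasecmp(), which is undefined for NULL — if any caller can pass a NULL name (none are visible here), add `if (sd_name == NULL) return false;` at the top. An empty or unset list is an ordinary configuration state, yet it is logged at SSSDBG_MINOR_FAILURE on every call; SSSDBG_TRACE_FUNC would avoid log noise in an unconfigured setup. The function also lacks a header comment; a short one stating that it returns true when `sd_name` should be enumerated according to the parent's subdomain_enumerate setting (`all`, `none`, or a case-insensitive match against the listed names) would make the contract explicit for the prototype in util.h as well.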
@@ -531,12 +531,14 @@ struct sized_string {
 void to_sized_string(struct sized_string *out, const char *in);
-/* form domain_info.c */
+/* from domain_info.c */
 struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
                                         bool descend);
 struct sss_domain_info *find_subdomain_by_name(struct sss_domain_info *domain,
                                                const char *name,
                                                bool match_any);
+bool subdomain_enumerates(struct sss_domain_info *parent,
+                          const char *sd_name);
 struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
                                       struct sss_domain_info *parent, |