summaryrefslogtreecommitdiff
path: root/server/providers/ipa
diff options
context:
space:
mode:
Diffstat (limited to 'server/providers/ipa')
-rw-r--r--server/providers/ipa/ipa_common.c270
-rw-r--r--server/providers/ipa/ipa_common.h19
-rw-r--r--server/providers/ipa/ipa_init.c29
3 files changed, 169 insertions, 149 deletions
diff --git a/server/providers/ipa/ipa_common.c b/server/providers/ipa/ipa_common.c
index 83f3f676..d3249707 100644
--- a/server/providers/ipa/ipa_common.c
+++ b/server/providers/ipa/ipa_common.c
@@ -29,16 +29,11 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ipa_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ipa_hostname", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ipa_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
- { "ipa_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
- { "ipa_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
- { "ipa_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
- { "ipa_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER },
- { "entry_cache_timeout", DP_OPT_NUMBER, { .number = 1800 }, NULL_NUMBER },
};
struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_authtok_type", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
@@ -191,14 +186,13 @@ done:
/* the following preprocessor code is used to keep track of
* the options in the ldap module, so that if they change and ipa
* is not updated correspondingly this will trigger a build error */
-#if SDAP_OPTS_BASIC > 27
+#if SDAP_OPTS_BASIC > 28
#error There are ldap options not accounted for
#endif
-int ipa_get_id_options(TALLOC_CTX *memctx,
+int ipa_get_id_options(struct ipa_options *ipa_opts,
struct confdb_ctx *cdb,
const char *conf_path,
- struct ipa_options *ipa_opts,
struct sdap_options **_opts)
{
TALLOC_CTX *tmpctx;
@@ -209,122 +203,136 @@ int ipa_get_id_options(TALLOC_CTX *memctx,
int ret;
int i;
- tmpctx = talloc_new(memctx);
+ tmpctx = talloc_new(ipa_opts);
if (!tmpctx) {
return ENOMEM;
}
- ipa_opts->id = talloc_zero(memctx, struct sdap_options);
+ ipa_opts->id = talloc_zero(ipa_opts, struct sdap_options);
if (!ipa_opts->id) {
ret = ENOMEM;
goto done;
}
- /* generate sdap options */
- ret = dp_copy_options(ipa_opts, ipa_def_ldap_opts,
- SDAP_OPTS_BASIC, &ipa_opts->id->basic);
+ /* get sdap options */
+ ret = dp_get_options(ipa_opts->id, cdb, conf_path,
+ ipa_def_ldap_opts,
+ SDAP_OPTS_BASIC,
+ &ipa_opts->id->basic);
if (ret != EOK) {
goto done;
}
/* set ldap_uri */
- value = talloc_asprintf(tmpctx, "ldap://%s",
- dp_opt_get_string(ipa_opts->basic, IPA_SERVER));
- if (!value) {
- ret = ENOMEM;
- goto done;
- }
- ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_URI, value);
- if (ret != EOK) {
- goto done;
- }
-
- ret = domain_to_basedn(tmpctx,
- dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN),
- &basedn);
- if (ret != EOK) {
- goto done;
- }
-
- /* FIXME: get values by querying IPA */
- /* set ldap_user_search_base */
- value = talloc_asprintf(tmpctx, "cn=users,cn=accounts,%s", basedn);
- if (!value) {
- ret = ENOMEM;
- goto done;
- }
- ret = dp_opt_set_string(ipa_opts->id->basic,
- SDAP_USER_SEARCH_BASE, value);
- if (ret != EOK) {
- goto done;
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_URI)) {
+ value = talloc_asprintf(tmpctx, "ldap://%s",
+ dp_opt_get_string(ipa_opts->basic,
+ IPA_SERVER));
+ if (!value) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_URI, value);
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_URI].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic, SDAP_URI)));
}
- /* set ldap_group_search_base */
- value = talloc_asprintf(tmpctx, "cn=groups,cn=accounts,%s", basedn);
- if (!value) {
- ret = ENOMEM;
- goto done;
- }
- ret = dp_opt_set_string(ipa_opts->id->basic,
- SDAP_GROUP_SEARCH_BASE, value);
- if (ret != EOK) {
- goto done;
- }
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE)) {
+ ret = domain_to_basedn(tmpctx,
+ dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN),
+ &basedn);
+ if (ret != EOK) {
+ goto done;
+ }
- /* set the ldap_sasl_authid if the ipa_hostname override was specified */
- hostname = dp_opt_get_string(ipa_opts->basic, IPA_HOSTNAME);
- if (hostname) {
- value = talloc_asprintf(tmpctx, "host/%s", hostname);
+ /* FIXME: get values by querying IPA */
+ /* set search base */
+ value = talloc_asprintf(tmpctx, "cn=accounts,%s", basedn);
if (!value) {
ret = ENOMEM;
goto done;
}
ret = dp_opt_set_string(ipa_opts->id->basic,
- SDAP_SASL_AUTHID, value);
+ SDAP_SEARCH_BASE, value);
if (ret != EOK) {
goto done;
}
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE)));
}
- /* set krb realm */
- realm = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
- for (i = 0; realm[i]; i++) {
- realm[i] = toupper(realm[i]);
+ /* set the ldap_sasl_authid if the ipa_hostname override was specified */
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_AUTHID)) {
+ hostname = dp_opt_get_string(ipa_opts->basic, IPA_HOSTNAME);
+ if (hostname) {
+ value = talloc_asprintf(tmpctx, "host/%s", hostname);
+ if (!value) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = dp_opt_set_string(ipa_opts->id->basic,
+ SDAP_SASL_AUTHID, value);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_SASL_AUTHID].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_AUTHID)));
}
- ret = dp_opt_set_string(ipa_opts->id->basic,
- SDAP_KRB5_REALM, realm);
- if (ret != EOK) {
- goto done;
+
+ /* set krb realm */
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)) {
+ realm = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
+ for (i = 0; realm[i]; i++) {
+ realm[i] = toupper(realm[i]);
+ }
+ ret = dp_opt_set_string(ipa_opts->id->basic,
+ SDAP_KRB5_REALM, realm);
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_KRB5_REALM].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)));
}
/* fix schema to IPAv1 for now */
ipa_opts->id->schema_type = SDAP_SCHEMA_IPA_V1;
- /* copy over timeouts */
- ret = dp_opt_set_int(ipa_opts->id->basic,
- SDAP_SEARCH_TIMEOUT,
- dp_opt_get_int(ipa_opts->basic,
- IPA_SEARCH_TIMEOUT));
- ret = dp_opt_set_int(ipa_opts->id->basic,
- SDAP_NETWORK_TIMEOUT,
- dp_opt_get_int(ipa_opts->basic,
- IPA_NETWORK_TIMEOUT));
- ret = dp_opt_set_int(ipa_opts->id->basic,
- SDAP_OPT_TIMEOUT,
- dp_opt_get_int(ipa_opts->basic,
- IPA_OPT_TIMEOUT));
- ret = dp_opt_set_int(ipa_opts->id->basic,
- SDAP_OFFLINE_TIMEOUT,
- dp_opt_get_int(ipa_opts->basic,
- IPA_OFFLINE_TIMEOUT));
- ret = dp_opt_set_int(ipa_opts->id->basic,
- SDAP_ENUM_REFRESH_TIMEOUT,
- dp_opt_get_int(ipa_opts->basic,
- IPA_ENUM_REFRESH_TIMEOUT));
- ret = dp_opt_set_int(ipa_opts->id->basic,
- SDAP_ENTRY_CACHE_TIMEOUT,
- dp_opt_get_int(ipa_opts->basic,
- IPA_ENTRY_CACHE_TIMEOUT));
+ /* set user/group search bases if they are not specified */
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_USER_SEARCH_BASE)) {
+ ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_USER_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_USER_SEARCH_BASE)));
+ }
+
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_GROUP_SEARCH_BASE)) {
+ ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_GROUP_SEARCH_BASE,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_GROUP_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_GROUP_SEARCH_BASE)));
+ }
ret = sdap_get_map(ipa_opts->id,
cdb, conf_path,
@@ -362,66 +370,70 @@ done:
#error There are krb5 options not accounted for
#endif
-int ipa_get_auth_options(TALLOC_CTX *memctx,
+int ipa_get_auth_options(struct ipa_options *ipa_opts,
struct confdb_ctx *cdb,
const char *conf_path,
- struct ipa_options *ipa_opts,
struct dp_option **_opts)
{
+ char *value;
int ret;
int i;
- TALLOC_CTX *tmpctx;
- struct dp_option *opts;
- char *value;
- tmpctx = talloc_new(memctx);
- if (!tmpctx) {
- return ENOMEM;
- }
-
- opts = talloc_zero(memctx, struct dp_option);
- if (opts == NULL) {
+ ipa_opts->auth = talloc_zero(ipa_opts, struct dp_option);
+ if (ipa_opts->auth == NULL) {
ret = ENOMEM;
goto done;
}
- ret = dp_copy_options(ipa_opts, ipa_def_krb5_opts,
- KRB5_OPTS, &opts);
+ /* get krb5 options */
+ ret = dp_get_options(ipa_opts, cdb, conf_path,
+ ipa_def_krb5_opts,
+ KRB5_OPTS, &ipa_opts->auth);
if (ret != EOK) {
goto done;
}
- value = dp_opt_get_string(ipa_opts->basic, IPA_SERVER);
- if (!value) {
- ret = ENOMEM;
- goto done;
- }
- ret = dp_opt_set_string(opts, KRB5_KDC, value);
- if (ret != EOK) {
- goto done;
+ /* set KDC */
+ if (NULL == dp_opt_get_string(ipa_opts->auth, KRB5_KDC)) {
+ value = dp_opt_get_string(ipa_opts->basic, IPA_SERVER);
+ if (!value) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = dp_opt_set_string(ipa_opts->auth, KRB5_KDC, value);
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->auth[KRB5_KDC].opt_name,
+ dp_opt_get_string(ipa_opts->auth, KRB5_KDC)));
}
-
- value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
- if (!value) {
- ret = ENOMEM;
- goto done;
- }
- for (i = 0; value[i]; i++) {
- value[i] = toupper(value[i]);
- }
- ret = dp_opt_set_string(opts, KRB5_REALM, value);
- if (ret != EOK) {
- goto done;
+ /* set krb realm */
+ if (NULL == dp_opt_get_string(ipa_opts->auth, KRB5_REALM)) {
+ value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
+ if (!value) {
+ ret = ENOMEM;
+ goto done;
+ }
+ for (i = 0; value[i]; i++) {
+ value[i] = toupper(value[i]);
+ }
+ ret = dp_opt_set_string(ipa_opts->auth, KRB5_REALM, value);
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->auth[KRB5_REALM].opt_name,
+ dp_opt_get_string(ipa_opts->auth, KRB5_REALM)));
}
- *_opts = opts;
+ *_opts = ipa_opts->auth;
ret = EOK;
done:
- talloc_zfree(tmpctx);
if (ret != EOK) {
- talloc_zfree(opts);
+ talloc_zfree(ipa_opts->auth);
}
return ret;
}
diff --git a/server/providers/ipa/ipa_common.h b/server/providers/ipa/ipa_common.h
index 83ce4887..21e6e1a3 100644
--- a/server/providers/ipa/ipa_common.h
+++ b/server/providers/ipa/ipa_common.h
@@ -31,19 +31,20 @@ enum ipa_basic_opt {
IPA_DOMAIN = 0,
IPA_SERVER,
IPA_HOSTNAME,
- IPA_SEARCH_TIMEOUT,
- IPA_NETWORK_TIMEOUT,
- IPA_OPT_TIMEOUT,
- IPA_OFFLINE_TIMEOUT,
- IPA_ENUM_REFRESH_TIMEOUT,
- IPA_ENTRY_CACHE_TIMEOUT,
IPA_OPTS_BASIC /* opts counter */
};
struct ipa_options {
struct dp_option *basic;
+
+ /* id provider */
struct sdap_options *id;
+ struct sdap_id_ctx *id_ctx;
+
+ /* auth and chpass provider */
+ struct dp_option *auth;
+ struct krb5_ctx *auth_ctx;
};
/* options parsers */
@@ -53,16 +54,14 @@ int ipa_get_options(TALLOC_CTX *memctx,
struct sss_domain_info *dom,
struct ipa_options **_opts);
-int ipa_get_id_options(TALLOC_CTX *memctx,
+int ipa_get_id_options(struct ipa_options *ipa_opts,
struct confdb_ctx *cdb,
const char *conf_path,
- struct ipa_options *ipa_opts,
struct sdap_options **_opts);
-int ipa_get_auth_options(TALLOC_CTX *memctx,
+int ipa_get_auth_options(struct ipa_options *ipa_opts,
struct confdb_ctx *cdb,
const char *conf_path,
- struct ipa_options *ipa_opts,
struct dp_option **_opts);
#endif /* _IPA_COMMON_H_ */
diff --git a/server/providers/ipa/ipa_init.c b/server/providers/ipa/ipa_init.c
index 0c2eb2a7..d1439ded 100644
--- a/server/providers/ipa/ipa_init.c
+++ b/server/providers/ipa/ipa_init.c
@@ -64,15 +64,16 @@ int sssm_ipa_init(struct be_ctx *bectx,
return ENOMEM;
}
- ctx = talloc_zero(bectx, struct sdap_id_ctx);
+ ctx = talloc_zero(ipa_options, struct sdap_id_ctx);
if (!ctx) {
return ENOMEM;
}
ctx->be = bectx;
+ ipa_options->id_ctx = ctx;
- ret = ipa_get_id_options(ctx, bectx->cdb,
+ ret = ipa_get_id_options(ipa_options, bectx->cdb,
bectx->conf_path,
- ipa_options, &ctx->opts);
+ &ctx->opts);
if (ret != EOK) {
goto done;
}
@@ -95,7 +96,7 @@ int sssm_ipa_init(struct be_ctx *bectx,
done:
if (ret != EOK) {
- talloc_free(ctx);
+ talloc_zfree(ipa_options->id_ctx);
}
return ret;
}
@@ -104,11 +105,11 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_data)
{
- struct krb5_ctx *ctx = NULL;
- int ret;
+ struct krb5_ctx *ctx;
struct tevent_signal *sige;
- unsigned v;
FILE *debug_filep;
+ unsigned v;
+ int ret;
if (!ipa_options) {
ipa_get_options(bectx, bectx->cdb,
@@ -119,14 +120,22 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
return ENOMEM;
}
+ if (ipa_options->auth_ctx) {
+ /* already initialized */
+ *ops = &ipa_auth_ops;
+ *pvt_data = ipa_options->auth_ctx;
+ return EOK;
+ }
+
ctx = talloc_zero(bectx, struct krb5_ctx);
if (!ctx) {
return ENOMEM;
}
+ ipa_options->auth_ctx = ctx;
- ret = ipa_get_auth_options(ctx, bectx->cdb,
+ ret = ipa_get_auth_options(ipa_options, bectx->cdb,
bectx->conf_path,
- ipa_options, &ctx->opts);
+ &ctx->opts);
if (ret != EOK) {
goto done;
}
@@ -170,7 +179,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
done:
if (ret != EOK) {
- talloc_free(ctx);
+ talloc_zfree(ipa_options->auth_ctx);
}
return ret;
}