Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_common.c | 10 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.h | 5 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_sudo_hostinfo.c | 111 | ||||
-rw-r--r-- | src/providers/ldap/sdap_sudo.c | 55 | ||||
-rw-r--r-- | src/providers/ldap/sdap_sudo.h | 9 |
5 files changed, 185 insertions, 5 deletions
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index b578ad74..64c06cd5 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -345,7 +345,10 @@ done:
 int ldap_get_sudo_options(TALLOC_CTX *memctx,
 struct confdb_ctx *cdb,
 const char *conf_path,
- struct sdap_options *opts)
+ struct sdap_options *opts,
+ bool *use_host_filter,
+ bool *include_regexp,
+ bool *include_netgroups)
 {
 const char *search_base;
 int ret;
@@ -390,6 +393,11 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx,
 return ret;
 }
+ /* host filter */
+ *use_host_filter = dp_opt_get_bool(opts->basic, SDAP_SUDO_USE_HOST_FILTER);
+ *include_netgroups = dp_opt_get_bool(opts->basic, SDAP_SUDO_INCLUDE_NETGROUPS);
+ *include_regexp = dp_opt_get_bool(opts->basic, SDAP_SUDO_INCLUDE_REGEXP);
+
 return EOK;
 }
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 8bd2584e..1a458ec9 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -126,7 +126,10 @@ int ldap_get_options(TALLOC_CTX *memctx,
 int ldap_get_sudo_options(TALLOC_CTX *memctx,
 struct confdb_ctx *cdb,
 const char *conf_path,
- struct sdap_options *opts);
+ struct sdap_options *opts,
+ bool *use_host_filter,
+ bool *include_regexp,
+ bool *include_netgroups);
 int ldap_get_autofs_options(TALLOC_CTX *memctx,
 struct confdb_ctx *cdb,
diff --git a/src/providers/ldap/sdap_async_sudo_hostinfo.c b/src/providers/ldap/sdap_async_sudo_hostinfo.c
new file mode 100644
index 00000000..0b8f4405
--- /dev/null
+++ b/src/providers/ldap/sdap_async_sudo_hostinfo.c
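Review bot: The three new out-parameters in the second ldap_common.c hunk are assigned only on the success path, after the `return ret;` that is still visible above them, so a caller that checks the result late would see stale values in `*use_host_filter`, `*include_regexp` and `*include_netgroups`; they are also dereferenced with no NULL check. The prototype added in the ldap_common.h hunk should say so, e.g. `/* Out-params must be non-NULL and are assigned only when EOK is returned. */`, or the function could set all three to false before its first early return so a failed call can never leave the host filter enabled by accident. ldap_get_sudo_options begins before this hunk and its earlier error returns are outside it.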
@@ -0,0 +1,111 @@
+/*
+ Authors:
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <tevent.h>
+#include <talloc.h>
+
+#include "util/util.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_id_op.h"
+#include "providers/ldap/sdap_sudo.h"
+
+struct sdap_sudo_get_hostinfo_state {
+ char **hostnames;
+ char **ip_addr;
+};
+
+struct tevent_req * sdap_sudo_get_hostinfo_send(TALLOC_CTX *mem_ctx,
+ struct sdap_options *opts,
+ struct be_ctx *be_ctx)
+{
+ struct tevent_req *req = NULL;
+ struct sdap_sudo_get_hostinfo_state *state = NULL;
+ char *conf_hostnames = NULL;
+ char *conf_ip_addr = NULL;
+ int ret;
+
+ /* create request */
+ req = tevent_req_create(mem_ctx, &state, struct sdap_sudo_get_hostinfo_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("tevent_req_create() failed\n"));
+ return NULL;
+ }
+
+ state->hostnames = NULL;
+ state->ip_addr = NULL;
+
+ /* load info from configuration */
+ conf_hostnames = dp_opt_get_string(opts->basic, SDAP_SUDO_HOSTNAMES);
+ conf_ip_addr = dp_opt_get_string(opts->basic, SDAP_SUDO_IP);
+
+ if (conf_hostnames != NULL) {
+ ret = split_on_separator(state, conf_hostnames, ' ', true,
+ &state->hostnames, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Unable to parse hostnames [%d]: %s\n", ret, strerror(ret)));
+ goto done;
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Hostnames set to: %s\n", conf_hostnames));
+ }
+ }
+
+ if (conf_ip_addr != NULL) {
+ ret = split_on_separator(state, conf_ip_addr, ' ', true,
+ &state->ip_addr, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Unable to parse IP addresses [%d]: %s\n", ret, strerror(ret)));
+ goto done;
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("IP addresses set to: %s\n", conf_ip_addr));
+ }
+ }
+
+ /* auto configuration will be supported later */
+
+done:
+ if (ret != EAGAIN) {
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, be_ctx->ev);
+ }
+
+ return req;
+}
+
+int sdap_sudo_get_hostinfo_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char ***hostnames, char ***ip_addr)
+{
+ struct sdap_sudo_get_hostinfo_state *state = NULL;
+ state = tevent_req_data(req, struct sdap_sudo_get_hostinfo_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *hostnames = talloc_steal(mem_ctx, state->hostnames);
+ *ip_addr = talloc_steal(mem_ctx, state->ip_addr);
+
+ return EOK;
+}
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 80549bfa..806c8b3a 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -104,6 +104,7 @@ struct bet_ops sdap_sudo_ops = {
 .finalize = sdap_sudo_shutdown
 };
+static void sdap_sudo_get_hostinfo_done(struct tevent_req *req);
 int sdap_sudo_setup_periodical_refresh(struct sdap_sudo_ctx *sudo_ctx);
 int sdap_sudo_init(struct be_ctx *be_ctx,
@@ -112,6 +113,7 @@ int sdap_sudo_init(struct be_ctx *be_ctx,
 void **pvt_data)
 {
 struct sdap_sudo_ctx *sudo_ctx = NULL;
+ struct tevent_req *req = NULL;
 int ret;
 DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing sudo LDAP back end\n"));
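Review bot: `ret` is read uninitialised at `done:` in sdap_sudo_get_hostinfo_send whenever neither SDAP_SUDO_HOSTNAMES nor SDAP_SUDO_IP is configured: it is declared as `int ret;`, only assigned inside the two `split_on_separator()` branches, and then tested unconditionally by `if (ret != EAGAIN)` and `if (ret == EOK)`, so in that case the request may never be completed or posted (undefined behaviour). Initialising it at declaration, `int ret = EOK;`, closes the hole and makes the "nothing configured" case complete with both arrays left NULL. A one-line comment above `done:` noting that this send function currently always completes synchronously, the EAGAIN branch being reserved for the auto-configuration mentioned just above it, would also help the next reader.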
@@ -127,20 +129,67 @@ int sdap_sudo_init(struct be_ctx *be_ctx,
 *pvt_data = sudo_ctx;
 ret = ldap_get_sudo_options(id_ctx, be_ctx->cdb,
- be_ctx->conf_path, id_ctx->opts);
+ be_ctx->conf_path, id_ctx->opts,
+ &sudo_ctx->use_host_filter,
+ &sudo_ctx->include_regexp,
+ &sudo_ctx->include_netgroups);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, ("Cannot get SUDO options [%d]: %s\n", ret, strerror(ret)));
 return ret;
 }
+ req = sdap_sudo_get_hostinfo_send(sudo_ctx, id_ctx->opts, be_ctx);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to retrieve host information - "
+ "(host filter will be disabled)\n"));
+
+ sudo_ctx->use_host_filter = false;
+
+ ret = sdap_sudo_setup_periodical_refresh(sudo_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Unable to setup periodical refresh"
+ "of sudo rules [%d]: %s\n", ret, strerror(ret)));
+ /* periodical updates will not work, but specific-rule update
+ * is no affected by this, therefore we don't have to fail here */
+ }
+ } else {
+ tevent_req_set_callback(req, sdap_sudo_get_hostinfo_done, sudo_ctx);
+ }
+
+ return EOK;
+}
+
+static void sdap_sudo_get_hostinfo_done(struct tevent_req *req)
+{
+ struct sdap_sudo_ctx *sudo_ctx = NULL;
+ char **hostnames = NULL;
+ char **ip_addr = NULL;
+ int ret;
+
+ sudo_ctx = tevent_req_callback_data(req, struct sdap_sudo_ctx);
+
+ ret = sdap_sudo_get_hostinfo_recv(sudo_ctx, req, &hostnames, &ip_addr);
+ talloc_zfree(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to retrieve host information - "
+ "(host filter will be disabled) [%d]: %s\n", ret, strerror(ret)));
+ sudo_ctx->use_host_filter = false;
+ return;
+ }
+
+ talloc_zfree(sudo_ctx->hostnames);
+ talloc_zfree(sudo_ctx->ip_addr);
+
+ sudo_ctx->hostnames = talloc_move(sudo_ctx, &hostnames);
+ sudo_ctx->ip_addr = talloc_move(sudo_ctx, &ip_addr);
+
 ret = sdap_sudo_setup_periodical_refresh(sudo_ctx);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, ("Unable to setup periodical refresh" "of sudo rules [%d]: %s\n", ret, strerror(ret)));
 }
-
- return EOK;
 }
 int sdap_sudo_setup_periodical_refresh(struct sdap_sudo_ctx *sudo_ctx)
diff --git a/src/providers/ldap/sdap_sudo.h b/src/providers/ldap/sdap_sudo.h
index 25277271..d2c5e80f 100644
--- a/src/providers/ldap/sdap_sudo.h
+++ b/src/providers/ldap/sdap_sudo.h
@@ -69,6 +69,15 @@ int sdap_sudo_timer_recv(TALLOC_CTX *mem_ctx,
 struct tevent_req *req,
 struct tevent_req **_subreq);
+/* host info */
+struct tevent_req * sdap_sudo_get_hostinfo_send(TALLOC_CTX *mem_ctx,
+ struct sdap_options *opts,
+ struct be_ctx *be_ctx);
+
+int sdap_sudo_get_hostinfo_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char ***hostnames, char ***ip_addr);
+
 /* (&(objectClass=sudoRole)(|(cn=defaults)(sudoUser=ALL)%s)) */
 #define SDAP_SUDO_FILTER_USER "(&(objectClass=%s)(|(%s=%s)(%s=ALL)%s))"
 #define SDAP_SUDO_FILTER_CLASS "(objectClass=%s)" |
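Review bot: In sdap_sudo_get_hostinfo_done the `return;` inside the `ret != EOK` branch skips `sdap_sudo_setup_periodical_refresh()`, so a failed host-info request leaves the back end with no periodic refresh at all, whereas the `req == NULL` branch added to sdap_sudo_init deliberately disables only the host filter and still starts the refresh. The two failure paths should behave the same; the version below clears `use_host_filter` in the error branch and falls through to the refresh setup. The concatenated log string `"Unable to setup periodical refresh" "of sudo rules"` also lacks a separating space in the new copy inside the `req == NULL` branch (and in the pre-existing one below it); `"Unable to setup periodical refresh "` fixes both. sdap_sudo_init begins before this hunk.
```c
static void sdap_sudo_get_hostinfo_done(struct tevent_req *req)
{
    /* … unchanged: locals, tevent_req_callback_data(), recv, talloc_zfree(req) … */
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to retrieve host information - "
              "(host filter will be disabled) [%d]: %s\n", ret, strerror(ret)));
        /* losing host info only costs the host filter; refresh must still run */
        sudo_ctx->use_host_filter = false;
    } else {
        talloc_zfree(sudo_ctx->hostnames);
        talloc_zfree(sudo_ctx->ip_addr);
        sudo_ctx->hostnames = talloc_move(sudo_ctx, &hostnames);
        sudo_ctx->ip_addr = talloc_move(sudo_ctx, &ip_addr);
    }

    ret = sdap_sudo_setup_periodical_refresh(sudo_ctx);
    /* … unchanged: error logging … */
}
```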
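Review bot: The new sdap_sudo_get_hostinfo_recv declaration in sdap_sudo.h says nothing about ownership of the two returned arrays, yet the implementation talloc_steal()s both onto `mem_ctx` and leaves either NULL when the corresponding option is unset, and the caller in sdap_sudo.c frees `req` itself right after the call. A comment above the prototype would save callers a trip to the .c file, e.g. `/* On EOK, *hostnames and *ip_addr are moved onto mem_ctx; either may be NULL when the matching option is not configured. The caller remains responsible for freeing req. */`. The matching `_send` could note that it reads SDAP_SUDO_HOSTNAMES and SDAP_SUDO_IP from `opts->basic` and posts its completion on `be_ctx->ev`.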