Diffstat (limited to 'src')
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf18
-rw-r--r--src/db/sysdb.h8
-rw-r--r--src/man/sssd-ipa.5.xml89
-rw-r--r--src/man/sssd-ldap.5.xml22
-rw-r--r--src/providers/ipa/ipa_common.c70
-rw-r--r--src/providers/ipa/ipa_common.h23
6 files changed, 199 insertions, 31 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 9ea45285..8688dc8d 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -5,6 +5,7 @@ ipa_hostname = str, None, false
ipa_dyndns_update = bool, None, false
ipa_dyndns_iface = str, None, false
ipa_hbac_search_base = str, None, false
+ipa_host_search_base = str, None, false
ldap_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
@@ -83,12 +84,17 @@ ldap_group_entry_usn = str, None, false
ldap_force_upper_case_realm = bool, None, false
ldap_group_nesting_level = int, None, false
ldap_netgroup_search_base = str, None, false
-ldap_netgroup_object_class = str, None, false
-ldap_netgroup_name = str, None, false
-ldap_netgroup_member = str, None, false
-ldap_netgroup_triple = str, None, false
-ldap_netgroup_uuid = str, None, false
-ldap_netgroup_modify_timestamp = str, None, false
+ipa_netgroup_object_class = str, None, false
+ipa_netgroup_name = str, None, false
+ipa_netgroup_member = str, None, false
+ipa_netgroup_member_of = str, None, false
+ipa_netgroup_member_user = str, None, false
+ipa_netgroup_member_host = str, None, false
+ipa_netgroup_member_ext_host = str, None, false
+ipa_netgroup_domain = str, None, false
+ipa_netgroup_uuid = str, None, false
+ipa_host_object_class = str, None, false
+ipa_host_fqdn = str, None, false
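Review bot: Dropping the six `ldap_netgroup_*` keys from the IPA schema without keeping them as accepted aliases means an existing sssd.conf that sets, say, `ldap_netgroup_object_class` for an IPA domain now fails schema validation, and in ipa_common.c the renamed `ipa_netgroup_map` (the hunk at `struct sdap_attr_map ipa_netgroup_map[]`) presumably no longer reads it at all. Either keep the old keys in this schema next to the new ones for a deprecation period, or state in sssd-ipa(5) that the rename is a breaking change; the sssd-ldap(5) hunks only say the `ipa_*` name "should be used instead", not that the old key stops working. The two options with no replacement, `ldap_netgroup_triple` and `ldap_netgroup_modify_timestamp`, are at least called out as unavailable in the sssd-ldap(5) hunks.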
[provider/ipa/auth]
krb5_ccachedir = str, None, false
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 88767d3c..5fc36ab5 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -44,6 +44,7 @@
#define SYSDB_USER_CLASS "user"
#define SYSDB_GROUP_CLASS "group"
#define SYSDB_NETGROUP_CLASS "netgroup"
+#define SYSDB_HOST_CLASS "host"
#define SYSDB_NAME "name"
#define SYSDB_NAME_ALIAS "nameAlias"
@@ -85,7 +86,14 @@
#define SYSDB_NETGROUP_TRIPLE "netgroupTriple"
#define SYSDB_ORIG_NETGROUP_MEMBER "originalMemberNisNetgroup"
+#define SYSDB_ORIG_NETGROUP_MEMBER_USER "originalMemberUser"
+#define SYSDB_ORIG_NETGROUP_MEMBER_HOST "originalMemberHost"
+#define SYSDB_ORIG_NETGROUP_EXTERNAL_HOST "originalExternalHost"
+#define SYSDB_NETGROUP_DOMAIN "nisDomain"
#define SYSDB_NETGROUP_MEMBER "memberNisNetgroup"
+#define SYSDB_NETGROUP_MEMBER_USER "memberUser"
+#define SYSDB_NETGROUP_MEMBER_HOST "memberHost"
+#define SYSDB_NETGROUP_MEMBER_EXTERNAL_HOST "memberExternalHost"
#define SYSDB_DESCRIPTION "description"
#define SYSDB_CACHEDPWD "cachedPassword"
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 221c9a25..32d691d7 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -48,7 +48,10 @@
<citerefentry>
<refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
- </citerefentry> authentication provider.
+ </citerefentry> authentication provider with some exceptions described
+ below.
+ </para>
+ <para>
However, it is neither necessary nor recommended to set these options.
IPA provider can also be used as an access and chpass provider. As an
access provider it uses HBAC (host-based access control) rules. Please
@@ -235,6 +238,90 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_member_of (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists netgroup's
+ memberships.
+ </para>
+ <para>
+ Default: memberOf
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_member_user (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists system users
+ and groups that are direct members of the
+ netgroup.
+ </para>
+ <para>
+ Default: memberUser
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_member_host (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists hosts and host groups
+ that are direct members of the netgroup.
+ </para>
+ <para>
+ Default: memberHost
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_member_ext_host (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that lists FQDNs of hosts
+ and host groups that are members of the netgroup.
+ </para>
+ <para>
+ Default: externalHost
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_netgroup_domain (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains NIS domain
+ name of the netgroup.
+ </para>
+ <para>
+ Default: nisDomainName
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ipa_host_object_class (string)</term>
+ <listitem>
+ <para>
+ The object class of a host entry in LDAP.
+ </para>
+ <para>
+ Default: ipaHost
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ipa_host_fqdn (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains FQDN of the host.
+ </para>
+ <para>
+ Default: fqdn
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</refsect1>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 3efc75e2..75bc764e 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -794,6 +794,10 @@
The object class of a netgroup entry in LDAP.
</para>
<para>
+ In IPA provider, ipa_netgroup_object_class should
+ be used instead.
+ </para>
+ <para>
Default: nisNetgroup
</para>
</listitem>
@@ -807,6 +811,10 @@
the netgroup name.
</para>
<para>
+ In IPA provider, ipa_netgroup_name should
+ be used instead.
+ </para>
+ <para>
Default: cn
</para>
</listitem>
@@ -820,6 +828,10 @@
the netgroup's members.
</para>
<para>
+ In IPA provider, ipa_netgroup_member should
+ be used instead.
+ </para>
+ <para>
Default: memberNisNetgroup
</para>
</listitem>
@@ -833,6 +845,9 @@
domain) netgroup triples.
</para>
<para>
+ This option is not available in IPA provider.
+ </para>
+ <para>
Default: nisNetgroupTriple
</para>
</listitem>
@@ -846,6 +861,10 @@
an LDAP netgroup object.
</para>
<para>
+ In IPA provider, ipa_netgroup_uuid should
+ be used instead.
+ </para>
+ <para>
Default: nsUniqueId
</para>
</listitem>
@@ -859,6 +878,9 @@
last modification of the parent object.
</para>
<para>
+ This option is not available in IPA provider.
+ </para>
+ <para>
Default: modifyTimestamp
</para>
</listitem>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index a0657822..3e848e32 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -37,6 +37,7 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ipa_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }
@@ -154,12 +155,20 @@ struct sdap_attr_map ipa_group_map[] = {
};
struct sdap_attr_map ipa_netgroup_map[] = {
- { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
- { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL },
- { "ldap_netgroup_member", "memberNisNetgroup", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
- { "ldap_netgroup_triple", "nisNetgroupTriple", SYSDB_NETGROUP_TRIPLE, NULL },
- { "ldap_netgroup_uuid", "nsUniqueId", SYSDB_UUID, NULL },
- { "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }
+ { "ipa_netgroup_object_class", "ipaNisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
+ { "ipa_netgroup_name", "cn", SYSDB_NAME, NULL },
+ { "ipa_netgroup_member", "member", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
+ { "ipa_netgroup_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+ { "ipa_netgroup_member_user", "memberUser", SYSDB_ORIG_NETGROUP_MEMBER_USER, NULL },
+ { "ipa_netgroup_member_host", "memberHost", SYSDB_ORIG_NETGROUP_MEMBER_HOST, NULL },
+ { "ipa_netgroup_member_ext_host", "externalHost", SYSDB_ORIG_NETGROUP_EXTERNAL_HOST, NULL },
+ { "ipa_netgroup_domain", "nisDomainName", SYSDB_NETGROUP_DOMAIN, NULL },
+ { "ipa_netgroup_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
+};
+
+struct sdap_attr_map ipa_host_map[] = {
+ { "ipa_host_object_class", "ipaHost", SYSDB_HOST_CLASS, NULL },
+ { "ipa_host_fqdn", "fqdn", SYSDB_NAME, NULL },
};
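Review bot: The renamed map introduces `ipa_netgroup_object_class`, `ipa_netgroup_name`, `ipa_netgroup_member` and `ipa_netgroup_uuid` with new defaults (`ipaNisNetgroup`, `cn`, `member`, `ipaUniqueID`), but the sssd-ipa.5.xml hunk in this commit documents only the member_of/member_user/member_host/member_ext_host/domain entries and the two host options; since the sssd-ldap.5.xml hunks send readers to exactly those four names, each should get its own varlistentry with the default shown here. Separately, `ipa_host_map` stores the `fqdn` attribute under SYSDB_NAME, which is a non-obvious choice for a reader coming from the user/group maps; a one-line comment such as `/* a host's FQDN is stored as the cache entry's name */` above the `ipa_host_fqdn` line would make it explicit.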
struct dp_option ipa_def_krb5_opts[] = {
@@ -453,31 +462,16 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
if (NULL == dp_opt_get_string(ipa_opts->id->basic,
SDAP_NETGROUP_SEARCH_BASE)) {
-#if 0
- ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE,
- dp_opt_get_string(ipa_opts->id->basic,
- SDAP_SEARCH_BASE));
- if (ret != EOK) {
- goto done;
- }
-#else
- /* We don't yet have support for the native representation
- * of netgroups in IPA. For now, we need to point at the
- * compat tree
- */
- value = talloc_asprintf(tmpctx, "cn=ng,cn=compat,%s", basedn);
+ value = talloc_asprintf(tmpctx, "cn=ng,cn=alt,%s", basedn);
if (!value) {
ret = ENOMEM;
goto done;
}
-
- ret = dp_opt_set_string(ipa_opts->id->basic,
- SDAP_NETGROUP_SEARCH_BASE,
+ ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE,
value);
if (ret != EOK) {
goto done;
}
-#endif
DEBUG(6, ("Option %s set to %s\n",
ipa_opts->id->basic[SDAP_NETGROUP_SEARCH_BASE].opt_name,
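Review bot: The comment explaining why the compat tree was used disappears together with the `#if 0` block, but nothing replaces it, so the `talloc_asprintf` line with `cn=ng,cn=alt` is now the only record of this default and gives no reason for it. A short comment above that line, e.g. `/* default to the native IPA netgroup tree instead of the compat tree */` (adjusted if the reasoning differs), would preserve the intent the deleted comment carried. ipa_get_id_options starts and ends outside this hunk.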
@@ -489,6 +483,25 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
&ipa_opts->id->netgroup_search_bases);
if (ret != EOK) goto done;
+ if (NULL == dp_opt_get_string(ipa_opts->basic,
+ IPA_HOST_SEARCH_BASE)) {
+ ret = dp_opt_set_string(ipa_opts->basic, IPA_HOST_SEARCH_BASE,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_SEARCH_BASE));
+ if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(6, ("Option %s set to %s\n",
+ ipa_opts->basic[IPA_HOST_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->basic,
+ IPA_HOST_SEARCH_BASE)));
+ }
+ ret = sdap_parse_search_base(ipa_opts->basic, ipa_opts->basic,
+ IPA_HOST_SEARCH_BASE,
+ &ipa_opts->host_search_bases);
+ if (ret != EOK) goto done;
+
value = dp_opt_get_string(ipa_opts->id->basic, SDAP_DEREF);
if (value != NULL) {
ret = deref_string_to_val(value, &i);
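Review bot: IPA_HOST_SEARCH_BASE falls back to the whole SDAP_SEARCH_BASE at the `dp_opt_set_string` call, whereas the netgroup default a few lines above is narrowed to a subtree under basedn; unless host entries can genuinely live anywhere under the suffix, a subtree default would stop host lookups from walking the entire directory and from matching `ipaHost` objects in trees the provider does not intend to consult. If the broad default is deliberate, a one-line comment on that call saying why would spare the next reader the same question. The enclosing function continues outside this hunk.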
@@ -527,12 +540,21 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
ret = sdap_get_map(ipa_opts->id,
cdb, conf_path,
ipa_netgroup_map,
- SDAP_OPTS_NETGROUP,
+ IPA_OPTS_NETGROUP,
&ipa_opts->id->netgroup_map);
if (ret != EOK) {
goto done;
}
+ ret = sdap_get_map(ipa_opts->id,
+ cdb, conf_path,
+ ipa_host_map,
+ IPA_OPTS_HOST,
+ &ipa_opts->id->host_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
ret = EOK;
*_opts = ipa_opts->id;
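Review bot: `ipa_netgroup_map` is still stored into the generic `ipa_opts->id->netgroup_map`, but its layout now follows the new `ipa_netgroup_attrs` enum (nine entries, no triple or modify-timestamp columns) rather than the SDAP_OPTS_NETGROUP layout that field was previously filled with; any shared LDAP-provider code that still indexes `netgroup_map` with SDAP_AT_NETGROUP_* values would now read the wrong attribute. If the IPA netgroup path is meant to be the only consumer of this map, that is worth a comment at the `sdap_get_map` call, e.g. `/* netgroup_map now uses the ipa_netgroup_attrs layout; only IPA code may index it */`. Likewise `host_map` is placed on the shared `ipa_opts->id` options while `host_search_bases` (the ipa_common.h hunk) lives on `struct ipa_options`; if `host_map` is not already a member of the shared struct this will not build, and if it is, keeping both host fields on the same struct would be more consistent. ipa_get_id_options ends outside this hunk.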
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 40c5e532..5b959c8c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -49,6 +49,7 @@ enum ipa_basic_opt {
IPA_DYNDNS_UPDATE,
IPA_DYNDNS_IFACE,
IPA_HBAC_SEARCH_BASE,
+ IPA_HOST_SEARCH_BASE,
IPA_KRB5_REALM,
IPA_HBAC_REFRESH,
IPA_HBAC_DENY_METHOD,
@@ -56,6 +57,27 @@ enum ipa_basic_opt {
IPA_OPTS_BASIC /* opts counter */
};
+enum ipa_netgroup_attrs {
+ IPA_OC_NETGROUP = 0,
+ IPA_AT_NETGROUP_NAME,
+ IPA_AT_NETGROUP_MEMBER,
+ IPA_AT_NETGROUP_MEMBER_OF,
+ IPA_AT_NETGROUP_MEMBER_USER,
+ IPA_AT_NETGROUP_MEMBER_HOST,
+ IPA_AT_NETGROUP_EXTERNAL_HOST,
+ IPA_AT_NETGROUP_DOMAIN,
+ IPA_AT_NETGROUP_UUID,
+
+ IPA_OPTS_NETGROUP /* attrs counter */
+};
+
+enum ipa_host_attrs {
+ IPA_OC_HOST = 0,
+ IPA_AT_HOST_FQDN,
+
+ IPA_OPTS_HOST /* attrs counter */
+};
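Review bot: `enum ipa_netgroup_attrs` and `enum ipa_host_attrs` are positional indices into `ipa_netgroup_map` and `ipa_host_map` in ipa_common.c, and nothing here records that coupling, so a later insertion in one place silently shifts every column in the other. A comment above each enum, e.g. `/* Order must match ipa_netgroup_map[] in ipa_common.c */`, would guard against that. The naming also drifts across layers: the option is `ipa_netgroup_member_ext_host`, the enumerator `IPA_AT_NETGROUP_EXTERNAL_HOST` and the sysdb attribute `SYSDB_ORIG_NETGROUP_EXTERNAL_HOST`; settling on one of ext_host/external_host throughout would make the three easier to grep together.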
+
struct ipa_auth_ctx {
struct krb5_ctx *krb5_auth_ctx;
struct sdap_auth_ctx *sdap_auth_ctx;
@@ -65,6 +87,7 @@ struct ipa_auth_ctx {
struct ipa_options {
struct dp_option *basic;
+ struct sdap_search_base **host_search_bases;
struct ipa_service *service;
/* id provider */