summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/man/sssd-ipa.5.xml13
-rw-r--r--src/providers/ipa/ipa_access.c91
-rw-r--r--src/providers/ipa/ipa_access.h2
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h1
7 files changed, 58 insertions, 54 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index aed683bd..3191ad79 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -91,6 +91,7 @@ option_strings = {
'ipa_hostname' : _('IPA client hostname'),
'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
+ 'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 42a75551..1b4427ab 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -4,6 +4,7 @@ ipa_server = str, None, false
ipa_hostname = str, None, false
ipa_dyndns_update = bool, None, false
ipa_dyndns_iface = str, None, false
+ipa_hbac_search_base = str, None, false
ldap_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index afa52e3c..606581d5 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -132,6 +132,19 @@
</varlistentry>
<varlistentry>
+ <term>ipa_hbac_search_base (string)</term>
+ <listitem>
+ <para>
+ Optional. Use the given string as search base for
+ HBAC related objects.
+ </para>
+ <para>
+ Default: Use base DN
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>krb5_validate (boolean)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index feddc87d..02b0a773 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -60,6 +60,30 @@
#define HBAC_HOSTS_SUBDIR "hbac_hosts"
#define HBAC_SERVICES_SUBDIR "hbac_services"
+static char *get_hbac_search_base(TALLOC_CTX *mem_ctx,
+ struct dp_option *ipa_options)
+{
+ char *base;
+ int ret;
+
+ base = dp_opt_get_string(ipa_options, IPA_HBAC_SEARCH_BASE);
+ if (base != NULL) {
+ return talloc_strdup(mem_ctx, base);
+ }
+
+ DEBUG(9, ("ipa_hbac_search_base not available, trying base DN.\n"));
+
+ ret = domain_to_basedn(mem_ctx,
+ dp_opt_get_string(ipa_options, IPA_DOMAIN),
+ &base);
+ if (ret != EOK) {
+ DEBUG(1, ("domain_to_basedn failed.\n"));
+ return NULL;
+ }
+
+ return base;
+}
+
static errno_t msgs2attrs_array(TALLOC_CTX *mem_ctx, size_t count,
struct ldb_message **msgs,
struct sysdb_attrs ***attrs)
@@ -441,11 +465,9 @@ done:
struct hbac_get_service_data_state {
struct hbac_ctx *hbac_ctx;
- const char *basedn;
bool offline;
char *services_filter;
- char *services_search_base;
const char **services_attrs;
struct sysdb_attrs **services_reply_list;
size_t services_reply_count;
@@ -456,8 +478,7 @@ struct hbac_get_service_data_state {
static void hbac_services_get_done(struct tevent_req *subreq);
struct tevent_req *hbac_get_service_data_send(TALLOC_CTX *memctx,
- struct hbac_ctx *hbac_ctx,
- const char *basedn)
+ struct hbac_ctx *hbac_ctx)
{
struct tevent_req *req = NULL;
struct tevent_req *subreq = NULL;
@@ -472,21 +493,12 @@ struct tevent_req *hbac_get_service_data_send(TALLOC_CTX *memctx,
}
state->hbac_ctx = hbac_ctx;
- state->basedn = basedn;
state->services_reply_list = NULL;
state->services_reply_count = 0;
state->current_item = 0;
- state->services_search_base = talloc_asprintf(state, IPA_SERVICES_BASE_TMPL,
- basedn);
- if (state->services_search_base == NULL) {
- DEBUG(1, ("Failed to create service search base.\n"));
- ret = ENOMEM;
- goto fail;
- }
-
state->services_attrs = talloc_array(state, const char *, 7);
if (state->services_attrs == NULL) {
DEBUG(1, ("Failed to allocate service attribute list.\n"));
@@ -538,7 +550,7 @@ struct tevent_req *hbac_get_service_data_send(TALLOC_CTX *memctx,
hbac_ctx_ev(state->hbac_ctx),
hbac_ctx_sdap_id_ctx(state->hbac_ctx)->opts,
sdap_handle,
- state->services_search_base,
+ state->hbac_ctx->hbac_search_base,
LDAP_SCOPE_SUB,
state->services_filter,
state->services_attrs,
@@ -715,7 +727,6 @@ struct hbac_get_host_info_state {
struct hbac_ctx *hbac_ctx;
char *host_filter;
- char *host_search_base;
const char **host_attrs;
struct sysdb_attrs **host_reply_list;
@@ -729,7 +740,6 @@ static void hbac_get_host_memberof_done(struct tevent_req *subreq);
static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
struct hbac_ctx *hbac_ctx,
- const char *basedn,
const char **hostnames)
{
struct tevent_req *req = NULL;
@@ -740,8 +750,8 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
int ret;
int i;
- if (hostnames == NULL || basedn == NULL) {
- DEBUG(1, ("Missing hostnames or domain.\n"));
+ if (hostnames == NULL) {
+ DEBUG(1, ("Missing hostnames.\n"));
return NULL;
}
@@ -787,14 +797,6 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
goto fail;
}
- state->host_search_base = talloc_asprintf(state, IPA_HOST_BASE_TMPL,
- basedn);
- if (state->host_search_base == NULL) {
- DEBUG(1, ("Failed to create host search base.\n"));
- ret = ENOMEM;
- goto fail;
- }
-
state->host_attrs = talloc_array(state, const char *, 8);
if (state->host_attrs == NULL) {
DEBUG(1, ("Failed to allocate host attribute list.\n"));
@@ -835,7 +837,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
subreq = sdap_get_generic_send(state, hbac_ctx_ev(state->hbac_ctx),
hbac_ctx_sdap_id_ctx(state->hbac_ctx)->opts,
sdap_handle,
- state->host_search_base,
+ state->hbac_ctx->hbac_search_base,
LDAP_SCOPE_SUB,
state->host_filter,
state->host_attrs,
@@ -1019,7 +1021,6 @@ struct hbac_get_rules_state {
const char *host_dn;
const char **memberof;
char *hbac_filter;
- char *hbac_search_base;
const char **hbac_attrs;
struct ldb_message *old_rules;
@@ -1032,7 +1033,6 @@ static void hbac_rule_get_done(struct tevent_req *subreq);
static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
struct hbac_ctx *hbac_ctx,
- const char *basedn,
const char *host_dn,
const char **memberof)
{
@@ -1044,8 +1044,8 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
int ret;
int i;
- if (host_dn == NULL || basedn == NULL) {
- DEBUG(1, ("Missing host_dn or domain.\n"));
+ if (host_dn == NULL) {
+ DEBUG(1, ("Missing host_dn.\n"));
return NULL;
}
@@ -1064,14 +1064,6 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
state->hbac_reply_count = 0;
state->current_item = 0;
- state->hbac_search_base = talloc_asprintf(state, IPA_HBAC_BASE_TMPL,
- basedn);
- if (state->hbac_search_base == NULL) {
- DEBUG(1, ("Failed to create HBAC search base.\n"));
- ret = ENOMEM;
- goto fail;
- }
-
state->hbac_attrs = talloc_array(state, const char *, 17);
if (state->hbac_attrs == NULL) {
DEBUG(1, ("Failed to allocate HBAC attribute list.\n"));
@@ -1156,7 +1148,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
subreq = sdap_get_generic_send(state, hbac_ctx_ev(state->hbac_ctx),
hbac_ctx_sdap_id_ctx(state->hbac_ctx)->opts,
sdap_handle,
- state->hbac_search_base,
+ state->hbac_ctx->hbac_search_base,
LDAP_SCOPE_SUB,
state->hbac_filter,
state->hbac_attrs,
@@ -1682,11 +1674,10 @@ void ipa_access_handler(struct be_req *be_req)
hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
- ret = domain_to_basedn(hbac_ctx,
- dp_opt_get_string(hbac_ctx->ipa_options, IPA_DOMAIN),
- &hbac_ctx->ldap_basedn);
- if (ret != EOK) {
- DEBUG(1, ("domain_to_basedn failed.\n"));
+ hbac_ctx->hbac_search_base = get_hbac_search_base(hbac_ctx,
+ hbac_ctx->ipa_options);
+ if (hbac_ctx->hbac_search_base == NULL) {
+ DEBUG(1, ("No HBAC search base found.\n"));
goto fail;
}
@@ -1818,9 +1809,7 @@ static int hbac_get_host_info_step(struct hbac_ctx *hbac_ctx)
pd->rhost = discard_const_p(char, hostlist[0]);
}
- subreq = hbac_get_host_info_send(hbac_ctx, hbac_ctx,
- hbac_ctx->ldap_basedn,
- hostlist);
+ subreq = hbac_get_host_info_send(hbac_ctx, hbac_ctx, hostlist);
if (!subreq) {
DEBUG(1, ("hbac_get_host_info_send failed.\n"));
return ENOMEM;
@@ -1866,8 +1855,7 @@ static void hbac_get_host_info_done(struct tevent_req *req)
pam_status = PAM_PERM_DENIED;
goto fail;
}
- req = hbac_get_rules_send(hbac_ctx, hbac_ctx,
- hbac_ctx->ldap_basedn, local_hhi->dn,
+ req = hbac_get_rules_send(hbac_ctx, hbac_ctx, local_hhi->dn,
local_hhi->memberof);
if (req == NULL) {
DEBUG(1, ("hbac_get_rules_send failed.\n"));
@@ -1898,8 +1886,7 @@ static void hbac_get_rules_done(struct tevent_req *req)
return;
}
- req = hbac_get_service_data_send(hbac_ctx, hbac_ctx,
- hbac_ctx->ldap_basedn);
+ req = hbac_get_service_data_send(hbac_ctx, hbac_ctx);
if (req == NULL) {
DEBUG(1, ("hbac_get_service_data_send failed.\n"));
goto failed;
diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
index ba567008..52b2f070 100644
--- a/src/providers/ipa/ipa_access.h
+++ b/src/providers/ipa/ipa_access.h
@@ -60,7 +60,7 @@ struct hbac_ctx {
const char *user_dn;
size_t groups_count;
const char **groups;
- char *ldap_basedn;
+ char *hbac_search_base;
struct sysdb_attrs **hbac_services_list;
size_t hbac_services_count;
};
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 6b4f64f2..407b9ef5 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -34,7 +34,8 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ipa_hostname", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING}
+ { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING}
};
struct dp_option ipa_def_ldap_opts[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 49618f01..294e84fa 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -48,6 +48,7 @@ enum ipa_basic_opt {
IPA_HOSTNAME,
IPA_DYNDNS_UPDATE,
IPA_DYNDNS_IFACE,
+ IPA_HBAC_SEARCH_BASE,
IPA_OPTS_BASIC /* opts counter */
};