
Source code changes of the file "src/providers/ad/ad_common.c" between
sssd-2.1.0.tar.gz and sssd-2.2.0.tar.gz

About: SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It also provides an NSS and PAM interface toward the system.

ad_common.c  (sssd-2.1.0):ad_common.c  (sssd-2.2.0)
skipping to change at line 27 skipping to change at line 27
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. along with this program. If not, see <http://www.gnu.org/licenses/>.
*/ */
#include <ctype.h> #include <ctype.h>
#include "providers/ad/ad_common.h" #include "providers/ad/ad_common.h"
#include "providers/ad/ad_opts.h" #include "providers/ad/ad_opts.h"
#include "providers/be_dyndns.h" #include "providers/be_dyndns.h"
#include "providers/fail_over.h"
struct ad_server_data { struct ad_server_data {
bool gc; bool gc;
}; };
errno_t ad_set_search_bases(struct sdap_options *id_opts, errno_t ad_set_search_bases(struct sdap_options *id_opts,
struct sdap_domain *sdap); struct sdap_domain *sdap);
static errno_t ad_set_sdap_options(struct ad_options *ad_opts, static errno_t ad_set_sdap_options(struct ad_options *ad_opts,
struct sdap_options *id_opts); struct sdap_options *id_opts);
skipping to change at line 578 skipping to change at line 579
ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL); ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL);
if (ret != EOK) { if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n"); DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n");
goto done; goto done;
} }
for (j = 0; list[j]; j++) { for (j = 0; list[j]; j++) {
if (resolv_is_address(list[j])) { if (resolv_is_address(list[j])) {
DEBUG(SSSDBG_IMPORTANT_INFO, DEBUG(SSSDBG_IMPORTANT_INFO,
"ad_server [%s] is detected as IP address, " "ad_server [%s] is detected as IP address, "
"this can cause GSSAPI problems\n", list[j]); "this can cause GSSAPI/GSS-SPNEGO problems\n", list[j]);
} }
} }
/* Add each of these servers to the failover service */ /* Add each of these servers to the failover service */
for (i = 0; list[i]; i++) { for (i = 0; list[i]; i++) {
if (be_fo_is_srv_identifier(list[i])) { if (be_fo_is_srv_identifier(list[i])) {
if (!primary) { if (!primary) {
DEBUG(SSSDBG_MINOR_FAILURE, DEBUG(SSSDBG_MINOR_FAILURE,
"Failed to add server [%s] to failover service: " "Failed to add server [%s] to failover service: "
"SRV resolution only allowed for primary servers!\n", "SRV resolution only allowed for primary servers!\n",
skipping to change at line 730 skipping to change at line 731
errno_t errno_t
ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
const char *primary_servers, const char *primary_servers,
const char *backup_servers, const char *backup_servers,
const char *krb5_realm, const char *krb5_realm,
const char *ad_service, const char *ad_service,
const char *ad_gc_service, const char *ad_gc_service,
const char *ad_domain, const char *ad_domain,
bool use_kdcinfo, bool use_kdcinfo,
size_t n_lookahead_primary,
size_t n_lookahead_backup,
struct ad_service **_service) struct ad_service **_service)
{ {
errno_t ret; errno_t ret;
TALLOC_CTX *tmp_ctx; TALLOC_CTX *tmp_ctx;
struct ad_service *service; struct ad_service *service;
tmp_ctx = talloc_new(mem_ctx); tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) return ENOMEM; if (!tmp_ctx) return ENOMEM;
service = talloc_zero(tmp_ctx, struct ad_service); service = talloc_zero(tmp_ctx, struct ad_service);
skipping to change at line 761 skipping to change at line 764
service->sdap->name = talloc_strdup(service->sdap, ad_service); service->sdap->name = talloc_strdup(service->sdap, ad_service);
service->gc->name = talloc_strdup(service->gc, ad_gc_service); service->gc->name = talloc_strdup(service->gc, ad_gc_service);
if (!service->sdap->name || !service->gc->name) { if (!service->sdap->name || !service->gc->name) {
ret = ENOMEM; ret = ENOMEM;
goto done; goto done;
} }
service->krb5_service = krb5_service_new(service, bectx, service->krb5_service = krb5_service_new(service, bectx,
ad_service, krb5_realm, ad_service, krb5_realm,
use_kdcinfo); use_kdcinfo,
n_lookahead_primary,
n_lookahead_backup);
if (!service->krb5_service) { if (!service->krb5_service) {
ret = ENOMEM; ret = ENOMEM;
goto done; goto done;
} }
ret = be_fo_add_service(bectx, ad_service, ad_user_data_cmp); ret = be_fo_add_service(bectx, ad_service, ad_user_data_cmp);
if (ret != EOK) { if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n"); DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n");
goto done; goto done;
} }
skipping to change at line 854 skipping to change at line 859
{ {
if (adsvc == NULL) { if (adsvc == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "NULL service\n"); DEBUG(SSSDBG_CRIT_FAILURE, "NULL service\n");
return; return;
} }
sdap_service_reset_fo(bectx, adsvc->sdap); sdap_service_reset_fo(bectx, adsvc->sdap);
sdap_service_reset_fo(bectx, adsvc->gc); sdap_service_reset_fo(bectx, adsvc->gc);
} }
static bool
ad_krb5info_file_filter(struct fo_server *server)
{
struct ad_server_data *sdata = NULL;
if (server == NULL) return true;
sdata = fo_get_server_user_data(server);
if (sdata && sdata->gc) {
/* Only write kdcinfo files for local servers */
return true;
}
return false;
}
static void static void
ad_resolve_callback(void *private_data, struct fo_server *server) ad_resolve_callback(void *private_data, struct fo_server *server)
{ {
errno_t ret; errno_t ret;
TALLOC_CTX *tmp_ctx; TALLOC_CTX *tmp_ctx;
struct ad_service *service; struct ad_service *service;
struct resolv_hostent *srvaddr; struct resolv_hostent *srvaddr;
struct sockaddr_storage *sockaddr; struct sockaddr_storage *sockaddr;
char *address; char *address;
char *safe_addr_list[2] = { NULL, NULL };
char *new_uri; char *new_uri;
int new_port; int new_port;
const char *srv_name; const char *srv_name;
struct ad_server_data *sdata = NULL; struct ad_server_data *sdata = NULL;
tmp_ctx = talloc_new(NULL); tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) { if (!tmp_ctx) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
return; return;
} }
skipping to change at line 968 skipping to change at line 986
} }
DEBUG(SSSDBG_CONF_SETTINGS, "Constructed GC uri '%s'\n", service->gc->uri); DEBUG(SSSDBG_CONF_SETTINGS, "Constructed GC uri '%s'\n", service->gc->uri);
if (service->gc->sockaddr == NULL) { if (service->gc->sockaddr == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, DEBUG(SSSDBG_CRIT_FAILURE,
"resolv_get_sockaddr_address failed.\n"); "resolv_get_sockaddr_address failed.\n");
ret = EIO; ret = EIO;
goto done; goto done;
} }
/* Only write kdcinfo files for local servers */ if (service->krb5_service->write_kdcinfo) {
if ((sdata == NULL || sdata->gc == false) && ret = write_krb5info_file_from_fo_server(service->krb5_service,
service->krb5_service->write_kdcinfo) { server,
/* Write krb5 info files */ SSS_KRB5KDC_FO_SRV,
safe_addr_list[0] = sss_escape_ip_address(tmp_ctx, ad_krb5info_file_filter);
srvaddr->family,
address);
if (safe_addr_list[0] == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "sss_escape_ip_address failed.\n");
ret = ENOMEM;
goto done;
}
ret = write_krb5info_file(service->krb5_service,
safe_addr_list,
SSS_KRB5KDC_FO_SRV);
if (ret != EOK) { if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, DEBUG(SSSDBG_MINOR_FAILURE,
"write_krb5info_file failed, authentication might fail.\n"); "write_krb5info_file failed, authentication might fail.\n");
} }
} }
ret = EOK; ret = EOK;
done: done:
if (ret != EOK) { if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, DEBUG(SSSDBG_CRIT_FAILURE,
"Error: [%s]\n", strerror(ret)); "Error: [%s]\n", strerror(ret));
} }
talloc_free(tmp_ctx); talloc_free(tmp_ctx);
skipping to change at line 1020 skipping to change at line 1027
* force that on. * force that on.
*/ */
ret = dp_opt_set_string(id_opts->basic, ret = dp_opt_set_string(id_opts->basic,
SDAP_PWD_POLICY, SDAP_PWD_POLICY,
PWD_POL_OPT_MIT); PWD_POL_OPT_MIT);
if (ret != EOK) { if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Could not set password policy\n"); DEBUG(SSSDBG_FATAL_FAILURE, "Could not set password policy\n");
goto done; goto done;
} }
/* Set the Kerberos Realm for GSSAPI */ /* Set the Kerberos Realm for GSSAPI or GSS-SPNEGO */
krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM); krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
if (!krb5_realm) { if (!krb5_realm) {
/* Should be impossible, this is set in ad_get_common_options() */ /* Should be impossible, this is set in ad_get_common_options() */
DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n"); DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
ret = EINVAL; ret = EINVAL;
goto done; goto done;
} }
ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm); ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
if (ret != EOK) goto done; if (ret != EOK) goto done;
skipping to change at line 1277 skipping to change at line 1284
/* Force the krb5_servers to match the ad_servers */ /* Force the krb5_servers to match the ad_servers */
ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers); ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers);
if (ret != EOK) goto done; if (ret != EOK) goto done;
DEBUG(SSSDBG_CONF_SETTINGS, DEBUG(SSSDBG_CONF_SETTINGS,
"Option %s set to %s\n", "Option %s set to %s\n",
krb5_options[KRB5_KDC].opt_name, krb5_options[KRB5_KDC].opt_name,
ad_servers); ad_servers);
/* Set krb5 realm */ /* Set krb5 realm */
/* Set the Kerberos Realm for GSSAPI */ /* Set the Kerberos Realm for GSSAPI/GSS-SPNEGO */
krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM); krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
if (!krb5_realm) { if (!krb5_realm) {
/* Should be impossible, this is set in ad_get_common_options() */ /* Should be impossible, this is set in ad_get_common_options() */
DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n"); DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
ret = EINVAL; ret = EINVAL;
goto done; goto done;
} }
/* Force the kerberos realm to match the AD_KRB5_REALM (which may have /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
* been upper-cased in ad_common_options() * been upper-cased in ad_common_options()
skipping to change at line 1304 skipping to change at line 1311
krb5_realm); krb5_realm);
/* Set flag that controls whether we want to write the /* Set flag that controls whether we want to write the
* kdcinfo files at all * kdcinfo files at all
*/ */
ad_opts->service->krb5_service->write_kdcinfo = \ ad_opts->service->krb5_service->write_kdcinfo = \
dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO); dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
krb5_options[KRB5_USE_KDCINFO].opt_name, krb5_options[KRB5_USE_KDCINFO].opt_name,
ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false"); ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false");
sss_krb5_parse_lookahead(
dp_opt_get_string(krb5_options, KRB5_KDCINFO_LOOKAHEAD),
&ad_opts->service->krb5_service->lookahead_primary,
&ad_opts->service->krb5_service->lookahead_backup);
*_opts = talloc_steal(mem_ctx, krb5_options); *_opts = talloc_steal(mem_ctx, krb5_options);
ret = EOK; ret = EOK;
done: done:
talloc_free(tmp_ctx); talloc_free(tmp_ctx);
return ret; return ret;
} }
skipping to change at line 1458 skipping to change at line 1469
cindex++; cindex++;
} }
/* Users from primary domain can be just downloaded from LDAP. /* Users from primary domain can be just downloaded from LDAP.
* The domain's LDAP connection also works as a fallback * The domain's LDAP connection also works as a fallback
*/ */
clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom); clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
return clist; return clist;
} }
errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
struct dp_option *suddom_opts,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
int opt_id)
{
int ret;
const char *parent_val = NULL;
char *dummy = NULL;
char *option_list[2] = { NULL, NULL };
parent_val = dp_opt_get_cstring(parent_opts, opt_id);
if (parent_val != NULL) {
ret = confdb_get_string(cdb, NULL, subdom_conf_path,
parent_opts[opt_id].opt_name, NULL, &dummy);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "confdb_get_string failed.\n");
goto done;
}
if (dummy == NULL) {
DEBUG(SSSDBG_CONF_SETTINGS,
"Option [%s] is set in parent domain but not set for "
"sub-domain trying to set it to [%s].\n",
parent_opts[opt_id].opt_name, parent_val);
option_list[0] = discard_const(parent_opts[opt_id].opt_name);
dp_option_inherit(option_list, opt_id, parent_opts, suddom_opts);
}
}
ret = EOK;
done:
talloc_free(dummy);
return ret;
}
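Review bot: The new ad_krb5info_file_filter (the function inserted before ad_resolve_callback) never states what its boolean means, and its only comment, `/* Only write kdcinfo files for local servers */`, sits in the branch that returns true for Global Catalog servers, which reads as the opposite of the condition it replaces in ad_resolve_callback (the old code wrote the file only when `sdata->gc` was false, so true here presumably means "skip this server"). A header comment such as `/* Return true if SERVER must NOT get a kdcinfo file: NULL servers and Global Catalog entries are skipped, everything else is written. */` would pin that contract for write_krb5info_file_from_fo_server's callers. In the same callback the failure message still names `write_krb5info_file` although the call is now `write_krb5info_file_from_fo_server`, which misleads anyone correlating logs with code; `"write_krb5info_file_from_fo_server failed, authentication might fail.\n"` matches the call. In the hunk following "Force the krb5_servers to match the ad_servers" the result of `sss_krb5_parse_lookahead(...)` is discarded, so if that helper reports a malformed `KRB5_KDCINFO_LOOKAHEAD` value through its return (its prototype is not visible here) the error is lost and the lookahead fields keep whatever the helper left in them. ad_resolve_callback and the enclosing function of the lookahead hunk both continue outside the shown hunks.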
 End of changes. 12 change blocks. 
22 lines changed or deleted 33 lines changed or added
