
ad_init.c
1 /*
2  SSSD
3 
4  Authors:
5  Stephen Gallagher <sgallagh@redhat.com>
6 
7  Copyright (C) 2012 Red Hat
8 
9  This program is free software; you can redistribute it and/or modify
10  it under the terms of the GNU General Public License as published by
11  the Free Software Foundation; either version 3 of the License, or
12  (at your option) any later version.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22 
23 
24 #include <sys/types.h>
25 #include <unistd.h>
26 #include <sys/stat.h>
27 #include <fcntl.h>
28 
29 #include <sasl/sasl.h>
30 
31 #include "util/util.h"
32 #include "providers/ad/ad_common.h"
33 #include "providers/ad/ad_access.h"
39 #include "providers/ad/ad_id.h"
40 #include "providers/ad/ad_srv.h"
41 #include "providers/be_dyndns.h"
44 
/* Per-module state built once by sssm_ad_init() and handed to every
 * sssm_ad_*_init() target as module_data. (The `options` member that
 * sssm_ad_init() fills in sits on original line 46, which this listing
 * does not show.) */
struct ad_init_ctx {
    struct ad_id_ctx *id_ctx;     /* always created; shared by all targets */
    struct krb5_ctx *auth_ctx;    /* only set when the auth/chpass target is on */
};
50 
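#define AD_COMPAT_ON "1"

/*
 * SASL_CB_GETOPT callback handed to sasl_client_init().
 *
 * Cyrus SASL calls this to ask for configuration options on behalf of a
 * mechanism plugin. The only option answered here is "ad_compat", and only
 * for mechanisms that sdap_sasl_mech_needs_kinit() reports as Kerberos
 * based; every other query is refused with SASL_FAIL so the library falls
 * back to its own configuration.
 *
 * @param context      Unused; registered with a NULL context.
 * @param plugin_name  Name of the asking mechanism plugin; NULL is refused.
 * @param option       Option name being queried; NULL is refused.
 * @param result       Receives a pointer to static storage; the caller must
 *                     not free it.
 * @param len          Optional; receives the result length when non-NULL.
 * @return SASL_OK when *result was set, SASL_FAIL otherwise.
 */
static int ad_sasl_getopt(void *context, const char *plugin_name,
                          const char *option,
                          const char **result, unsigned *len)
{
    /* Reject NULL inputs before any string access: strcmp() on a NULL
     * option is undefined behaviour, and the library owns these pointers. */
    if (plugin_name == NULL || option == NULL || result == NULL) {
        return SASL_FAIL;
    }

    if (!sdap_sasl_mech_needs_kinit(plugin_name)) {
        return SASL_FAIL;
    }

    if (strcmp(option, "ad_compat") != 0) {
        return SASL_FAIL;
    }

    *result = AD_COMPAT_ON;
    if (len != NULL) {
        /* NOTE(review): 2 is not strlen(AD_COMPAT_ON) (which is 1); kept
         * unchanged — confirm whether the consumer counts the NUL. */
        *len = 2;
    }

    return SASL_OK;
}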
71 
/* Generic function-pointer type for the callback slot of sasl_callback_t;
 * the real callbacks are cast to it in ad_sasl_callbacks. */
typedef int (*sss_sasl_gen_cb_fn)(void);
73 
/*
 * Translate a Cyrus SASL log level into the SSSD debug level used for the
 * corresponding DEBUG() call.
 *
 * Errors and authentication failures land on the failure levels so they
 * show up at default verbosity; anything more verbose than a warning, and
 * any level this code does not recognise, is demoted to SSSDBG_TRACE_ALL.
 *
 * @param sasl_level  One of the SASL_LOG_* constants.
 * @return The matching SSSDBG_* level.
 */
static int map_sasl2sssd_log_level(int sasl_level)
{
    if (sasl_level == SASL_LOG_ERR) {
        /* unusual errors (the SASL default) */
        return SSSDBG_CRIT_FAILURE;
    }

    if (sasl_level == SASL_LOG_FAIL) {
        /* every authentication failure */
        return SSSDBG_OP_FAILURE;
    }

    if (sasl_level == SASL_LOG_WARN) {
        /* non-fatal warnings */
        return SSSDBG_MINOR_FAILURE;
    }

    /* SASL_LOG_NOTE, SASL_LOG_DEBUG, SASL_LOG_TRACE, SASL_LOG_PASS (protocol
     * traces, possibly including passwords) and any unknown level: only
     * worth the most verbose SSSD level. */
    return SSSDBG_TRACE_ALL;
}
101 
/*
 * SASL_CB_LOG callback: route Cyrus SASL log messages into SSSD logging.
 *
 * Errors and authentication failures are additionally sent to the system
 * log; every message is passed to DEBUG() at the level chosen by
 * map_sasl2sssd_log_level().
 *
 * @param context  Unused.
 * @param level    SASL_LOG_* level of the message.
 * @param message  Text supplied by the SASL library.
 * @return Always SASL_OK.
 */
static int ad_sasl_log(void *context, int level, const char *message)
{
    const int sssd_level = map_sasl2sssd_log_level(level);
    const int is_failure = (level == SASL_LOG_ERR) || (level == SASL_LOG_FAIL);

    /* Failures also go to syslog so they are visible without debug
     * logging enabled. */
    if (is_failure) {
        sss_log(SSS_LOG_ERR, "%s\n", message);
    }

    /* The SASL text is always a "%s" argument, never the format string. */
    DEBUG(sssd_level, "SASL: %s\n", message);

    return SASL_OK;
}
114 
/* Callback table registered with sasl_client_init() by ad_sasl_initialize().
 * The cast goes through void * to reach the generic sss_sasl_gen_cb_fn type
 * the table entry expects, because the real callbacks have different
 * signatures; both are registered with a NULL context. */
static const sasl_callback_t ad_sasl_callbacks[] = {
    { SASL_CB_GETOPT, (sss_sasl_gen_cb_fn)(void *)ad_sasl_getopt, NULL },
    { SASL_CB_LOG, (sss_sasl_gen_cb_fn)(void *)ad_sasl_log, NULL },
    { SASL_CB_LIST_END, NULL, NULL }
};
120 
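/* This is quite a hack: we *try* to fool the OpenLDAP libraries by
 * initializing SASL first, so the SASL_CB_GETOPT callback we need in order
 * to set some options is the one the library ends up using. Should be
 * removed as soon as OpenLDAP exposes a way to do that. */
static void ad_sasl_initialize(void)
{
    int rc;

    /* NOTE: this may fail if some other library in the process happens to
     * initialize and use the OpenLDAP libraries, or the cyrus-sasl library
     * directly, as this initialization function can be called only once per
     * process. The failure is tolerated — SSSD carries on with whatever SASL
     * state already exists — but it is logged instead of discarded so an
     * "ad_compat" callback that never took effect can be diagnosed. */
    rc = sasl_client_init(ad_sasl_callbacks);
    if (rc != SASL_OK) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              "sasl_client_init() failed [%d]: %s\n",
              rc, sasl_errstring(rc, NULL, NULL));
    }
}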
132 
/*
 * Load the AD provider options from confdb and set up the failover service
 * for the domain.
 *
 * @param mem_ctx      talloc parent of the resulting ad_options.
 * @param be_ctx       Backend context of the domain being initialized.
 * @param _ad_options  Receives the new options on EOK; untouched on error.
 * @return EOK, or the errno_t from option parsing / failover setup.
 *
 * NOTE(review): original lines 143, 146-147, 154, 156 and 160-161 did not
 * survive extraction of this listing; the call that assigns ret and
 * ad_options (presumably ad_get_common_options()), the ad_servers and
 * ad_realm lookups, and part of the ad_failover_init() argument list are
 * among them.
 */
static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
                               struct be_ctx *be_ctx,
                               struct ad_options **_ad_options)
{
    struct ad_options *ad_options;
    char *ad_servers = NULL;
    char *ad_backup_servers = NULL;
    char *ad_realm;
    errno_t ret;

    /* Get AD-specific options */
    /* (the call that sets ret and ad_options is not shown in this listing) */
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse common options "
              "[%d]: %s\n", ret, sss_strerror(ret));
        return ret;
    }

    ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);

    /* Set up the failover service */
    /* (the realm/service-name/domain arguments are not shown in this listing) */
    ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
                           false, /* will be set in ad_get_auth_options() */
                           (size_t) -1,
                           (size_t) -1,
                           &ad_options->service);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init AD failover service: "
              "[%d]: %s\n", ret, sss_strerror(ret));
        /* ad_options was allocated by the option parser; nothing else
         * references it yet, so it can be released here. */
        talloc_free(ad_options);
        return ret;
    }

    *_ad_options = ad_options;

    return EOK;
}
177 
                                  struct ad_options *ad_options)
{
    /* Install the SRV lookup plugin used by failover for this domain.
     *
     * When AD sites are disabled the plain DNS SRV plugin is used; otherwise
     * the AD-aware plugin (ad_srv_plugin_send/recv) is registered with a
     * context carrying the host name, domain and optional site override.
     *
     * NOTE(review): the first line of the signature (original line 178) and
     * original lines 188-191, 195, 205-208 and 214 are absent from this
     * listing; the option lookups that set hostname, ad_domain,
     * ad_site_override and sites_enabled, the call that sets ret in the
     * !sites_enabled branch, the srv_ctx allocation and the plugin
     * registration call are among them. */
    struct ad_srv_plugin_ctx *srv_ctx;
    const char *hostname;
    const char *ad_domain;
    const char *ad_site_override;
    bool sites_enabled;
    errno_t ret;

    /* (option lookups not shown in this listing) */

    if (!sites_enabled) {
        /* (the call that sets ret is not shown in this listing) */
        if (ret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
                  "[%d]: %s\n", ret, sss_strerror(ret));
            return ret;
        }

        return EOK;
    }

    /* (srv_ctx allocation not shown in this listing) */
    if (srv_ctx == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
        return ENOMEM;
    }

    /* (start of the plugin registration call not shown in this listing) */
                                  ad_srv_plugin_recv, srv_ctx, "AD");

    return EOK;
}
219 
{
    /* Build the generic LDAP access context used by the AD access provider.
     *
     * The access rule list is derived from ad_access_filter: when a filter
     * is configured it is copied into sdap_access_ctx->filter and the
     * rules are "expire, filter", otherwise only "expire".
     *
     * NOTE(review): the signature (original line 220) and original lines
     * 224, 232, 238-239, 250-251 and 253 are absent from this listing; the
     * sdap_access_ctx declaration, the id_ctx assignment, the filter option
     * lookup and the access_rule assignments are among them. */
    struct dp_option *options = access_ctx->ad_options;
    struct sdap_id_ctx *sdap_id_ctx = access_ctx->ad_id_ctx->sdap_id_ctx;
    const char *filter;

    sdap_access_ctx = talloc_zero(access_ctx, struct sdap_access_ctx);
    if (sdap_access_ctx == NULL) {
        return ENOMEM;
    }

    /* (id_ctx assignment and filter lookup not shown in this listing) */

    /* If ad_access_filter is set, the value of ldap_access_order is
     * expire, filter, otherwise only expire.
     */
    if (filter != NULL) {
        /* The processing of the extended filter is performed during the access
         * check itself.
         */
        sdap_access_ctx->filter = talloc_strdup(sdap_access_ctx, filter);
        if (sdap_access_ctx->filter == NULL) {
            talloc_free(sdap_access_ctx);
            return ENOMEM;
        }

        /* (access_rule assignments not shown in this listing) */
    } else {
        /* (access_rule assignment not shown in this listing) */
    }

    access_ctx->sdap_access_ctx = sdap_access_ctx;

    return EOK;
}
260 
262 
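/*
 * Read the GPO related options into the access context.
 *
 * Parses ad_gpo_access_control into access_ctx->gpo_access_control_mode,
 * copies the GPO cache timeout and builds the gpo_map_options hash table
 * from the configured map options.
 *
 * @param access_ctx  Access context whose ad_options were already copied.
 * @return EOK on success; EINVAL for a missing or unrecognized access
 *         control mode; the errno_t from hash-table creation or map-option
 *         parsing otherwise. On failure nothing allocated here is left
 *         behind.
 */
static errno_t ad_init_gpo(struct ad_access_ctx *access_ctx)
{
    struct dp_option *options = access_ctx->ad_options;
    const char *gpo_access_control_mode;
    errno_t ret;

    /* GPO access control mode: disabled | permissive | enforcing
     * (matched case-insensitively). */
    gpo_access_control_mode = dp_opt_get_string(options, AD_GPO_ACCESS_CONTROL);
    if (gpo_access_control_mode == NULL) {
        /* Log it: a silent EINVAL is indistinguishable from the
         * unrecognized-value case below when reading the caller's log. */
        DEBUG(SSSDBG_FATAL_FAILURE, "GPO access control mode is not set\n");
        return EINVAL;
    }

    if (strcasecmp(gpo_access_control_mode, "disabled") == 0) {
        access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_DISABLED;
    } else if (strcasecmp(gpo_access_control_mode, "permissive") == 0) {
        access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_PERMISSIVE;
    } else if (strcasecmp(gpo_access_control_mode, "enforcing") == 0) {
        access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_ENFORCING;
    } else {
        DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized GPO access control mode: "
              "%s\n", gpo_access_control_mode);
        return EINVAL;
    }

    /* GPO cache timeout: taken as configured, no range check here. */
    access_ctx->gpo_cache_timeout = dp_opt_get_int(options, AD_GPO_CACHE_TIMEOUT);

    /* GPO logon maps: 10 is only an initial size hint for the table. */
    ret = sss_hash_create(access_ctx, 10, &access_ctx->gpo_map_options_table);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create gpo_map_options "
              "hash table [%d]: %s\n", ret, sss_strerror(ret));
        return ret;
    }

    ret = ad_gpo_parse_map_options(access_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse gpo_map_options "
              "(invalid config) [%d]: %s\n", ret, sss_strerror(ret));
        /* Drop the half-built table so the context does not carry a
         * partially populated map. */
        talloc_zfree(access_ctx->gpo_map_options_table);
        return ret;
    }

    return EOK;
}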
310 
/*
 * Create the Kerberos context used by the auth and chpass targets.
 *
 * The context is marked as generic krb5 configuration, told to use the
 * password from the PAM request, pointed at the failover krb5 service of
 * the AD options, and then filled from ad_get_auth_options() and
 * krb5_child_init().
 *
 * @param mem_ctx     talloc parent of the new krb5_ctx.
 * @param be_ctx      Backend context of the domain.
 * @param ad_options  AD options; ad_options->auth_ctx is set on success.
 * @param _auth_ctx   Receives the new context on EOK only.
 * @return EOK, ENOMEM, or the errno_t of the failing step. On failure the
 *         partially built context is freed and no output is written.
 */
static errno_t ad_init_auth_ctx(TALLOC_CTX *mem_ctx,
                                struct be_ctx *be_ctx,
                                struct ad_options *ad_options,
                                struct krb5_ctx **_auth_ctx)
{
    struct krb5_ctx *kctx = talloc_zero(mem_ctx, struct krb5_ctx);
    errno_t ret;

    if (kctx == NULL) {
        return ENOMEM;
    }

    kctx->config_type = K5C_GENERIC;
    kctx->sss_creds_password = true;
    kctx->service = ad_options->service->krb5_service;

    ret = ad_get_auth_options(kctx, ad_options, be_ctx, &kctx->opts);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Could not determine Kerberos options\n");
        talloc_free(kctx);
        return ret;
    }

    ret = krb5_child_init(kctx, be_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize krb5_child settings: "
              "[%d]: %s\n", ret, sss_strerror(ret));
        talloc_free(kctx);
        return ret;
    }

    /* Publish the context only once every step has succeeded. */
    ad_options->auth_ctx = kctx;
    *_auth_ctx = kctx;

    return EOK;
}
355 
                              struct ad_options *ad_options,
                              struct ad_id_ctx *ad_id_ctx,
                              struct sdap_id_ctx *sdap_id_ctx)
{
    /* Wire up everything the ID context needs beyond its options: dynamic
     * DNS updates, TLS settings, ID mapping, background tasks, the LDAP
     * child helper, the SRV lookup plugin, periodic refresh, machine
     * account password renewal and certificate mapping.
     *
     * Three steps are deliberately non-fatal and only logged: DNS update
     * setup, periodic refresh (EEXIST is also accepted) and loading the
     * certificate mapping rules. Every other failure aborts initialization.
     *
     * NOTE(review): the first line of the signature (original line 356) and
     * original lines 363, 365, 370, 377-378, 380, 386-387, 395, 404, 411,
     * 417, 424, 426, 433 and 435 are absent from this listing; most of the
     * calls that assign ret, and the start of several DEBUG() statements,
     * are among them. */
    errno_t ret;

    /* (DNS update setup call not shown in this listing) */
    if (ret != EOK) {
        /* (start of DEBUG() not shown in this listing) */
              "Failure setting up automatic DNS update\n");
        /* Continue without DNS updates */
    }

    /* (TLS option setup call not shown in this listing) */
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get TLS options [%d]: %s\n",
              ret, sss_strerror(ret));
        return ret;
    }

    /* (ID mapping initialization call not shown in this listing) */
    if (ret != EOK) {
        /* (start of DEBUG() not shown in this listing) */
              "Could not initialize ID mapping. In case ID mapping properties "
              "changed on the server, please remove the SSSD database\n");
        return ret;
    }

    /* (start of the background task setup call not shown in this listing) */
                             ad_id_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup background tasks "
              "[%d]: %s\n", ret, sss_strerror(ret));
        return ret;
    }

    /* (one line not shown in this listing) */

    ret = sdap_setup_child();
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n",
              ret, sss_strerror(ret));
        return ret;
    }

    /* (SRV plugin setup call not shown in this listing) */
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup SRV plugin [%d]: %s\n",
              ret, sss_strerror(ret));
        return ret;
    }

    /* (periodic refresh setup call not shown in this listing) */
    if (ret != EOK && ret != EEXIST) {
        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
              "will not work [%d]: %s\n", ret, sss_strerror(ret));
    }

    /* (machine account password renewal setup call not shown in this listing) */
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot setup task for machine account "
              "password renewal.\n");
        return ret;
    }

    /* (certificate mapping rules call not shown in this listing) */
    if (ret != EOK) {
        /* (start of DEBUG() not shown in this listing) */
              "Failed to initialize certificate mapping rules. "
              "Authentication with certificates/Smartcards might not work "
              "as expected.\n");
        /* not fatal, ignored */
    }

    /* (certificate mapping initialization call not shown in this listing) */
    if (ret != EOK) {
        /* (start of DEBUG() not shown in this listing) */
              "Failed to initialized certificate mapping.\n");
        return ret;
    }

    return EOK;
}
442 
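/*
 * Module entry point for the AD provider.
 *
 * Builds the ad_init_ctx that every sssm_ad_*_init() target later receives
 * as module_data: the options and the ID context are always created, the
 * Kerberos auth context only when the auth or chpass target is enabled.
 *
 * @param mem_ctx       talloc parent of the module context (and, through
 *                      ad_init_options(), of the options).
 * @param be_ctx        Backend context of the domain being initialized.
 * @param provider      Data provider, consulted for enabled targets.
 * @param module_name   Module name passed to dp_target_enabled().
 * @param _module_data  Receives the ad_init_ctx on EOK only.
 * @return EOK, ENOMEM, or the errno_t of the failing step. Every failure
 *         path frees init_ctx so a partially built context never escapes
 *         (the original returned directly from three of the failure
 *         branches, leaving init_ctx on mem_ctx).
 */
errno_t sssm_ad_init(TALLOC_CTX *mem_ctx,
                     struct be_ctx *be_ctx,
                     struct data_provider *provider,
                     const char *module_name,
                     void **_module_data)
{
    struct ad_init_ctx *init_ctx;
    errno_t ret;

    init_ctx = talloc_zero(mem_ctx, struct ad_init_ctx);
    if (init_ctx == NULL) {
        return ENOMEM;
    }

    /* Always initialize options since they are needed everywhere. They hang
     * off mem_ctx rather than init_ctx, so the cleanup below does not free
     * them. */
    ret = ad_init_options(mem_ctx, be_ctx, &init_ctx->options);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD options [%d]: %s\n",
              ret, sss_strerror(ret));
        goto done;
    }

    /* Always initialize id_ctx since it is needed everywhere. */
    init_ctx->id_ctx = ad_id_ctx_init(init_ctx->options, be_ctx);
    if (init_ctx->id_ctx == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize AD ID context\n");
        ret = ENOMEM;
        goto done;
    }

    init_ctx->options->id_ctx = init_ctx->id_ctx;

    ret = ad_get_id_options(init_ctx->options,
                            be_ctx->cdb,
                            be_ctx->conf_path,
                            be_ctx->provider,
                            &init_ctx->id_ctx->sdap_id_ctx->opts);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD id options\n");
        goto done;
    }

    /* Setup miscellaneous things. */
    ret = ad_init_misc(be_ctx, init_ctx->options, init_ctx->id_ctx,
                       init_ctx->id_ctx->sdap_id_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD module "
              "[%d]: %s\n", ret, sss_strerror(ret));
        goto done;
    }

    /* Initialize auth_ctx only if one of the targets is enabled; the auth
     * and chpass targets share it (sssm_ad_chpass_init() defers to
     * sssm_ad_auth_init()). */
    if (dp_target_enabled(provider, module_name, DPT_AUTH, DPT_CHPASS)) {
        ret = ad_init_auth_ctx(init_ctx, be_ctx, init_ctx->options,
                               &init_ctx->auth_ctx);
        if (ret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context "
                  "[%d]: %s\n", ret, sss_strerror(ret));
            goto done;
        }
    }

    *_module_data = init_ctx;

    ret = EOK;

done:
    if (ret != EOK) {
        /* All failure paths end here so the partially built context is
         * released instead of lingering on mem_ctx. */
        talloc_free(init_ctx);
    }

    return ret;
}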
516 
/*
 * Register the ID target's request handlers (account lookup, online check
 * and account-domain resolution) on the AD ID context.
 *
 * @param mem_ctx      Unused here.
 * @param be_ctx       Unused here.
 * @param module_data  The ad_init_ctx created by sssm_ad_init().
 * @param dp_methods   Method table to fill.
 * @return Always EOK.
 *
 * NOTE(review): original lines 528-529, 532-533 and 536-537 — the first
 * lines of the three dp_set_method() registrations — are absent from this
 * listing; only their trailing type arguments are visible.
 */
errno_t sssm_ad_id_init(TALLOC_CTX *mem_ctx,
                        struct be_ctx *be_ctx,
                        void *module_data,
                        struct dp_method *dp_methods)
{
    struct ad_init_ctx *init_ctx;
    struct ad_id_ctx *id_ctx;

    /* talloc_get_type() yields NULL on a type mismatch; module_data is
     * trusted to be what sssm_ad_init() produced. */
    init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
    id_ctx = init_ctx->id_ctx;

    /* (start of registration not shown in this listing) */
                  struct ad_id_ctx, struct dp_id_data, struct dp_reply_std);

    /* (start of registration not shown in this listing) */
                  struct sdap_id_ctx, void, struct dp_reply_std);

    /* (start of registration not shown in this listing) */
                  struct ad_id_ctx, struct dp_get_acct_domain_data, struct dp_reply_std);

    return EOK;
}
542 
/*
 * Register the authentication handler on the Kerberos context built by
 * sssm_ad_init() (which only creates it when the auth or chpass target is
 * enabled — presumably the only case in which this is called).
 *
 * @param mem_ctx      Unused here.
 * @param be_ctx       Unused here.
 * @param module_data  The ad_init_ctx created by sssm_ad_init().
 * @param dp_methods   Method table to fill.
 * @return Always EOK.
 *
 * NOTE(review): original lines 554-555, the start of the dp_set_method()
 * registration, are absent from this listing.
 */
errno_t sssm_ad_auth_init(TALLOC_CTX *mem_ctx,
                          struct be_ctx *be_ctx,
                          void *module_data,
                          struct dp_method *dp_methods)
{
    struct ad_init_ctx *init_ctx;
    struct krb5_ctx *auth_ctx;

    init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
    auth_ctx = init_ctx->auth_ctx;

    /* (start of registration not shown in this listing) */
                  struct krb5_ctx, struct pam_data, struct pam_data *);

    return EOK;
}
560 
/*
 * Initialize the chpass target.
 *
 * Password changes use the same handler and Kerberos context as
 * authentication, so this simply defers to sssm_ad_auth_init().
 *
 * @param mem_ctx      Passed through.
 * @param be_ctx       Passed through.
 * @param module_data  The ad_init_ctx created by sssm_ad_init().
 * @param dp_methods   Method table to fill.
 * @return Whatever sssm_ad_auth_init() returns.
 */
errno_t sssm_ad_chpass_init(TALLOC_CTX *mem_ctx,
                            struct be_ctx *be_ctx,
                            void *module_data,
                            struct dp_method *dp_methods)
{
    errno_t ret;

    ret = sssm_ad_auth_init(mem_ctx, be_ctx, module_data, dp_methods);

    return ret;
}
568 
/*
 * Initialize the access target: build an ad_access_ctx with its own copy
 * of the basic AD options, the generic LDAP access context and the GPO
 * settings, then register the PAM access handler.
 *
 * @param mem_ctx      talloc parent of the access context.
 * @param be_ctx       Unused here.
 * @param module_data  The ad_init_ctx created by sssm_ad_init().
 * @param dp_methods   Method table to fill.
 * @return EOK, ENOMEM, or the errno_t of the failing step; on failure the
 *         access context is freed.
 *
 * NOTE(review): original lines 609-610, the start of the dp_set_method()
 * registration, are absent from this listing.
 */
errno_t sssm_ad_access_init(TALLOC_CTX *mem_ctx,
                            struct be_ctx *be_ctx,
                            void *module_data,
                            struct dp_method *dp_methods)
{
    struct ad_init_ctx *init_ctx;
    struct ad_access_ctx *access_ctx;
    errno_t ret;

    init_ctx = talloc_get_type(module_data, struct ad_init_ctx);

    access_ctx = talloc_zero(mem_ctx, struct ad_access_ctx);
    if (access_ctx == NULL) {
        return ENOMEM;
    }

    access_ctx->ad_id_ctx = init_ctx->id_ctx;

    /* The access provider gets a private copy of the options so that its
     * settings are owned by access_ctx. */
    ret = dp_copy_options(access_ctx, init_ctx->options->basic, AD_OPTS_BASIC,
                          &access_ctx->ad_options);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize access provider "
              "options [%d]: %s\n", ret, sss_strerror(ret));
        goto done;
    }

    ret = ad_init_sdap_access_ctx(access_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize sdap access context "
              "[%d]: %s\n", ret, sss_strerror(ret));
        goto done;
    }

    /* A bad ad_gpo_access_control value is fatal for the access target. */
    ret = ad_init_gpo(access_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize GPO "
              "[%d]: %s\n", ret, sss_strerror(ret));
        goto done;
    }

    /* (start of registration not shown in this listing) */
                  struct ad_access_ctx, struct pam_data, struct pam_data *);

    ret = EOK;

done:
    if (ret != EOK) {
        /* Children (option copy, sdap access ctx, GPO table) go with it. */
        talloc_free(access_ctx);
    }

    return ret;
}
622 
/*
 * Initialize the autofs target.
 *
 * With autofs support compiled in, this delegates to ad_autofs_init() with
 * the shared ID context; otherwise the call is logged and ignored.
 *
 * @param mem_ctx      Passed through to ad_autofs_init().
 * @param be_ctx       Passed through to ad_autofs_init().
 * @param module_data  The ad_init_ctx created by sssm_ad_init().
 * @param dp_methods   Method table to fill.
 * @return The result of ad_autofs_init(), or EOK when built without autofs.
 */
errno_t sssm_ad_autofs_init(TALLOC_CTX *mem_ctx,
                            struct be_ctx *be_ctx,
                            void *module_data,
                            struct dp_method *dp_methods)
{
#ifndef BUILD_AUTOFS
    DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is "
          "built without autofs support, ignoring\n");
    return EOK;
#else
    struct ad_init_ctx *ctx;

    DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD autofs handler\n");
    ctx = talloc_get_type(module_data, struct ad_init_ctx);

    return ad_autofs_init(mem_ctx, be_ctx, ctx->id_ctx, dp_methods);
#endif
}
641 
/*
 * Initialize the subdomains target by delegating to ad_subdomains_init()
 * with the shared ID context.
 *
 * @param mem_ctx      Passed through.
 * @param be_ctx       Passed through.
 * @param module_data  The ad_init_ctx created by sssm_ad_init().
 * @param dp_methods   Method table to fill.
 * @return Whatever ad_subdomains_init() returns.
 */
errno_t sssm_ad_subdomains_init(TALLOC_CTX *mem_ctx,
                                struct be_ctx *be_ctx,
                                void *module_data,
                                struct dp_method *dp_methods)
{
    struct ad_init_ctx *ctx;

    DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD subdomains handler\n");
    ctx = talloc_get_type(module_data, struct ad_init_ctx);

    return ad_subdomains_init(mem_ctx, be_ctx, ctx->id_ctx, dp_methods);
}
654 
/*
 * Initialize the sudo target.
 *
 * With sudo support compiled in, this delegates to ad_sudo_init() with the
 * shared ID context; otherwise the call is logged and ignored.
 *
 * @param mem_ctx      Passed through to ad_sudo_init().
 * @param be_ctx       Passed through to ad_sudo_init().
 * @param module_data  The ad_init_ctx created by sssm_ad_init().
 * @param dp_methods   Method table to fill.
 * @return The result of ad_sudo_init(), or EOK when built without sudo.
 */
errno_t sssm_ad_sudo_init(TALLOC_CTX *mem_ctx,
                          struct be_ctx *be_ctx,
                          void *module_data,
                          struct dp_method *dp_methods)
{
#ifndef BUILD_SUDO
    DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is "
          "built without sudo support, ignoring\n");
    return EOK;
#else
    struct ad_init_ctx *ctx;

    DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD sudo handler\n");
    ctx = talloc_get_type(module_data, struct ad_init_ctx);

    return ad_sudo_init(mem_ctx, be_ctx, ctx->id_ctx, dp_methods);
#endif
}