



    1 /*
    2    SSSD
    3 
    4    SSSD Configuration DB
    5 
    6    Copyright (C) Simo Sorce <ssorce@redhat.com> 2008
    7 
    8    This program is free software; you can redistribute it and/or modify
    9    it under the terms of the GNU General Public License as published by
   10    the Free Software Foundation; either version 3 of the License, or
   11    (at your option) any later version.
   12 
   13    This program is distributed in the hope that it will be useful,
   14    but WITHOUT ANY WARRANTY; without even the implied warranty of
   15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   16    GNU General Public License for more details.
   17 
   18    You should have received a copy of the GNU General Public License
   19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
   20 */
   21 
   22 #ifndef _CONF_DB_H
   23 #define _CONF_DB_H
   24 
   25 #include <stdbool.h>
   26 #include <talloc.h>
   27 #include <tevent.h>
   28 #include <ldb.h>
   29 #include <ldb_errors.h>
   30 
   31 #include "config.h"
   32 
   33 /**
   34  * @defgroup sss_confdb The ConfDB API
   35  * The ConfDB is an interface for data providers to
   36  * access the configuration information provided in
   37  * the sssd.conf
   38  * @{
   39  */
   40 
#define CONFDB_DEFAULT_CFG_FILE_VER 2
/* File name of the ConfDB itself (the location passed to confdb_init()). */
#define CONFDB_FILE "config.ldb"
#define SSSD_CONFIG_FILE_NAME "sssd.conf"
/* SSSD_CONF_DIR is not defined in this header; presumably it comes from
 * config.h (included above) -- verify in the build configuration. */
#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME
#define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d"
#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/"CONFDB_DEFAULT_CONFIG_DIR_NAME
#define SSSD_MIN_ID 1
#define SSSD_LOCAL_MINID 1000
#define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh"
/* Minimal inline configuration: only the nss service, no domains.
 * NOTE(review): presumably used when no usable sssd.conf is available --
 * confirm in confdb.c before relying on it. */
#define CONFDB_FALLBACK_CONFIG \
    "[sssd]\n" \
    "services = nss\n"
   53 
   54 
   55 /* Configuration options */
   56 
/* Services */
/* printf-style template; %s is the service name, yielding e.g. "config/nss"
 * (cf. CONFDB_NSS_CONF_ENTRY below). */
#define CONFDB_SERVICE_PATH_TMPL "config/%s"
#define CONFDB_SERVICE_COMMAND "command"
#define CONFDB_SERVICE_DEBUG_LEVEL "debug_level"
/* Second key name for the same setting as debug_level; presumably kept for
 * compatibility -- confirm where both keys are read. */
#define CONFDB_SERVICE_DEBUG_LEVEL_ALIAS "debug"
#define CONFDB_SERVICE_DEBUG_TIMESTAMPS "debug_timestamps"
#define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds"
#define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
#define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
#define CONFDB_SERVICE_FD_LIMIT "fd_limit"
/* NOTE(review): presumably an allow-list of client UIDs for the service; the
 * enforcement is not in this header -- verify in the responder code. */
#define CONFDB_SERVICE_ALLOWED_UIDS "allowed_uids"
   68 
/* Monitor */
/* ConfDB path of the [sssd] section (see the section mapping described on
 * confdb_add_param() below and the [sssd] header in CONFDB_FALLBACK_CONFIG). */
#define CONFDB_MONITOR_CONF_ENTRY "config/sssd"
#define CONFDB_MONITOR_SBUS_TIMEOUT "sbus_timeout"
#define CONFDB_MONITOR_ACTIVE_SERVICES "services"
#define CONFDB_MONITOR_ACTIVE_DOMAINS "domains"
#define CONFDB_MONITOR_RESOLV_CONF "monitor_resolv_conf"
#define CONFDB_MONITOR_TRY_INOTIFY "try_inotify"
#define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir"
#define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"
#define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
/* The sssd.conf key is plain "user" although the macro name says RUNAS. */
#define CONFDB_MONITOR_USER_RUNAS "user"
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
#define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
#define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain"
#define CONFDB_MONITOR_DOMAIN_RESOLUTION_ORDER "domain_resolution_order"
   84 
/* Both monitor and domains */
#define CONFDB_NAME_REGEX   "re_expression"
#define CONFDB_FULL_NAME_FORMAT "full_name_format"
/* Positional printf-style formats (%1$s, %2$s, ...); the INTERNAL variant
 * consumes a third argument. What each position stands for is decided by
 * the caller that formats with them, not by this header. */
#define CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL  "%1$s@%2$s%3$s"
#define CONFDB_DEFAULT_FULL_NAME_FORMAT           "%1$s@%2$s"
   90 
/* Responders */
#define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
#define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
/* The numeric defaults below carry no unit here; presumably seconds --
 * confirm against the readers in the responder code. Note the inconsistent
 * naming (*_DEFAULT_TIMEOUT vs *_TIMEOUT_DEFAULT). */
#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT 14400
#define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
#define CONFDB_RESPONDER_CACHE_FIRST "cache_first"
  100 
/* NSS */
#define CONFDB_NSS_CONF_ENTRY "config/nss"
#define CONFDB_NSS_ENUM_CACHE_TIMEOUT "enum_cache_timeout"
#define CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE "entry_cache_nowait_percentage"
#define CONFDB_NSS_ENTRY_NEG_TIMEOUT "entry_negative_timeout"
#define CONFDB_NSS_FILTER_USERS_IN_GROUPS "filter_users_in_groups"
#define CONFDB_NSS_FILTER_USERS "filter_users"
#define CONFDB_NSS_FILTER_GROUPS "filter_groups"
#define CONFDB_NSS_PWFIELD  "pwfield"
#define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir"
#define CONFDB_NSS_FALLBACK_HOMEDIR "fallback_homedir"
#define CONFDB_NSS_OVERRIDE_SHELL  "override_shell"
#define CONFDB_NSS_VETOED_SHELL  "vetoed_shells"
#define CONFDB_NSS_ALLOWED_SHELL "allowed_shells"
#define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
/* Same key string as CONFDB_LOCAL_DEFAULT_SHELL below, read from a different
 * section. */
#define CONFDB_NSS_DEFAULT_SHELL "default_shell"
/* Lacks the NSS_ prefix its neighbours carry. */
#define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout"
#define CONFDB_NSS_MEMCACHE_SIZE_PASSWD "memcache_size_passwd"
#define CONFDB_NSS_MEMCACHE_SIZE_GROUP "memcache_size_group"
#define CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS "memcache_size_initgroups"
#define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring"
#define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home"
  123 
/* PAM */
#define CONFDB_PAM_CONF_ENTRY "config/pam"
#define CONFDB_PAM_CRED_TIMEOUT "offline_credentials_expiration"
#define CONFDB_PAM_FAILED_LOGIN_ATTEMPTS "offline_failed_login_attempts"
/* NOTE(review): the meaning of a 0 attempt limit (no limit vs. no logins) is
 * not decided here -- confirm in the PAM responder before documenting it as
 * a lockout default. */
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0
#define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
#define CONFDB_PAM_VERBOSITY "pam_verbosity"
#define CONFDB_PAM_RESPONSE_FILTER "pam_response_filter"
#define CONFDB_PAM_ID_TIMEOUT "pam_id_timeout"
#define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning"
#define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
#define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
#define CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE "pam_account_locked_message"
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
#define CONFDB_PAM_P11_URI "p11_uri"
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
/* The three gssapi keys correspond by name to the gssapi_* members of
 * struct sss_domain_info below. */
#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map"
  150 
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
#define CONFDB_SUDO_CACHE_TIMEOUT "sudo_cache_timeout"
/* Bare number, unit not stated here (presumably seconds -- confirm). */
#define CONFDB_DEFAULT_SUDO_CACHE_TIMEOUT 180
#define CONFDB_SUDO_TIMED "sudo_timed"
/* bool literals below need <stdbool.h>, included at the top of this header. */
#define CONFDB_DEFAULT_SUDO_TIMED false
#define CONFDB_SUDO_INVERSE_ORDER "sudo_inverse_order"
#define CONFDB_DEFAULT_SUDO_INVERSE_ORDER false
#define CONFDB_SUDO_THRESHOLD "sudo_threshold"
#define CONFDB_DEFAULT_SUDO_THRESHOLD 50
  161 
/* autofs */
#define CONFDB_AUTOFS_CONF_ENTRY "config/autofs"
#define CONFDB_AUTOFS_MAP_NEG_TIMEOUT "autofs_negative_timeout"
  165 
/* SSH */
#define CONFDB_SSH_CONF_ENTRY "config/ssh"
#define CONFDB_SSH_HASH_KNOWN_HOSTS "ssh_hash_known_hosts"
#define CONFDB_DEFAULT_SSH_HASH_KNOWN_HOSTS true
#define CONFDB_SSH_KNOWN_HOSTS_TIMEOUT "ssh_known_hosts_timeout"
#define CONFDB_DEFAULT_SSH_KNOWN_HOSTS_TIMEOUT 180
#define CONFDB_SSH_CA_DB "ca_db"
/* Built on SYSCONFDIR, unlike the SSSD_CONF_DIR-based paths at the top of
 * this header; neither macro is defined here (presumably config.h). */
#define CONFDB_DEFAULT_SSH_CA_DB SYSCONFDIR"/sssd/pki/sssd_auth_ca_db.pem"
#define CONFDB_SSH_USE_CERT_KEYS "ssh_use_certificate_keys"
/* Certificate-derived keys are accepted unless configured otherwise. */
#define CONFDB_DEFAULT_SSH_USE_CERT_KEYS true
#define CONFDB_SSH_USE_CERT_RULES "ssh_use_certificate_matching_rules"
  177 
/* PAC */
#define CONFDB_PAC_CONF_ENTRY "config/pac"
#define CONFDB_PAC_LIFETIME "pac_lifetime"
  181 
/* InfoPipe */
#define CONFDB_IFP_CONF_ENTRY "config/ifp"
#define CONFDB_IFP_USER_ATTR_LIST "user_attributes"
#define CONFDB_IFP_WILDCARD_LIMIT "wildcard_limit"
  186 
/* Session Recording */
#define CONFDB_SESSION_RECORDING_CONF_ENTRY "config/session_recording"
/* Keys below are relative to the section above; "users"/"groups" here are
 * unrelated to the domain-level options of similar names. */
#define CONFDB_SESSION_RECORDING_SCOPE "scope"
#define CONFDB_SESSION_RECORDING_USERS "users"
#define CONFDB_SESSION_RECORDING_GROUPS "groups"
#define CONFDB_SESSION_RECORDING_EXCLUDE_USERS "exclude_users"
#define CONFDB_SESSION_RECORDING_EXCLUDE_GROUPS "exclude_groups"
  194 
/* Domains */
#define CONFDB_DOMAIN_ENABLED "enabled"
#define CONFDB_DOMAIN_PATH_TMPL "config/domain/%s"
/* LDAP-style DNs of the containers domains live under in the ldb. */
#define CONFDB_DOMAIN_BASEDN "cn=domain,cn=config"
#define CONFDB_APP_DOMAIN_BASEDN "cn=application,cn=config"
#define CONFDB_DOMAIN_ID_PROVIDER "id_provider"
#define CONFDB_DOMAIN_AUTH_PROVIDER "auth_provider"
#define CONFDB_DOMAIN_ACCESS_PROVIDER "access_provider"
#define CONFDB_DOMAIN_CHPASS_PROVIDER "chpass_provider"
#define CONFDB_DOMAIN_SUDO_PROVIDER "sudo_provider"
#define CONFDB_DOMAIN_AUTOFS_PROVIDER "autofs_provider"
#define CONFDB_DOMAIN_SELINUX_PROVIDER "selinux_provider"
#define CONFDB_DOMAIN_HOSTID_PROVIDER "hostid_provider"
#define CONFDB_DOMAIN_SUBDOMAINS_PROVIDER "subdomains_provider"
#define CONFDB_DOMAIN_SESSION_PROVIDER "session_provider"
#define CONFDB_DOMAIN_RESOLVER_PROVIDER "resolver_provider"
/* Same key string as CONFDB_SERVICE_COMMAND, read from a domain section. */
#define CONFDB_DOMAIN_COMMAND "command"
#define CONFDB_DOMAIN_TIMEOUT "timeout"
/* Attribute holding the domain name in the ldb entry. */
#define CONFDB_DOMAIN_ATTR "cn"
#define CONFDB_DOMAIN_ENUMERATE "enumerate"
#define CONFDB_SUBDOMAIN_ENUMERATE "subdomain_enumerate"
#define CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE "none"
/* cf. SSSD_MIN_ID / SSSD_LOCAL_MINID at the top of this header. */
#define CONFDB_DOMAIN_MINID "min_id"
#define CONFDB_DOMAIN_MAXID "max_id"
#define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \
                                 "cache_credentials_minimal_first_factor_length"
#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
/* Macro says UPG, key says private groups; cf. enum sss_domain_mpg_mode. */
#define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups"
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
#define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout"
#define CONFDB_DOMAIN_ACCOUNT_CACHE_EXPIRATION "account_cache_expiration"
#define CONFDB_DOMAIN_OVERRIDE_GID "override_gid"
#define CONFDB_DOMAIN_CASE_SENSITIVE "case_sensitive"
#define CONFDB_DOMAIN_SUBDOMAIN_HOMEDIR "subdomain_homedir"
/* %d and %u here are template placeholders of the homedir expansion code,
 * not printf conversions -- do not pass this string to printf(). */
#define CONFDB_DOMAIN_DEFAULT_SUBDOMAIN_HOMEDIR "/home/%d/%u"
#define CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS "ignore_group_members"
#define CONFDB_DOMAIN_SUBDOMAIN_REFRESH "subdomain_refresh_interval"
#define CONFDB_DOMAIN_SUBDOMAIN_REFRESH_DEFAULT_VALUE 14400

/* Per-object-type cache lifetimes; they map by name to the *_timeout
 * members of struct sss_domain_info. */
#define CONFDB_DOMAIN_USER_CACHE_TIMEOUT "entry_cache_user_timeout"
#define CONFDB_DOMAIN_GROUP_CACHE_TIMEOUT "entry_cache_group_timeout"
#define CONFDB_DOMAIN_NETGROUP_CACHE_TIMEOUT "entry_cache_netgroup_timeout"
#define CONFDB_DOMAIN_SERVICE_CACHE_TIMEOUT "entry_cache_service_timeout"
#define CONFDB_DOMAIN_AUTOFS_CACHE_TIMEOUT "entry_cache_autofs_timeout"
#define CONFDB_DOMAIN_SUDO_CACHE_TIMEOUT "entry_cache_sudo_timeout"
#define CONFDB_DOMAIN_SSH_HOST_CACHE_TIMEOUT "entry_cache_ssh_host_timeout"
#define CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT "entry_cache_computer_timeout"
#define CONFDB_DOMAIN_RESOLVER_CACHE_TIMEOUT "entry_cache_resolver_timeout"
#define CONFDB_DOMAIN_PWD_EXPIRATION_WARNING "pwd_expiration_warning"
#define CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL "refresh_expired_interval"
#define CONFDB_DOMAIN_OFFLINE_TIMEOUT "offline_timeout"
#define CONFDB_DOMAIN_OFFLINE_TIMEOUT_MAX "offline_timeout_max"
#define CONFDB_DOMAIN_SUBDOMAIN_INHERIT "subdomain_inherit"
#define CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT "cached_auth_timeout"
/* String values of domain_type; they correspond by name to the enumerators
 * of enum sss_domain_type below. */
#define CONFDB_DOMAIN_TYPE "domain_type"
#define CONFDB_DOMAIN_TYPE_POSIX "posix"
#define CONFDB_DOMAIN_TYPE_APP "application"
#define CONFDB_DOMAIN_INHERIT_FROM "inherit_from"
  254 
/* Local Provider */
/* Same key string as CONFDB_NSS_DEFAULT_SHELL, read from a domain section. */
#define CONFDB_LOCAL_DEFAULT_SHELL   "default_shell"
#define CONFDB_LOCAL_DEFAULT_BASEDIR "base_directory"
#define CONFDB_LOCAL_CREATE_HOMEDIR  "create_homedir"
#define CONFDB_LOCAL_REMOVE_HOMEDIR  "remove_homedir"
#define CONFDB_LOCAL_UMASK           "homedir_umask"
#define CONFDB_LOCAL_SKEL_DIR        "skel_dir"
#define CONFDB_LOCAL_MAIL_DIR        "mail_dir"
/* NOTE(review): by its name this is an external command the provider runs;
 * the execution site is not in this header -- treat the value as
 * privileged configuration and check how it is invoked there. */
#define CONFDB_LOCAL_USERDEL_CMD     "userdel_cmd"
  264 
/* Proxy Provider */
/* NOTE(review): the two *_lib_name values presumably select a library to
 * load; where and how they are resolved is not visible in this header. */
#define CONFDB_PROXY_LIBNAME "proxy_lib_name"
#define CONFDB_PROXY_RESOLVER_LIBNAME "proxy_resolver_lib_name"
#define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
#define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
  271 
/* Files Provider */
#define CONFDB_FILES_PASSWD "passwd_files"
#define CONFDB_FILES_GROUP "group_files"
  275 
/* Secrets Service */
#define CONFDB_SEC_CONF_ENTRY "config/secrets"
#define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
/* Resource limits for the secrets store (counts and payload size). */
#define CONFDB_SEC_MAX_SECRETS "max_secrets"
#define CONFDB_SEC_MAX_UID_SECRETS "max_uid_secrets"
#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size"
  282 
/* KCM Service */
#define CONFDB_KCM_CONF_ENTRY "config/kcm"
#define CONFDB_KCM_SOCKET "socket_path"
#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
/* Resource limits for credential caches (counts and size). */
#define CONFDB_KCM_MAX_CCACHES "max_ccaches"
#define CONFDB_KCM_MAX_UID_CCACHES "max_uid_ccaches"
#define CONFDB_KCM_MAX_CCACHE_SIZE "max_ccache_size"
  290 
/* Certificate mapping rules */
/* Container DN and attributes of the certmap entries; these are the rules
 * confdb_certmap_to_sysdb() (declared below) copies to a domain's cache. */
#define CONFDB_CERTMAP_BASEDN "cn=certmap,cn=config"
#define CONFDB_CERTMAP_NAME "cn"
#define CONFDB_CERTMAP_MAPRULE "maprule"
#define CONFDB_CERTMAP_MATCHRULE "matchrule"
#define CONFDB_CERTMAP_DOMAINS "domains"
#define CONFDB_CERTMAP_PRIORITY "priority"
  298 
/* Prompting */
#define CONFDB_PC_CONF_ENTRY "config/prompting"
/* *_TYPE_* macros name subsections under config/prompting; the remaining
 * macros are keys within them. */
#define CONFDB_PC_TYPE_PASSWORD "password"
#define CONFDB_PC_PASSWORD_PROMPT "password_prompt"
#define CONFDB_PC_TYPE_2FA "2fa"
#define CONFDB_PC_2FA_SINGLE_PROMPT "single_prompt"
#define CONFDB_PC_2FA_1ST_PROMPT "first_prompt"
#define CONFDB_PC_2FA_2ND_PROMPT "second_prompt"
#define CONFDB_PC_TYPE_CERT_AUTH "cert_auth"
  308 
  309 struct confdb_ctx;
  310 struct config_file_ctx;
  311 
/** sssd domain state (the state member of struct sss_domain_info).
 * Values are implicit and start at 0; do not reorder them if the value
 * is ever stored or compared numerically elsewhere. */
enum sss_domain_state {
    /** Domain is usable by both responders and providers. This
     * is the default state after creating a new domain
     */
    DOM_ACTIVE,
    /** Domain was removed; it should be used by neither responders
     * nor providers.
     */
    DOM_DISABLED,
    /** Domain cannot be contacted. Providers return an offline error code
     * when receiving a request for an inactive domain, but responders should
     * return cached data
     */
    DOM_INACTIVE,
    /** Domain is being updated. Responders should ignore cached data and
     * always contact the data provider (DP)
     */
    DOM_INCONSISTENT,
};
  332 
/** Whether the domain only supports looking up POSIX entries.
 * Presumably set from the CONFDB_DOMAIN_TYPE option, whose string values
 * CONFDB_DOMAIN_TYPE_POSIX / CONFDB_DOMAIN_TYPE_APP correspond by name to
 * the two enumerators -- confirm the mapping in confdb.c. */
enum sss_domain_type {
    /** This is the default domain type. It resolves only entries
     * with the full POSIX set of attributes
     */
    DOM_TYPE_POSIX,
    /** In this mode, entries are typically resolved only by name */
    DOM_TYPE_APPLICATION,
};
  342 
/** Private-group handling mode of a domain (mpg_mode member of
 * struct sss_domain_info).
 * NOTE(review): presumably driven by CONFDB_DOMAIN_AUTO_UPG
 * ("auto_private_groups"); how that option's values map onto the three
 * modes is decided in confdb.c, not here -- confirm before relying on it. */
enum sss_domain_mpg_mode {
    MPG_DISABLED,
    MPG_ENABLED,
    MPG_HYBRID,
};
  348 
/**
 * Data structure storing all of the basic features
 * of a domain.
 *
 * Most members correspond by name to a CONFDB_* key defined above; the
 * "cf." references below say where to look, not what the parser guarantees
 * (that code is in confdb.c, not in this header).
 * Ownership of the pointer members is not stated here; presumably they are
 * talloc children of the struct -- confirm in the allocating code before
 * freeing any of them individually.
 * NOTE(review): uint32_t, gid_t and struct timeval are used without an
 * explicit <stdint.h>/<sys/types.h>/<sys/time.h> include; they presumably
 * arrive through talloc.h/ldb.h.
 */
struct sss_domain_info {
    enum sss_domain_type type;      /* posix vs application, see enum above */

    char *name;
    char *conn_name;
    char *provider;
    int timeout;                    /* cf. CONFDB_DOMAIN_TIMEOUT */
    bool enumerate;                 /* cf. CONFDB_DOMAIN_ENUMERATE */
    char **sd_enumerate;            /* cf. CONFDB_SUBDOMAIN_ENUMERATE */
    bool fqnames;                   /* cf. CONFDB_DOMAIN_FQ */
    enum sss_domain_mpg_mode mpg_mode;
    bool ignore_group_members;      /* cf. CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS */
    /* ID range of the domain, cf. CONFDB_DOMAIN_MINID / CONFDB_DOMAIN_MAXID. */
    uint32_t id_min;
    uint32_t id_max;
    const char *pwfield;            /* cf. CONFDB_NSS_PWFIELD */

    bool cache_credentials;         /* cf. CONFDB_DOMAIN_CACHE_CREDS */
    /* cf. CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH */
    uint32_t cache_credentials_min_ff_length;
    bool case_sensitive;            /* cf. CONFDB_DOMAIN_CASE_SENSITIVE */
    bool case_preserve;

    gid_t override_gid;             /* cf. CONFDB_DOMAIN_OVERRIDE_GID */
    const char *override_homedir;   /* cf. CONFDB_NSS_OVERRIDE_HOMEDIR */
    const char *fallback_homedir;   /* cf. CONFDB_NSS_FALLBACK_HOMEDIR */
    const char *subdomain_homedir;  /* cf. CONFDB_DOMAIN_SUBDOMAIN_HOMEDIR */
    const char *homedir_substr;     /* cf. CONFDB_NSS_HOMEDIR_SUBSTRING */
    const char *override_shell;     /* cf. CONFDB_NSS_OVERRIDE_SHELL */
    const char *default_shell;      /* cf. CONFDB_NSS_DEFAULT_SHELL */

    /* Per-object-type cache lifetimes, cf. CONFDB_DOMAIN_*_CACHE_TIMEOUT. */
    uint32_t user_timeout;
    uint32_t group_timeout;
    uint32_t netgroup_timeout;
    uint32_t service_timeout;
    uint32_t autofsmap_timeout;
    uint32_t sudo_timeout;
    uint32_t ssh_host_timeout;
    uint32_t computer_timeout;
    uint32_t resolver_timeout;

    uint32_t refresh_expired_interval;    /* cf. CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL */
    uint32_t subdomain_refresh_interval;  /* cf. CONFDB_DOMAIN_SUBDOMAIN_REFRESH */
    uint32_t cached_auth_timeout;         /* cf. CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT */

    int pwd_expiration_warning;     /* cf. CONFDB_DOMAIN_PWD_EXPIRATION_WARNING */

    /* Opaque handles declared elsewhere. */
    struct sysdb_ctx *sysdb;
    struct sss_names_ctx *names;

    /* Trust hierarchy: parent is NULL-or-not is not stated here; verify. */
    struct sss_domain_info *parent;
    struct sss_domain_info *subdomains;
    char *realm;
    char *flat_name;
    char *domain_id;
    uint32_t trust_direction;
    struct timeval subdomains_last_checked;

    bool has_views;
    const char *view_name;

    /* Sibling links; presumably the list confdb_get_domains() returns. */
    struct sss_domain_info *prev;
    struct sss_domain_info *next;

    enum sss_domain_state state;
    char **sd_inherit;              /* cf. CONFDB_DOMAIN_SUBDOMAIN_INHERIT */

    /* Do not use the forest pointer directly in new code, but rather the
     * forest_root pointer. sss_domain_info will be more opaque in the future
     */
    char *forest;
    struct sss_domain_info *forest_root;
    const char **upn_suffixes;

    /* Rules loaded by confdb_certmap_to_sysdb(); struct certmap_info is
     * declared elsewhere. */
    struct certmap_info **certmaps;
    bool user_name_hint;

    /* Do not use the output_fqnames member directly in new code, but rather
     * use sss_domain_info_{get,set}_output_fqnames() (declared elsewhere). */
    bool output_fqnames;

    /* Hostname associated with this domain. */
    const char *hostname;

    /* Keytab used by this domain. */
    const char *krb5_keytab;

    /* List of PAM services that are allowed to authenticate with GSSAPI
     * (cf. CONFDB_PAM_GSSAPI_SERVICES). */
    char **gssapi_services;
    /* Kept as the raw string rather than a bool so that "unset" (NULL) is
     * distinguishable from "false"; cf. CONFDB_PAM_GSSAPI_CHECK_UPN. */
    char *gssapi_check_upn; /* true | false | NULL */
    /* List of indicators associated with the specific PAM service
     * (cf. CONFDB_PAM_GSSAPI_INDICATORS_MAP) */
    char **gssapi_indicators_map;
};
  444 
/**
 * Initialize the connection to the ConfDB
 *
 * @param[in]  mem_ctx The parent memory context for the confdb_ctx
 * @param[out] cdb_ctx The newly-created connection object
 * @param[in]  confdb_location The absolute path to the ConfDB file on the
 *             filesystem (cf. CONFDB_FILE for the file name SSSD uses)
 *
 * @return 0 - Connection succeeded and cdb_ctx was populated
 * @return ENOMEM - There was not enough memory to create the cdb_ctx
 * @return EIO - There was an I/O error communicating with the ConfDB file
 */
int confdb_init(TALLOC_CTX *mem_ctx,
                struct confdb_ctx **cdb_ctx,
                const char *confdb_location);
  460 
/**
 * Get a domain object for the named domain
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] name The name of the domain to retrieve
 * @param[out] domain A pointer to a domain object for the domain given by
 *                    name. Ownership is not stated here; presumably the
 *                    object belongs to cdb -- confirm in confdb.c before
 *                    freeing it.
 *
 * @return 0 - Lookup succeeded and domain was populated
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return ENOENT - The named domain does not exist or is not set active
 */
int confdb_get_domain(struct confdb_ctx *cdb,
                      const char *name,
                      struct sss_domain_info **domain);
  476 
/**
 * Get a null-terminated linked-list of active domain objects, chained
 * through the prev/next members of struct sss_domain_info
 * @param[in] cdb The connection object to the confdb
 * @param[out] domains A pointer to the first entry of a linked-list of domain
 *                     objects
 *
 * @return 0 - Lookup succeeded and all active domains are in the list
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return ENOENT - No active domains are configured
 */
int confdb_get_domains(struct confdb_ctx *cdb,
                       struct sss_domain_info **domains);
  489 
/**
 * Expand application domains in the confdb.
 *
 * No contract is documented for this call. Judging by the neighbouring
 * definitions it presumably materialises entries under
 * CONFDB_APP_DOMAIN_BASEDN (cf. CONFDB_DOMAIN_INHERIT_FROM) -- confirm in
 * confdb.c. Assumed to follow the errno-style return convention of the
 * other functions in this header (0 on success).
 *
 * @param[in] cdb The connection object to the confdb
 */
int confdb_expand_app_domains(struct confdb_ctx *cdb);
  491 
/**
 * Get a null-terminated array of all domain names
 * @param[in] mem_ctx The parent memory context for the returned name list
 * @param[in] cdb The connection object to the confdb
 * @param[out] _names Output list: a null-terminated array of cstrings
 *
 * @return 0 - Lookup succeeded and all domain names are in the list
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return ENOENT - No active domains are configured
 * @return EIO - There was an I/O error communicating with the ConfDB file
 * @return EINVAL - Corrupted confdb object
 */
int confdb_list_all_domain_names(TALLOC_CTX *mem_ctx,
                                 struct confdb_ctx *cdb,
                                 char ***_names);
  507 
  508 
/**
 * @brief Add an arbitrary parameter to the confdb.
 *
 * This is mostly useful for testing, as the changes will not persist
 * between SSSD restarts. For persistence, make changes to the sssd.conf
 * file.
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] replace If replace is set to true, pre-existing values will be
 *                    overwritten.
 *                    If it is false, the provided values will be added to the
 *                    attribute.
 * @param[in] section The ConfDB section to update. This is constructed from
 *                    the format of the sssd.conf file. All sections start
 *                    with 'config/'. Subsections are separated by slashes.
 *                    e.g. [domain/LDAP] in sssd.conf would translate to
 *                    config/domain/LDAP
 * @param[in] attribute The name of the attribute to update
 * @param[in] values A null-terminated array of values to add to the attribute
 *
 * @return 0 - Successfully added the provided value(s)
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - The section could not be parsed
 * @return EIO - An I/O error occurred communicating with the ConfDB
 */
int confdb_add_param(struct confdb_ctx *cdb,
                     bool replace,
                     const char *section,
                     const char *attribute,
                     const char **values);
  539 
/**
 * @brief Retrieve all values for an attribute
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] mem_ctx The parent memory context for the value list
 * @param[in] section The ConfDB section to query. This is constructed from
 *                    the format of the sssd.conf file. All sections start
 *                    with 'config/'. Subsections are separated by slashes.
 *                    e.g. [domain/LDAP] in sssd.conf would translate to
 *                    config/domain/LDAP
 * @param[in] attribute The name of the attribute to retrieve
 * @param[out] values A null-terminated array of cstrings containing all
 *                    values for this attribute
 *
 * @return 0 - Successfully retrieved the value(s)
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - The section could not be parsed
 * @return EIO - An I/O error occurred while communicating with the ConfDB
 */
int confdb_get_param(struct confdb_ctx *cdb,
                     TALLOC_CTX *mem_ctx,
                     const char *section,
                     const char *attribute,
                     char ***values);
  564 
/**
 * @brief Convenience function to retrieve a single-valued attribute as a
 * string
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] ctx The parent memory context for the returned string
 * @param[in] section The ConfDB section to query. This is constructed from
 *                    the format of the sssd.conf file. All sections start
 *                    with 'config/'. Subsections are separated by slashes.
 *                    e.g. [domain/LDAP] in sssd.conf would translate to
 *                    config/domain/LDAP
 * @param[in] attribute The name of the attribute to retrieve
 * @param[in] defstr If not NULL, the string to use if the attribute does not
 *                   exist in the ConfDB
 * @param[out] result A pointer to the retrieved (or default) string. What is
 *                    stored here when the attribute is missing and defstr is
 *                    NULL is not documented -- check confdb.c before
 *                    dereferencing without a NULL test.
 *
 * @return 0 - Successfully retrieved the entry (or used the default)
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - The section could not be parsed, or the attribute was not
 *                  single-valued.
 * @return EIO - An I/O error occurred while communicating with the ConfDB
 */
int confdb_get_string(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
                      const char *section, const char *attribute,
                      const char *defstr, char **result);
  590 
/**
 * @brief Convenience function to retrieve a single-valued attribute as an
 * integer
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] section The ConfDB section to query. This is constructed from
 *                    the format of the sssd.conf file. All sections start
 *                    with 'config/'. Subsections are separated by slashes.
 *                    e.g. [domain/LDAP] in sssd.conf would translate to
 *                    config/domain/LDAP
 * @param[in] attribute The name of the attribute to retrieve
 * @param[in] defval The integer to use if the attribute does not exist in
 *                   the ConfDB (passed by value; there is no "no default")
 * @param[out] result A pointer to the retrieved (or default) integer
 *
 * @return 0 - Successfully retrieved the entry (or used the default)
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - The section could not be parsed, or the attribute was not
 *                  single-valued.
 * @return EIO - An I/O error occurred while communicating with the ConfDB
 * @return ERANGE - The value stored in the ConfDB was outside the range
 *                  [INT_MIN..INT_MAX]
 */
int confdb_get_int(struct confdb_ctx *cdb,
                   const char *section, const char *attribute,
                   int defval, int *result);
  617 
/**
 * @brief Convenience function to retrieve a single-valued attribute as a
 * boolean
 *
 * This function will read (in a case-insensitive manner) a "true" or "false"
 * value from the ConfDB and convert it to an integral bool value.
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] section The ConfDB section to query. This is constructed from
 *                    the format of the sssd.conf file. All sections start
 *                    with 'config/'. Subsections are separated by slashes.
 *                    e.g. [domain/LDAP] in sssd.conf would translate to
 *                    config/domain/LDAP
 * @param[in] attribute The name of the attribute to retrieve
 * @param[in] defval The boolean state to use if the attribute does not
 *                   exist in the ConfDB (passed by value; there is no
 *                   "no default")
 * @param[out] result A pointer to the retrieved (or default) bool
 *
 * @return 0 - Successfully retrieved the entry (or used the default)
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - The section could not be parsed, the attribute was not
 *                  single-valued, or the value was not a boolean.
 * @return EIO - An I/O error occurred while communicating with the ConfDB
 */
int confdb_get_bool(struct confdb_ctx *cdb,
                    const char *section, const char *attribute,
                    bool defval, bool *result);
  645 
/**
 * @brief Convenience function to set a single-valued attribute as a string
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] section The ConfDB section to update. This is constructed from
 *                    the format of the sssd.conf file. All sections start
 *                    with 'config/'. Subsections are separated by slashes.
 *                    e.g. [domain/LDAP] in sssd.conf would translate to
 *                    config/domain/LDAP
 * @param[in] attribute The name of the attribute to update
 * @param[in] val New value of the attribute.
 *
 * @return 0 - Successfully stored the new value
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - The section could not be parsed
 * @return EIO - An I/O error occurred while communicating with the ConfDB
 */
int confdb_set_string(struct confdb_ctx *cdb,
                      const char *section,
                      const char *attribute,
                      const char *val);
  667 
/**
 * @brief Convenience function to retrieve a single-valued attribute as a
 * null-terminated array of strings
 *
 * This function will automatically split a comma-separated string in an
 * attribute into a null-terminated array of strings. This is useful for
 * storing and retrieving ordered lists, as ConfDB multivalued attributes do
 * not guarantee retrieval order.
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] ctx The parent memory context for the returned array
 * @param[in] section The ConfDB section to query. This is constructed from
 *                    the format of the sssd.conf file. All sections start
 *                    with 'config/'. Subsections are separated by slashes.
 *                    e.g. [domain/LDAP] in sssd.conf would translate to
 *                    config/domain/LDAP
 * @param[in] attribute The name of the attribute to retrieve
 * @param[out] result A pointer to the retrieved array of strings
 *
 * @return 0 - Successfully retrieved the entry (there is no default value)
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - The section could not be parsed, or the attribute was not
 *                  single-valued.
 * @return ENOENT - The attribute was not found.
 * @return EIO - An I/O error occurred while communicating with the ConfDB
 */
int confdb_get_string_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
                              const char *section, const char *attribute,
                              char ***result);
  697 
/**
 * @brief Convenience function to retrieve a list of subsections given a
 * configuration section name
 *
 * @param[in] mem_ctx The parent memory context for the returned list
 * @param[in] cdb The connection object to the confdb
 * @param[in] section The ConfDB section to look for.
 *                    All sections should start with 'config/'.
 *                    Subsections are separated by slashes.
 * @param[out] sections Names of the subsections relative to the section
 *                      requested. If "a/b" is requested then "c/d" is
 *                      returned for the section named [a/b/c/d]
 * @param[out] num_sections Number of section names returned
 *
 * @return 0 - Successfully retrieved the list of subsections
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - The section could not be parsed.
 * @return ENOENT - No section was found.
 * @return EIO - An I/O error occurred while communicating with the ConfDB
 */
int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
                            struct confdb_ctx *cdb,
                            const char *section,
                            char ***sections,
                            int *num_sections);
  723 
/**
 * @brief Convenience function to write the certificate mapping and matching
 * rules from the configuration database to the cache of a domain
 *
 * The rules are read from the CONFDB_CERTMAP_* entries defined above.
 *
 * @param[in] cdb The connection object to the confdb
 * @param[in] dom Target domain to whose cache the rules should be written
 *
 * @return 0 - Rules were written successfully
 * @return ENOMEM - There was insufficient memory to complete the operation
 * @return EINVAL - Typically internal processing error
 */
int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
                            struct sss_domain_info *dom);
  737 
  738 /**
  739  * @}
  740  */
  741 #endif