"Fossies" - the Fresh Open Source Software Archive

Member "sssd-2.2.3/src/providers/ad/ad_init.c" (30 Nov 2019, 21898 Bytes) of package /linux/misc/sssd-2.2.3.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "ad_init.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 2.2.2_vs_2.2.3.

    1 /*
    2     SSSD
    3 
    4     Authors:
    5         Stephen Gallagher <sgallagh@redhat.com>
    6 
    7     Copyright (C) 2012 Red Hat
    8 
    9     This program is free software; you can redistribute it and/or modify
   10     it under the terms of the GNU General Public License as published by
   11     the Free Software Foundation; either version 3 of the License, or
   12     (at your option) any later version.
   13 
   14     This program is distributed in the hope that it will be useful,
   15     but WITHOUT ANY WARRANTY; without even the implied warranty of
   16     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   17     GNU General Public License for more details.
   18 
   19     You should have received a copy of the GNU General Public License
   20     along with this program.  If not, see <http://www.gnu.org/licenses/>.
   21 */
   22 
   23 
   24 #include <sys/types.h>
   25 #include <unistd.h>
   26 #include <sys/stat.h>
   27 #include <fcntl.h>
   28 
   29 #include <sasl/sasl.h>
   30 
   31 #include "util/util.h"
   32 #include "providers/ad/ad_common.h"
   33 #include "providers/ad/ad_access.h"
   34 #include "providers/ldap/ldap_common.h"
   35 #include "providers/ldap/sdap_access.h"
   36 #include "providers/ldap/sdap_idmap.h"
   37 #include "providers/krb5/krb5_auth.h"
   38 #include "providers/krb5/krb5_init_shared.h"
   39 #include "providers/ad/ad_id.h"
   40 #include "providers/ad/ad_srv.h"
   41 #include "providers/be_dyndns.h"
   42 #include "providers/ad/ad_subdomains.h"
   43 #include "providers/ad/ad_domain_info.h"
   44 
   45 struct ad_init_ctx {
   46     struct ad_options *options;
   47     struct ad_id_ctx *id_ctx;
   48     struct krb5_ctx *auth_ctx;
   49 };
   50 
   51 #define AD_COMPAT_ON "1"
   52 static int ad_sasl_getopt(void *context, const char *plugin_name,
   53                           const char *option,
   54                           const char **result, unsigned *len)
   55 {
   56     if (!plugin_name || !result) {
   57         return SASL_FAIL;
   58     }
   59     if (!sdap_sasl_mech_needs_kinit(plugin_name)) {
   60         return SASL_FAIL;
   61     }
   62     if (strcmp(option, "ad_compat") != 0) {
   63         return SASL_FAIL;
   64     }
   65     *result = AD_COMPAT_ON;
   66     if (len) {
   67         *len = 2;
   68     }
   69     return SASL_OK;
   70 }
   71 
   72 typedef int (*sss_sasl_gen_cb_fn)(void);
   73 
   74 static int map_sasl2sssd_log_level(int sasl_level)
   75 {
   76     int sssd_level;
   77 
   78     switch(sasl_level) {
   79     case SASL_LOG_ERR:       /* log unusual errors (default) */
   80         sssd_level = SSSDBG_CRIT_FAILURE;
   81         break;
   82     case SASL_LOG_FAIL:      /* log all authentication failures */
   83         sssd_level = SSSDBG_OP_FAILURE;
   84         break;
   85     case SASL_LOG_WARN:      /* log non-fatal warnings */
   86         sssd_level = SSSDBG_MINOR_FAILURE;
   87         break;
   88     case SASL_LOG_NOTE:      /* more verbose than LOG_WARN */
   89     case SASL_LOG_DEBUG:     /* more verbose than LOG_NOTE */
   90     case SASL_LOG_TRACE:     /* traces of internal protocols */
   91     case SASL_LOG_PASS:      /* traces of internal protocols, including */
   92         sssd_level = SSSDBG_TRACE_ALL;
   93         break;
   94     default:
   95         sssd_level = SSSDBG_TRACE_ALL;
   96         break;
   97     }
   98 
   99     return sssd_level;
  100 }
  101 
  102 static int ad_sasl_log(void *context, int level, const char *message)
  103 {
  104     int sssd_level;
  105 
  106     if (level == SASL_LOG_ERR || level == SASL_LOG_FAIL) {
  107         sss_log(SSS_LOG_ERR, "%s\n", message);
  108     }
  109 
  110     sssd_level = map_sasl2sssd_log_level(level);
  111     DEBUG(sssd_level, "SASL: %s\n", message);
  112     return SASL_OK;
  113 }
  114 
  115 static const sasl_callback_t ad_sasl_callbacks[] = {
  116     { SASL_CB_GETOPT, (sss_sasl_gen_cb_fn)(void *)ad_sasl_getopt, NULL },
  117     { SASL_CB_LOG, (sss_sasl_gen_cb_fn)(void *)ad_sasl_log, NULL },
  118     { SASL_CB_LIST_END, NULL, NULL }
  119 };
  120 
  121 /* This is quite a hack, we *try* to fool openldap libraries by initializing
  122  * sasl first so we can pass in the SASL_CB_GETOPT callback we need to set some
  123  * options. Should be removed as soon as openldap exposes a way to do that */
  124 static void ad_sasl_initialize(void)
  125 {
  126     /* NOTE: this may fail if soe other library in the system happens to
  127      * initialize and use openldap libraries or directly the cyrus-sasl
  128      * library as this initialization function can be called only once per
  129      * process */
  130     (void)sasl_client_init(ad_sasl_callbacks);
  131 }
  132 
  133 static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
  134                                struct be_ctx *be_ctx,
  135                                struct ad_options **_ad_options)
  136 {
  137     struct ad_options *ad_options;
  138     char *ad_servers = NULL;
  139     char *ad_backup_servers = NULL;
  140     char *ad_realm;
  141     errno_t ret;
  142 
  143     ad_sasl_initialize();
  144 
  145     /* Get AD-specific options */
  146     ret = ad_get_common_options(mem_ctx, be_ctx->cdb, be_ctx->conf_path,
  147                                 be_ctx->domain, &ad_options);
  148     if (ret != EOK) {
  149         DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse common options "
  150               "[%d]: %s\n", ret, sss_strerror(ret));
  151         return ret;
  152     }
  153 
  154     ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
  155     ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
  156     ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
  157 
  158     /* Set up the failover service */
  159     ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
  160                            ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
  161                            dp_opt_get_string(ad_options->basic, AD_DOMAIN),
  162                            false, /* will be set in ad_get_auth_options() */
  163                            (size_t) -1,
  164                            (size_t) -1,
  165                            &ad_options->service);
  166     if (ret != EOK) {
  167         DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init AD failover service: "
  168               "[%d]: %s\n", ret, sss_strerror(ret));
  169         talloc_free(ad_options);
  170         return ret;
  171     }
  172 
  173     *_ad_options = ad_options;
  174 
  175     return EOK;
  176 }
  177 
  178 static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
  179                                   struct ad_options *ad_options)
  180 {
  181     struct ad_srv_plugin_ctx *srv_ctx;
  182     const char *hostname;
  183     const char *ad_domain;
  184     const char *ad_site_override;
  185     bool sites_enabled;
  186     errno_t ret;
  187 
  188     hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
  189     ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
  190     ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
  191     sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
  192 
  193 
  194     if (!sites_enabled) {
  195         ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, hostname);
  196         if (ret != EOK) {
  197             DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
  198                   "[%d]: %s\n", ret, sss_strerror(ret));
  199             return ret;
  200         }
  201 
  202         return EOK;
  203     }
  204 
  205     srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
  206                                      default_host_dbs, ad_options->id,
  207                                      hostname, ad_domain,
  208                                      ad_site_override);
  209     if (srv_ctx == NULL) {
  210         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
  211         return ENOMEM;
  212     }
  213 
  214     be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send,
  215                                 ad_srv_plugin_recv, srv_ctx, "AD");
  216 
  217     return EOK;
  218 }
  219 
  220 static errno_t ad_init_sdap_access_ctx(struct ad_access_ctx *access_ctx)
  221 {
  222     struct dp_option *options = access_ctx->ad_options;
  223     struct sdap_id_ctx *sdap_id_ctx = access_ctx->ad_id_ctx->sdap_id_ctx;
  224     struct sdap_access_ctx *sdap_access_ctx;
  225     const char *filter;
  226 
  227     sdap_access_ctx = talloc_zero(access_ctx, struct sdap_access_ctx);
  228     if (sdap_access_ctx == NULL) {
  229         return ENOMEM;
  230     }
  231 
  232     sdap_access_ctx->id_ctx = sdap_id_ctx;
  233 
  234 
  235     /* If ad_access_filter is set, the value of ldap_acess_order is
  236      * expire, filter, otherwise only expire.
  237      */
  238     sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
  239     filter = dp_opt_get_cstring(options, AD_ACCESS_FILTER);
  240     if (filter != NULL) {
  241         /* The processing of the extended filter is performed during the access
  242          * check itself.
  243          */
  244         sdap_access_ctx->filter = talloc_strdup(sdap_access_ctx, filter);
  245         if (sdap_access_ctx->filter == NULL) {
  246             talloc_free(sdap_access_ctx);
  247             return ENOMEM;
  248         }
  249 
  250         sdap_access_ctx->access_rule[1] = LDAP_ACCESS_FILTER;
  251         sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EMPTY;
  252     } else {
  253         sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
  254     }
  255 
  256     access_ctx->sdap_access_ctx = sdap_access_ctx;
  257 
  258     return EOK;
  259 }
  260 
  261 errno_t ad_gpo_parse_map_options(struct ad_access_ctx *access_ctx);
  262 
  263 static errno_t ad_init_gpo(struct ad_access_ctx *access_ctx)
  264 {
  265     struct dp_option *options;
  266     const char *gpo_access_control_mode;
  267     int gpo_cache_timeout;
  268     errno_t ret;
  269 
  270     options = access_ctx->ad_options;
  271 
  272     /* GPO access control mode */
  273     gpo_access_control_mode = dp_opt_get_string(options, AD_GPO_ACCESS_CONTROL);
  274     if (gpo_access_control_mode == NULL) {
  275         return EINVAL;
  276     } else if (strcasecmp(gpo_access_control_mode, "disabled") == 0) {
  277         access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_DISABLED;
  278     } else if (strcasecmp(gpo_access_control_mode, "permissive") == 0) {
  279         access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_PERMISSIVE;
  280     } else if (strcasecmp(gpo_access_control_mode, "enforcing") == 0) {
  281         access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_ENFORCING;
  282     } else {
  283         DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized GPO access control mode: "
  284               "%s\n", gpo_access_control_mode);
  285         return EINVAL;
  286     }
  287 
  288     /* GPO cache timeout */
  289     gpo_cache_timeout = dp_opt_get_int(options, AD_GPO_CACHE_TIMEOUT);
  290     access_ctx->gpo_cache_timeout = gpo_cache_timeout;
  291 
  292     /* GPO logon maps */
  293     ret = sss_hash_create(access_ctx, 10, &access_ctx->gpo_map_options_table);
  294     if (ret != EOK) {
  295         DEBUG(SSSDBG_FATAL_FAILURE, "Could not create gpo_map_options "
  296               "hash table [%d]: %s\n", ret, sss_strerror(ret));
  297         return ret;
  298     }
  299 
  300     ret = ad_gpo_parse_map_options(access_ctx);
  301     if (ret != EOK) {
  302         DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse gpo_map_options "
  303               "(invalid config) [%d]: %s\n", ret, sss_strerror(ret));
  304         talloc_zfree(access_ctx->gpo_map_options_table);
  305         return ret;
  306     }
  307 
  308     return EOK;
  309 }
  310 
  311 static errno_t ad_init_auth_ctx(TALLOC_CTX *mem_ctx,
  312                                 struct be_ctx *be_ctx,
  313                                 struct ad_options *ad_options,
  314                                 struct krb5_ctx **_auth_ctx)
  315 {
  316     struct krb5_ctx *krb5_auth_ctx;
  317     errno_t ret;
  318 
  319     krb5_auth_ctx = talloc_zero(mem_ctx, struct krb5_ctx);
  320     if (krb5_auth_ctx == NULL) {
  321         ret = ENOMEM;
  322         goto done;
  323     }
  324 
  325     krb5_auth_ctx->config_type = K5C_GENERIC;
  326     krb5_auth_ctx->sss_creds_password = true;
  327     krb5_auth_ctx->service = ad_options->service->krb5_service;
  328 
  329     ret = ad_get_auth_options(krb5_auth_ctx, ad_options, be_ctx,
  330                               &krb5_auth_ctx->opts);
  331     if (ret != EOK) {
  332         DEBUG(SSSDBG_FATAL_FAILURE, "Could not determine Kerberos options\n");
  333         goto done;
  334     }
  335 
  336     ret = krb5_child_init(krb5_auth_ctx, be_ctx);
  337     if (ret != EOK) {
  338         DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize krb5_child settings: "
  339               "[%d]: %s\n", ret, sss_strerror(ret));
  340         goto done;
  341     }
  342 
  343     ad_options->auth_ctx = krb5_auth_ctx;
  344     *_auth_ctx = krb5_auth_ctx;
  345 
  346     ret = EOK;
  347 
  348 done:
  349     if (ret != EOK) {
  350         talloc_free(krb5_auth_ctx);
  351     }
  352 
  353     return ret;
  354 }
  355 
  356 static errno_t ad_init_misc(struct be_ctx *be_ctx,
  357                             struct ad_options *ad_options,
  358                             struct ad_id_ctx *ad_id_ctx,
  359                             struct sdap_id_ctx *sdap_id_ctx)
  360 {
  361     errno_t ret;
  362 
  363     ret = ad_dyndns_init(be_ctx, ad_options);
  364     if (ret != EOK) {
  365         DEBUG(SSSDBG_MINOR_FAILURE,
  366               "Failure setting up automatic DNS update\n");
  367         /* Continue without DNS updates */
  368     }
  369 
  370     ret = setup_tls_config(sdap_id_ctx->opts->basic);
  371     if (ret != EOK) {
  372         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get TLS options [%d]: %s\n",
  373               ret, sss_strerror(ret));
  374         return ret;
  375     }
  376 
  377     ret = sdap_idmap_init(sdap_id_ctx, sdap_id_ctx,
  378                           &sdap_id_ctx->opts->idmap_ctx);
  379     if (ret != EOK) {
  380         DEBUG(SSSDBG_FATAL_FAILURE,
  381               "Could not initialize ID mapping. In case ID mapping properties "
  382               "changed on the server, please remove the SSSD database\n");
  383         return ret;
  384     }
  385 
  386     ret = sdap_id_setup_tasks(be_ctx, sdap_id_ctx, sdap_id_ctx->opts->sdom,
  387                               ad_id_enumeration_send, ad_id_enumeration_recv,
  388                               ad_id_ctx);
  389     if (ret != EOK) {
  390         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup background tasks "
  391               "[%d]: %s\n", ret, sss_strerror(ret));
  392         return ret;
  393     }
  394 
  395     sdap_id_ctx->opts->sdom->pvt = ad_id_ctx;
  396 
  397     ret = sdap_setup_child();
  398     if (ret != EOK) {
  399         DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n",
  400               ret, sss_strerror(ret));
  401         return ret;
  402     }
  403 
  404     ret = ad_init_srv_plugin(be_ctx, ad_options);
  405     if (ret != EOK) {
  406         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup SRV plugin [%d]: %s\n",
  407               ret, sss_strerror(ret));
  408         return ret;
  409     }
  410 
  411     ret = ad_refresh_init(be_ctx, ad_id_ctx);
  412     if (ret != EOK && ret != EEXIST) {
  413         DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
  414               "will not work [%d]: %s\n", ret, sss_strerror(ret));
  415     }
  416 
  417     ret = ad_machine_account_password_renewal_init(be_ctx, ad_options);
  418     if (ret != EOK) {
  419         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot setup task for machine account "
  420                                    "password renewal.\n");
  421         return ret;
  422     }
  423 
  424     ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
  425     if (ret != EOK) {
  426         DEBUG(SSSDBG_CRIT_FAILURE,
  427               "Failed to initialize certificate mapping rules. "
  428               "Authentication with certificates/Smartcards might not work "
  429               "as expected.\n");
  430         /* not fatal, ignored */
  431     }
  432 
  433     ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx);
  434     if (ret != EOK) {
  435         DEBUG(SSSDBG_CRIT_FAILURE,
  436               "Failed to initialized certificate mapping.\n");
  437         return ret;
  438     }
  439 
  440     return EOK;
  441 }
  442 
  443 errno_t sssm_ad_init(TALLOC_CTX *mem_ctx,
  444                      struct be_ctx *be_ctx,
  445                      struct data_provider *provider,
  446                      const char *module_name,
  447                      void **_module_data)
  448 {
  449     struct ad_init_ctx *init_ctx;
  450     errno_t ret;
  451 
  452     init_ctx = talloc_zero(mem_ctx, struct ad_init_ctx);
  453     if (init_ctx == NULL) {
  454         return ENOMEM;
  455     }
  456 
  457     /* Always initialize options since it is needed everywhere. */
  458     ret = ad_init_options(mem_ctx, be_ctx, &init_ctx->options);
  459     if (ret != EOK) {
  460         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD options [%d]: %s\n",
  461               ret, sss_strerror(ret));
  462         return ret;
  463     }
  464 
  465     /* Always initialize id_ctx since it is needed everywhere. */
  466     init_ctx->id_ctx = ad_id_ctx_init(init_ctx->options, be_ctx);
  467     if (init_ctx->id_ctx == NULL) {
  468         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize AD ID context\n");
  469         ret = ENOMEM;
  470         goto done;
  471     }
  472 
  473     init_ctx->options->id_ctx = init_ctx->id_ctx;
  474 
  475     ret = ad_get_id_options(init_ctx->options,
  476                             be_ctx->cdb,
  477                             be_ctx->conf_path,
  478                             be_ctx->provider,
  479                             &init_ctx->id_ctx->sdap_id_ctx->opts);
  480     if (ret != EOK) {
  481         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD id options\n");
  482         return ret;
  483     }
  484 
  485     /* Setup miscellaneous things. */
  486     ret = ad_init_misc(be_ctx, init_ctx->options, init_ctx->id_ctx,
  487                        init_ctx->id_ctx->sdap_id_ctx);
  488     if (ret != EOK) {
  489         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD module "
  490               "[%d]: %s\n", ret, sss_strerror(ret));
  491         goto done;
  492     }
  493 
  494     /* Initialize auth_ctx only if one of the target is enabled. */
  495     if (dp_target_enabled(provider, module_name, DPT_AUTH, DPT_CHPASS)) {
  496         ret = ad_init_auth_ctx(init_ctx, be_ctx, init_ctx->options,
  497                                &init_ctx->auth_ctx);
  498         if (ret != EOK) {
  499             DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context "
  500                   "[%d]: %s\n", ret, sss_strerror(ret));
  501             return ret;
  502         }
  503     }
  504 
  505     *_module_data = init_ctx;
  506 
  507     ret = EOK;
  508 
  509 done:
  510     if (ret != EOK) {
  511         talloc_free(init_ctx);
  512     }
  513 
  514     return ret;
  515 }
  516 
  517 errno_t sssm_ad_id_init(TALLOC_CTX *mem_ctx,
  518                         struct be_ctx *be_ctx,
  519                         void *module_data,
  520                         struct dp_method *dp_methods)
  521 {
  522     struct ad_init_ctx *init_ctx;
  523     struct ad_id_ctx *id_ctx;
  524 
  525     init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
  526     id_ctx = init_ctx->id_ctx;
  527 
  528     dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER,
  529                   ad_account_info_handler_send, ad_account_info_handler_recv, id_ctx,
  530                   struct ad_id_ctx, struct dp_id_data, struct dp_reply_std);
  531 
  532     dp_set_method(dp_methods, DPM_CHECK_ONLINE,
  533                   sdap_online_check_handler_send, sdap_online_check_handler_recv, id_ctx->sdap_id_ctx,
  534                   struct sdap_id_ctx, void, struct dp_reply_std);
  535 
  536     dp_set_method(dp_methods, DPM_ACCT_DOMAIN_HANDLER,
  537                   ad_get_account_domain_send, ad_get_account_domain_recv, id_ctx,
  538                   struct ad_id_ctx, struct dp_get_acct_domain_data, struct dp_reply_std);
  539 
  540     return EOK;
  541 }
  542 
  543 errno_t sssm_ad_auth_init(TALLOC_CTX *mem_ctx,
  544                           struct be_ctx *be_ctx,
  545                           void *module_data,
  546                           struct dp_method *dp_methods)
  547 {
  548     struct ad_init_ctx *init_ctx;
  549     struct krb5_ctx *auth_ctx;
  550 
  551     init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
  552     auth_ctx = init_ctx->auth_ctx;
  553 
  554     dp_set_method(dp_methods, DPM_AUTH_HANDLER,
  555                   krb5_pam_handler_send, krb5_pam_handler_recv, auth_ctx,
  556                   struct krb5_ctx, struct pam_data, struct pam_data *);
  557 
  558     return EOK;
  559 }
  560 
  561 errno_t sssm_ad_chpass_init(TALLOC_CTX *mem_ctx,
  562                             struct be_ctx *be_ctx,
  563                             void *module_data,
  564                             struct dp_method *dp_methods)
  565 {
  566     return sssm_ad_auth_init(mem_ctx, be_ctx, module_data, dp_methods);
  567 }
  568 
  569 errno_t sssm_ad_access_init(TALLOC_CTX *mem_ctx,
  570                             struct be_ctx *be_ctx,
  571                             void *module_data,
  572                             struct dp_method *dp_methods)
  573 {
  574     struct ad_init_ctx *init_ctx;
  575     struct ad_access_ctx *access_ctx;
  576     errno_t ret;
  577 
  578     init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
  579 
  580     access_ctx = talloc_zero(mem_ctx, struct ad_access_ctx);
  581     if (access_ctx == NULL) {
  582         return ENOMEM;
  583     }
  584 
  585     access_ctx->ad_id_ctx = init_ctx->id_ctx;
  586 
  587     ret = dp_copy_options(access_ctx, init_ctx->options->basic, AD_OPTS_BASIC,
  588                           &access_ctx->ad_options);
  589     if (ret != EOK) {
  590         DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize access provider "
  591               "options [%d]: %s\n", ret, sss_strerror(ret));
  592         goto done;
  593     }
  594 
  595     ret = ad_init_sdap_access_ctx(access_ctx);
  596     if (ret != EOK) {
  597         DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize sdap access context "
  598               "[%d]: %s\n", ret, sss_strerror(ret));
  599         goto done;
  600     }
  601 
  602     ret = ad_init_gpo(access_ctx);
  603     if (ret != EOK) {
  604         DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize GPO "
  605               "[%d]: %s\n", ret, sss_strerror(ret));
  606         goto done;
  607     }
  608 
  609     dp_set_method(dp_methods, DPM_ACCESS_HANDLER,
  610                   ad_pam_access_handler_send, ad_pam_access_handler_recv, access_ctx,
  611                   struct ad_access_ctx, struct pam_data, struct pam_data *);
  612 
  613     ret = EOK;
  614 
  615 done:
  616     if (ret != EOK) {
  617         talloc_free(access_ctx);
  618     }
  619 
  620     return ret;
  621 }
  622 
  623 errno_t sssm_ad_autofs_init(TALLOC_CTX *mem_ctx,
  624                             struct be_ctx *be_ctx,
  625                             void *module_data,
  626                             struct dp_method *dp_methods)
  627 {
  628 #ifdef BUILD_AUTOFS
  629     struct ad_init_ctx *init_ctx;
  630 
  631     DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD autofs handler\n");
  632     init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
  633 
  634     return ad_autofs_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
  635 #else
  636     DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is "
  637                                 "built without autofs support, ignoring\n");
  638     return EOK;
  639 #endif
  640 }
  641 
  642 errno_t sssm_ad_subdomains_init(TALLOC_CTX *mem_ctx,
  643                                 struct be_ctx *be_ctx,
  644                                 void *module_data,
  645                                 struct dp_method *dp_methods)
  646 {
  647     struct ad_init_ctx *init_ctx;
  648 
  649     DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD subdomains handler\n");
  650     init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
  651 
  652     return ad_subdomains_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
  653 }
  654 
  655 errno_t sssm_ad_sudo_init(TALLOC_CTX *mem_ctx,
  656                           struct be_ctx *be_ctx,
  657                           void *module_data,
  658                           struct dp_method *dp_methods)
  659 {
  660 #ifdef BUILD_SUDO
  661     struct ad_init_ctx *init_ctx;
  662 
  663     DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD sudo handler\n");
  664     init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
  665 
  666     return ad_sudo_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
  667 #else
  668     DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is "
  669                                 "built without sudo support, ignoring\n");
  670     return EOK;
  671 #endif
  672 }