From 26b838f2229483952aeec92a3446acef828244c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Sun, 26 Mar 2017 03:00:14 +0200
Subject: [PATCH 54/54] Add domain_resolution_order config option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is the local equivalent of option of ipaDomainResolutionOrder and
has precedence over the ones set on IPA side making the precedence order
to be like: Local > View > Globally.
As done for the IPA side configurations, the domains which were not
explicitly set up will be appended to the end of the
domain_resolution_order list in the very same order they're presented in
the "domains" option of [sssd] section in the config file. There's no
guarantee of order for the subdomains though.
It's also important to mention that no expansion magic is performed on
our side. It means that if 'example.com' is set it does *not* stand for
all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com',
etc).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/confdb/confdb.h                     |  1 +
 src/config/SSSDConfig/__init__.py.in    |  1 +
 src/config/SSSDConfigTest.py            |  7 ++++++-
 src/config/cfg_rules.ini                |  1 +
 src/config/etc/sssd.api.conf            |  1 +
 src/man/sssd.conf.5.xml                 | 20 ++++++++++++++++++++
 src/responder/common/responder.h        |  1 +
 src/responder/common/responder_common.c | 27 +++++++++++++++++++++++++++
 8 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
bb7cd1
index fb60675ca8beb2c2a157bf021ed9cad362742988..56a603652d6c8256735e7f8b125300ff7b254645 100644
bb7cd1
--- a/src/confdb/confdb.h
bb7cd1
+++ b/src/confdb/confdb.h
bb7cd1
@@ -74,6 +74,7 @@
bb7cd1
 #define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
bb7cd1
 #define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
bb7cd1
 #define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain"
bb7cd1
+#define CONFDB_MONITOR_DOMAIN_RESOLUTION_ORDER "domain_resolution_order"
bb7cd1
 
bb7cd1
 /* Both monitor and domains */
bb7cd1
 #define CONFDB_NAME_REGEX   "re_expression"
bb7cd1
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
bb7cd1
index 03a1a43336604bb815626e64cb54052bdf87acf2..e7fb7673d393d4f12910f355d3edf33f4390c1f1 100644
bb7cd1
--- a/src/config/SSSDConfig/__init__.py.in
bb7cd1
+++ b/src/config/SSSDConfig/__init__.py.in
bb7cd1
@@ -66,6 +66,7 @@ option_strings = {
bb7cd1
     'override_space': _('All spaces in group or user names will be replaced with this character'),
bb7cd1
     'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
bb7cd1
     'enable_files_domain' : _('Enable or disable the implicit files domain'),
bb7cd1
+    'domain_resolution_order': _('A specific order of the domains to be looked up'),
bb7cd1
 
bb7cd1
     # [nss]
bb7cd1
     'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
bb7cd1
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
bb7cd1
index 457a6f0a09e7139a05f29f8bef7e475fe3b58ec2..6899bf8ae04bf210546c8cbdba8235f094e23dc0 100755
bb7cd1
--- a/src/config/SSSDConfigTest.py
bb7cd1
+++ b/src/config/SSSDConfigTest.py
bb7cd1
@@ -94,6 +94,10 @@ class SSSDConfigTestValid(unittest.TestCase):
bb7cd1
         self.assertTrue('default_domain_suffix' in new_options)
bb7cd1
         self.assertEquals(new_options['default_domain_suffix'][0], str)
bb7cd1
 
bb7cd1
+        self.assertTrue('domain_resolution_order' in new_options)
bb7cd1
+        self.assertEquals(new_options['domain_resolution_order'][0], list)
bb7cd1
+        self.assertEquals(new_options['domain_resolution_order'][1], str)
bb7cd1
+
bb7cd1
         del sssdconfig
bb7cd1
 
bb7cd1
     def testDomains(self):
bb7cd1
@@ -314,7 +318,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
bb7cd1
             'certificate_verification',
bb7cd1
             'override_space',
bb7cd1
             'disable_netlink',
bb7cd1
-            'enable_files_domain']
bb7cd1
+            'enable_files_domain',
bb7cd1
+            'domain_resolution_order']
bb7cd1
 
bb7cd1
         self.assertTrue(type(options) == dict,
bb7cd1
                         "Options should be a dictionary")
bb7cd1
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
bb7cd1
index 933ebccd828189d923d2186753dfbc0b5c0814ce..41efcea552a82c5492a0d21a8d0797ee42cdc8c7 100644
bb7cd1
--- a/src/config/cfg_rules.ini
bb7cd1
+++ b/src/config/cfg_rules.ini
bb7cd1
@@ -43,6 +43,7 @@ option = override_space
bb7cd1
 option = config_file_version
bb7cd1
 option = disable_netlink
bb7cd1
 option = enable_files_domain
bb7cd1
+option = domain_resolution_order
bb7cd1
 
bb7cd1
 [rule/allowed_nss_options]
bb7cd1
 validator = ini_allowed_options
bb7cd1
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
bb7cd1
index 08cecf00367aaaab3794a48bd1e728421a996e49..6965028e1ca748f8b6677d9fc1faa66d5c307a0c 100644
bb7cd1
--- a/src/config/etc/sssd.api.conf
bb7cd1
+++ b/src/config/etc/sssd.api.conf
bb7cd1
@@ -32,6 +32,7 @@ certificate_verification = str, None, false
bb7cd1
 override_space = str, None, false
bb7cd1
 disable_netlink = bool, None, false
bb7cd1
 enable_files_domain = str, None, false
bb7cd1
+domain_resolution_order = list, str, false
bb7cd1
 
bb7cd1
 [nss]
bb7cd1
 # Name service
bb7cd1
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
bb7cd1
index 1c27742cf0c1b6ffad23ab5b044bf4a168ed8f69..4fe13b85d511fb6a2ccc9b4de956710b05bc898c 100644
bb7cd1
--- a/src/man/sssd.conf.5.xml
bb7cd1
+++ b/src/man/sssd.conf.5.xml
bb7cd1
@@ -542,6 +542,26 @@
bb7cd1
                             </para>
bb7cd1
                         </listitem>
bb7cd1
                     </varlistentry>
bb7cd1
+                    <varlistentry>
bb7cd1
+                        <term>domain_resolution_order</term>
bb7cd1
+                        <listitem>
bb7cd1
+                            <para>
bb7cd1
+                                Comma separated list of domains and subdomains
bb7cd1
+                                representing the lookup order that will be
bb7cd1
+                                followed.
bb7cd1
+                                The list doesn't have to include all possible
bb7cd1
+                                domains as the missing domains will be looked
bb7cd1
+                                up based on the order they're presented in the
bb7cd1
+                                <quote>domains</quote> configuration option.
bb7cd1
+                                The subdomains which are not listed as part of
bb7cd1
+                                <quote>lookup_order</quote> will be looked up
bb7cd1
+                                in a random order for each parent domain.
bb7cd1
+                            </para>
bb7cd1
+                            <para>
bb7cd1
+                                Default: Not set
bb7cd1
+                            </para>
bb7cd1
+                        </listitem>
bb7cd1
+                    </varlistentry>
bb7cd1
                 </variablelist>
bb7cd1
             </para>
bb7cd1
         </refsect2>
bb7cd1
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
bb7cd1
index 29e3f95caf484f43307c9c28d4abd3f50f360a95..4210307489fe25829a1674f254ecc7d185029698 100644
bb7cd1
--- a/src/responder/common/responder.h
bb7cd1
+++ b/src/responder/common/responder.h
bb7cd1
@@ -115,6 +115,7 @@ struct resp_ctx {
bb7cd1
     int client_idle_timeout;
bb7cd1
 
bb7cd1
     struct cache_req_domain *cr_domains;
bb7cd1
+    const char *domain_resolution_order;
bb7cd1
 
bb7cd1
     time_t last_request_time;
bb7cd1
     int idle_timeout;
bb7cd1
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
bb7cd1
index 1792a4c3771fa326c7cca31e1981dce315c03758..154d7dc7718c437d10e152fcba98161e2034fb14 100644
bb7cd1
--- a/src/responder/common/responder_common.c
bb7cd1
+++ b/src/responder/common/responder_common.c
bb7cd1
@@ -1163,6 +1163,19 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
bb7cd1
         rctx->override_space = tmp[0];
bb7cd1
     }
bb7cd1
 
bb7cd1
+    ret = confdb_get_string(rctx->cdb, rctx,
bb7cd1
+                            CONFDB_MONITOR_CONF_ENTRY,
bb7cd1
+                            CONFDB_MONITOR_DOMAIN_RESOLUTION_ORDER, NULL,
bb7cd1
+                            &tmp);
bb7cd1
+    if (ret == EOK) {
bb7cd1
+        rctx->domain_resolution_order = sss_replace_char(rctx, tmp, ',', ':');
bb7cd1
+    } else {
bb7cd1
+        DEBUG(SSSDBG_MINOR_FAILURE,
bb7cd1
+              "Cannot get the \"domain_resolution_order\" option.\n"
bb7cd1
+              "The set up lookup_order won't be followed [%d]: %s.\n",
bb7cd1
+              ret, sss_strerror(ret));
bb7cd1
+    }
bb7cd1
+
bb7cd1
     ret = sss_monitor_init(rctx, rctx->ev, monitor_intf,
bb7cd1
                            svc_name, svc_version, MT_SVC_SERVICE,
bb7cd1
                            rctx, &rctx->last_request_time,
bb7cd1
@@ -1546,6 +1559,20 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
bb7cd1
     struct sss_domain_info *dom;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
+    if (rctx->domain_resolution_order != NULL) {
bb7cd1
+        cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
bb7cd1
+                            rctx, rctx->domains, rctx->domain_resolution_order);
bb7cd1
+
bb7cd1
+        if (cr_domains == NULL) {
bb7cd1
+            DEBUG(SSSDBG_MINOR_FAILURE,
bb7cd1
+                  "Failed to use domain_resolution_order set in the config file.\n"
bb7cd1
+                  "Trying to fallback to use ipaDomainOrderResolution setup by "
bb7cd1
+                  "IPA.\n");
bb7cd1
+        } else {
bb7cd1
+            goto done;
bb7cd1
+        }
bb7cd1
+    }
bb7cd1
+
bb7cd1
     for (dom = rctx->domains; dom != NULL; dom = dom->next) {
bb7cd1
         if (dom->provider != NULL && strcmp(dom->provider, "ipa") == 0) {
bb7cd1
             break;
bb7cd1
-- 
bb7cd1
2.9.3
bb7cd1