From 8e382375715232130f7b96d3098a7c7a0d6cef7d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 28 Apr 2015 13:48:42 +0200
Subject: [PATCH 207/207] subdomains: Inherit cleanup period and tokengroup
settings from parent domain
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 9b162bf39ef75629f54ffa1d0bd5f9c13119b650)
Conflicts:
src/tests/cmocka/test_sdap.c
---
src/man/sssd.conf.5.xml | 9 +++
src/providers/ad/ad_subdomains.c | 4 +
src/providers/ipa/ipa_subdomains.c | 4 +
src/providers/ldap/sdap.c | 58 ++++++++++++++
src/providers/ldap/sdap.h | 4 +
src/tests/cmocka/test_sdap.c | 158 +++++++++++++++++++++++++++++++++++++
6 files changed, 237 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
|
e543c9 |
index 19995be..ef82dcd 100644
|
|
|
e543c9 |
--- a/src/man/sssd.conf.5.xml
|
|
|
e543c9 |
+++ b/src/man/sssd.conf.5.xml
|
|
|
e543c9 |
@@ -489,6 +489,15 @@
|
|
|
e543c9 |
ignore_group_members
|
|
|
e543c9 |
</para>
|
|
|
e543c9 |
<para>
|
|
|
e543c9 |
+ ldap_purge_cache_timeout
|
|
|
e543c9 |
+ </para>
|
|
|
e543c9 |
+ <para>
|
|
|
e543c9 |
+ ldap_use_tokengroups
|
|
|
e543c9 |
+ </para>
|
|
|
e543c9 |
+ <para>
|
|
|
e543c9 |
+ ldap_user_principal
|
|
|
e543c9 |
+ </para>
|
|
|
e543c9 |
+ <para>
|
|
|
e543c9 |
Example:
|
|
|
e543c9 |
<programlisting>
|
|
|
e543c9 |
subdomain_inherit = ldap_purge_cache_timeout
|
|
|
e543c9 |
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
|
e543c9 |
index 3c61d13..554da69 100644
|
|
|
e543c9 |
--- a/src/providers/ad/ad_subdomains.c
|
|
|
e543c9 |
+++ b/src/providers/ad/ad_subdomains.c
|
|
|
e543c9 |
@@ -180,6 +180,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
e543c9 |
return EFAULT;
|
|
|
e543c9 |
}
|
|
|
e543c9 |
|
|
|
e543c9 |
+ sdap_inherit_options(subdom->parent->sd_inherit,
|
|
|
e543c9 |
+ id_ctx->sdap_id_ctx->opts,
|
|
|
e543c9 |
+ ad_id_ctx->sdap_id_ctx->opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
/* Set up the ID mapping object */
|
|
|
e543c9 |
ad_id_ctx->sdap_id_ctx->opts->idmap_ctx =
|
|
|
e543c9 |
id_ctx->sdap_id_ctx->opts->idmap_ctx;
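Review bot: The new `sdap_inherit_options(...)` call carries no comment saying what it applies or why it has to sit at this point, and the same is true of the identical call in the ipa_subdomains.c hunk. Suggest `/* Apply the parent's subdomain_inherit settings to the trusted domain before its options are consumed below */` — here the idmap context is shared right afterwards, in ipa_subdomains.c sdap_id_setup_tasks() follows, and the inherited cache-purge timeout is presumably read by those tasks. Because sdap_inherit_options() is declared void, a failure inside it (for instance while copying the user-principal attribute name) cannot be observed at this call site, so the inherited values are effectively best-effort. ad_subdom_ad_ctx_new() starts outside the hunk.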
|
|
|
e543c9 |
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
|
|
|
e543c9 |
index 3148389..e529454 100644
|
|
|
e543c9 |
--- a/src/providers/ipa/ipa_subdomains.c
|
|
|
e543c9 |
+++ b/src/providers/ipa/ipa_subdomains.c
|
|
|
e543c9 |
@@ -228,6 +228,10 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
e543c9 |
return EFAULT;
|
|
|
e543c9 |
}
|
|
|
e543c9 |
|
|
|
e543c9 |
+ sdap_inherit_options(subdom->parent->sd_inherit,
|
|
|
e543c9 |
+ id_ctx->sdap_id_ctx->opts,
|
|
|
e543c9 |
+ ad_id_ctx->sdap_id_ctx->opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
ret = sdap_id_setup_tasks(be_ctx,
|
|
|
e543c9 |
ad_id_ctx->sdap_id_ctx,
|
|
|
e543c9 |
sdom,
|
|
|
e543c9 |
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
|
|
e543c9 |
index bc9f8b3..9b65940 100644
|
|
|
e543c9 |
--- a/src/providers/ldap/sdap.c
|
|
|
e543c9 |
+++ b/src/providers/ldap/sdap.c
|
|
|
e543c9 |
@@ -243,6 +243,64 @@ int sdap_extend_map_with_list(TALLOC_CTX *mem_ctx,
|
|
|
e543c9 |
return EOK;
|
|
|
e543c9 |
}
|
|
|
e543c9 |
|
|
|
e543c9 |
+static void sdap_inherit_basic_options(char **inherit_opt_list,
|
|
|
e543c9 |
+ struct dp_option *parent_opts,
|
|
|
e543c9 |
+ struct dp_option *subdom_opts)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ int inherit_options[] = {
|
|
|
e543c9 |
+ SDAP_CACHE_PURGE_TIMEOUT,
|
|
|
e543c9 |
+ SDAP_AD_USE_TOKENGROUPS,
|
|
|
e543c9 |
+ SDAP_OPTS_BASIC /* sentinel */
|
|
|
e543c9 |
+ };
|
|
|
e543c9 |
+ int i;
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ for (i = 0; inherit_options[i] != SDAP_OPTS_BASIC; i++) {
|
|
|
e543c9 |
+ dp_option_inherit(inherit_opt_list,
|
|
|
e543c9 |
+ inherit_options[i],
|
|
|
e543c9 |
+ parent_opts,
|
|
|
e543c9 |
+ subdom_opts);
|
|
|
e543c9 |
+ }
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+static void sdap_inherit_user_options(char **inherit_opt_list,
|
|
|
e543c9 |
+ struct sdap_attr_map *parent_user_map,
|
|
|
e543c9 |
+ struct sdap_attr_map *child_user_map)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ int inherit_options[] = {
|
|
|
e543c9 |
+ SDAP_AT_USER_PRINC,
|
|
|
e543c9 |
+ SDAP_OPTS_USER /* sentinel */
|
|
|
e543c9 |
+ };
|
|
|
e543c9 |
+ int i;
|
|
|
e543c9 |
+ int opt_index;
|
|
|
e543c9 |
+ bool inherit_option;
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) {
|
|
|
e543c9 |
+ opt_index = inherit_options[i];
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ inherit_option = string_in_list(parent_user_map[opt_index].opt_name,
|
|
|
e543c9 |
+ inherit_opt_list,
|
|
|
e543c9 |
+ false);
|
|
|
e543c9 |
+ if (inherit_option == false) {
|
|
|
e543c9 |
+ continue;
|
|
|
e543c9 |
+ }
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ sdap_copy_map_entry(parent_user_map, child_user_map, opt_index);
|
|
|
e543c9 |
+ }
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+void sdap_inherit_options(char **inherit_opt_list,
|
|
|
e543c9 |
+ struct sdap_options *parent_sdap_opts,
|
|
|
e543c9 |
+ struct sdap_options *child_sdap_opts)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ sdap_inherit_basic_options(inherit_opt_list,
|
|
|
e543c9 |
+ parent_sdap_opts->basic,
|
|
|
e543c9 |
+ child_sdap_opts->basic);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ sdap_inherit_user_options(inherit_opt_list,
|
|
|
e543c9 |
+ parent_sdap_opts->user_map,
|
|
|
e543c9 |
+ child_sdap_opts->user_map);
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
int sdap_get_map(TALLOC_CTX *memctx,
|
|
|
e543c9 |
struct confdb_ctx *cdb,
|
|
|
e543c9 |
const char *conf_path,
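Review bot: The result of `sdap_copy_map_entry(parent_user_map, child_user_map, opt_index);` in sdap_inherit_user_options is discarded, so a failed copy leaves the child map with whatever name it had and nothing in the logs; the helper appears to allocate the copied name (test_sdap_inherit_option_user frees it afterwards), which is precisely the step that can fail. If it returns an errno like the surrounding sdap.c code, check it with an `errno_t ret`: `ret = sdap_copy_map_entry(parent_user_map, child_user_map, opt_index);` / `if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Cannot inherit %s\n", parent_user_map[opt_index].opt_name); }`. Since sdap_inherit_options is void and is called from both the AD and IPA subdomain setup, propagating the error would also mean changing the prototype added in sdap.h, so logging is the minimal step. Style-wise `if (inherit_option == false)` reads better as `if (!inherit_option)`, and the three new functions lack header comments stating that inherit_opt_list is a NULL-terminated list that may itself be NULL (test_sdap_inherit_option_null relies on that).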
|
|
|
e543c9 |
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
|
|
e543c9 |
index c0e9ff9..19fc039 100644
|
|
|
e543c9 |
--- a/src/providers/ldap/sdap.h
|
|
|
e543c9 |
+++ b/src/providers/ldap/sdap.h
|
|
|
e543c9 |
@@ -491,6 +491,10 @@ int sdap_extend_map_with_list(TALLOC_CTX *mem_ctx,
|
|
|
e543c9 |
struct sdap_attr_map **_map,
|
|
|
e543c9 |
size_t *_new_size);
|
|
|
e543c9 |
|
|
|
e543c9 |
+void sdap_inherit_options(char **inherit_opt_list,
|
|
|
e543c9 |
+ struct sdap_options *parent_sdap_opts,
|
|
|
e543c9 |
+ struct sdap_options *child_sdap_opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
int sdap_get_map(TALLOC_CTX *memctx,
|
|
|
e543c9 |
struct confdb_ctx *cdb,
|
|
|
e543c9 |
const char *conf_path,
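Review bot: The new public prototype for sdap_inherit_options is undocumented, so a reader cannot tell which options it covers or what shape the list argument has. Suggest a comment above it: `/* Copy the options named in inherit_opt_list (NULL-terminated; may be NULL) from parent_sdap_opts into child_sdap_opts. Currently ldap_purge_cache_timeout, ldap_use_tokengroups and ldap_user_principal are supported. */`. The function cannot report failure, which is worth stating as well so callers treat the inherited values as best-effort.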
|
|
|
e543c9 |
diff --git a/src/tests/cmocka/test_sdap.c b/src/tests/cmocka/test_sdap.c
|
|
|
e543c9 |
index d1e6959..5488694 100644
|
|
|
e543c9 |
--- a/src/tests/cmocka/test_sdap.c
|
|
|
e543c9 |
+++ b/src/tests/cmocka/test_sdap.c
|
|
|
e543c9 |
@@ -792,6 +792,150 @@ static void test_sdap_copy_map_entry_null_name(void **state)
|
|
|
e543c9 |
assert_null(uuid_val);
|
|
|
e543c9 |
}
|
|
|
e543c9 |
|
|
|
e543c9 |
+struct test_sdap_inherit_ctx {
|
|
|
e543c9 |
+ struct sdap_options *parent_sdap_opts;
|
|
|
e543c9 |
+ struct sdap_options *child_sdap_opts;
|
|
|
e543c9 |
+};
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+struct sdap_options *mock_sdap_opts(TALLOC_CTX *mem_ctx)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ int ret;
|
|
|
e543c9 |
+ struct sdap_options *opts;
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ opts = talloc_zero(mem_ctx, struct sdap_options);
|
|
|
e543c9 |
+ assert_non_null(opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ ret = sdap_copy_map(opts, rfc2307_user_map,
|
|
|
e543c9 |
+ SDAP_OPTS_USER, &opts->user_map);
|
|
|
e543c9 |
+ assert_int_equal(ret, ERR_OK);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ ret = dp_copy_defaults(opts, default_basic_opts,
|
|
|
e543c9 |
+ SDAP_OPTS_BASIC, &opts->basic);
|
|
|
e543c9 |
+ assert_int_equal(ret, ERR_OK);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ return opts;
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+static void test_sdap_inherit_option_setup(void **state)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ int ret;
|
|
|
e543c9 |
+ struct test_sdap_inherit_ctx *test_ctx;
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ assert_true(leak_check_setup());
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ test_ctx = talloc_zero(global_talloc_context,
|
|
|
e543c9 |
+ struct test_sdap_inherit_ctx);
|
|
|
e543c9 |
+ assert_non_null(test_ctx);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ test_ctx->child_sdap_opts = talloc_zero(test_ctx, struct sdap_options);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ test_ctx->parent_sdap_opts = mock_sdap_opts(test_ctx);
|
|
|
e543c9 |
+ assert_non_null(test_ctx->parent_sdap_opts);
|
|
|
e543c9 |
+ test_ctx->child_sdap_opts = mock_sdap_opts(test_ctx);
|
|
|
e543c9 |
+ assert_non_null(test_ctx->child_sdap_opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ test_ctx->parent_sdap_opts->user_map[SDAP_AT_USER_PRINC].name = \
|
|
|
e543c9 |
+ discard_const("test_princ");
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ ret = dp_opt_set_int(test_ctx->parent_sdap_opts->basic,
|
|
|
e543c9 |
+ SDAP_CACHE_PURGE_TIMEOUT, 123);
|
|
|
e543c9 |
+ assert_int_equal(ret, EOK);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ *state = test_ctx;
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+static void test_sdap_inherit_option_teardown(void **state)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ struct test_sdap_inherit_ctx *test_ctx = \
|
|
|
e543c9 |
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ talloc_free(test_ctx);
|
|
|
e543c9 |
+ assert_true(leak_check_teardown());
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+static void test_sdap_inherit_option_null(void **state)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ struct test_sdap_inherit_ctx *test_ctx = \
|
|
|
e543c9 |
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
|
|
|
e543c9 |
+ int val;
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
|
|
|
e543c9 |
+ SDAP_CACHE_PURGE_TIMEOUT);
|
|
|
e543c9 |
+ assert_int_equal(val, 10800);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ sdap_inherit_options(NULL,
|
|
|
e543c9 |
+ test_ctx->parent_sdap_opts,
|
|
|
e543c9 |
+ test_ctx->child_sdap_opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
|
|
|
e543c9 |
+ SDAP_CACHE_PURGE_TIMEOUT);
|
|
|
e543c9 |
+ assert_int_equal(val, 10800);
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+static void test_sdap_inherit_option_notset(void **state)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ struct test_sdap_inherit_ctx *test_ctx = \
|
|
|
e543c9 |
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
|
|
|
e543c9 |
+ int val;
|
|
|
e543c9 |
+ const char *inherit_options[] = { "ldap_use_tokengroups", NULL };
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
|
|
|
e543c9 |
+ SDAP_CACHE_PURGE_TIMEOUT);
|
|
|
e543c9 |
+ assert_int_equal(val, 10800);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ /* parent has nondefault, but it's not supposed to be inherited */
|
|
|
e543c9 |
+ sdap_inherit_options(discard_const(inherit_options),
|
|
|
e543c9 |
+ test_ctx->parent_sdap_opts,
|
|
|
e543c9 |
+ test_ctx->child_sdap_opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
|
|
|
e543c9 |
+ SDAP_CACHE_PURGE_TIMEOUT);
|
|
|
e543c9 |
+ assert_int_equal(val, 10800);
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+static void test_sdap_inherit_option_basic(void **state)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ struct test_sdap_inherit_ctx *test_ctx = \
|
|
|
e543c9 |
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
|
|
|
e543c9 |
+ int val;
|
|
|
e543c9 |
+ const char *inherit_options[] = { "ldap_purge_cache_timeout", NULL };
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
|
|
|
e543c9 |
+ SDAP_CACHE_PURGE_TIMEOUT);
|
|
|
e543c9 |
+ assert_int_equal(val, 10800);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ /* parent has nondefault, but it's not supposed to be inherited */
|
|
|
e543c9 |
+ sdap_inherit_options(discard_const(inherit_options),
|
|
|
e543c9 |
+ test_ctx->parent_sdap_opts,
|
|
|
e543c9 |
+ test_ctx->child_sdap_opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
|
|
|
e543c9 |
+ SDAP_CACHE_PURGE_TIMEOUT);
|
|
|
e543c9 |
+ assert_int_equal(val, 123);
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+static void test_sdap_inherit_option_user(void **state)
|
|
|
e543c9 |
+{
|
|
|
e543c9 |
+ struct test_sdap_inherit_ctx *test_ctx = \
|
|
|
e543c9 |
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
|
|
|
e543c9 |
+ const char *inherit_options[] = { "ldap_user_principal", NULL };
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ assert_string_equal(
|
|
|
e543c9 |
+ test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name,
|
|
|
e543c9 |
+ "krbPrincipalName");
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ /* parent has nondefault, but it's not supposed to be inherited */
|
|
|
e543c9 |
+ sdap_inherit_options(discard_const(inherit_options),
|
|
|
e543c9 |
+ test_ctx->parent_sdap_opts,
|
|
|
e543c9 |
+ test_ctx->child_sdap_opts);
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ assert_string_equal(
|
|
|
e543c9 |
+ test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name,
|
|
|
e543c9 |
+ "test_princ");
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ talloc_free(test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name);
|
|
|
e543c9 |
+}
|
|
|
e543c9 |
+
|
|
|
e543c9 |
int main(int argc, const char *argv[])
|
|
|
e543c9 |
{
|
|
|
e543c9 |
poptContext pc;
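Review bot: The comment `/* parent has nondefault, but it's not supposed to be inherited */` has been copied into test_sdap_inherit_option_basic and test_sdap_inherit_option_user, where the option is in the list and the assertions expect it to be inherited (123 and "test_princ"); those two should read `/* parent has nondefault and the option is listed, so it must be inherited */`. Separately, `mock_sdap_opts` is defined without `static` although it is only used in this file, and the `talloc_zero(test_ctx, struct sdap_options)` assigned to child_sdap_opts in test_sdap_inherit_option_setup is dead because mock_sdap_opts() overwrites it a few lines later. The hunk's tail is the opening of main(), which continues outside the hunk.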
|
|
|
e543c9 |
@@ -845,6 +989,20 @@ int main(int argc, const char *argv[])
|
|
|
e543c9 |
unit_test_setup_teardown(test_sdap_copy_map_entry_null_name,
|
|
|
e543c9 |
copy_map_entry_test_setup,
|
|
|
e543c9 |
copy_map_entry_test_teardown),
|
|
|
e543c9 |
+
|
|
|
e543c9 |
+ /* Option inherit tests */
|
|
|
e543c9 |
+ unit_test_setup_teardown(test_sdap_inherit_option_null,
|
|
|
e543c9 |
+ test_sdap_inherit_option_setup,
|
|
|
e543c9 |
+ test_sdap_inherit_option_teardown),
|
|
|
e543c9 |
+ unit_test_setup_teardown(test_sdap_inherit_option_notset,
|
|
|
e543c9 |
+ test_sdap_inherit_option_setup,
|
|
|
e543c9 |
+ test_sdap_inherit_option_teardown),
|
|
|
e543c9 |
+ unit_test_setup_teardown(test_sdap_inherit_option_basic,
|
|
|
e543c9 |
+ test_sdap_inherit_option_setup,
|
|
|
e543c9 |
+ test_sdap_inherit_option_teardown),
|
|
|
e543c9 |
+ unit_test_setup_teardown(test_sdap_inherit_option_user,
|
|
|
e543c9 |
+ test_sdap_inherit_option_setup,
|
|
|
e543c9 |
+ test_sdap_inherit_option_teardown),
|
|
|
e543c9 |
};
|
|
|
e543c9 |
|
|
|
e543c9 |
/* Set debug level to invalid value so we can deside if -d 0 was used. */
--
2.1.0