From 373b1136ccb3bf54f32d47473e8120d0258f8405 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 21 May 2019 10:22:04 +0200
Subject: [PATCH 31/31] sdap: inherit SDAP_SASL_MECH if not set explicitly
|
If ldap_sasl_mech is set for the configured domain in sssd.conf the
value is inherited automatically to all sub-domains. This can be
overwritten by setting ldap_sasl_mech for a given sub-domain explicitly
in sssd.conf.
|
Related to https://pagure.io/SSSD/sssd/issue/4006
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 070f22f896b909c140ed7598aed2393d61a834ae)
---
src/config/cfg_rules.ini | 1 +
src/man/sssd-ldap.5.xml | 10 ++++++
src/man/sssd.conf.5.xml | 1 +
src/providers/ad/ad_common.c | 38 +++++++++++++++++++++++
src/providers/ad/ad_common.h | 5 +++
src/providers/ad/ad_subdomains.c | 18 ++++++++++-
src/providers/ipa/ipa_subdomains_server.c | 19 +++++++++++-
7 files changed, 90 insertions(+), 2 deletions(-)
|
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
|
841ac7 |
index 603211711..3976ec4e1 100644
|
|
|
841ac7 |
--- a/src/config/cfg_rules.ini
|
|
|
841ac7 |
+++ b/src/config/cfg_rules.ini
|
|
|
841ac7 |
@@ -753,6 +753,7 @@ option = ldap_user_search_base
|
|
|
841ac7 |
option = ldap_group_search_base
|
|
|
841ac7 |
option = ldap_netgroup_search_base
|
|
|
841ac7 |
option = ldap_service_search_base
|
|
|
841ac7 |
+option = ldap_sasl_mech
|
|
|
841ac7 |
option = ad_server
|
|
|
841ac7 |
option = ad_backup_server
|
|
|
841ac7 |
option = ad_site
|
|
|
841ac7 |
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
|
|
841ac7 |
index 17c5523c0..fadd05cb7 100644
|
|
|
841ac7 |
--- a/src/man/sssd-ldap.5.xml
|
|
|
841ac7 |
+++ b/src/man/sssd-ldap.5.xml
|
|
|
841ac7 |
@@ -1808,6 +1808,16 @@
|
|
|
841ac7 |
Specify the SASL mechanism to use. Currently only
|
|
|
841ac7 |
GSSAPI and GSS-SPNEGO are tested and supported.
|
|
|
841ac7 |
</para>
|
|
|
841ac7 |
+ <para>
|
|
|
841ac7 |
+ If the backend supports sub-domains the value of
|
|
|
841ac7 |
+ ldap_sasl_mech is automatically inherited to the
|
|
|
841ac7 |
+ sub-domains. If a different value is needed for a
|
|
|
841ac7 |
+ sub-domain it can be overwritten by setting
|
|
|
841ac7 |
+ ldap_sasl_mech for this sub-domain explicitly.
|
|
|
841ac7 |
+ Please see TRUSTED DOMAIN SECTION in
|
|
|
841ac7 |
+ <citerefentry><refentrytitle>sssd.conf</refentrytitle>
|
|
|
841ac7 |
+ <manvolnum>5</manvolnum></citerefentry> for details.
|
|
|
841ac7 |
+ </para>
|
|
|
841ac7 |
<para>
|
|
|
841ac7 |
Default: not set
|
|
|
841ac7 |
</para>
|
|
|
841ac7 |
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
|
841ac7 |
index 1ab7af00b..3f05b3942 100644
|
|
|
841ac7 |
--- a/src/man/sssd.conf.5.xml
|
|
|
841ac7 |
+++ b/src/man/sssd.conf.5.xml
|
|
|
841ac7 |
@@ -3356,6 +3356,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
|
|
|
841ac7 |
<para>ldap_group_search_base,</para>
|
|
|
841ac7 |
<para>ldap_netgroup_search_base,</para>
|
|
|
841ac7 |
<para>ldap_service_search_base,</para>
|
|
|
841ac7 |
+ <para>ldap_sasl_mech,</para>
|
|
|
841ac7 |
<para>ad_server,</para>
|
|
|
841ac7 |
<para>ad_backup_server,</para>
|
|
|
841ac7 |
<para>ad_site,</para>
|
|
|
841ac7 |
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
|
|
841ac7 |
index 19d4b3d5a..1b8b1df19 100644
|
|
|
841ac7 |
--- a/src/providers/ad/ad_common.c
|
|
|
841ac7 |
+++ b/src/providers/ad/ad_common.c
|
|
|
841ac7 |
@@ -1455,3 +1455,41 @@ ad_user_conn_list(TALLOC_CTX *mem_ctx,
|
|
|
841ac7 |
|
|
|
841ac7 |
return clist;
|
|
|
841ac7 |
}
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
|
|
|
841ac7 |
+ struct dp_option *suddom_opts,
|
|
|
841ac7 |
+ struct confdb_ctx *cdb,
|
|
|
841ac7 |
+ const char *subdom_conf_path,
|
|
|
841ac7 |
+ int opt_id)
|
|
|
841ac7 |
+{
|
|
|
841ac7 |
+ int ret;
|
|
|
841ac7 |
+ const char *parent_val = NULL;
|
|
|
841ac7 |
+ char *dummy = NULL;
|
|
|
841ac7 |
+ char *option_list[2] = { NULL, NULL };
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+ parent_val = dp_opt_get_cstring(parent_opts, opt_id);
|
|
|
841ac7 |
+ if (parent_val != NULL) {
|
|
|
841ac7 |
+ ret = confdb_get_string(cdb, NULL, subdom_conf_path,
|
|
|
841ac7 |
+ parent_opts[opt_id].opt_name, NULL, &dummy);
|
|
|
841ac7 |
+ if (ret != EOK) {
|
|
|
841ac7 |
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_string failed.\n");
|
|
|
841ac7 |
+ goto done;
|
|
|
841ac7 |
+ }
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+ if (dummy == NULL) {
|
|
|
841ac7 |
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
|
841ac7 |
+ "Option [%s] is set in parent domain but not set for "
|
|
|
841ac7 |
+ "sub-domain trying to set it to [%s].\n",
|
|
|
841ac7 |
+ parent_opts[opt_id].opt_name, parent_val);
|
|
|
841ac7 |
+ option_list[0] = discard_const(parent_opts[opt_id].opt_name);
|
|
|
841ac7 |
+ dp_option_inherit(option_list, opt_id, parent_opts, suddom_opts);
|
|
|
841ac7 |
+ }
|
|
|
841ac7 |
+ }
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+ ret = EOK;
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+done:
|
|
|
841ac7 |
+ talloc_free(dummy);
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+ return ret;
|
|
|
841ac7 |
+}
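Review bot: `ad_inherit_opts_if_needed()` becomes a public function with no comment stating its contract, and its second parameter is misspelled `suddom_opts` both in this definition and in the declaration added to src/providers/ad/ad_common.h; rename it to `subdom_opts` in both places. The contract worth writing down is that the value is copied from `parent_opts` only when it is set there and `confdb_get_string()` returns EOK with a NULL result for the sub-domain's section (which the code appears to rely on as the "not set explicitly" signal), that a confdb read failure is propagated to the caller, and that `opt_id` must name a string option because the lookup goes through `dp_opt_get_cstring()`. A header comment such as `/* Copy string option opt_id from parent_opts into subdom_opts unless it is set explicitly in the sub-domain's confdb section subdom_conf_path; returns EOK or the confdb error. */` would cover it. The `dummy` string is allocated on the NULL talloc context via `confdb_get_string(cdb, NULL, ...)` and released under `done:`, which is correct but reads like a leak at first glance, so a one-line comment there would help the next reader.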
|
|
|
841ac7 |
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
|
|
841ac7 |
index 638465958..2f624df3d 100644
|
|
|
841ac7 |
--- a/src/providers/ad/ad_common.h
|
|
|
841ac7 |
+++ b/src/providers/ad/ad_common.h
|
|
|
841ac7 |
@@ -216,4 +216,9 @@ errno_t netlogon_get_domain_info(TALLOC_CTX *mem_ctx,
|
|
|
841ac7 |
char **_site,
|
|
|
841ac7 |
char **_forest);
|
|
|
841ac7 |
|
|
|
841ac7 |
+errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
|
|
|
841ac7 |
+ struct dp_option *suddom_opts,
|
|
|
841ac7 |
+ struct confdb_ctx *cdb,
|
|
|
841ac7 |
+ const char *subdom_conf_path,
|
|
|
841ac7 |
+ int opt_id);
|
|
|
841ac7 |
#endif /* AD_COMMON_H_ */
|
|
|
841ac7 |
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
|
841ac7 |
index b4ad347e4..b4e09fb7e 100644
|
|
|
841ac7 |
--- a/src/providers/ad/ad_subdomains.c
|
|
|
841ac7 |
+++ b/src/providers/ad/ad_subdomains.c
|
|
|
841ac7 |
@@ -305,13 +305,29 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
841ac7 |
realm,
|
|
|
841ac7 |
subdom,
|
|
|
841ac7 |
hostname, keytab);
|
|
|
841ac7 |
- talloc_free(subdom_conf_path);
|
|
|
841ac7 |
if (ad_options == NULL) {
|
|
|
841ac7 |
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
|
|
|
841ac7 |
talloc_free(ad_options);
|
|
|
841ac7 |
+ talloc_free(subdom_conf_path);
|
|
|
841ac7 |
return ENOMEM;
|
|
|
841ac7 |
}
|
|
|
841ac7 |
|
|
|
841ac7 |
+ ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
|
|
|
841ac7 |
+ ad_options->id->basic,
|
|
|
841ac7 |
+ be_ctx->cdb, subdom_conf_path,
|
|
|
841ac7 |
+ SDAP_SASL_MECH);
|
|
|
841ac7 |
+ talloc_free(subdom_conf_path);
|
|
|
841ac7 |
+ if (ret != EOK) {
|
|
|
841ac7 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
841ac7 |
+ "Failed to inherit option [%s] to sub-domain [%s]. "
|
|
|
841ac7 |
+ "This error is ignored but might cause issues or unexpected "
|
|
|
841ac7 |
+ "behavior later on.\n",
|
|
|
841ac7 |
+ id_ctx->ad_options->id->basic[SDAP_SASL_MECH].opt_name,
|
|
|
841ac7 |
+ subdom->name);
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+ return ret;
|
|
|
841ac7 |
+ }
|
|
|
841ac7 |
+
|
|
|
841ac7 |
ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
|
|
|
841ac7 |
|
|
|
841ac7 |
gc_service_name = talloc_asprintf(ad_options, "sd_gc_%s", subdom->name);
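Review bot: The failure branch added after the `ad_inherit_opts_if_needed()` call logs "This error is ignored but might cause issues ..." and then executes `return ret;`, so the message and the control flow contradict each other; the second hunk of src/providers/ipa/ipa_subdomains_server.c has the same mismatch with `return NULL;`. Failing the sub-domain setup is the defensible choice here, since continuing would let the sub-domain connect with a different SASL mechanism than the administrator configured for the parent, so the fix is to the text: drop the "This error is ignored but might cause issues or unexpected behavior later on." clause from both messages. On the new return path `ad_options` is not released, unlike the `ad_options == NULL` branch just above which calls `talloc_free(ad_options)`; whether that is a real leak depends on the talloc parent `ad_options` was created on, which is outside the hunk, but a `talloc_free(ad_options);` before `return ret;` keeps the two error paths consistent. The enclosing ad_subdom_ad_ctx_new() starts before the hunk.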
|
|
|
841ac7 |
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
|
|
|
841ac7 |
index 1d480e52b..d0e89a4f9 100644
|
|
|
841ac7 |
--- a/src/providers/ipa/ipa_subdomains_server.c
|
|
|
841ac7 |
+++ b/src/providers/ipa/ipa_subdomains_server.c
|
|
|
841ac7 |
@@ -172,6 +172,7 @@ static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx,
|
|
|
841ac7 |
const char *forest;
|
|
|
841ac7 |
const char *forest_realm;
|
|
|
841ac7 |
char *subdom_conf_path;
|
|
|
841ac7 |
+ int ret;
|
|
|
841ac7 |
|
|
|
841ac7 |
/* Trusts are only established with forest roots */
|
|
|
841ac7 |
direction = subdom->forest_root->trust_direction;
|
|
|
841ac7 |
@@ -196,12 +197,28 @@ static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx,
|
|
|
841ac7 |
DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n");
|
|
|
841ac7 |
ad_options = NULL;
|
|
|
841ac7 |
}
|
|
|
841ac7 |
- talloc_free(subdom_conf_path);
|
|
|
841ac7 |
|
|
|
841ac7 |
if (ad_options == NULL) {
|
|
|
841ac7 |
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
|
|
|
841ac7 |
+ talloc_free(subdom_conf_path);
|
|
|
841ac7 |
return NULL;
|
|
|
841ac7 |
}
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+ ret = ad_inherit_opts_if_needed(id_ctx->ipa_options->id->basic,
|
|
|
841ac7 |
+ ad_options->id->basic, be_ctx->cdb,
|
|
|
841ac7 |
+ subdom_conf_path, SDAP_SASL_MECH);
|
|
|
841ac7 |
+ talloc_free(subdom_conf_path);
|
|
|
841ac7 |
+ if (ret != EOK) {
|
|
|
841ac7 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
841ac7 |
+ "Failed to inherit option [%s] to sub-domain [%s]. "
|
|
|
841ac7 |
+ "This error is ignored but might cause issues or unexpected "
|
|
|
841ac7 |
+ "behavior later on.\n",
|
|
|
841ac7 |
+ id_ctx->ipa_options->id->basic[SDAP_SASL_MECH].opt_name,
|
|
|
841ac7 |
+ subdom->name);
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+ return NULL;
|
|
|
841ac7 |
+ }
|
|
|
841ac7 |
+
|
|
|
841ac7 |
return ad_options;
|
|
|
841ac7 |
}
|
|
|
841ac7 |
|
--
2.20.1