From 75a8d8e7996c35fd9bef504f2f4d3e308b7553c8 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Wed, 22 Mar 2017 12:53:17 +0100

Subject: [PATCH 61/72] CONFDB: Introduce SSSD domain type to distinguish POSIX

 and application domains

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Related to:

https://pagure.io/SSSD/sssd/issue/3310

Adds a new option that allows to distinguish domains that do contain

POSIX users and groups and those that don't. The POSIX domains are the

default. The non-POSIX domains are selected by selecting an

"application" type domain.

Reviewed-by: Sumit Bose <sbose@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/confdb/confdb.c                  | 18 +++++++++++++++++-

 src/confdb/confdb.h                  | 15 +++++++++++++++

 src/config/SSSDConfig/__init__.py.in |  1 +

 src/config/SSSDConfigTest.py         |  2 ++

 src/config/cfg_rules.ini             |  1 +

 src/config/etc/sssd.api.conf         |  1 +

 src/man/sssd.conf.5.xml              | 33 +++++++++++++++++++++++++++++++++

 src/util/domain_info_utils.c         | 14 ++++++++++++++

 src/util/util.h                      |  1 +

 9 files changed, 85 insertions(+), 1 deletion(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c

index d82fd98ee02928b3c20df014528bd869ec946f92..70a1eb7b2c7e83dfa9d217a15c7d3d4c8580b891 100644

--- a/src/confdb/confdb.c

+++ b/src/confdb/confdb.c

@@ -1367,6 +1367,22 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,

         }

     }

+    domain->type = DOM_TYPE_POSIX;

+    tmp = ldb_msg_find_attr_as_string(res->msgs[0],

+                                      CONFDB_DOMAIN_TYPE,

+                                      CONFDB_DOMAIN_TYPE_POSIX);

+    if (tmp != NULL) {

+        if (strcasecmp(tmp, CONFDB_DOMAIN_TYPE_POSIX) == 0) {

+            domain->type = DOM_TYPE_POSIX;

+        } else if (strcasecmp(tmp, CONFDB_DOMAIN_TYPE_APP) == 0) {

+            domain->type = DOM_TYPE_APPLICATION;

+        } else {

+            DEBUG(SSSDBG_FATAL_FAILURE,

+                  "Invalid value %s for [%s]\n", tmp, CONFDB_DOMAIN_TYPE);

+            goto done;

+        }

+    }

+

     ret = get_entry_as_uint32(res->msgs[0], &domain->subdomain_refresh_interval,

                               CONFDB_DOMAIN_SUBDOMAIN_REFRESH, 14400);

     if (ret != EOK || domain->subdomain_refresh_interval == 0) {

@@ -1444,7 +1460,7 @@ int confdb_get_domains(struct confdb_ctx *cdb,

         if (ret) {

             DEBUG(SSSDBG_FATAL_FAILURE,

                   "Error (%d [%s]) retrieving domain [%s], skipping!\n",

-                      ret, sss_strerror(ret), domlist[i]);

+                  ret, sss_strerror(ret), domlist[i]);

             continue;

         }

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h

index 56a603652d6c8256735e7f8b125300ff7b254645..a4046610f3cdbdb832de8924bf4397fb0018f2db 100644

--- a/src/confdb/confdb.h

+++ b/src/confdb/confdb.h

@@ -209,6 +209,9 @@

 #define CONFDB_DOMAIN_OFFLINE_TIMEOUT "offline_timeout"

 #define CONFDB_DOMAIN_SUBDOMAIN_INHERIT "subdomain_inherit"

 #define CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT "cached_auth_timeout"

+#define CONFDB_DOMAIN_TYPE "domain_type"

+#define CONFDB_DOMAIN_TYPE_POSIX "posix"

+#define CONFDB_DOMAIN_TYPE_APP "application"

 /* Local Provider */

 #define CONFDB_LOCAL_DEFAULT_SHELL   "default_shell"

@@ -261,11 +264,23 @@ enum sss_domain_state {

     DOM_INCONSISTENT,

 };

+/** Whether the domain only supports looking up POSIX entries */

+enum sss_domain_type {

+    /** This is the default domain type. It resolves only entries

+     * with the full POSIX set of attributes

+     */

+    DOM_TYPE_POSIX,

+    /** In this mode, entries are typically resolved only by name */

+    DOM_TYPE_APPLICATION,

+};

+

 /**

  * Data structure storing all of the basic features

  * of a domain.

  */

 struct sss_domain_info {

+    enum sss_domain_type type;

+

     char *name;

     char *conn_name;

     char *provider;

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in

index e7fb7673d393d4f12910f355d3edf33f4390c1f1..806611b6076048c08ce08c772dbd3cea5fdd656c 100644

--- a/src/config/SSSDConfig/__init__.py.in

+++ b/src/config/SSSDConfig/__init__.py.in

@@ -148,6 +148,7 @@ option_strings = {

     'selinux_provider' : _('SELinux provider'),

     # [domain]

+    'domain_type' : _('Whether the domain is usable by the OS or by applications'),

     'min_id' : _('Minimum user ID'),

     'max_id' : _('Maximum user ID'),

     'enumerate' : _('Enable enumerating all users/groups'),

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py

index 6899bf8ae04bf210546c8cbdba8235f094e23dc0..9b3175962c697e314b3d5d94c2bc5beda537b66e 100755

--- a/src/config/SSSDConfigTest.py

+++ b/src/config/SSSDConfigTest.py

@@ -510,6 +510,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):

             'debug',

             'debug_level',

             'debug_timestamps',

+            'domain_type',

             'min_id',

             'max_id',

             'timeout',

@@ -878,6 +879,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):

             'debug',

             'debug_level',

             'debug_timestamps',

+            'domain_type',

             'min_id',

             'max_id',

             'timeout',

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini

index 41efcea552a82c5492a0d21a8d0797ee42cdc8c7..3c857236eaa55b313d176bc4bb479918163b60d5 100644

--- a/src/config/cfg_rules.ini

+++ b/src/config/cfg_rules.ini

@@ -311,6 +311,7 @@ option = subdomains_provider

 option = selinux_provider

 # Options available to all domains

+option = domain_type

 option = min_id

 option = max_id

 option = timeout

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf

index 6965028e1ca748f8b6677d9fc1faa66d5c307a0c..a38b24208f89e4502e41625c540ea9958d5bbffe 100644

--- a/src/config/etc/sssd.api.conf

+++ b/src/config/etc/sssd.api.conf

@@ -129,6 +129,7 @@ selinux_provider = str, None, false

 [domain]

 # Options available to all domains

 description = str, None, false

+domain_type = str, None, false

 debug = int, None, false

 debug_level = int, None, false

 debug_timestamps = bool, None, false

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml

index 4fe13b85d511fb6a2ccc9b4de956710b05bc898c..9abcff84a95ea1b27e36845e830cc125fdc89f90 100644

--- a/src/man/sssd.conf.5.xml

+++ b/src/man/sssd.conf.5.xml

@@ -1512,6 +1512,39 @@ pam_account_locked_message = Account locked, please contact help desk.

             <quote>[domain/<replaceable>NAME</replaceable>]</quote>

             <variablelist>

                 <varlistentry>

+                    <term>domain_type (string)</term>

+                    <listitem>

+                        <para>

+                            Specifies whether the domain is meant to be used

+                            by POSIX-aware clients such as the Name Service Switch

+                            or by applications that do not need POSIX data to be

+                            present or generated. Only objects from POSIX domains

+                            are available to the operating system interfaces and

+                            utilities.

+                        </para>

+                        <para>

+                            Allowed values for this option are <quote>posix</quote>

+                            and <quote>application</quote>.

+                        </para>

+                        <para>

+                            POSIX domains are reachable by all services. Application

+                            domains are only reachable from the InfoPipe responder (see

+                            <citerefentry>

+                                <refentrytitle>sssd-ifp</refentrytitle>

+                                <manvolnum>5</manvolnum>

+                            </citerefentry>) and the PAM responder.

+                        </para>

+                        <para>

+                            NOTE: The application domains are currently well tested with

+                            <quote>id_provider=ldap</quote> only.

+                        </para>

+                        <para>

+                            Default: posix

+                        </para>

+                    </listitem>

+                </varlistentry>

+

+                <varlistentry>

                     <term>min_id,max_id (integer)</term>

                     <listitem>

                         <para>

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c

index a7f118842aa8ba870143b2f2b425a3e3c0ea5a78..2af7852f03f89b61f5b9fd8a244e98fb27b7e6a2 100644

--- a/src/util/domain_info_utils.c

+++ b/src/util/domain_info_utils.c

@@ -885,3 +885,17 @@ char *subdomain_create_conf_path(TALLOC_CTX *mem_ctx,

                            subdomain->parent->name,

                            subdomain->name);

 }

+

+const char *sss_domain_type_str(struct sss_domain_info *dom)

+{

+    if (dom == NULL) {

+        return "BUG: Invalid domain";

+    }

+    switch (dom->type) {

+    case DOM_TYPE_POSIX:

+        return "POSIX";

+    case DOM_TYPE_APPLICATION:

+        return "Application";

+    }

+    return "Unknown";

+}

diff --git a/src/util/util.h b/src/util/util.h

index 2170c5fb7cffda3910d2b58e33ec7abe3ec4a7d4..436550f5078cc173b8ed8cb58836d366f813146b 100644

--- a/src/util/util.h

+++ b/src/util/util.h

@@ -539,6 +539,7 @@ enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom);

 void sss_domain_set_state(struct sss_domain_info *dom,

                           enum sss_domain_state state);

 bool is_email_from_domain(const char *email, struct sss_domain_info *dom);

+const char *sss_domain_type_str(struct sss_domain_info *dom);

 struct sss_domain_info*

 sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,

-- 

2.9.3