ad_common.c revision 14452cd066b51e32ca0ebad6c45ae909a1debe57
/*
SSSD
Authors:
Stephen Gallagher <sgallagh@redhat.com>
Copyright (C) 2012 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <ctype.h>
#include "providers/ad/ad_common.h"
#include "providers/dp_dyndns.h"
/* Per-server data carried by the `sdata` pointer used later in this file.
 * NOTE(review): `gc` presumably marks a Global Catalog entry (a later
 * comment in this file refers to servers that do not support GC) -- confirm.
 */
struct ad_server_data {
    bool gc;
};
/* NOTE(review): this listing is incomplete. The return type, function name
 * and first parameter are not shown, and most of the calls whose results
 * are tested below are missing. A later comment in this file says the
 * Kerberos realm "is set in ad_get_common_options()", so this is presumably
 * that function -- confirm against the full source.
 *
 * Visible behavior: applies defaults for the AD domain, server, host name
 * and Kerberos realm, marks the domain case-insensitive, and leaves through
 * the common `done` label, returning `ret`. The options are presumably
 * handed back through `_opts` (assignment not shown).
 */
struct confdb_ctx *cdb,
const char *conf_path,
struct sss_domain_info *dom,
struct ad_options **_opts)
{
int gret;
char *domain;
char *server;
char *realm;
char *ad_hostname;
goto done;
}
/* If the AD domain name wasn't explicitly set, assume that it
* matches the SSSD domain name
*/
if (!domain) {
goto done;
}
}
/* Did we get an explicit server name, or are we discovering it? */
/* A missing server is not an error: the visible branch only logs that
 * service discovery will be used and does not jump to done. */
if (!server) {
("No AD server set, will use service discovery!\n"));
}
/* Set the machine's hostname to the local host name if it
* wasn't explicitly specified.
*/
if (ad_hostname == NULL) {
/* NOTE(review): the gethostname() call and the declaration of `hostname`
 * are not visible here. gethostname() does not guarantee NUL termination
 * when the name is truncated, so confirm in the full source that the
 * buffer is terminated explicitly before it is logged and stored below. */
if (gret != 0) {
("gethostname failed [%s].\n",
goto done;
}
("Setting ad_hostname to [%s].\n", hostname));
("Setting ad_hostname failed [%s].\n",
goto done;
}
}
/* Always use the upper-case AD domain for the kerberos realm */
/* Kerberos realm names are case-sensitive, so the realm is derived here
 * rather than taken verbatim from the configured domain. The upper-casing
 * call itself is not visible in this listing. */
if (!realm) {
goto done;
}
goto done;
}
/* Active Directory is always case-insensitive */
dom->case_sensitive = false;
/* Set this in the confdb so that the responders pick it
* up when they start up.
*/
/* A failure to store the setting is logged and jumps to done, so the
 * visible code does not carry on with a value the responders cannot see. */
("Could not set domain case-sensitive: [%s]\n",
goto done;
}
("Setting domain case-insensitive\n"));
done:
}
return ret;
}
/* NOTE(review): the declarator that followed the first `static void` is
 * missing from this listing, as are the name and leading parameter(s) of
 * the `static errno_t` function below and most of its calls.
 *
 * Visible behavior: the `servers` string is split into `list`, and each
 * entry is added to the failover service. `primary` decides whether SRV
 * (service discovery) identifiers are accepted. All error paths leave
 * through `done` and return `ret`.
 */
static void
static errno_t
struct ad_service *service,
const char *servers,
struct ad_options *options,
bool primary)
{
size_t i;
char **list;
char *ad_domain;
struct ad_server_data *sdata;
/* Split the server list */
goto done;
}
/* Add each of these servers to the failover service */
for (i = 0; list[i]; i++) {
if (be_fo_is_srv_identifier(list[i])) {
/* SRV identifiers are honoured for the primary list only. In a backup
 * list the entry is logged and skipped (continue), not treated as a
 * fatal error. */
if (!primary) {
("Failed to add server [%s] to failover service: "
"SRV resolution only allowed for primary servers!\n",
list[i]));
continue;
}
goto done;
}
/* NOTE(review): two registrations with identical visible tails
 * (`false, sdata`) follow; the callee and the service names passed to it
 * are not shown. */
false, sdata);
("Failed to add service discovery to failover: [%s]",
goto done;
}
goto done;
}
false, sdata);
("Failed to add service discovery to failover: [%s]",
goto done;
}
continue;
}
/* It could be ipv6 address in square brackets. Remove
* the brackets if needed. */
/* NOTE(review): the bracket-stripping call is not visible. Confirm in the
 * full source that malformed entries (for example an unmatched bracket)
 * are rejected rather than passed on to the failover layer. */
goto done;
}
goto done;
}
goto done;
}
goto done;
}
goto done;
}
}
done:
return ret;
}
/* NOTE(review): two `static inline errno_t` helpers whose names, leading
 * parameters and bodies are missing from this listing. Only the trailing
 * `struct ad_options *options` parameter of each is visible, so nothing
 * can be said here about what they do. */
static inline errno_t
struct ad_options *options)
{
}
static inline errno_t
struct ad_options *options)
{
}
/* NOTE(review): signature and conditions are missing from this listing.
 * Two integer results are visible: 0 from inside a nested block and 1 as
 * the final return. What the two values mean is not shown. */
{
}
return 0;
}
return 1;
}
/* Callback taking an opaque pointer `pvt`.
 * NOTE(review): most of the body is missing from this listing. The visible
 * `return;` sits inside a nested block (two closing braces follow it), so
 * it is apparently an early exit whose condition is not shown. */
static void ad_online_cb(void *pvt)
{
return;
}
}
/* NOTE(review): return type, function name and leading parameters are not
 * visible, and most calls between the checks are missing.
 *
 * Visible behavior: builds an `ad_service` from a primary and an optional
 * backup server list. NULL checks on `service`, `service->krb5_service`
 * and `realm` each jump to `done`; the allocations they guard are not
 * shown. The result is presumably returned through `_service`
 * (assignment not shown).
 */
const char *primary_servers,
const char *backup_servers,
struct ad_options *options,
struct ad_service **_service)
{
struct ad_service *service;
char *realm;
if (!service) {
goto done;
}
goto done;
}
goto done;
}
if (!service->krb5_service) {
goto done;
}
goto done;
}
goto done;
}
if (!realm) {
goto done;
}
goto done;
}
/* An absent primary list is logged, not rejected: the visible branch only
 * announces that service discovery will be used. */
if (!primary_servers) {
("No primary servers defined, using service discovery\n"));
}
goto done;
}
/* Backup servers are optional and handled only when a list was given. */
if (backup_servers) {
goto done;
}
}
return ret;
}
goto done;
}
done:
return ret;
}
/* NOTE(review): function name and parameters are not visible, and most of
 * the calls are missing from this listing.
 *
 * Visible behavior: for a resolved server, the function obtains its host
 * entry (`srvaddr`), builds a replacement URI (`new_uri`) and socket
 * address, and then writes Kerberos info files for the address. It returns
 * nothing; failures end at `done`.
 */
static void
{
struct ad_service *service;
struct resolv_hostent *srvaddr;
struct sockaddr_storage *sockaddr;
char *address;
const char *safe_address;
char *new_uri;
const char *srv_name;
if (!tmp_ctx) {
return;
}
return;
}
if (!service) {
goto done;
}
if (!srvaddr) {
("No hostent available for server (%s)\n",
goto done;
}
goto done;
}
goto done;
}
if (!new_uri) {
goto done;
}
goto done;
}
/* free old one and replace with new one */
} else {
/* Make sure there always is an URI even if we know that this
* server doesn't support GC. That way the lookup would go through
* just not return anything
*/
sizeof(struct sockaddr_storage));
}
goto done;
}
("resolv_get_sockaddr_address failed.\n"));
goto done;
}
/* Write krb5 info files */
/* NOTE(review): the call that produces `safe_address` is not visible; only
 * its last argument, `address`, is. The name suggests the address is
 * escaped before it is written to the info file -- confirm in the full
 * source. */
address);
if (safe_address == NULL) {
goto done;
}
/* No goto follows this message in the visible lines, so a failed write
 * appears to be logged and tolerated rather than treated as fatal. */
("write_krb5info_file failed, authentication might fail.\n"));
}
}
done:
}
return;
}
/* NOTE(review): return type, function name and leading parameters are not
 * visible, and most calls are missing from this listing.
 *
 * Visible behavior: builds a `struct sdap_options` (`id_opts`) for the AD
 * identity provider. It forces the Kerberos password policy, sets the
 * realm for GSSAPI, logs the keytab path when one is set, fixes the schema
 * to AD and loads the attribute maps. Errors leave through `done` and
 * return `ret`; the result is presumably returned through `_opts`
 * (assignment not shown).
 */
struct confdb_ctx *cdb,
const char *conf_path,
struct sdap_options **_opts)
{
struct sdap_options *id_opts;
char *krb5_realm;
char *keytab_path;
if (!id_opts) {
goto done;
}
NULL);
goto done;
}
goto done;
}
/* Set up search bases if they were assigned explicitly */
/* We only support Kerberos password policy with AD, so
* force that on.
*/
goto done;
}
/* Set the Kerberos Realm for GSSAPI */
if (!krb5_realm) {
/* Should be impossible, this is set in ad_get_common_options() */
goto done;
}
("Option %s set to %s\n",
krb5_realm));
/* The keytab path is optional here: it is logged only when set. */
if (keytab_path) {
("Option %s set to %s\n",
keytab_path));
}
goto done;
}
/* fix schema to AD */
/* Get sdap option maps */
/* General Attribute Map */
goto done;
}
/* User map */
goto done;
}
/* Group map */
goto done;
}
/* Netgroup map */
&id_opts->netgroup_map);
goto done;
}
/* Services map */
&id_opts->service_map);
goto done;
}
done:
return ret;
}
/* NOTE(review): the signature is missing from this listing, as are most of
 * the array initializer and the calls inside the loop.
 *
 * Visible behavior: when a default search base is configured, every option
 * listed in `search_base_options` that is not already set gets a value and
 * is logged. Otherwise a message says the base will be discovered when
 * connecting to the LDAP server. Returns `ret` via `done`.
 */
{
char *default_search_base;
size_t o;
/* -1 is the sentinel that terminates the list; the loop below stops on it. */
const int search_base_options[] = { SDAP_USER_SEARCH_BASE,
-1 };
/* AD servers provide defaultNamingContext, so we will
* rely on that to specify the search base unless it has
* been specifically overridden.
*/
if (default_search_base) {
/* set search bases if they are not */
for (o = 0; search_base_options[o] != -1; o++) {
search_base_options[o])) {
goto done;
}
("Option %s set to %s\n",
search_base_options[o])));
}
}
} else {
("Search base not set. SSSD will attempt to discover it later, "
"when connecting to the LDAP server.\n"));
}
/* Default search */
/* User search */
/* Group search base */
/* Netgroup search */
/* Service search */
done:
return ret;
}
/* NOTE(review): return type, function name and the other parameters are
 * not visible, and the calls that set the options are missing.
 *
 * Visible behavior: reads the Kerberos options, then overrides the
 * Kerberos server list and realm with the values held in the AD options,
 * logging each override. Per the existing comments, this keeps the KDC
 * list and realm aligned with the AD servers and AD realm. Returns `ret`
 * via `done`.
 */
struct ad_options *ad_opts,
{
struct dp_option *krb5_options;
const char *ad_servers;
const char *krb5_realm;
/* Get krb5 options */
&krb5_options);
("Could not read Kerberos options from the configuration\n"));
goto done;
}
/* Force the krb5_servers to match the ad_servers */
("Option %s set to %s\n",
ad_servers));
/* Set krb5 realm */
/* Set the Kerberos Realm for GSSAPI */
if (!krb5_realm) {
/* Should be impossible, this is set in ad_get_common_options() */
goto done;
}
/* Force the kerberos realm to match the AD_KRB5_REALM (which may have
* been upper-cased in ad_common_options()
*/
("Option %s set to %s\n",
krb5_realm));
/* Set flag that controls whether we want to write the
* kdcinfo files at all
*/
done:
return ret;
}
/* NOTE(review): return type, function name and leading parameter(s) are
 * not visible; the initialization call is shown only by its last argument.
 *
 * Visible behavior: initializes the dynamic-DNS options into
 * `ad_opts->dyndns_ctx`. On failure the error code and message are logged
 * and `ret` is returned; otherwise EOK.
 */
struct ad_options *ad_opts)
{
&ad_opts->dyndns_ctx);
("Cannot initialize AD dyndns opts [%d]: %s\n",
return ret;
}
return EOK;
}