ad_common.c revision 4e2d9fe30bf8b692972a9654c60d2d90ed355815
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Copyright (C) 2012 Red Hat
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is free software; you can redistribute it and/or modify
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher it under the terms of the GNU General Public License as published by
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher the Free Software Foundation; either version 3 of the License, or
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher (at your option) any later version.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is distributed in the hope that it will be useful,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher GNU General Public License for more details.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher You should have received a copy of the GNU General Public License
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher opts = talloc_zero(mem_ctx, struct ad_options);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_get_options(opts, cdb, conf_path,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* If the AD domain name wasn't explicitly set, assume that it
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * matches the SSSD domain name
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher domain = dp_opt_get_string(opts->basic, AD_DOMAIN);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(opts->basic, AD_DOMAIN, dom->name);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Did we get an explicit server name, or are we discovering it? */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher server = dp_opt_get_string(opts->basic, AD_SERVER);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("No AD server set, will use service discovery!\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Set the machine's hostname to the local host name if it
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * wasn't explicitly specified.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ad_hostname = dp_opt_get_string(opts->basic, AD_HOSTNAME);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher gret = gethostname(hostname, HOST_NAME_MAX);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("gethostname failed [%s].\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Setting ad_hostname to [%s].\n", hostname));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Setting ad_hostname failed [%s].\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Always use the upper-case AD domain for the kerberos realm */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher for (i = 0; realm[i]; i++) {
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(opts->basic, AD_KRB5_REALM, realm);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_resolve_callback(void *private_data, struct fo_server *server);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service = talloc_zero(tmp_ctx, struct ad_service);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->sdap = talloc_zero(service, struct sdap_service);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->krb5_service = talloc_zero(service, struct krb5_service);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = be_fo_add_service(bectx, AD_SERVICE_NAME);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to create failover service!\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->sdap->name = talloc_strdup(service, AD_SERVICE_NAME);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->krb5_service->name = talloc_strdup(service, AD_SERVICE_NAME);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->sdap->kinit_service_name = service->krb5_service->name;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher realm = dp_opt_get_string(options->basic, AD_KRB5_REALM);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("No Kerberos realm set\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher talloc_strdup(service->krb5_service, realm);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Split the server list */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = split_on_separator(tmp_ctx, servers, ',', true, &list, NULL);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to parse server list!\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ad_domain = dp_opt_get_string(options->basic, AD_DOMAIN);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Add each of these servers to the failover service */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher for (i = 0; list[i]; i++) {
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = be_fo_add_srv_server(bectx, AD_SERVICE_NAME, "ldap",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Failed to add service discovery to failover: [%s]",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CONF_SETTINGS, ("Added service discovery for AD\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = be_fo_add_server(bectx, AD_SERVICE_NAME, list[i], 0, NULL);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to add server\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CONF_SETTINGS, ("Added failover server %s\n", list[i]));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = be_fo_service_add_callback(mem_ctx, bectx, AD_SERVICE_NAME,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Failed to add failover callback! [%s]\n", strerror(ret)));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher *_service = talloc_steal(mem_ctx, service);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_resolve_callback(void *private_data, struct fo_server *server)
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("Out of memory\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service = talloc_get_type(private_data, struct ad_service);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("No hostent available for server (%s)\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("resolv_get_sockaddr_address failed.\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher address = resolv_get_string_address(tmp_ctx, srvaddr);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("resolv_get_string_address failed.\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("Could not get server host name\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher new_uri = talloc_asprintf(service, "ldap://%s", srv_name);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to copy URI\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CONF_SETTINGS, ("Constructed uri '%s'\n", new_uri));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* free old one and replace with new one */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher service->sdap->sockaddr = talloc_steal(service, sockaddr);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher safe_address = sss_escape_ip_address(tmp_ctx,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = write_krb5info_file(service->krb5_service->realm, safe_address,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("write_krb5info_file failed, authentication might fail.\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_set_search_bases(struct sdap_options *id_opts);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_get_id_options(struct ad_options *ad_opts,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher id_opts = talloc_zero(tmp_ctx, struct sdap_options);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_get_options(id_opts, cdb, conf_path,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Set up search bases if they were assigned explicitly */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* We only support Kerberos password policy with AD, so
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * force that on.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_FATAL_FAILURE, ("Could not set password policy\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Set the Kerberos Realm for GSSAPI */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Should be impossible, this is set in ad_get_common_options() */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Option %s set to %s\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Configuration of SASL auth ID and realm */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher desired_primary = dp_opt_get_string(id_opts->basic, SDAP_SASL_AUTHID);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher desired_primary = dp_opt_get_string(ad_opts->basic, AD_HOSTNAME);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher desired_realm = dp_opt_get_string(id_opts->basic, SDAP_SASL_REALM);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher desired_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
4e2d9fe30bf8b692972a9654c60d2d90ed355815Stephen Gallagher keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
4e2d9fe30bf8b692972a9654c60d2d90ed355815Stephen Gallagher ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_KEYTAB,
4e2d9fe30bf8b692972a9654c60d2d90ed355815Stephen Gallagher ("Option %s set to %s\n",
4e2d9fe30bf8b692972a9654c60d2d90ed355815Stephen Gallagher id_opts->basic[SDAP_KRB5_KEYTAB].opt_name,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = select_principal_from_keytab(tmp_ctx,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if ((primary_requested && strcmp(desired_primary, sasl_primary) != 0) ||
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher (realm_requested && strcmp(desired_realm, sasl_realm) != 0)) {
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Configured SASL auth ID/realm not found in keytab.\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(id_opts->basic, SDAP_SASL_AUTHID, sasl_primary);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Option %s set to %s\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher id_opts->basic[SDAP_SASL_AUTHID].opt_name,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = dp_opt_set_string(id_opts->basic, SDAP_SASL_REALM, sasl_realm);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Option %s set to %s\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* fix schema to AD */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Get sdap option maps */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* General Attribute Map */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* User map */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Group map */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Netgroup map */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Services map */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ad_opts->id = talloc_steal(ad_opts, id_opts);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagherad_set_search_bases(struct sdap_options *id_opts)
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher const int search_base_options[] = { SDAP_USER_SEARCH_BASE,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* AD servers provide defaultNamingContext, so we will
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * rely on that to specify the search base unless it has
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher * been specifically overridden.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher dp_opt_get_string(id_opts->basic, SDAP_SEARCH_BASE);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* set search bases if they are not */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher for (o = 0; search_base_options[o] != -1; o++) {
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (NULL == dp_opt_get_string(id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Option %s set to %s\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher id_opts->basic[search_base_options[o]].opt_name,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Search base not set. SSSd will attempt to discover it later, "
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher "when connecting to the LDAP server.\n"));
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Default search */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* User search */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Group search base */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Netgroup search */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Service search */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = sdap_parse_search_base(id_opts, id_opts->basic,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Get krb5 options */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path,
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ("Could not read Kerberos options from the configuration\n"));
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ad_servers = dp_opt_get_string(ad_opts->basic, AD_SERVER);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Force the krb5_servers to match the ad_servers */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ("Option %s set to %s\n",
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Set krb5 realm */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Set the Kerberos Realm for GSSAPI */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Should be impossible, this is set in ad_get_common_options() */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher * been upper-cased in ad_common_options()
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ("Option %s set to %s\n",