ad_common.c revision 892ddeb5190dd5c1ffa26a95142a10a0034fc5e3
89a126810703c666309310d0f3189e9834d70b5bTimo Sirainen/*
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen SSSD
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen Authors:
16f816d3f3c32ae3351834253f52ddd0212bcbf3Timo Sirainen Stephen Gallagher <sgallagh@redhat.com>
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen Copyright (C) 2012 Red Hat
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen This program is free software; you can redistribute it and/or modify
dce5a2719df4fc64a8762d2aa94ba98dcf9cd6feTimo Sirainen it under the terms of the GNU General Public License as published by
e54512a5189192fe72d1e2c53927c98c5ac920b4Timo Sirainen the Free Software Foundation; either version 3 of the License, or
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen (at your option) any later version.
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen
645f258ea29afaf09b673fc65d1bd788dfec8db8Timo Sirainen This program is distributed in the hope that it will be useful,
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen but WITHOUT ANY WARRANTY; without even the implied warranty of
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen GNU General Public License for more details.
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen You should have received a copy of the GNU General Public License
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen along with this program. If not, see <http://www.gnu.org/licenses/>.
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen*/
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen#include <ctype.h>
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen
9d3ccd79130199ffdb19a688027d49bf20a4aaaaTimo Sirainen#include "providers/ad/ad_common.h"
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen#include "providers/ad/ad_opts.h"
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen#include "providers/be_dyndns.h"
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen
/* Per-server data attached to resolved AD servers. The single flag
 * presumably marks a Global Catalog entry as opposed to a plain DC
 * (the constructor is outside this chunk) — confirm against the
 * resolver callbacks before relying on that. */
struct ad_server_data {
    bool gc;
};

/* Forward declarations: both are defined further down in this file
 * but are needed by the option constructors that follow. */
errno_t ad_set_search_bases(struct sdap_options *id_opts);
static errno_t ad_set_sdap_options(struct ad_options *ad_opts,
                                   struct sdap_options *id_opts);
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
/*
 * Allocate an sdap_options for the AD provider filled with compiled-in
 * defaults only: the basic LDAP options from ad_def_ldap_opts plus the
 * 2008R2 general/user/group attribute maps and the netgroup and service
 * maps. Nothing is read from the confdb here; see ad_create_sdap_options
 * for the configured variant.
 *
 * @param mem_ctx  talloc parent of the returned structure.
 * @return the new options, or NULL on allocation/copy failure, in which
 *         case everything allocated so far has been released again.
 */
static struct sdap_options *
ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
{
    struct sdap_options *opts;
    errno_t rc;

    opts = talloc_zero(mem_ctx, struct sdap_options);
    if (opts == NULL) {
        return NULL;
    }

    rc = dp_copy_defaults(opts, ad_def_ldap_opts, SDAP_OPTS_BASIC,
                          &opts->basic);
    if (rc != EOK) {
        goto fail;
    }

    /* Attribute maps, copied verbatim from the static 2008R2 tables. */
    rc = sdap_copy_map(opts, ad_2008r2_attr_map, SDAP_AT_GENERAL,
                       &opts->gen_map);
    if (rc != EOK) {
        goto fail;
    }

    rc = sdap_copy_map(opts, ad_2008r2_user_map, SDAP_OPTS_USER,
                       &opts->user_map);
    if (rc != EOK) {
        goto fail;
    }
    /* The user map is the only one whose length can grow later
     * (ad_create_sdap_options extends it with user_extra_attrs), so its
     * entry count is tracked explicitly rather than implied by the
     * SDAP_OPTS_USER constant. */
    opts->user_map_cnt = SDAP_OPTS_USER;

    rc = sdap_copy_map(opts, ad_2008r2_group_map, SDAP_OPTS_GROUP,
                       &opts->group_map);
    if (rc != EOK) {
        goto fail;
    }

    rc = sdap_copy_map(opts, ad_netgroup_map, SDAP_OPTS_NETGROUP,
                       &opts->netgroup_map);
    if (rc != EOK) {
        goto fail;
    }

    rc = sdap_copy_map(opts, ad_service_map, SDAP_OPTS_SERVICES,
                       &opts->service_map);
    if (rc != EOK) {
        goto fail;
    }

    return opts;

fail:
    /* All maps are talloc children of opts, so one free undoes it all. */
    talloc_free(opts);
    return NULL;
}
cf52b37d807553e91a2d6fb7cb2c8b4c34589e1dTimo Sirainen
/*
 * Allocate an ad_options populated with the compiled-in defaults
 * (ad_basic_opts) and a default LDAP sub-options block (see
 * ad_create_default_sdap_options). The confdb is not consulted.
 *
 * @param mem_ctx  talloc parent of the returned structure.
 * @return the new options, or NULL on failure with nothing left
 *         allocated.
 */
struct ad_options *
ad_create_default_options(TALLOC_CTX *mem_ctx)
{
    struct ad_options *opts;

    opts = talloc_zero(mem_ctx, struct ad_options);
    if (opts == NULL) {
        return NULL;
    }

    if (dp_copy_defaults(opts, ad_basic_opts, AD_OPTS_BASIC,
                         &opts->basic) != EOK) {
        goto fail;
    }

    /* The LDAP options hang off the AD options in the talloc tree, so
     * freeing opts releases both. */
    opts->id = ad_create_default_sdap_options(opts);
    if (opts->id == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD LDAP options\n");
        goto fail;
    }

    return opts;

fail:
    talloc_free(opts);
    return NULL;
}
cf52b37d807553e91a2d6fb7cb2c8b4c34589e1dTimo Sirainen
/*
 * Store the identity settings shared by both trust flavours into the
 * basic AD options: Kerberos realm, AD domain, our host name and,
 * when one was given, the keytab to authenticate with.
 *
 * @param ad_options  options whose ->basic array is written.
 * @param realm       Kerberos realm (stored as AD_KRB5_REALM).
 * @param ad_domain   AD domain name (stored as AD_DOMAIN).
 * @param hostname    host name (stored as AD_HOSTNAME).
 * @param keytab      keytab path, or NULL to keep the current value.
 * @return EOK, or the dp_opt_set_string() error of the first failing
 *         assignment; earlier assignments are left in place.
 */
static errno_t
set_common_ad_trust_opts(struct ad_options *ad_options,
                         const char *realm,
                         const char *ad_domain,
                         const char *hostname,
                         const char *keytab)
{
    errno_t rc;

    rc = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM, realm);
    if (rc != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD krb5 realm\n");
        return rc;
    }

    rc = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain);
    if (rc != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n");
        return rc;
    }

    rc = dp_opt_set_string(ad_options->basic, AD_HOSTNAME, hostname);
    if (rc != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD hostname\n");
        return rc;
    }

    /* The keytab is optional: with none supplied the existing
     * AD_KEYTAB value is left untouched. */
    if (keytab == NULL) {
        return EOK;
    }

    rc = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
    if (rc != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot set keytab\n");
    }
    return rc;
}
45b2a27617d8475f71fdfc870690e46cd63849f2Timo Sirainen
/*
 * Build AD options for a two-way trusted domain: defaults, then the
 * caller-supplied realm/domain/host/keytab, then the derived LDAP
 * settings (ad_set_sdap_options).
 *
 * @param mem_ctx    talloc parent of the returned structure.
 * @param realm      Kerberos realm of the trusted domain.
 * @param ad_domain  AD domain name.
 * @param hostname   local host name to present.
 * @param keytab     keytab path, or NULL to keep the default.
 * @return the new options, or NULL on failure with nothing left
 *         allocated.
 */
struct ad_options *
ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
                             const char *realm,
                             const char *ad_domain,
                             const char *hostname,
                             const char *keytab)
{
    struct ad_options *opts = ad_create_default_options(mem_ctx);

    if (opts == NULL) {
        return NULL;
    }

    /* Short-circuit keeps the original order: the sdap options are only
     * derived once the common trust settings are in place. */
    if (set_common_ad_trust_opts(opts, realm, ad_domain, hostname,
                                 keytab) != EOK
            || ad_set_sdap_options(opts, opts->id) != EOK) {
        talloc_free(opts);
        return NULL;
    }

    return opts;
}
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
/*
 * Build AD options for a one-way trusted domain. Unlike the two-way
 * variant no realm is passed in: it is derived from the AD domain name
 * via get_uppercase_realm(). The LDAP SASL identity is set to the
 * trust principal supplied by the caller.
 *
 * @param mem_ctx      talloc parent of the returned structure.
 * @param ad_domain    AD domain name; also the source of the realm.
 * @param hostname     local host name to present.
 * @param keytab       keytab path, or NULL to keep the default.
 * @param sasl_authid  principal stored as SDAP_SASL_AUTHID.
 * @return the new options, or NULL on failure with nothing left
 *         allocated.
 */
struct ad_options *
ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
                             const char *ad_domain,
                             const char *hostname,
                             const char *keytab,
                             const char *sasl_authid)
{
    struct ad_options *opts;
    const char *realm;

    opts = ad_create_default_options(mem_ctx);
    if (opts == NULL) {
        return NULL;
    }

    /* opts is handed to get_uppercase_realm() as its context, so the
     * realm string presumably lives and dies with the options. */
    realm = get_uppercase_realm(opts, ad_domain);
    if (realm == NULL) {
        goto fail;
    }

    if (set_common_ad_trust_opts(opts, realm, ad_domain, hostname,
                                 keytab) != EOK) {
        goto fail;
    }

    /* Bind as the trust principal. */
    if (dp_opt_set_string(opts->id->basic, SDAP_SASL_AUTHID,
                          sasl_authid) != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n");
        goto fail;
    }

    if (ad_set_sdap_options(opts, opts->id) != EOK) {
        goto fail;
    }

    return opts;

fail:
    talloc_free(opts);
    return NULL;
}
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen
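/*
 * Build the AD provider's sdap_options from the confdb section at
 * conf_path: basic LDAP options (defaults from ad_def_ldap_opts) and the
 * general/user/group/netgroup/service attribute maps, with the user map
 * extended by the configured user_extra_attrs.
 *
 * Fix: previously a failure part-way through left the half-built
 * id_opts attached to mem_ctx; it is now released on every error path,
 * matching ad_create_default_sdap_options().
 *
 * @param mem_ctx    talloc parent of *_id_opts on success.
 * @param cdb        confdb handle to read from.
 * @param conf_path  confdb section for this domain.
 * @param _id_opts   receives the new options; untouched on failure.
 * @return EOK, ENOMEM, or the error of the failing dp/sdap call.
 */
static errno_t
ad_create_sdap_options(TALLOC_CTX *mem_ctx,
                       struct confdb_ctx *cdb,
                       const char *conf_path,
                       struct sdap_options **_id_opts)
{
    struct sdap_options *id_opts = NULL;
    errno_t ret;

    id_opts = talloc_zero(mem_ctx, struct sdap_options);
    if (id_opts == NULL) {
        ret = ENOMEM;
        goto done;
    }

    ret = dp_get_options(id_opts, cdb, conf_path,
                         ad_def_ldap_opts,
                         SDAP_OPTS_BASIC,
                         &id_opts->basic);
    if (ret != EOK) {
        goto done;
    }

    /* Get sdap option maps */

    /* General Attribute Map */
    ret = sdap_get_map(id_opts,
                       cdb, conf_path,
                       ad_2008r2_attr_map,
                       SDAP_AT_GENERAL,
                       &id_opts->gen_map);
    if (ret != EOK) {
        goto done;
    }

    /* User map */
    ret = sdap_get_map(id_opts,
                       cdb, conf_path,
                       ad_2008r2_user_map,
                       SDAP_OPTS_USER,
                       &id_opts->user_map);
    if (ret != EOK) {
        goto done;
    }

    /* Append the admin-configured extra attributes; this is why the
     * user map carries an explicit count (user_map_cnt) while the other
     * maps keep their fixed SDAP_OPTS_* size. */
    ret = sdap_extend_map_with_list(id_opts, id_opts,
                                    SDAP_USER_EXTRA_ATTRS,
                                    id_opts->user_map,
                                    SDAP_OPTS_USER,
                                    &id_opts->user_map,
                                    &id_opts->user_map_cnt);
    if (ret != EOK) {
        goto done;
    }

    /* Group map */
    ret = sdap_get_map(id_opts,
                       cdb, conf_path,
                       ad_2008r2_group_map,
                       SDAP_OPTS_GROUP,
                       &id_opts->group_map);
    if (ret != EOK) {
        goto done;
    }

    /* Netgroup map */
    ret = sdap_get_map(id_opts,
                       cdb, conf_path,
                       ad_netgroup_map,
                       SDAP_OPTS_NETGROUP,
                       &id_opts->netgroup_map);
    if (ret != EOK) {
        goto done;
    }

    /* Services map */
    ret = sdap_get_map(id_opts,
                       cdb, conf_path,
                       ad_service_map,
                       SDAP_OPTS_SERVICES,
                       &id_opts->service_map);
    if (ret != EOK) {
        goto done;
    }

    ret = EOK;
    *_id_opts = id_opts;
    id_opts = NULL;   /* ownership transferred to the caller */

done:
    /* NULL on success (handed over) or when talloc_zero failed;
     * otherwise frees the partially populated tree. */
    talloc_free(id_opts);
    return ret;
}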
d96f86fb881c5b106649e8994ead1052acf24030Timo Sirainen
d96f86fb881c5b106649e8994ead1052acf24030Timo Sirainenerrno_t
d96f86fb881c5b106649e8994ead1052acf24030Timo Sirainenad_get_common_options(TALLOC_CTX *mem_ctx,
d96f86fb881c5b106649e8994ead1052acf24030Timo Sirainen struct confdb_ctx *cdb,
7a54d58280aad8a64f266c61273ea1e8dff511a3Timo Sirainen const char *conf_path,
7a54d58280aad8a64f266c61273ea1e8dff511a3Timo Sirainen struct sss_domain_info *dom,
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen struct ad_options **_opts)
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen{
e54512a5189192fe72d1e2c53927c98c5ac920b4Timo Sirainen errno_t ret;
e54512a5189192fe72d1e2c53927c98c5ac920b4Timo Sirainen int gret;
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen struct ad_options *opts = NULL;
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen char *domain;
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen char *server;
4d0d535efdfc4aad3bd48b74adfafecf58094e0aTimo Sirainen char *realm;
4d0d535efdfc4aad3bd48b74adfafecf58094e0aTimo Sirainen char *ad_hostname;
4d0d535efdfc4aad3bd48b74adfafecf58094e0aTimo Sirainen char hostname[HOST_NAME_MAX + 1];
4d0d535efdfc4aad3bd48b74adfafecf58094e0aTimo Sirainen char *case_sensitive_opt;
4d0d535efdfc4aad3bd48b74adfafecf58094e0aTimo Sirainen const char *opt_override;
4d0d535efdfc4aad3bd48b74adfafecf58094e0aTimo Sirainen
fe363b433b8038a69b55169da9dca27892ad7d18Timo Sirainen opts = talloc_zero(mem_ctx, struct ad_options);
fe363b433b8038a69b55169da9dca27892ad7d18Timo Sirainen if (!opts) return ENOMEM;
fe363b433b8038a69b55169da9dca27892ad7d18Timo Sirainen
e54512a5189192fe72d1e2c53927c98c5ac920b4Timo Sirainen ret = dp_get_options(opts, cdb, conf_path,
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen ad_basic_opts,
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen AD_OPTS_BASIC,
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen &opts->basic);
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen if (ret != EOK) {
e54512a5189192fe72d1e2c53927c98c5ac920b4Timo Sirainen goto done;
e54512a5189192fe72d1e2c53927c98c5ac920b4Timo Sirainen }
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen /* If the AD domain name wasn't explicitly set, assume that it
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen * matches the SSSD domain name
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen */
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen domain = dp_opt_get_string(opts->basic, AD_DOMAIN);
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen if (!domain) {
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen ret = dp_opt_set_string(opts->basic, AD_DOMAIN, dom->name);
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen if (ret != EOK) {
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen goto done;
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen }
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen domain = dom->name;
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen }
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen /* Did we get an explicit server name, or are we discovering it? */
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen server = dp_opt_get_string(opts->basic, AD_SERVER);
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen if (!server) {
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen DEBUG(SSSDBG_CONF_SETTINGS,
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen "No AD server set, will use service discovery!\n");
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen }
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen /* Set the machine's hostname to the local host name if it
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen * wasn't explicitly specified.
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen */
2aecf7be5834e7f6520f8deaad683a6fa1de4d61Timo Sirainen ad_hostname = dp_opt_get_string(opts->basic, AD_HOSTNAME);
2aecf7be5834e7f6520f8deaad683a6fa1de4d61Timo Sirainen if (ad_hostname == NULL) {
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen gret = gethostname(hostname, HOST_NAME_MAX);
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen if (gret != 0) {
83bb013a99f0936995f9c7a1077822662d8fefdbTimo Sirainen ret = errno;
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen DEBUG(SSSDBG_FATAL_FAILURE,
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen "gethostname failed [%s].\n",
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen strerror(ret));
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen goto done;
83bb013a99f0936995f9c7a1077822662d8fefdbTimo Sirainen }
a24b0595f0f7d3925d4c9ac26fa503ff87c43e43Timo Sirainen hostname[HOST_NAME_MAX] = '\0';
1bdda5c0c30463160c47151537e6bb2c6c994841Timo Sirainen DEBUG(SSSDBG_CONF_SETTINGS,
2aecf7be5834e7f6520f8deaad683a6fa1de4d61Timo Sirainen "Setting ad_hostname to [%s].\n", hostname);
645f258ea29afaf09b673fc65d1bd788dfec8db8Timo Sirainen ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname);
1045a1d4c191a14867cde0d5cea9e4ac5e36f85fTimo Sirainen if (ret != EOK) {
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen DEBUG(SSSDBG_FATAL_FAILURE,
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen "Setting ad_hostname failed [%s].\n",
dd0dea1fdd913a04bae16e82dd66d67571a5f6c2Timo Sirainen strerror(ret));
96541d31299bb40b5a6efdbf9b4cb3d4f4b4a069Timo Sirainen goto done;
d96f86fb881c5b106649e8994ead1052acf24030Timo Sirainen }
d96f86fb881c5b106649e8994ead1052acf24030Timo Sirainen }
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
d96f86fb881c5b106649e8994ead1052acf24030Timo Sirainen /* Always use the upper-case AD domain for the kerberos realm */
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen realm = get_uppercase_realm(opts, domain);
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen if (!realm) {
645f258ea29afaf09b673fc65d1bd788dfec8db8Timo Sirainen ret = ENOMEM;
96541d31299bb40b5a6efdbf9b4cb3d4f4b4a069Timo Sirainen goto done;
55773f17bccf6361d6599ffcbe072d7c9fe205bfTimo Sirainen }
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen ret = dp_opt_set_string(opts->basic, AD_KRB5_REALM, realm);
a24b0595f0f7d3925d4c9ac26fa503ff87c43e43Timo Sirainen if (ret != EOK) {
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen goto done;
645f258ea29afaf09b673fc65d1bd788dfec8db8Timo Sirainen }
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
2cfe9983ce7a6280636ee12beccc2e865111967bTimo Sirainen /* Active Directory is always case-insensitive */
2cfe9983ce7a6280636ee12beccc2e865111967bTimo Sirainen ret = confdb_get_string(cdb, mem_ctx, conf_path,
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen CONFDB_DOMAIN_CASE_SENSITIVE, "false",
fdc557286bc9f92c5f3bb49096ff6e2bcec0ea79Timo Sirainen &case_sensitive_opt);
fdc557286bc9f92c5f3bb49096ff6e2bcec0ea79Timo Sirainen if (ret != EOK) {
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen DEBUG(SSSDBG_CRIT_FAILURE, "condb_get_string failed.\n");
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen goto done;
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen }
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen if (strcasecmp(case_sensitive_opt, "true") == 0) {
83bb013a99f0936995f9c7a1077822662d8fefdbTimo Sirainen DEBUG(SSSDBG_CRIT_FAILURE,
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen "Warning: AD domain can not be set as case-sensitive.\n");
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen dom->case_sensitive = false;
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen dom->case_preserve = false;
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen } else if (strcasecmp(case_sensitive_opt, "false") == 0) {
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen dom->case_sensitive = false;
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen dom->case_preserve = false;
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen } else if (strcasecmp(case_sensitive_opt, "preserving") == 0) {
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen dom->case_sensitive = false;
36977c4a74e164f7d81eb4785f0a5d3ff436fd19Timo Sirainen dom->case_preserve = true;
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen } else {
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen DEBUG(SSSDBG_FATAL_FAILURE,
83bb013a99f0936995f9c7a1077822662d8fefdbTimo Sirainen "Invalid value for %s\n", CONFDB_DOMAIN_CASE_SENSITIVE);
83bb013a99f0936995f9c7a1077822662d8fefdbTimo Sirainen goto done;
83bb013a99f0936995f9c7a1077822662d8fefdbTimo Sirainen }
9db263f2b9ab771fbf9a2bff44a245c45eaef218Timo Sirainen
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen opt_override = dom->case_preserve ? "preserving" : "false";
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen
043c8a96a035379bcba04f487d58457beefdfcaaTimo Sirainen /* Set this in the confdb so that the responders pick it
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen * up when they start up.
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen */
645f258ea29afaf09b673fc65d1bd788dfec8db8Timo Sirainen ret = confdb_set_string(cdb, conf_path, "case_sensitive", opt_override);
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen if (ret != EOK) {
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen DEBUG(SSSDBG_CRIT_FAILURE,
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen "Could not set domain option case_sensitive: [%s]\n",
20195ef995a4eb63a282283db63f1dc0605323e0Timo Sirainen strerror(ret));
83bb013a99f0936995f9c7a1077822662d8fefdbTimo Sirainen goto done;
e015e2f7e7f48874495f9df8b0dd192b7ffcb5ccTimo Sirainen }
645f258ea29afaf09b673fc65d1bd788dfec8db8Timo Sirainen
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen DEBUG(SSSDBG_CONF_SETTINGS,
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen "Setting domain option case_sensitive to [%s]\n", opt_override);
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen ret = EOK;
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen *_opts = opts;
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainendone:
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen if (ret != EOK) {
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen talloc_zfree(opts);
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen }
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen return ret;
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen}
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainenstatic void
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainenad_resolve_callback(void *private_data, struct fo_server *server);
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen
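/* Register one SRV-discovered entry (srv_name is "gc" or "ldap") with the
 * failover service fo_svc. The per-server user data carrying the gc flag is
 * allocated on service so it lives exactly as long as the AD service does;
 * on failure the whole init is abandoned and service is torn down by the
 * caller, which also reclaims it.
 *
 * Returns EOK, ENOMEM, or the error reported by be_fo_add_srv_server(). */
static errno_t
ad_servers_add_srv(struct ad_service *service,
                   struct be_ctx *bectx,
                   const char *fo_svc,
                   const char *srv_name,
                   const char *ad_domain,
                   bool gc)
{
    errno_t ret;
    struct ad_server_data *sdata;

    sdata = talloc(service, struct ad_server_data);
    if (sdata == NULL) {
        return ENOMEM;
    }
    sdata->gc = gc;

    ret = be_fo_add_srv_server(bectx, fo_svc, srv_name, ad_domain,
                               BE_FO_PROTO_TCP, false, sdata);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to add service discovery to failover: [%s]\n",
              strerror(ret));
        return ret;
    }

    return EOK;
}

/* Register one explicitly configured host (name or IP, brackets already
 * stripped) with the failover service fo_svc, tagged with the gc flag.
 * A host the service already knows (EEXIST) is reported as EOK: a
 * duplicate entry in the admin's server list must not disable the provider.
 *
 * Returns EOK, ENOMEM, or any other error from be_fo_add_server(). */
static errno_t
ad_servers_add_host(struct ad_service *service,
                    struct be_ctx *bectx,
                    const char *fo_svc,
                    const char *host,
                    bool gc,
                    bool primary)
{
    errno_t ret;
    struct ad_server_data *sdata;

    sdata = talloc(service, struct ad_server_data);
    if (sdata == NULL) {
        return ENOMEM;
    }
    sdata->gc = gc;

    /* Port 0: the failover layer picks the protocol default. */
    ret = be_fo_add_server(bectx, fo_svc, host, 0, sdata, primary);
    if (ret && ret != EEXIST) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n");
        return ret;
    }

    return EOK;
}

/* Parse the comma-separated server list and register every entry with both
 * the LDAP (fo_service) and the Global Catalog (fo_gc_service) failover
 * services. A BE_SRV_IDENTIFIER entry enables DNS SRV discovery for the AD
 * domain, which is honoured for primary servers only and skipped (with a
 * log line) for backup servers; every other entry is a host name or IP
 * address, with IPv6 square brackets removed first.
 *
 * Fix versus the previous revision: the function used to return whatever
 * the last be_fo_add_server() call yielded, so a duplicate host at the end
 * of the list surfaced EEXIST to the caller and failed the whole init even
 * though duplicates are tolerated inside the loop. The result is now
 * explicitly EOK once the loop completes.
 *
 * NOTE: the leading-underscore name is a reserved identifier at file scope
 * (C11 7.1.3); it is kept because the two wrappers below call it by name.
 *
 * Returns EOK, ENOMEM, the error from split_on_separator() /
 * remove_ipv6_brackets(), or the first hard error from the failover layer. */
static errno_t
_ad_servers_init(struct ad_service *service,
                 struct be_ctx *bectx,
                 const char *fo_service,
                 const char *fo_gc_service,
                 const char *servers,
                 const char *ad_domain,
                 bool primary)
{
    errno_t ret;
    char **list = NULL;
    TALLOC_CTX *tmp_ctx;

    tmp_ctx = talloc_new(NULL);
    if (tmp_ctx == NULL) {
        return ENOMEM;
    }

    /* Split the server list */
    ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n");
        goto done;
    }

    /* Add each of these servers to the failover service */
    for (size_t i = 0; list[i] != NULL; i++) {
        if (be_fo_is_srv_identifier(list[i])) {
            if (!primary) {
                DEBUG(SSSDBG_MINOR_FAILURE,
                      "Failed to add server [%s] to failover service: "
                      "SRV resolution only allowed for primary servers!\n",
                      list[i]);
                continue;
            }

            ret = ad_servers_add_srv(service, bectx, fo_gc_service, "gc",
                                     ad_domain, true);
            if (ret != EOK) {
                goto done;
            }

            ret = ad_servers_add_srv(service, bectx, fo_service, "ldap",
                                     ad_domain, false);
            if (ret != EOK) {
                goto done;
            }

            DEBUG(SSSDBG_CONF_SETTINGS, "Added service discovery for AD\n");
            continue;
        }

        /* It could be ipv6 address in square brackets. Remove
         * the brackets if needed. */
        ret = remove_ipv6_brackets(list[i]);
        if (ret != EOK) {
            goto done;
        }

        ret = ad_servers_add_host(service, bectx, fo_gc_service, list[i],
                                  true, primary);
        if (ret != EOK) {
            goto done;
        }

        ret = ad_servers_add_host(service, bectx, fo_service, list[i],
                                  false, primary);
        if (ret != EOK) {
            goto done;
        }

        DEBUG(SSSDBG_CONF_SETTINGS, "Added failover server %s\n", list[i]);
    }

    /* Reaching this point means every entry was either added or already
     * known; never leak an EEXIST from the last iteration. */
    ret = EOK;

done:
    talloc_free(tmp_ctx);
    return ret;
}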
98dd8e6e81f11f1e6040ca72f4916242d246c863Timo Sirainen
/* Register the primary AD server list: a thin wrapper that calls the shared
 * initialiser with the primary flag set, so SRV discovery entries are
 * honoured. Returns whatever _ad_servers_init() returns. */
static inline errno_t
ad_primary_servers_init(struct ad_service *service,
                        struct be_ctx *bectx, const char *servers,
                        const char *fo_service, const char *fo_gc_service,
                        const char *ad_domain)
{
    const bool is_primary = true;

    return _ad_servers_init(service, bectx, fo_service, fo_gc_service,
                            servers, ad_domain, is_primary);
}
8d80659e504ffb34bb0c6a633184fece35751b18Timo Sirainen
/* Register the backup AD server list: a thin wrapper that calls the shared
 * initialiser with the primary flag cleared, so SRV discovery entries are
 * skipped for backups. Returns whatever _ad_servers_init() returns. */
static inline errno_t
ad_backup_servers_init(struct ad_service *service,
                       struct be_ctx *bectx, const char *servers,
                       const char *fo_service, const char *fo_gc_service,
                       const char *ad_domain)
{
    const bool is_primary = false;

    return _ad_servers_init(service, bectx, fo_service, fo_gc_service,
                            servers, ad_domain, is_primary);
}
87460b08cb97b31cde640d4975a6aa2c1d0e7226Timo Sirainen
/* Failover user-data comparator handed to be_fo_add_service().
 *
 * Two entries count as the same server (0) when both carry an
 * ad_server_data with an equal gc flag, or when both are NULL; any other
 * combination is different (1). talloc_get_type() yields NULL for a
 * pointer that is not an ad_server_data, which lands in the NULL branch. */
static int ad_user_data_cmp(void *ud1, void *ud2)
{
    struct ad_server_data *sd1 = talloc_get_type(ud1, struct ad_server_data);
    struct ad_server_data *sd2 = talloc_get_type(ud2, struct ad_server_data);

    if (sd1 == NULL || sd2 == NULL) {
        DEBUG(SSSDBG_TRACE_FUNC, "No user data\n");
        return (sd1 == sd2) ? 0 : 1;
    }

    return (sd1->gc != sd2->gc) ? 1 : 0;
}
83bb013a99f0936995f9c7a1077822662d8fefdbTimo Sirainen
/* Backend "online" callback registered by ad_failover_init(). It only
 * validates the private pointer and logs; it does not touch the service. */
static void ad_online_cb(void *pvt)
{
    struct ad_service *service;

    service = talloc_get_type(pvt, struct ad_service);
    if (service != NULL) {
        DEBUG(SSSDBG_TRACE_FUNC, "The AD provider is online\n");
        return;
    }

    DEBUG(SSSDBG_CRIT_FAILURE, "Invalid private pointer\n");
}
dce5a2719df4fc64a8762d2aa94ba98dcf9cd6feTimo Sirainen
/* Build the AD service object and wire it into the backend's failover
 * machinery.
 *
 * Creates the LDAP (sdap) and Global Catalog (gc) sdap_service objects and
 * the krb5_service, registers two failover services (ad_service and
 * ad_gc_service) sharing ad_user_data_cmp, adds the primary servers (SRV
 * discovery when none are configured) and optional backup servers, and
 * finally hooks the online and resolve callbacks.
 *
 * @param mem_ctx         Owner of the returned service and of the failover
 *                        callback registrations.
 * @param primary_servers Comma-separated list; NULL selects SRV discovery.
 * @param backup_servers  Comma-separated list or NULL.
 * @param krb5_realm      Required; EINVAL without it.
 * @param _service        Set only on success; ownership moves to mem_ctx.
 *
 * @return EOK, ENOMEM, EINVAL, or the error from the failover layer.
 *
 * NOTE(review): the online callback (bectx) and both resolve callbacks
 * (mem_ctx) capture the raw service pointer before ownership is transferred
 * at the end. If a later registration fails, service is released together
 * with tmp_ctx while the earlier registrations still reference it — safe
 * only if the caller treats a failed init as fatal for the backend, or the
 * failover layer drops callbacks on failure; confirm before relying on
 * partial-failure recovery.
 */
errno_t
ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
                 const char *primary_servers,
                 const char *backup_servers,
                 const char *krb5_realm,
                 const char *ad_service,
                 const char *ad_gc_service,
                 const char *ad_domain,
                 struct ad_service **_service)
{
    errno_t ret;
    TALLOC_CTX *tmp_ctx;
    struct ad_service *service;

    tmp_ctx = talloc_new(mem_ctx);
    if (!tmp_ctx) return ENOMEM;

    /* service hangs off tmp_ctx until the very end so every error path
     * tears it down with a single talloc_free(tmp_ctx). */
    service = talloc_zero(tmp_ctx, struct ad_service);
    if (!service) {
        ret = ENOMEM;
        goto done;
    }

    service->sdap = talloc_zero(service, struct sdap_service);
    service->gc = talloc_zero(service, struct sdap_service);
    if (!service->sdap || !service->gc) {
        ret = ENOMEM;
        goto done;
    }

    service->sdap->name = talloc_strdup(service->sdap, ad_service);
    service->gc->name = talloc_strdup(service->gc, ad_gc_service);
    if (!service->sdap->name || !service->gc->name) {
        ret = ENOMEM;
        goto done;
    }

    service->krb5_service = talloc_zero(service, struct krb5_service);
    if (!service->krb5_service) {
        ret = ENOMEM;
        goto done;
    }

    /* Both failover services use the same comparator: entries differ only
     * by their gc flag, see ad_user_data_cmp(). */
    ret = be_fo_add_service(bectx, ad_service, ad_user_data_cmp);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n");
        goto done;
    }

    ret = be_fo_add_service(bectx, ad_gc_service, ad_user_data_cmp);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create GC failover service!\n");
        goto done;
    }

    /* One krb5 service name shared by LDAP and GC for kinit. */
    service->krb5_service->name = talloc_strdup(service->krb5_service,
                                                ad_service);
    if (!service->krb5_service->name) {
        ret = ENOMEM;
        goto done;
    }
    service->sdap->kinit_service_name = service->krb5_service->name;
    service->gc->kinit_service_name = service->krb5_service->name;

    /* Without a realm neither GSSAPI binds nor kdcinfo files can work. */
    if (!krb5_realm) {
        DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm set\n");
        ret = EINVAL;
        goto done;
    }
    service->krb5_service->realm =
        talloc_strdup(service->krb5_service, krb5_realm);
    if (!service->krb5_service->realm) {
        ret = ENOMEM;
        goto done;
    }

    /* No explicit servers: fall back to DNS SRV discovery for the domain. */
    if (!primary_servers) {
        DEBUG(SSSDBG_CONF_SETTINGS,
              "No primary servers defined, using service discovery\n");
        primary_servers = BE_SRV_IDENTIFIER;
    }

    ret = ad_primary_servers_init(service, bectx,
                                  primary_servers, ad_service,
                                  ad_gc_service, ad_domain);
    if (ret != EOK) {
        goto done;
    }

    if (backup_servers) {
        ret = ad_backup_servers_init(service, bectx,
                                     backup_servers, ad_service,
                                     ad_gc_service, ad_domain);
        if (ret != EOK) {
            goto done;
        }
    }

    /* From here on external code holds a pointer to service (see the
     * NOTE in the header comment). */
    ret = be_add_online_cb(bectx, bectx, ad_online_cb, service, NULL);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up AD online callback\n");
        goto done;
    }

    ret = be_fo_service_add_callback(mem_ctx, bectx, ad_service,
                                     ad_resolve_callback, service);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to add failover callback! [%s]\n", strerror(ret));
        goto done;
    }

    ret = be_fo_service_add_callback(mem_ctx, bectx, ad_gc_service,
                                     ad_resolve_callback, service);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to add failover callback! [%s]\n", strerror(ret));
        goto done;
    }

    /* Success: hand the service to the caller's context so the
     * talloc_free(tmp_ctx) below does not take it down. */
    *_service = talloc_steal(mem_ctx, service);

    ret = EOK;

done:
    talloc_free(tmp_ctx);
    return ret;
}
042e2b8447b34051f0380baafcf0073704430239Timo Sirainen
/* Failover resolve callback for both the LDAP and the GC service.
 *
 * Called once a failover server has been resolved. Rebuilds the LDAP URI
 * and socket address of service->sdap from the resolved host, rebuilds the
 * GC URI/sockaddr (with the GC port when the server is flagged as a GC,
 * otherwise a copy of the LDAP values so a GC lookup still has a target),
 * and, for non-GC servers, writes the kdcinfo file if the krb5 service
 * asks for it. Errors are logged and the old URI/sockaddr may already have
 * been released; there is no way to report failure to the caller.
 *
 * @param private_data  The struct ad_service registered in ad_failover_init().
 * @param server        The failover server that was just resolved.
 */
static void
ad_resolve_callback(void *private_data, struct fo_server *server)
{
    errno_t ret;
    TALLOC_CTX *tmp_ctx;
    struct ad_service *service;
    struct resolv_hostent *srvaddr;
    struct sockaddr_storage *sockaddr;
    char *address;
    const char *safe_address;
    char *new_uri;
    int new_port;
    const char *srv_name;
    struct ad_server_data *sdata = NULL;

    tmp_ctx = talloc_new(NULL);
    if (!tmp_ctx) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
        return;
    }

    /* SRV-discovered servers carry no user data; only explicitly
     * configured ones must have an ad_server_data attached. */
    sdata = fo_get_server_user_data(server);
    if (fo_is_srv_lookup(server) == false && sdata == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "No user data?\n");
        ret = EINVAL;
        goto done;
    }

    service = talloc_get_type(private_data, struct ad_service);
    if (!service) {
        ret = EINVAL;
        goto done;
    }

    srvaddr = fo_get_server_hostent(server);
    if (!srvaddr) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "No hostent available for server (%s)\n",
              fo_get_server_str_name(server));
        ret = EINVAL;
        goto done;
    }

    address = resolv_get_string_address(tmp_ctx, srvaddr);
    if (address == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_string_address failed.\n");
        ret = EIO;
        goto done;
    }

    /* The URI uses the configured host name, not the resolved address,
     * so GSSAPI/TLS name matching keeps working. */
    srv_name = fo_get_server_name(server);
    if (srv_name == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Could not get server host name\n");
        ret = EINVAL;
        goto done;
    }

    new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
    if (!new_uri) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
        ret = ENOMEM;
        goto done;
    }
    DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);

    /* NOTE(review): the LDAP side is pinned to LDAP_PORT here, whereas the
     * GC side below honours fo_get_server_port(); a non-default port
     * from an SRV record is therefore not used for plain LDAP — confirm
     * whether that is intended. */
    sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
    if (sockaddr == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
        ret = EIO;
        goto done;
    }

    /* free old one and replace with new one */
    talloc_zfree(service->sdap->uri);
    service->sdap->uri = new_uri;
    talloc_zfree(service->sdap->sockaddr);
    service->sdap->sockaddr = talloc_steal(service->sdap, sockaddr);

    /* The old GC values are released before the new ones are built; if an
     * allocation below fails, service->gc is left without a URI/sockaddr
     * until the next successful resolve. */
    talloc_zfree(service->gc->uri);
    talloc_zfree(service->gc->sockaddr);
    if (sdata && sdata->gc) {
        /* Port 0 means "not configured": use the standard GC port. */
        new_port = fo_get_server_port(server);
        new_port = (new_port == 0) ? AD_GC_PORT : new_port;

        service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
                                           new_uri, new_port);

        service->gc->sockaddr = resolv_get_sockaddr_address(service->gc,
                                                            srvaddr,
                                                            new_port);
    } else {
        /* Make sure there always is an URI even if we know that this
         * server doesn't support GC. That way the lookup would go through
         * just not return anything
         */
        service->gc->uri = talloc_strdup(service->gc, service->sdap->uri);
        service->gc->sockaddr = talloc_memdup(service->gc, service->sdap->sockaddr,
                                              sizeof(struct sockaddr_storage));
    }

    if (!service->gc->uri) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to append to URI\n");
        ret = ENOMEM;
        goto done;
    }
    DEBUG(SSSDBG_CONF_SETTINGS, "Constructed GC uri '%s'\n", service->gc->uri);

    if (service->gc->sockaddr == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "resolv_get_sockaddr_address failed.\n");
        ret = EIO;
        goto done;
    }

    /* Only write kdcinfo files for local servers */
    if ((sdata == NULL || sdata->gc == false) &&
        service->krb5_service->write_kdcinfo) {
        /* Write krb5 info files */
        /* The address is escaped (IPv6 bracketing) before it is written out
         * so the kdcinfo consumer never sees a raw address. */
        safe_address = sss_escape_ip_address(tmp_ctx,
                                             srvaddr->family,
                                             address);
        if (safe_address == NULL) {
            DEBUG(SSSDBG_CRIT_FAILURE, "sss_escape_ip_address failed.\n");
            ret = ENOMEM;
            goto done;
        }

        /* A kdcinfo write failure is deliberately non-fatal: the LDAP side
         * is already updated and libkrb5 can still locate a KDC by itself. */
        ret = write_krb5info_file(service->krb5_service->realm, safe_address,
                                  SSS_KRB5KDC_FO_SRV);
        if (ret != EOK) {
            DEBUG(SSSDBG_MINOR_FAILURE,
                  "write_krb5info_file failed, authentication might fail.\n");
        }
    }

    ret = EOK;
done:
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Error: [%s]\n", strerror(ret));
    }
    talloc_free(tmp_ctx);
    return;
}
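/* Derive the LDAP-provider (sdap) options that AD mandates from the AD
 * options: force the MIT Kerberos password policy, copy the Kerberos realm
 * and (when configured) the keytab path across, configure the SASL
 * options, and pin the schema to SDAP_SCHEMA_AD. On success id_opts is
 * linked into ad_opts->id.
 *
 * Changes versus the previous revision: the realm fetched once at the top
 * is reused for sdap_set_sasl_options() instead of reading the same option
 * a second time, every control body is braced, and the no-op done: label
 * is replaced by direct returns.
 *
 * @param ad_opts  AD options; AD_KRB5_REALM must already be set
 *                 (ad_get_common_options() does that).
 * @param id_opts  sdap options to populate.
 *
 * @return EOK, EINVAL if no realm is present, or the error from the option
 *         setters / sdap_set_sasl_options(). */
static errno_t
ad_set_sdap_options(struct ad_options *ad_opts,
                    struct sdap_options *id_opts)
{
    errno_t ret;
    char *krb5_realm;
    char *keytab_path;

    /* We only support Kerberos password policy with AD, so
     * force that on.
     */
    ret = dp_opt_set_string(id_opts->basic,
                            SDAP_PWD_POLICY,
                            PWD_POL_OPT_MIT);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Could not set password policy\n");
        return ret;
    }

    /* Set the Kerberos Realm for GSSAPI */
    krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
    if (krb5_realm == NULL) {
        /* Should be impossible, this is set in ad_get_common_options() */
        DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
        return EINVAL;
    }

    ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
    if (ret != EOK) {
        return ret;
    }
    DEBUG(SSSDBG_CONF_SETTINGS,
          "Option %s set to %s\n",
          id_opts->basic[SDAP_KRB5_REALM].opt_name,
          krb5_realm);

    /* The keytab is optional: a NULL path is left unset on id_opts and
     * passed through to sdap_set_sasl_options() as before. */
    keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
    if (keytab_path != NULL) {
        ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_KEYTAB,
                                keytab_path);
        if (ret != EOK) {
            return ret;
        }
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Option %s set to %s\n",
              id_opts->basic[SDAP_KRB5_KEYTAB].opt_name,
              keytab_path);
    }

    /* krb5_realm is the AD_KRB5_REALM value read above. */
    ret = sdap_set_sasl_options(id_opts,
                                dp_opt_get_string(ad_opts->basic,
                                                  AD_HOSTNAME),
                                krb5_realm,
                                keytab_path);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "Cannot set the SASL-related options\n");
        return ret;
    }

    /* fix schema to AD */
    id_opts->schema_type = SDAP_SCHEMA_AD;

    ad_opts->id = id_opts;
    return EOK;
}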
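/*
 * Build the sdap (LDAP) options for the AD identity provider.
 *
 * Creates the sdap options from the configuration, applies the AD-specific
 * Kerberos/SASL/schema settings, registers the back end's domain and
 * resolves the search bases.
 *
 * @param ad_opts    AD provider options; ad_set_sdap_options() stores the
 *                   new options in ad_opts->id.
 * @param cdb        Configuration database.
 * @param conf_path  Configuration section to read.
 * @param _opts      Receives the new options on success (owned by the
 *                   allocation made by ad_create_sdap_options()).
 * @return EOK on success, otherwise the error code of the step that failed.
 *         On failure nothing is returned through _opts and the partially
 *         initialised options are freed.
 */
errno_t
ad_get_id_options(struct ad_options *ad_opts,
                  struct confdb_ctx *cdb,
                  const char *conf_path,
                  struct sdap_options **_opts)
{
    struct sdap_options *id_opts = NULL;
    errno_t ret;

    ret = ad_create_sdap_options(ad_opts, cdb, conf_path, &id_opts);
    if (ret != EOK) {
        /* Report the real cause rather than collapsing every failure
         * into ENOMEM; nothing has been handed to us yet, so there is
         * nothing to free. */
        return ret;
    }

    ret = ad_set_sdap_options(ad_opts, id_opts);
    if (ret != EOK) {
        goto fail;
    }

    ret = sdap_domain_add(id_opts,
                          ad_opts->id_ctx->sdap_id_ctx->be->domain,
                          NULL);
    if (ret != EOK) {
        goto fail;
    }

    /* Honour explicitly configured search bases; the rest is derived. */
    ret = ad_set_search_bases(id_opts);
    if (ret != EOK) {
        goto fail;
    }

    *_opts = id_opts;
    return EOK;

fail:
    /* ad_set_sdap_options() already published id_opts through ad_opts->id;
     * clear it so the caller is not left with a dangling pointer once the
     * options are freed below. */
    if (ad_opts->id == id_opts) {
        ad_opts->id = NULL;
    }
    talloc_free(id_opts);
    return ret;
}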
/*
 * Load the autofs attribute maps into the AD identity options.
 *
 * Reads the map-object and entry maps from the configuration, falling back
 * to the AD defaults (ad_autofs_mobject_map / ad_autofs_entry_map), and
 * stores them in ad_opts->id.
 *
 * @param ad_opts    AD provider options; ad_opts->id must already exist.
 * @param cdb        Configuration database.
 * @param conf_path  Configuration section to read.
 * @return EOK on success, otherwise the error from the first sdap_get_map()
 *         call that failed.
 */
errno_t
ad_get_autofs_options(struct ad_options *ad_opts,
                      struct confdb_ctx *cdb,
                      const char *conf_path)
{
    struct sdap_options *id = ad_opts->id;
    errno_t ret;

    ret = sdap_get_map(id, cdb, conf_path,
                       ad_autofs_mobject_map,
                       SDAP_OPTS_AUTOFS_MAP,
                       &id->autofs_mobject_map);
    if (ret == EOK) {
        /* Entry map is only read once the map-object map succeeded. */
        ret = sdap_get_map(id, cdb, conf_path,
                           ad_autofs_entry_map,
                           SDAP_OPTS_AUTOFS_ENTRY,
                           &id->autofs_entry_map);
    }

    return ret;
}
/*
 * Fill in and parse the LDAP search bases for the AD provider.
 *
 * When a default search base (SDAP_SEARCH_BASE) is configured, every
 * object-specific search base that was not set explicitly is copied from
 * it. Each search base is then parsed into id_opts->sdom; a base that is
 * simply absent (ENOENT) is not an error because AD advertises
 * defaultNamingContext and the base can be discovered later.
 *
 * @param id_opts  sdap options whose basic[] and sdom are updated in place.
 * @return EOK on success, otherwise the error from the failing setter or
 *         parser.
 */
errno_t
ad_set_search_bases(struct sdap_options *id_opts)
{
    static const int derived_bases[] = {
        SDAP_USER_SEARCH_BASE,
        SDAP_GROUP_SEARCH_BASE,
        SDAP_NETGROUP_SEARCH_BASE,
        SDAP_SERVICE_SEARCH_BASE,
    };
    char *default_base;
    errno_t ret;

    default_base = dp_opt_get_string(id_opts->basic, SDAP_SEARCH_BASE);
    if (default_base == NULL) {
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Search base not set. SSSD will attempt to discover it later, "
              "when connecting to the LDAP server.\n");
    } else {
        /* Copy the default into every base the admin left unset. */
        for (size_t i = 0;
             i < sizeof(derived_bases) / sizeof(derived_bases[0]);
             i++) {
            int opt = derived_bases[i];

            if (dp_opt_get_string(id_opts->basic, opt) != NULL) {
                continue;
            }

            ret = dp_opt_set_string(id_opts->basic, opt, default_base);
            if (ret != EOK) {
                return ret;
            }
            DEBUG(SSSDBG_CONF_SETTINGS,
                  "Option %s set to %s\n",
                  id_opts->basic[opt].opt_name,
                  dp_opt_get_string(id_opts->basic, opt));
        }
    }

    /* Parse in the fixed order default, user, group, netgroup, service.
     * ENOENT means "not configured" and does not stop the chain. */
    ret = sdap_parse_search_base(id_opts, id_opts->basic,
                                 SDAP_SEARCH_BASE,
                                 &id_opts->sdom->search_bases);
    if (ret == EOK || ret == ENOENT) {
        ret = sdap_parse_search_base(id_opts, id_opts->basic,
                                     SDAP_USER_SEARCH_BASE,
                                     &id_opts->sdom->user_search_bases);
    }
    if (ret == EOK || ret == ENOENT) {
        ret = sdap_parse_search_base(id_opts, id_opts->basic,
                                     SDAP_GROUP_SEARCH_BASE,
                                     &id_opts->sdom->group_search_bases);
    }
    if (ret == EOK || ret == ENOENT) {
        ret = sdap_parse_search_base(id_opts, id_opts->basic,
                                     SDAP_NETGROUP_SEARCH_BASE,
                                     &id_opts->sdom->netgroup_search_bases);
    }
    if (ret == EOK || ret == ENOENT) {
        ret = sdap_parse_search_base(id_opts, id_opts->basic,
                                     SDAP_SERVICE_SEARCH_BASE,
                                     &id_opts->sdom->service_search_bases);
    }

    /* A missing base is success; any other failure is passed through. */
    return (ret == ENOENT) ? EOK : ret;
}
/*
 * Build the Kerberos (krb5) options for the AD authentication provider.
 *
 * Reads the krb5 options from the configuration and then overrides the
 * KDC list with the AD server list and the realm with AD_KRB5_REALM, so the
 * auth side can never point at a different KDC than the identity side.
 * Also records whether kdcinfo files should be written.
 *
 * @param mem_ctx  Owner of the returned options.
 * @param ad_opts  AD provider options (source of server list and realm);
 *                 ad_opts->service->krb5_service->write_kdcinfo is updated.
 * @param bectx    Back end context providing cdb and conf_path.
 * @param _opts    Receives the krb5 options on success.
 * @return EOK on success, ENOMEM if the temporary context cannot be
 *         allocated, EINVAL when the realm is missing, otherwise the error
 *         from the failing option call.
 */
errno_t
ad_get_auth_options(TALLOC_CTX *mem_ctx,
                    struct ad_options *ad_opts,
                    struct be_ctx *bectx,
                    struct dp_option **_opts)
{
    TALLOC_CTX *tmp_ctx;
    struct dp_option *krb5_opts = NULL;
    const char *servers;
    const char *realm;
    bool use_kdcinfo;
    errno_t ret;

    tmp_ctx = talloc_new(NULL);
    if (tmp_ctx == NULL) {
        return ENOMEM;
    }

    ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path,
                         ad_def_krb5_opts, KRB5_OPTS,
                         &krb5_opts);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not read Kerberos options from the configuration\n");
        goto done;
    }

    /* The KDC list is not independently configurable for AD: it always
     * mirrors the AD server list. */
    servers = dp_opt_get_string(ad_opts->basic, AD_SERVER);
    ret = dp_opt_set_string(krb5_opts, KRB5_KDC, servers);
    if (ret != EOK) {
        goto done;
    }
    DEBUG(SSSDBG_CONF_SETTINGS,
          "Option %s set to %s\n",
          krb5_opts[KRB5_KDC].opt_name,
          servers);

    /* ad_get_common_options() always sets the realm, so a missing value
     * is an internal error rather than a configuration one. */
    realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
    if (realm == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
        ret = EINVAL;
        goto done;
    }

    /* Use the AD realm (which ad_common_options() may have upper-cased)
     * as the krb5 realm. */
    ret = dp_opt_set_string(krb5_opts, KRB5_REALM, realm);
    if (ret != EOK) {
        goto done;
    }
    DEBUG(SSSDBG_CONF_SETTINGS,
          "Option %s set to %s\n",
          krb5_opts[KRB5_REALM].opt_name,
          realm);

    /* Whether kdcinfo files get written at all. */
    use_kdcinfo = dp_opt_get_bool(krb5_opts, KRB5_USE_KDCINFO);
    ad_opts->service->krb5_service->write_kdcinfo = use_kdcinfo;
    DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
          krb5_opts[KRB5_USE_KDCINFO].opt_name,
          use_kdcinfo ? "true" : "false");

    *_opts = talloc_steal(mem_ctx, krb5_opts);
    ret = EOK;

done:
    talloc_free(tmp_ctx);
    return ret;
}
/*
 * Initialise the dynamic DNS update context for the AD provider.
 *
 * @param be_ctx   Back end context handed to be_nsupdate_init().
 * @param ad_opts  AD provider options; ad_opts->dyndns_ctx is set on success.
 * @return EOK on success, otherwise the error returned by be_nsupdate_init()
 *         (also logged).
 */
errno_t ad_get_dyndns_options(struct be_ctx *be_ctx,
                              struct ad_options *ad_opts)
{
    errno_t ret = be_nsupdate_init(ad_opts, be_ctx, ad_dyndns_opts,
                                   &ad_opts->dyndns_ctx);

    if (ret == EOK) {
        return EOK;
    }

    DEBUG(SSSDBG_OP_FAILURE,
          "Cannot initialize AD dyndns opts [%d]: %s\n",
          ret, sss_strerror(ret));
    return ret;
}
/*
 * Allocate the AD identity context and its LDAP and GC connections.
 *
 * The context is a child of ad_opts. Both the plain LDAP connection
 * (ad_ctx->ldap_ctx) and the Global Catalog connection (ad_ctx->gc_ctx)
 * are created here, so callers may rely on them being non-NULL.
 *
 * @param ad_opts  AD provider options; ad_opts->service supplies the sdap
 *                 and gc service definitions.
 * @param bectx    Back end context for the sdap id context.
 * @return The new context, or NULL on allocation/initialisation failure
 *         (everything allocated so far is freed).
 */
struct ad_id_ctx *
ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx)
{
    struct ad_id_ctx *ctx = talloc_zero(ad_opts, struct ad_id_ctx);

    if (ctx == NULL) {
        return NULL;
    }
    ctx->ad_options = ad_opts;

    ctx->sdap_id_ctx = sdap_id_ctx_new(ctx, bectx, ad_opts->service->sdap);
    if (ctx->sdap_id_ctx == NULL) {
        goto fail;
    }
    ctx->ldap_ctx = ctx->sdap_id_ctx->conn;

    /* Second connection towards the Global Catalog of the same server. */
    ctx->gc_ctx = sdap_id_ctx_conn_add(ctx->sdap_id_ctx, ad_opts->service->gc);
    if (ctx->gc_ctx == NULL) {
        goto fail;
    }

    return ctx;

fail:
    /* Children (including the sdap id context) go away with ctx. */
    talloc_free(ctx);
    return NULL;
}
/*
 * Look up the LDAP connection that serves a given domain.
 *
 * The per-domain AD id context is stored in the sdap_domain's pvt pointer;
 * its ldap_ctx is returned. For subdomains the connection is marked with
 * ignore_mark_offline so that a failure there is reported to the caller
 * instead of taking the whole back end offline.
 *
 * @param ad_ctx  AD id context of the back end (used to find the domain).
 * @param dom     Domain whose connection is wanted.
 * @return The connection (may be NULL if the domain context has none), or
 *         NULL when no id context exists for the domain.
 */
struct sdap_id_conn_ctx *
ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom)
{
    struct sdap_domain *sdom;
    struct ad_id_ctx *dom_ctx;
    struct sdap_id_conn_ctx *conn;

    sdom = sdap_domain_get(ad_ctx->sdap_id_ctx->opts, dom);
    if (sdom == NULL || sdom->pvt == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
              dom->name);
        return NULL;
    }

    dom_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
    conn = dom_ctx->ldap_ctx;

    /* A subdomain error must not be allowed to set the whole back end
     * offline; the caller deals with it (normally disabling the subdomain). */
    if (IS_SUBDOMAIN(sdom->dom) == true && conn != NULL) {
        conn->ignore_mark_offline = true;
    }

    return conn;
}
/*
 * Build the NULL-terminated connection list used for Global Catalog lookups.
 *
 * When AD_ENABLE_GC is set the GC connection comes first (marked
 * ignore_mark_offline so a GC failure does not mark the back end offline)
 * followed by the domain's LDAP connection as fallback; otherwise the list
 * holds only the LDAP connection.
 *
 * @param mem_ctx  Owner of the returned array.
 * @param ad_ctx   AD id context providing gc_ctx and the options.
 * @param dom      Domain whose LDAP connection is appended.
 * @return A zero-filled array of three slots, or NULL on allocation failure.
 */
struct sdap_id_conn_ctx **
ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
                struct sss_domain_info *dom)
{
    struct sdap_id_conn_ctx **list;
    size_t n = 0;

    /* Two entries at most plus the NULL terminator supplied by zeroing. */
    list = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);
    if (list == NULL) {
        return NULL;
    }

    if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) {
        ad_ctx->gc_ctx->ignore_mark_offline = true;
        list[n++] = ad_ctx->gc_ctx;
    }

    list[n] = ad_get_dom_ldap_conn(ad_ctx, dom);

    return list;
}
/*
 * Build a NULL-terminated connection list holding only the domain's LDAP
 * connection.
 *
 * @param mem_ctx  Owner of the returned array.
 * @param ad_ctx   AD id context used to resolve the domain connection.
 * @param dom      Domain whose LDAP connection is used.
 * @return A two-slot array (connection, NULL), or NULL on allocation
 *         failure. The first slot may itself be NULL if the domain has no
 *         id context.
 */
struct sdap_id_conn_ctx **
ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
                  struct ad_id_ctx *ad_ctx,
                  struct sss_domain_info *dom)
{
    struct sdap_id_conn_ctx **list =
        talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 2);

    if (list != NULL) {
        list[0] = ad_get_dom_ldap_conn(ad_ctx, dom);
        list[1] = NULL;
    }

    return list;
}
/*
 * Build the NULL-terminated connection list used for user lookups.
 *
 * Users from trusted (sub)domains are looked up in the Global Catalog first
 * when AD_ENABLE_GC is set, with the domain's LDAP connection as fallback.
 * Users from the primary domain go straight to LDAP so that all POSIX
 * attributes are available.
 *
 * @param ad_ctx  AD id context; also the talloc owner of the returned array.
 * @param dom     Domain the user belongs to.
 * @return A zero-filled array of three slots, or NULL on allocation failure.
 */
struct sdap_id_conn_ctx **
ad_user_conn_list(struct ad_id_ctx *ad_ctx,
                  struct sss_domain_info *dom)
{
    struct sdap_id_conn_ctx **list;
    size_t n = 0;
    bool gc_enabled;

    list = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
    if (list == NULL) {
        return NULL;
    }

    gc_enabled = dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC);
    if (gc_enabled && IS_SUBDOMAIN(dom)) {
        /* GC first; a GC failure must not take the back end offline. */
        ad_ctx->gc_ctx->ignore_mark_offline = true;
        list[n++] = ad_ctx->gc_ctx;
    }

    /* LDAP serves the primary domain and acts as fallback for the rest. */
    list[n] = ad_get_dom_ldap_conn(ad_ctx, dom);

    return list;
}