ad_init.c revision efe6b4a9d374339cac2528cdeb43720957c6b7c9
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Copyright (C) 2012 Red Hat
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is free software; you can redistribute it and/or modify
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher it under the terms of the GNU General Public License as published by
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher the Free Software Foundation; either version 3 of the License, or
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher (at your option) any later version.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is distributed in the hope that it will be useful,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher GNU General Public License for more details.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher You should have received a copy of the GNU General Public License
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher#include "providers/krb5/krb5_init_shared.h"
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorcestatic int ad_sasl_getopt(void *context, const char *plugin_name,
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorce const char *option,
483728c1f9719e419830cce93b7e411370a5364bOndrej Kostypedef int (*sss_sasl_gen_cb_fn)(void);
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorcestatic const sasl_callback_t ad_sasl_callbacks[] = {
483728c1f9719e419830cce93b7e411370a5364bOndrej Kos { SASL_CB_GETOPT, (sss_sasl_gen_cb_fn)ad_sasl_getopt, NULL },
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorce/* This is quite a hack, we *try* to fool openldap libraries by initializing
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorce * sasl first so we can pass in the SASL_CB_GETOPT callback we need to set some
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorce * options. Should be removed as soon as openldap exposes a way to do that */
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorcestatic void ad_sasl_initialize(void)
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorce /* NOTE: this may fail if some other library in the system happens to
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorce * initialize and use openldap libraries or directly the cyrus-sasl
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorce * library as this initialization function can be called only once per
fb945a2cacc5506a2acb50349670f22078f1d4f5Simo Sorce * process */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Get AD-specific options */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ret = ad_get_common_options(bectx, bectx->cdb,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Could not parse common options: [%s]\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
294e9a5521d327c5cdc49beeb9cb9e703b3134f1Jan Zeleny ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* Set up the failover service */
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek ret = ad_failover_init(ad_options, bectx, ad_servers, ad_backup_servers, ad_realm,
59415636c92c6e9764ddc65a85ad61002310519dJakub Hrozek dp_opt_get_string(ad_options->basic, AD_DOMAIN),
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher ("Failed to init AD failover service: [%s]\n",
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* already initialized */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ret = ad_dyndns_init(ad_ctx->sdap_id_ctx->be, ad_options);
dcb44c39dda9699cdd6488fd116a51ced0687de3Jakub Hrozek ("Failure setting up automatic DNS update\n"));
dcb44c39dda9699cdd6488fd116a51ced0687de3Jakub Hrozek /* Continue without DNS updates */
dcb44c39dda9699cdd6488fd116a51ced0687de3Jakub Hrozek ("setup_child failed [%d][%s].\n",
dcb44c39dda9699cdd6488fd116a51ced0687de3Jakub Hrozek /* Set up various SDAP options */
dcb44c39dda9699cdd6488fd116a51ced0687de3Jakub Hrozek ret = ad_get_id_options(ad_options, bectx->cdb,
2e4f8db631a10224dac20e8a472f751fef0e3fcdJakub Hrozek /* Set up the ID mapping object */
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ret = sdap_idmap_init(ad_ctx->sdap_id_ctx, ad_ctx->sdap_id_ctx,
ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9Jakub Hrozek ret = setup_tls_config(ad_ctx->sdap_id_ctx->opts->basic);
dcb44c39dda9699cdd6488fd116a51ced0687de3Jakub Hrozek ("setup_tls_config failed [%s]\n", strerror(ret)));
1abdf56dcda5f6bed7b144e544c00dbdd501b3fcPavel Březina /* setup SRV lookup plugin */
1abdf56dcda5f6bed7b144e544c00dbdd501b3fcPavel Březina hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina if (dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES)) {
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina /* use AD plugin */
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina srv_ctx = ad_srv_plugin_ctx_init(bectx, bectx->be_res,
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina DEBUG(SSSDBG_FATAL_FAILURE, ("Out of memory?\n"));
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina be_fo_set_srv_lookup_plugin(bectx, ad_srv_plugin_send,
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina /* fall back to standard plugin */
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname);
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin "
7b5e7e539ae9312ab55d75aa94feaad549b2a708Pavel Březina /* setup periodical refresh of expired records */
7b5e7e539ae9312ab55d75aa94feaad549b2a708Pavel Březina ret = be_refresh_add_cb(bectx->refresh_ctx, BE_REFRESH_TYPE_NETGROUPS,
7b5e7e539ae9312ab55d75aa94feaad549b2a708Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, ("Periodical refresh of netgroups "
7b5e7e539ae9312ab55d75aa94feaad549b2a708Pavel Březina "will not work [%d]: %s\n", ret, strerror(ret)));
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Already initialized */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher krb5_auth_ctx = talloc_zero(NULL, struct krb5_ctx);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher krb5_auth_ctx->service = ad_options->service->krb5_service;
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx,
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ("Could not determine Kerberos options\n"));
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = krb5_child_init(krb5_auth_ctx, bectx);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ("Could not initialize krb5_child settings: [%s]\n",
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ad_options->auth_ctx = talloc_steal(ad_options, krb5_auth_ctx);
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher /* Already initialized */
d92c50f6d75ae980b0d130134112a33e1584724cStephen Gallagher ret = sssm_ad_auth_init(bectx, ops, pvt_data);
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher access_ctx = talloc_zero(bectx, struct ad_access_ctx);
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher ret = sssm_ad_id_init(bectx, ops, (void **)&ad_id_ctx);
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher access_ctx->sdap_ctx = ad_id_ctx->sdap_id_ctx;
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher ret = dp_copy_options(access_ctx, ad_options->basic, AD_OPTS_BASIC,
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher ("Could not initialize access provider options: [%s]\n",
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher /* Set up an sdap_access_ctx for checking expired/locked accounts */
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher talloc_zero(access_ctx, struct sdap_access_ctx);
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;
efe6b4a9d374339cac2528cdeb43720957c6b7c9Jakub Hrozek /* If ad_access_filter is set, the value of ldap_access_order is
efe6b4a9d374339cac2528cdeb43720957c6b7c9Jakub Hrozek * expire, filter, otherwise only expire
a4cce2c98eedecb5d3b47da62104634cae268434Stephen Gallagher access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
efe6b4a9d374339cac2528cdeb43720957c6b7c9Jakub Hrozek filter = dp_opt_get_cstring(access_ctx->ad_options, AD_ACCESS_FILTER);
efe6b4a9d374339cac2528cdeb43720957c6b7c9Jakub Hrozek access_ctx->sdap_access_ctx->filter = sdap_get_access_filter(
efe6b4a9d374339cac2528cdeb43720957c6b7c9Jakub Hrozek if (access_ctx->sdap_access_ctx->filter == NULL) {
efe6b4a9d374339cac2528cdeb43720957c6b7c9Jakub Hrozek access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_FILTER;
efe6b4a9d374339cac2528cdeb43720957c6b7c9Jakub Hrozek access_ctx->sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EMPTY;
efe6b4a9d374339cac2528cdeb43720957c6b7c9Jakub Hrozek access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher /* TODO: Clean up any internal data */
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher sdap_handler_done(req, DP_ERR_OK, EOK, NULL);
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose ret = sssm_ad_id_init(bectx, ops, (void **) &id_ctx);
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ad_id_init failed.\n"));
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, ("Global AD options not available.\n"));
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose ret = ad_subdom_init(bectx, id_ctx, ad_domain, ops, pvt_data);
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, ("ad_subdom_init failed.\n"));