215N/A

132N/A#include "providers/ldap/ldap_common.h"

1215N/A#include "providers/fail_over.h"

1215N/A#include "providers/ldap/sdap_async_private.h"

1318N/A#include "providers/krb5/krb5_common.h"

1176N/A#include "db/sysdb_sudo.h"

132N/A#include "db/sysdb_services.h"

132N/A#include "db/sysdb_autofs.h"

132N/A

132N/A#include "util/sss_krb5.h"

132N/A#include "util/crypto/sss_crypto.h"

132N/A

132N/A#include "providers/ldap/ldap_opts.h"

132N/A#include "providers/ldap/sdap_idmap.h"

132N/A

132N/Aint ldap_child_debug_fd = -1;

132N/A

132N/A

132N/Aint ldap_get_options(TALLOC_CTX *memctx,

132N/A struct confdb_ctx *cdb,

132N/A const char *conf_path,

132N/A struct sdap_options **_opts)

132N/A{

132N/A struct sdap_attr_map *default_attr_map;

132N/A struct sdap_attr_map *default_user_map;

132N/A struct sdap_attr_map *default_group_map;

132N/A struct sdap_attr_map *default_netgroup_map;

132N/A struct sdap_attr_map *default_service_map;

132N/A struct sdap_options *opts;

132N/A char *schema;

132N/A const char *search_base;

132N/A const char *pwd_policy;

132N/A int ret;

132N/A int account_cache_expiration;

132N/A int offline_credentials_expiration;

132N/A const char *ldap_deref;

132N/A int ldap_deref_val;

132N/A int o;

132N/A const char *authtok_type;

132N/A struct dp_opt_blob authtok_blob;

132N/A char *cleartext;

132N/A const int search_base_options[] = { SDAP_USER_SEARCH_BASE,

132N/A SDAP_GROUP_SEARCH_BASE,

132N/A SDAP_NETGROUP_SEARCH_BASE,

132N/A SDAP_SERVICE_SEARCH_BASE,

132N/A -1 };

132N/A

132N/A opts = talloc_zero(memctx, struct sdap_options);

132N/A if (!opts) return ENOMEM;

132N/A

132N/A ret = dp_get_options(opts, cdb, conf_path,

132N/A default_basic_opts,

132N/A SDAP_OPTS_BASIC,

132N/A &opts->basic);

132N/A if (ret != EOK) {

132N/A goto done;

132N/A }

132N/A

132N/A /* Handle search bases */

132N/A search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);

132N/A if (search_base != NULL) {

132N/A /* set user/group/netgroup search bases if they are not */

132N/A for (o = 0; search_base_options[o] != -1; o++) {

132N/A if (NULL == dp_opt_get_string(opts->basic, search_base_options[o])) {

132N/A ret = dp_opt_set_string(opts->basic, search_base_options[o],

132N/A search_base);

132N/A if (ret != EOK) {

132N/A goto done;

219N/A }

1318N/A DEBUG(6, ("Option %s set to %s\n",

220N/A opts->basic[search_base_options[o]].opt_name,

1176N/A dp_opt_get_string(opts->basic,

1176N/A search_base_options[o])));

341N/A }

341N/A }

379N/A } else {

411N/A DEBUG(5, ("Search base not set, trying to discover it later when "

487N/A "connecting to the LDAP server.\n"));

706N/A }

706N/A

706N/A /* Default search */

741N/A ret = sdap_parse_search_base(opts, opts->basic,

741N/A SDAP_SEARCH_BASE,

706N/A &opts->search_bases);

706N/A if (ret != EOK && ret != ENOENT) goto done;

736N/A

487N/A /* User search */

704N/A ret = sdap_parse_search_base(opts, opts->basic,

487N/A SDAP_USER_SEARCH_BASE,

704N/A &opts->user_search_bases);

1215N/A if (ret != EOK && ret != ENOENT) goto done;

1215N/A

487N/A /* Group search base */

487N/A ret = sdap_parse_search_base(opts, opts->basic,

320N/A SDAP_GROUP_SEARCH_BASE,

336N/A &opts->group_search_bases);

336N/A if (ret != EOK && ret != ENOENT) goto done;

336N/A

1215N/A /* Netgroup search */

1215N/A ret = sdap_parse_search_base(opts, opts->basic,

1369N/A SDAP_NETGROUP_SEARCH_BASE,

336N/A &opts->netgroup_search_bases);

336N/A if (ret != EOK && ret != ENOENT) goto done;

336N/A

341N/A /* Service search */

487N/A ret = sdap_parse_search_base(opts, opts->basic,

336N/A SDAP_SERVICE_SEARCH_BASE,

336N/A &opts->service_search_bases);

336N/A if (ret != EOK && ret != ENOENT) goto done;

379N/A

379N/A pwd_policy = dp_opt_get_string(opts->basic, SDAP_PWD_POLICY);

487N/A if (pwd_policy == NULL) {

379N/A DEBUG(1, ("Missing password policy, this may not happen.\n"));

379N/A ret = EINVAL;

411N/A goto done;

411N/A }

487N/A if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) != 0 &&

411N/A strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) != 0 &&

411N/A strcasecmp(pwd_policy, PWD_POL_OPT_MIT) != 0) {

411N/A DEBUG(1, ("Unsupported password policy [%s].\n", pwd_policy));

320N/A ret = EINVAL;

336N/A goto done;

320N/A }

336N/A

1031N/A /* account_cache_expiration must be >= than offline_credentials_expiration */

1031N/A ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,

132N/A CONFDB_PAM_CRED_TIMEOUT, 0,

949N/A &offline_credentials_expiration);

1215N/A if (ret != EOK) {

949N/A DEBUG(1, ("Cannot get value of %s from confdb \n",

949N/A CONFDB_PAM_CRED_TIMEOUT));

949N/A goto done;

949N/A }

949N/A

949N/A account_cache_expiration = dp_opt_get_int(opts->basic,

949N/A SDAP_ACCOUNT_CACHE_EXPIRATION);

949N/A

1272N/A /* account cache_expiration must not be smaller than

949N/A if (!offline_credentials_expiration && account_cache_expiration) {

949N/A DEBUG(1, ("Conflicting values for options %s (unlimited) "

949N/A "and %s (%d)\n",

949N/A opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,

949N/A CONFDB_PAM_CRED_TIMEOUT,

949N/A offline_credentials_expiration));

949N/A ret = EINVAL;

949N/A goto done;

949N/A }

949N/A if (offline_credentials_expiration && account_cache_expiration &&

949N/A offline_credentials_expiration > account_cache_expiration) {

949N/A DEBUG(1, ("Value of %s (now %d) must be larger "

949N/A "than value of %s (now %d)\n",

1256N/A opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,

1256N/A account_cache_expiration,

1275N/A CONFDB_PAM_CRED_TIMEOUT,

1275N/A offline_credentials_expiration));

949N/A ret = EINVAL;

949N/A goto done;

132N/A }

132N/A

230N/A ldap_deref = dp_opt_get_string(opts->basic, SDAP_DEREF);

989N/A if (ldap_deref != NULL) {

989N/A ret = deref_string_to_val(ldap_deref, &ldap_deref_val);

989N/A if (ret != EOK) {

989N/A DEBUG(1, ("Failed to verify ldap_deref option.\n"));

989N/A goto done;

989N/A }

230N/A }

230N/A

230N/A#ifndef HAVE_LDAP_CONNCB

935N/A bool ldap_referrals;

935N/A

230N/A ldap_referrals = dp_opt_get_bool(opts->basic, SDAP_REFERRALS);

230N/A if (ldap_referrals) {

230N/A DEBUG(1, ("LDAP referrals are not supported, because the LDAP library "

989N/A "is too old, see sssd-ldap(5) for details.\n"));

989N/A ret = dp_opt_set_bool(opts->basic, SDAP_REFERRALS, false);

989N/A }

989N/A#endif

1215N/A

989N/A /* schema type */

989N/A schema = dp_opt_get_string(opts->basic, SDAP_SCHEMA);

989N/A if (strcasecmp(schema, "rfc2307") == 0) {

989N/A opts->schema_type = SDAP_SCHEMA_RFC2307;

989N/A default_attr_map = generic_attr_map;

989N/A default_user_map = rfc2307_user_map;

989N/A default_group_map = rfc2307_group_map;

989N/A default_netgroup_map = netgroup_map;

989N/A default_service_map = service_map;

1215N/A } else

1215N/A if (strcasecmp(schema, "rfc2307bis") == 0) {

1215N/A opts->schema_type = SDAP_SCHEMA_RFC2307BIS;

989N/A default_attr_map = generic_attr_map;

989N/A default_user_map = rfc2307bis_user_map;

1215N/A default_group_map = rfc2307bis_group_map;

989N/A default_netgroup_map = netgroup_map;

989N/A default_service_map = service_map;

989N/A } else

989N/A if (strcasecmp(schema, "IPA") == 0) {

230N/A opts->schema_type = SDAP_SCHEMA_IPA_V1;

230N/A default_attr_map = gen_ipa_attr_map;

230N/A default_user_map = rfc2307bis_user_map;

230N/A default_group_map = rfc2307bis_group_map;

230N/A default_netgroup_map = netgroup_map;

230N/A default_service_map = service_map;

230N/A } else

230N/A if (strcasecmp(schema, "AD") == 0) {

301N/A opts->schema_type = SDAP_SCHEMA_AD;

1318N/A default_attr_map = gen_ad_attr_map;

1323N/A default_user_map = gen_ad2008r2_user_map;

1323N/A default_group_map = gen_ad2008r2_group_map;

132N/A default_netgroup_map = netgroup_map;

949N/A default_service_map = service_map;

213N/A } else {

301N/A DEBUG(0, ("Unrecognized schema type: %s\n", schema));

741N/A ret = EINVAL;

132N/A goto done;

1318N/A }

1318N/A

1318N/A ret = sdap_get_map(opts, cdb, conf_path,

1318N/A default_attr_map,

1318N/A SDAP_AT_GENERAL,

132N/A &opts->gen_map);

211N/A if (ret != EOK) {

213N/A goto done;

213N/A }

213N/A

213N/A ret = sdap_get_map(opts, cdb, conf_path,

213N/A default_user_map,

1215N/A SDAP_OPTS_USER,

213N/A &opts->user_map);

213N/A if (ret != EOK) {

487N/A goto done;

213N/A }

213N/A

213N/A ret = sdap_get_map(opts, cdb, conf_path,

213N/A default_group_map,

213N/A SDAP_OPTS_GROUP,

213N/A &opts->group_map);

1215N/A if (ret != EOK) {

1215N/A goto done;

1215N/A }

1215N/A

1215N/A ret = sdap_get_map(opts, cdb, conf_path,

1215N/A default_netgroup_map,

1215N/A SDAP_OPTS_NETGROUP,

1323N/A &opts->netgroup_map);

1323N/A if (ret != EOK) {

213N/A goto done;

213N/A }

213N/A

213N/A ret = sdap_get_map(opts, cdb, conf_path,

1215N/A default_service_map,

1215N/A SDAP_OPTS_SERVICES,

845N/A &opts->service_map);

1215N/A if (ret != EOK) {

213N/A goto done;

213N/A }

230N/A

213N/A /* If there is no KDC, try the deprecated krb5_kdcip option, too */

213N/A /* FIXME - this can be removed in a future version */

211N/A ret = krb5_try_kdcip(cdb, conf_path, opts->basic, SDAP_KRB5_KDC);

211N/A if (ret != EOK) {

211N/A DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));

211N/A goto done;

211N/A }

1215N/A

1215N/A authtok_type = dp_opt_get_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE);

1215N/A if (authtok_type != NULL &&

1215N/A strcasecmp(authtok_type,"obfuscated_password") == 0) {

1215N/A DEBUG(9, ("Found obfuscated password, "

1215N/A "trying to convert to cleartext.\n"));

211N/A

1318N/A authtok_blob = dp_opt_get_blob(opts->basic, SDAP_DEFAULT_AUTHTOK);

1318N/A if (authtok_blob.data == NULL || authtok_blob.length == 0) {

1318N/A DEBUG(1, ("Missing obfuscated password string.\n"));

1318N/A return EINVAL;

1318N/A }

1318N/A

1318N/A ret = sss_password_decrypt(memctx, (char *) authtok_blob.data,

1318N/A &cleartext);

1318N/A if (ret != EOK) {

1318N/A DEBUG(1, ("Cannot convert the obfuscated "

1318N/A "password back to cleartext\n"));

1318N/A return ret;

1318N/A }

1318N/A

1318N/A authtok_blob.data = (uint8_t *) cleartext;

1318N/A authtok_blob.length = strlen(cleartext);

1318N/A ret = dp_opt_set_blob(opts->basic, SDAP_DEFAULT_AUTHTOK, authtok_blob);

1369N/A talloc_free(cleartext);

1318N/A if (ret != EOK) {

1318N/A DEBUG(1, ("dp_opt_set_string failed.\n"));

1318N/A return ret;

1318N/A }

1318N/A

1318N/A ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE,

1318N/A "password");

1319N/A if (ret != EOK) {

1318N/A DEBUG(1, ("dp_opt_set_string failed.\n"));

1319N/A return ret;

1318N/A }

132N/A }

211N/A

1215N/A ret = EOK;

950N/A *_opts = opts;

144N/A

453N/Adone:

144N/A if (ret != EOK) {

260N/A talloc_zfree(opts);

260N/A }

260N/A return ret;

260N/A}

260N/A

260N/Aint ldap_get_sudo_options(TALLOC_CTX *memctx,

260N/A struct confdb_ctx *cdb,

260N/A const char *conf_path,

144N/A struct sdap_options *opts,

219N/A bool *use_host_filter,

219N/A bool *include_regexp,

1215N/A bool *include_netgroups)

1215N/A{

1215N/A const char *search_base;

1215N/A int ret;

1215N/A

1215N/A /* search base */

219N/A search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);

220N/A if (search_base != NULL) {

220N/A /* set sudo search bases if they are not */

1215N/A if (dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE) == NULL) {

220N/A ret = dp_opt_set_string(opts->basic, SDAP_SUDO_SEARCH_BASE,

1215N/A search_base);

1215N/A if (ret != EOK) {

1215N/A DEBUG(SSSDBG_OP_FAILURE, ("Could not set SUDO search base"

1215N/A "to default value\n"));

1215N/A return ret;

1215N/A }

1215N/A

1215N/A DEBUG(SSSDBG_FUNC_DATA, ("Option %s set to %s\n",

1215N/A opts->basic[SDAP_SUDO_SEARCH_BASE].opt_name,

1215N/A dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE)));

1215N/A }

1215N/A } else {

1215N/A DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later "

1215N/A "connecting to the LDAP server.\n"));

1215N/A }

1215N/A

1215N/A ret = sdap_parse_search_base(opts, opts->basic,

1215N/A SDAP_SUDO_SEARCH_BASE,

1215N/A &opts->sudo_search_bases);

1215N/A if (ret != EOK && ret != ENOENT) {

1215N/A DEBUG(SSSDBG_OP_FAILURE, ("Could not parse SUDO search base\n"));

1215N/A return ret;

1215N/A }

1215N/A

220N/A /* attrs map */

220N/A ret = sdap_get_map(opts, cdb, conf_path,

221N/A native_sudorule_map,

1215N/A SDAP_OPTS_SUDO,

1215N/A &opts->sudorule_map);

1215N/A if (ret != EOK) {

1215N/A DEBUG(SSSDBG_OP_FAILURE, ("Could not get SUDO attribute map\n"));

1215N/A return ret;

981N/A }

981N/A

1215N/A /* host filter */

1215N/A *use_host_filter = dp_opt_get_bool(opts->basic, SDAP_SUDO_USE_HOST_FILTER);

221N/A *include_netgroups = dp_opt_get_bool(opts->basic, SDAP_SUDO_INCLUDE_NETGROUPS);

295N/A *include_regexp = dp_opt_get_bool(opts->basic, SDAP_SUDO_INCLUDE_REGEXP);

336N/A

336N/A return EOK;

336N/A}

336N/A

341N/Aint ldap_get_autofs_options(TALLOC_CTX *memctx,

336N/A struct confdb_ctx *cdb,

336N/A const char *conf_path,

336N/A struct sdap_options *opts)

336N/A{

341N/A const char *search_base;

336N/A struct sdap_attr_map *default_entry_map;

336N/A struct sdap_attr_map *default_mobject_map;

879N/A int ret;

336N/A

341N/A /* search base */

341N/A search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);

336N/A if (search_base != NULL) {

336N/A /* set autofs search bases if they are not */

295N/A if (dp_opt_get_string(opts->basic, SDAP_AUTOFS_SEARCH_BASE) == NULL) {

341N/A ret = dp_opt_set_string(opts->basic, SDAP_AUTOFS_SEARCH_BASE,

295N/A search_base);

295N/A if (ret != EOK) {

295N/A DEBUG(SSSDBG_OP_FAILURE, ("Could not set autofs search base"

295N/A "to default value\n"));

295N/A return ret;

295N/A }

295N/A

295N/A DEBUG(SSSDBG_FUNC_DATA, ("Option %s set to %s\n",

295N/A opts->basic[SDAP_AUTOFS_SEARCH_BASE].opt_name,

301N/A dp_opt_get_string(opts->basic, SDAP_AUTOFS_SEARCH_BASE)));

879N/A }

339N/A } else {

341N/A DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later "

341N/A "connecting to the LDAP server.\n"));

339N/A }

339N/A

339N/A ret = sdap_parse_search_base(opts, opts->basic,

341N/A SDAP_AUTOFS_SEARCH_BASE,

339N/A &opts->autofs_search_bases);

339N/A if (ret != EOK && ret != ENOENT) {

339N/A DEBUG(SSSDBG_OP_FAILURE, ("Could not parse autofs search base\n"));

339N/A return ret;

339N/A }

339N/A

339N/A /* attribute maps */

339N/A switch (opts->schema_type) {

339N/A case SDAP_SCHEMA_RFC2307:

379N/A default_mobject_map = rfc2307_autofs_mobject_map;

379N/A default_entry_map = rfc2307_autofs_entry_map;

379N/A break;

379N/A case SDAP_SCHEMA_RFC2307BIS:

379N/A case SDAP_SCHEMA_IPA_V1:

379N/A case SDAP_SCHEMA_AD:

411N/A default_mobject_map = rfc2307bis_autofs_mobject_map;

379N/A default_entry_map = rfc2307bis_autofs_entry_map;

379N/A break;

379N/A default:

386N/A DEBUG(SSSDBG_CRIT_FAILURE, ("Unknown LDAP schema!\n"));

379N/A return EINVAL;

1024N/A }

379N/A

379N/A ret = sdap_get_map(opts, cdb, conf_path,

379N/A default_mobject_map,

379N/A SDAP_OPTS_AUTOFS_MAP,

411N/A &opts->autofs_mobject_map);

411N/A if (ret != EOK) {

411N/A DEBUG(SSSDBG_OP_FAILURE,

411N/A ("Could not get autofs map object attribute map\n"));

411N/A return ret;

411N/A }

411N/A

411N/A ret = sdap_get_map(opts, cdb, conf_path,

411N/A default_entry_map,

411N/A SDAP_OPTS_AUTOFS_ENTRY,

411N/A &opts->autofs_entry_map);

411N/A if (ret != EOK) {

411N/A DEBUG(SSSDBG_OP_FAILURE,

411N/A ("Could not get autofs entry object attribute map\n"));

411N/A return ret;

411N/A }

482N/A

411N/A return EOK;

411N/A}

411N/A

1072N/Aerrno_t sdap_parse_search_base(TALLOC_CTX *mem_ctx,

1072N/A struct dp_option *opts, int class,

1072N/A struct sdap_search_base ***_search_bases)

411N/A{

463N/A const char *class_name;

411N/A char *unparsed_base;

339N/A const char *old_filter = NULL;

996N/A

1215N/A *_search_bases = NULL;

996N/A

996N/A switch (class) {

1215N/A case SDAP_SEARCH_BASE:

1215N/A class_name = "DEFAULT";

1215N/A break;

1215N/A case SDAP_USER_SEARCH_BASE:

1215N/A class_name = "USER";

1215N/A old_filter = dp_opt_get_string(opts, SDAP_USER_SEARCH_FILTER);

1215N/A break;

1215N/A case SDAP_GROUP_SEARCH_BASE:

1215N/A class_name = "GROUP";

1215N/A old_filter = dp_opt_get_string(opts, SDAP_GROUP_SEARCH_FILTER);

996N/A break;

996N/A case SDAP_NETGROUP_SEARCH_BASE:

996N/A class_name = "NETGROUP";

1215N/A break;

996N/A case SDAP_SUDO_SEARCH_BASE:

996N/A class_name = "SUDO";

1215N/A break;

1215N/A case SDAP_SERVICE_SEARCH_BASE:

1215N/A class_name = "SERVICE";

1215N/A break;

1215N/A case SDAP_AUTOFS_SEARCH_BASE:

1215N/A class_name = "AUTOFS";

1215N/A break;

1215N/A default:

1215N/A DEBUG(SSSDBG_CONF_SETTINGS,

1215N/A ("Unknown search base type: [%d]\n", class));

996N/A class_name = "UNKNOWN";

996N/A /* Non-fatal */

336N/A break;

381N/A }

336N/A

336N/A unparsed_base = dp_opt_get_string(opts, class);

336N/A if (!unparsed_base || unparsed_base[0] == '\0') return ENOENT;

336N/A

336N/A return common_parse_search_base(mem_ctx, unparsed_base,

336N/A class_name, old_filter,

336N/A _search_bases);

336N/A}

336N/A

336N/Aerrno_t common_parse_search_base(TALLOC_CTX *mem_ctx,

336N/A const char *unparsed_base,

301N/A const char *class_name,

301N/A const char *old_filter,

301N/A struct sdap_search_base ***_search_bases)

301N/A{

301N/A errno_t ret;

301N/A struct sdap_search_base **search_bases;

301N/A TALLOC_CTX *tmp_ctx;

301N/A struct ldb_context *ldb;

301N/A struct ldb_dn *ldn;

301N/A struct ldb_parse_tree *tree;

691N/A char **split_bases;

301N/A char *filter;

301N/A int count;

301N/A int i, c;

301N/A

301N/A tmp_ctx = talloc_new(NULL);

301N/A if (!tmp_ctx) {

448N/A ret = ENOMEM;

446N/A goto done;

448N/A }

500N/A

736N/A /* Create a throwaway LDB context for validating the DN */

706N/A ldb = ldb_init(tmp_ctx, NULL);

706N/A if (!ldb) {

807N/A ret = ENOMEM;

1215N/A goto done;

455N/A }

706N/A

706N/A ret = split_on_separator(tmp_ctx, unparsed_base, '?', false,

455N/A &split_bases, &count);

706N/A if (ret != EOK) goto done;

455N/A

480N/A /* The split must be either exactly one value or a multiple of

706N/A if (count > 1 && (count % 3)) {

455N/A DEBUG(SSSDBG_CRIT_FAILURE,

480N/A ("Unparseable search base: [%s][%d]\n", unparsed_base, count));

480N/A ret = EINVAL;

741N/A goto done;

741N/A }

500N/A

500N/A if (count == 1) {

500N/A search_bases = talloc_array(tmp_ctx, struct sdap_search_base *, 2);

1215N/A if (!search_bases) {

1215N/A ret = ENOMEM;

1215N/A goto done;

1215N/A }

1215N/A search_bases[0] = talloc_zero(search_bases, struct sdap_search_base);

1215N/A if (!search_bases[0]) {

1215N/A ret = ENOMEM;

725N/A goto done;

725N/A }

1215N/A

1215N/A search_bases[0]->basedn = talloc_strdup(search_bases[0],

1215N/A unparsed_base);

1215N/A if (!search_bases[0]->basedn) {

725N/A ret = ENOMEM;

1215N/A goto done;

1215N/A }

1215N/A

1215N/A /* Validate the basedn */

1215N/A ldn = ldb_dn_new(tmp_ctx, ldb, unparsed_base);

1215N/A if (!ldn) {

1215N/A ret = ENOMEM;

1215N/A goto done;

1215N/A }

1215N/A

1215N/A if (!ldb_dn_validate(ldn)) {

1215N/A DEBUG(SSSDBG_CRIT_FAILURE,

301N/A ("Invalid base DN [%s]\n",

301N/A unparsed_base));

736N/A ret = EINVAL;

1215N/A goto done;

1215N/A }

1215N/A talloc_zfree(ldn);

1215N/A

1215N/A search_bases[0]->scope = LDAP_SCOPE_SUBTREE;

1215N/A

1215N/A /* Use a search filter specified in the old style if available */

736N/A search_bases[0]->filter = old_filter;

736N/A

736N/A DEBUG(SSSDBG_CONF_SETTINGS,

736N/A ("Search base added: [%s][%s][%s][%s]\n",

736N/A class_name,

736N/A search_bases[0]->basedn,

736N/A "SUBTREE",

736N/A search_bases[0]->filter ? search_bases[0]->filter : ""));

736N/A

736N/A search_bases[1] = NULL;

736N/A } else {

736N/A search_bases = talloc_array(tmp_ctx, struct sdap_search_base *,

741N/A (count / 3) + 1);

741N/A if (!search_bases) {

1215N/A ret = ENOMEM;

1215N/A goto done;

1215N/A }

1215N/A

1215N/A i = 0;

736N/A for (c = 0; c < count; c += 3) {

736N/A search_bases[i] = talloc_zero(search_bases,

336N/A struct sdap_search_base);

301N/A if (!search_bases[i]) {

301N/A ret = ENOMEM;

501N/A goto done;

301N/A }

301N/A

301N/A if (split_bases[c][0] == '\0') {

301N/A DEBUG(SSSDBG_CRIT_FAILURE,

301N/A ("Zero-length search base: [%s]\n", unparsed_base));

301N/A ret = EINVAL;

301N/A goto done;

301N/A }

301N/A

449N/A /* Validate the basedn */

624N/A ldn = ldb_dn_new(tmp_ctx, ldb, split_bases[c]);

624N/A if (!ldn) {

624N/A ret = ENOMEM;

624N/A goto done;

624N/A }

624N/A

624N/A if (!ldb_dn_validate(ldn)) {

624N/A DEBUG(SSSDBG_CRIT_FAILURE,

624N/A ("Invalid base DN [%s]\n",

624N/A split_bases[c]));

624N/A ret = EINVAL;

624N/A goto done;

624N/A }

624N/A talloc_zfree(ldn);

624N/A

624N/A /* Set the search base DN */

624N/A search_bases[i]->basedn = talloc_strdup(search_bases[i],

624N/A split_bases[c]);

624N/A if (!search_bases[i]->basedn) {

624N/A ret = ENOMEM;

624N/A goto done;

624N/A }

624N/A

801N/A /* Set the search scope for this base DN */

801N/A if ((split_bases[c+1][0] == '\0')

801N/A || strcasecmp(split_bases[c+1], "sub") == 0

801N/A || strcasecmp(split_bases[c+1], "subtree") == 0) {

801N/A /* If unspecified, default to subtree */

801N/A search_bases[i]->scope = LDAP_SCOPE_SUBTREE;

801N/A } else if (strcasecmp(split_bases[c+1], "one") == 0

801N/A || strcasecmp(split_bases[c+1], "onelevel") == 0) {

801N/A search_bases[i]->scope = LDAP_SCOPE_ONELEVEL;

801N/A } else if (strcasecmp(split_bases[c+1], "base") == 0) {

1095N/A search_bases[i]->scope = LDAP_SCOPE_BASE;

1095N/A } else {

1215N/A DEBUG(SSSDBG_CRIT_FAILURE,

1215N/A ("Unknown search scope: [%s]\n", split_bases[c+1]));

1099N/A ret = EINVAL;

1215N/A goto done;

1215N/A }

1215N/A

1095N/A /* Get a specialized filter if provided */

1095N/A if (split_bases[c+2][0] == '\0') {

1176N/A search_bases[i]->filter = NULL;

1176N/A } else {

1215N/A if (split_bases[c+2][0] != '(') {

1215N/A /* Filters need to be enclosed in parentheses

1215N/A filter = talloc_asprintf(tmp_ctx, "(%s)",

1215N/A split_bases[c+2]);

1215N/A } else {

1176N/A filter = talloc_strdup(tmp_ctx, split_bases[c+2]);

1215N/A }

1215N/A if (!filter) {

1215N/A ret = ENOMEM;

1176N/A goto done;

1215N/A }

1215N/A

1215N/A tree = ldb_parse_tree(tmp_ctx, filter);

1215N/A if(!tree) {

1215N/A DEBUG(SSSDBG_CRIT_FAILURE,

1215N/A ("Invalid search filter: [%s]\n", filter));

1215N/A ret = EINVAL;

1215N/A goto done;

1217N/A }

1215N/A talloc_zfree(tree);

1215N/A

1215N/A search_bases[i]->filter = talloc_steal(search_bases[i],

1176N/A filter);

1215N/A }

1215N/A

1215N/A DEBUG(SSSDBG_CONF_SETTINGS,

1215N/A ("Search base added: [%s][%s][%s][%s]\n",

1215N/A class_name,

1215N/A search_bases[i]->basedn,

1215N/A split_bases[c+1][0] ? split_bases[c+1] : "SUBTREE",

1215N/A search_bases[i]->filter ? search_bases[i]->filter : ""));

1215N/A

1215N/A i++;

1215N/A }

1215N/A search_bases[i] = NULL;

1215N/A }

1215N/A

1215N/A *_search_bases = talloc_steal(mem_ctx, search_bases);

1215N/A ret = EOK;

1215N/A

1176N/Adone:

1215N/A talloc_free(tmp_ctx);

1215N/A return ret;

1215N/A}

1215N/A

1176N/Avoid sdap_handler_done(struct be_req *req, int dp_err,

1215N/A int error, const char *errstr)

1215N/A{

1215N/A return req->fn(req, dp_err, error, errstr);

1215N/A}

1176N/A

1215N/Avoid sdap_mark_offline(struct sdap_id_ctx *ctx)

1215N/A{

1215N/A be_mark_offline(ctx->be);

1215N/A}

1215N/A

1176N/Aint sdap_id_setup_tasks(struct sdap_id_ctx *ctx)

1215N/A{

1215N/A struct timeval tv;

1176N/A int ret = EOK;

1215N/A int delay;

1215N/A bool has_enumerated;

1176N/A

1215N/A /* set up enumeration task */

1215N/A if (ctx->be->domain->enumerate) {

1215N/A /* If this is the first startup, we need to kick off

1215N/A ret = sysdb_has_enumerated(ctx->be->sysdb, &has_enumerated);

1215N/A if (ret != EOK) {

1176N/A return ret;

1176N/A }

1176N/A if (has_enumerated) {

1176N/A /* At least one enumeration has previously run,

1215N/A tv = tevent_timeval_current_ofs(10, 0);

1215N/A } else {

1176N/A /* This is our first startup. Schedule the

1215N/A tv = tevent_timeval_current();

1215N/A }

1215N/A

1176N/A ret = ldap_id_enumerate_set_timer(ctx, tv);

1215N/A } else {

1176N/A /* the enumeration task, runs the cleanup process by itself,

1215N/A delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);

1176N/A if (delay == 0) {

1176N/A /* Cleanup has been explicitly disabled, so we won't

1176N/A return EOK;

1215N/A }

1215N/A

1215N/A /* run the first one in a couple of seconds so that we have time to

1216N/A tv = tevent_timeval_current_ofs(10, 0);

132N/A ret = ldap_id_cleanup_set_timer(ctx, tv);

}

return ret;

}

static void sdap_uri_callback(void *private_data, struct fo_server *server)

{

TALLOC_CTX *tmp_ctx = NULL;

struct sdap_service *service;

struct resolv_hostent *srvaddr;

struct sockaddr_storage *sockaddr;

const char *tmp;

const char *srv_name;

char *new_uri;

tmp_ctx = talloc_new(NULL);

if (tmp_ctx == NULL) {

DEBUG(1, ("talloc_new failed\n"));

return;

}

service = talloc_get_type(private_data, struct sdap_service);

if (!service) {

talloc_free(tmp_ctx);

return;

}

tmp = (const char *)fo_get_server_user_data(server);

srvaddr = fo_get_server_hostent(server);

if (!srvaddr) {

DEBUG(1, ("FATAL: No hostent available for server (%s)\n",

fo_get_server_str_name(server)));

talloc_free(tmp_ctx);

return;

}

sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr,

fo_get_server_port(server));

if (sockaddr == NULL) {

DEBUG(1, ("resolv_get_sockaddr_address failed.\n"));

talloc_free(tmp_ctx);

return;

}

if (fo_is_srv_lookup(server)) {

if (!tmp) {

DEBUG(1, ("Unknown service, using ldap\n"));

tmp = SSS_LDAP_SRV_NAME;

}

srv_name = fo_get_server_name(server);

if (srv_name == NULL) {

DEBUG(1, ("Could not get server host name\n"));

talloc_free(tmp_ctx);

return;

}

new_uri = talloc_asprintf(service, "%s://%s:%d",

tmp, srv_name,

fo_get_server_port(server));

} else {

new_uri = talloc_strdup(service, tmp);

}

if (!new_uri) {

DEBUG(2, ("Failed to copy URI ...\n"));

talloc_free(tmp_ctx);

return;

}

DEBUG(6, ("Constructed uri '%s'\n", new_uri));

/* free old one and replace with new one */

talloc_zfree(service->uri);

service->uri = new_uri;

talloc_zfree(service->sockaddr);

service->sockaddr = talloc_steal(service, sockaddr);

talloc_free(tmp_ctx);

}

static void sdap_finalize(struct tevent_context *ev,

struct tevent_signal *se,

int signum,

int count,

void *siginfo,

void *private_data)

{

char *realm = (char *) private_data;

int ret;

ret = remove_krb5_info_files(se, realm);

if (ret != EOK) {

DEBUG(1, ("remove_krb5_info_files failed.\n"));

}

sig_term(signum);

}

errno_t sdap_install_sigterm_handler(TALLOC_CTX *mem_ctx,

struct tevent_context *ev,

const char *realm)

{

char *sig_realm;

struct tevent_signal *sige;

BlockSignals(false, SIGTERM);

sig_realm = talloc_strdup(mem_ctx, realm);

if (sig_realm == NULL) {

DEBUG(1, ("talloc_strdup failed!\n"));

return ENOMEM;

}

sige = tevent_add_signal(ev, mem_ctx, SIGTERM, SA_SIGINFO, sdap_finalize,

sig_realm);

if (sige == NULL) {

DEBUG(1, ("tevent_add_signal failed.\n"));

talloc_free(sig_realm);

return ENOMEM;

}

talloc_steal(sige, sig_realm);

return EOK;

}

void sdap_remove_kdcinfo_files_callback(void *pvt)

{

int ret;

TALLOC_CTX *tmp_ctx = NULL;

struct remove_info_files_ctx *ctx = talloc_get_type(pvt,

struct remove_info_files_ctx);

ret = be_fo_run_callbacks_at_next_request(ctx->be_ctx,

ctx->kdc_service_name);

if (ret != EOK) {

DEBUG(1, ("be_fo_run_callbacks_at_next_request failed, "

"krb5 info files will not be removed, because "

"it is unclear if they will be recreated properly.\n"));

return;

}

tmp_ctx = talloc_new(NULL);

if (tmp_ctx == NULL) {

DEBUG(1, ("talloc_new failed, cannot remove krb5 info files.\n"));

return;

}

ret = remove_krb5_info_files(tmp_ctx, ctx->realm);

if (ret != EOK) {

DEBUG(1, ("remove_krb5_info_files failed.\n"));

}

talloc_zfree(tmp_ctx);

}

errno_t sdap_install_offline_callback(TALLOC_CTX *mem_ctx,

struct be_ctx *be_ctx,

const char *realm,

const char *service_name)

{

int ret;

struct remove_info_files_ctx *ctx;

ctx = talloc_zero(mem_ctx, struct remove_info_files_ctx);

if (ctx == NULL) {

DEBUG(1, ("talloc_zfree failed.\n"));

return ENOMEM;

}

ctx->be_ctx = be_ctx;

ctx->realm = talloc_strdup(ctx, realm);

ctx->kdc_service_name = talloc_strdup(ctx, service_name);

if (ctx->realm == NULL || ctx->kdc_service_name == NULL) {

DEBUG(1, ("talloc_strdup failed!\n"));

ret = ENOMEM;

goto done;

}

ret = be_add_offline_cb(ctx, be_ctx,

sdap_remove_kdcinfo_files_callback,

ctx, NULL);

if (ret != EOK) {

DEBUG(1, ("be_add_offline_cb failed.\n"));

goto done;

}

ret = EOK;

done:

if (ret != EOK) {

talloc_zfree(ctx);

}

return ret;

}

static const char *

sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)

{

char *krb5_realm = NULL;

const char *realm = NULL;

krb5_error_code krberr;

krb5_context context = NULL;

krberr = krb5_init_context(&context);

if (krberr) {

DEBUG(2, ("Failed to init kerberos context\n"));

goto done;

}

krberr = krb5_get_default_realm(context, &krb5_realm);

if (krberr) {

DEBUG(2, ("Failed to get default realm name: %s\n",

sss_krb5_get_error_message(context, krberr)));

goto done;

}

realm = talloc_strdup(mem_ctx, krb5_realm);

krb5_free_default_realm(context, krb5_realm);

if (!realm) {

DEBUG(0, ("Out of memory\n"));

goto done;

}

DEBUG(7, ("Will use default realm %s\n", realm));

done:

if (context) krb5_free_context(context);

return realm;

}

int sdap_gssapi_init(TALLOC_CTX *mem_ctx,

struct dp_option *opts,

struct be_ctx *bectx,

struct sdap_service *sdap_service,

struct krb5_service **krb5_service)

{

int ret;

const char *krb5_servers;

const char *krb5_backup_servers;

const char *krb5_realm;

const char *krb5_opt_realm;

struct krb5_service *service = NULL;

TALLOC_CTX *tmp_ctx;

tmp_ctx = talloc_new(NULL);

if (tmp_ctx == NULL) return ENOMEM;

krb5_servers = dp_opt_get_string(opts, SDAP_KRB5_KDC);

krb5_backup_servers = dp_opt_get_string(opts, SDAP_KRB5_BACKUP_KDC);

krb5_opt_realm = dp_opt_get_string(opts, SDAP_KRB5_REALM);

if (krb5_opt_realm == NULL) {

DEBUG(2, ("Missing krb5_realm option, will use libkrb default\n"));

krb5_realm = sdap_gssapi_get_default_realm(tmp_ctx);

if (krb5_realm == NULL) {

DEBUG(0, ("Cannot determine the Kerberos realm, aborting\n"));

ret = EIO;

goto done;

}

} else {

krb5_realm = talloc_strdup(tmp_ctx, krb5_opt_realm);

if (krb5_realm == NULL) {

ret = ENOMEM;

goto done;

}

}

ret = krb5_service_init(mem_ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,

krb5_backup_servers, krb5_realm, &service);

if (ret != EOK) {

DEBUG(0, ("Failed to init KRB5 failover service!\n"));

goto done;

}

ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm);

if (ret != EOK) {

DEBUG(0, ("Failed to install sigterm handler\n"));

goto done;

}

ret = sdap_install_offline_callback(mem_ctx, bectx,

krb5_realm, SSS_KRB5KDC_FO_SRV);

if (ret != EOK) {

DEBUG(0, ("Failed to install sigterm handler\n"));

goto done;

}

sdap_service->kinit_service_name = talloc_strdup(sdap_service,

service->name);

if (sdap_service->kinit_service_name == NULL) {

ret = ENOMEM;

goto done;

}

ret = EOK;

*krb5_service = service;

done:

talloc_free(tmp_ctx);

if (ret != EOK) talloc_free(service);

return ret;

}

errno_t sdap_urls_init(struct be_ctx *ctx,

struct sdap_service *service,

const char *service_name,

const char *dns_service_name,

const char *urls,

bool primary)

{

TALLOC_CTX *tmp_ctx;

char *srv_user_data;

char **list = NULL;

LDAPURLDesc *lud;

errno_t ret = 0;

int i;

tmp_ctx = talloc_new(NULL);

if (!tmp_ctx) {

return ENOMEM;

}

/* split server parm into a list */

ret = split_on_separator(tmp_ctx, urls, ',', true, &list, NULL);

if (ret != EOK) {

DEBUG(1, ("Failed to parse server list!\n"));

goto done;

}

/* now for each URI add a new server to the failover service */

for (i = 0; list[i]; i++) {

if (be_fo_is_srv_identifier(list[i])) {

if (!primary) {

DEBUG(SSSDBG_MINOR_FAILURE,

("Failed to add server [%s] to failover service: "

"SRV resolution only allowed for primary servers!\n",

list[i]));

continue;

}

if (!dns_service_name) {

DEBUG(0, ("Missing DNS service name for service [%s].\n",

service_name));

ret = EINVAL;

goto done;

}

srv_user_data = talloc_strdup(service, dns_service_name);

if (!srv_user_data) {

ret = ENOMEM;

goto done;

}

ret = be_fo_add_srv_server(ctx, service_name,

dns_service_name, NULL,

BE_FO_PROTO_TCP, false, srv_user_data);

if (ret) {

DEBUG(0, ("Failed to add server\n"));

goto done;

}

DEBUG(6, ("Added service lookup\n"));

continue;

}

ret = ldap_url_parse(list[i], &lud);

if (ret != LDAP_SUCCESS) {

DEBUG(0, ("Failed to parse ldap URI (%s)!\n", list[i]));

ret = EINVAL;

goto done;

}

if (lud->lud_host == NULL) {

DEBUG(2, ("The LDAP URI (%s) did not contain a host name\n",

list[i]));

ldap_free_urldesc(lud);

continue;

}

DEBUG(6, ("Added URI %s\n", list[i]));

talloc_steal(service, list[i]);

/* It could be ipv6 address in square brackets. Remove

ret = remove_ipv6_brackets(lud->lud_host);

if (ret != EOK) {

goto done;

}

ret = be_fo_add_server(ctx, service->name, lud->lud_host,

lud->lud_port, list[i], primary);

ldap_free_urldesc(lud);

if (ret) {

goto done;

}

}

done:

talloc_free(tmp_ctx);

return ret;

}

static int ldap_user_data_cmp(void *ud1, void *ud2)

{

return strcasecmp((char*) ud1, (char*) ud2);

}

int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,

const char *service_name, const char *dns_service_name,

const char *urls, const char *backup_urls,

struct sdap_service **_service)

{

TALLOC_CTX *tmp_ctx;

struct sdap_service *service;

int ret;

tmp_ctx = talloc_new(NULL);

if (!tmp_ctx) {

return ENOMEM;

}

service = talloc_zero(tmp_ctx, struct sdap_service);

if (!service) {

ret = ENOMEM;

goto done;

}

ret = be_fo_add_service(ctx, service_name, ldap_user_data_cmp);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to create failover service!\n"));

goto done;

}

service->name = talloc_strdup(service, service_name);

if (!service->name) {

ret = ENOMEM;

goto done;

}

if (!urls) {

DEBUG(SSSDBG_CONF_SETTINGS,

("No primary servers defined, using service discovery\n"));

urls = BE_SRV_IDENTIFIER;

}

ret = sdap_urls_init(ctx, service, service_name, dns_service_name,

urls, true);

if (ret != EOK) {

goto done;

}

if (backup_urls) {

ret = sdap_urls_init(ctx, service, service_name, dns_service_name,

backup_urls, false);

if (ret != EOK) {

goto done;

}

}

ret = be_fo_service_add_callback(memctx, ctx, service->name,

sdap_uri_callback, service);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to add failover callback!\n"));

goto done;

}

ret = EOK;

done:

if (ret == EOK) {

*_service = talloc_steal(memctx, service);

}

talloc_zfree(tmp_ctx);

return ret;

}

errno_t string_to_shadowpw_days(const char *s, long *d)

{

long l;

char *endptr;

if (s == NULL || *s == '\0') {

*d = -1;

return EOK;

}

errno = 0;

l = strtol(s, &endptr, 10);

if (errno != 0) {

DEBUG(1, ("strtol failed [%d][%s].\n", errno, strerror(errno)));

return errno;

}

if (*endptr != '\0') {

DEBUG(1, ("Input string [%s] is invalid.\n", s));

return EINVAL;

}

if (l < -1) {

DEBUG(1, ("Input string contains not allowed negative value [%d].\n",

l));

return EINVAL;

}

*d = l;

return EOK;

}

errno_t get_sysdb_attr_name(TALLOC_CTX *mem_ctx,

struct sdap_attr_map *map,

size_t map_size,

const char *ldap_name,

char **sysdb_name)

{

size_t i;

for (i = 0; i < map_size; i++) {

/* Skip map entries with no name (may depend on

if (!map[i].name) continue;

/* Check if it is a mapped attribute */

if(strcasecmp(ldap_name, map[i].name) == 0) break;

}

if (i < map_size) {

/* We found a mapped name, return that */

*sysdb_name = talloc_strdup(mem_ctx, map[i].sys_name);

} else {

/* Not mapped, use the same name */

*sysdb_name = talloc_strdup(mem_ctx, ldap_name);

}

if (!*sysdb_name) {