ad_common.c revision 0051296f67bd7d8e2e3094638ddff4e641324d04
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina Stephen Gallagher <sgallagh@redhat.com>
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina Copyright (C) 2012 Red Hat
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina This program is free software; you can redistribute it and/or modify
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina it under the terms of the GNU General Public License as published by
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina the Free Software Foundation; either version 3 of the License, or
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina (at your option) any later version.
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina This program is distributed in the hope that it will be useful,
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina but WITHOUT ANY WARRANTY; without even the implied warranty of
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina GNU General Public License for more details.
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina You should have received a copy of the GNU General Public License
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina along with this program. If not, see <http://www.gnu.org/licenses/>.
a6cd927f298ff5c9a603db5acb6c1b0ebea178c0Pavel Březina opts = talloc_zero(mem_ctx, struct ad_options);
bda8039465a0084fb380e878c8f9ea3e900505eaPavel Březina /* If the AD domain name wasn't explicitly set, assume that it
bda8039465a0084fb380e878c8f9ea3e900505eaPavel Březina * matches the SSSD domain name
bda8039465a0084fb380e878c8f9ea3e900505eaPavel Březina domain = dp_opt_get_string(opts->basic, AD_DOMAIN);
bda8039465a0084fb380e878c8f9ea3e900505eaPavel Březina ret = dp_opt_set_string(opts->basic, AD_DOMAIN, dom->name);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Did we get an explicit server name, or are we discovering it? */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina server = dp_opt_get_string(opts->basic, AD_SERVER);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("No AD server set, will use service discovery!\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Set the machine's hostname to the local host name if it
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina * wasn't explicitly specified.
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ad_hostname = dp_opt_get_string(opts->basic, AD_HOSTNAME);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("gethostname failed [%s].\n",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("Setting ad_hostname to [%s].\n", hostname));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("Setting ad_hostname failed [%s].\n",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Always use the upper-case AD domain for the kerberos realm */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = dp_opt_set_string(opts->basic, AD_KRB5_REALM, realm);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Active Directory is always case-insensitive */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Set this in the confdb so that the responders pick it
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina * up when they start up.
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = confdb_set_bool(cdb, conf_path, "case_sensitive",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("Could not set domain case-sensitive: [%s]\n",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("Setting domain case-insensitive\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březinaad_resolve_callback(void *private_data, struct fo_server *server);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Split the server list */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = split_on_separator(tmp_ctx, servers, ',', true, &list, NULL);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to parse server list!\n"));
877b92e80bde510d5cd9f03dbf01e2bcf73ab072Michal Židek ad_domain = dp_opt_get_string(options->basic, AD_DOMAIN);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Add each of these servers to the failover service */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina for (i = 0; list[i]; i++) {
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("Failed to add server [%s] to failover service: "
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina "SRV resolution only allowed for primary servers!\n",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = be_fo_add_srv_server(bectx, AD_SERVICE_NAME, "ldap",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("Failed to add service discovery to failover: [%s]",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CONF_SETTINGS, ("Added service discovery for AD\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = be_fo_add_server(bectx, AD_SERVICE_NAME, list[i], 0, NULL, primary);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to add server\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CONF_SETTINGS, ("Added failover server %s\n", list[i]));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březinastatic int ad_user_data_cmp(void *ud1, void *ud2)
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březinaad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina service = talloc_zero(tmp_ctx, struct ad_service);
b03ccb2764a4ccdadb77599cb624b6a17b633438Pavel Březina service->sdap = talloc_zero(service, struct sdap_service);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina service->krb5_service = talloc_zero(service, struct krb5_service);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = be_fo_add_service(bectx, AD_SERVICE_NAME, ad_user_data_cmp);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to create failover service!\n"));
b03ccb2764a4ccdadb77599cb624b6a17b633438Pavel Březina service->sdap->name = talloc_strdup(service, AD_SERVICE_NAME);
cf3ba77997dfbd076a1f30fdbb33c7973766ac03Pavel Březina service->krb5_service->name = talloc_strdup(service, AD_SERVICE_NAME);
5e2ffb69dcdd157ea422c6aec256111653e4206bPavel Březina service->sdap->kinit_service_name = service->krb5_service->name;
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina realm = dp_opt_get_string(options->basic, AD_KRB5_REALM);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("No Kerberos realm set\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("No primary servers defined but backup are present, "
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina "setting backup servers as primary\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("No primary or backup servers defined but backup are present, "
b03ccb2764a4ccdadb77599cb624b6a17b633438Pavel Březina "setting backup servers as primary\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = ad_servers_init(mem_ctx, bectx, primary_servers, options, true);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = ad_servers_init(mem_ctx, bectx, backup_servers, options, false);
16065cc731687eb8779d31b79436bbf79c5e3ed3Pavel Březina ret = be_fo_service_add_callback(mem_ctx, bectx, AD_SERVICE_NAME,
16065cc731687eb8779d31b79436bbf79c5e3ed3Pavel Březina ("Failed to add failover callback! [%s]\n", strerror(ret)));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březinaad_resolve_callback(void *private_data, struct fo_server *server)
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("Out of memory\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina service = talloc_get_type(private_data, struct ad_service);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("No hostent available for server (%s)\n",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("resolv_get_sockaddr_address failed.\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina address = resolv_get_string_address(tmp_ctx, srvaddr);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("resolv_get_string_address failed.\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("Could not get server host name\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina new_uri = talloc_asprintf(service, "ldap://%s", srv_name);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to copy URI\n"));
4940ba14100ad11b0ed1f2a8a4fea5daa34d56eePavel Březina DEBUG(SSSDBG_CONF_SETTINGS, ("Constructed uri '%s'\n", new_uri));
4940ba14100ad11b0ed1f2a8a4fea5daa34d56eePavel Březina /* free old one and replace with new one */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina service->sdap->sockaddr = talloc_steal(service, sockaddr);
bda8039465a0084fb380e878c8f9ea3e900505eaPavel Březina DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
4940ba14100ad11b0ed1f2a8a4fea5daa34d56eePavel Březina ret = write_krb5info_file(service->krb5_service->realm, safe_address,
4940ba14100ad11b0ed1f2a8a4fea5daa34d56eePavel Březina ("write_krb5info_file failed, authentication might fail.\n"));
3bc651a611a3e5be508875f3ae58bfb5ece2525cPavel Březinaad_set_search_bases(struct sdap_options *id_opts);
3bc651a611a3e5be508875f3ae58bfb5ece2525cPavel Březina id_opts = talloc_zero(tmp_ctx, struct sdap_options);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Set up search bases if they were assigned explicitly */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* We only support Kerberos password policy with AD, so
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina * force that on.
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_FATAL_FAILURE, ("Could not set password policy\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Set the Kerberos Realm for GSSAPI */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Should be impossible, this is set in ad_get_common_options() */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("Option %s set to %s\n",
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina /* Configuration of SASL auth ID and realm */
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina desired_primary = dp_opt_get_string(id_opts->basic, SDAP_SASL_AUTHID);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina desired_primary = dp_opt_get_string(ad_opts->basic, AD_HOSTNAME);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina desired_realm = dp_opt_get_string(id_opts->basic, SDAP_SASL_REALM);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina desired_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_KEYTAB,
284937e6b5b0c9d7a1d3382d0d2820d1168842fbPavel Březina ("Option %s set to %s\n",
goto done;
sasl_primary));
sasl_realm));
goto done;
goto done;
goto done;
goto done;
goto done;
done:
return ret;
char *default_search_base;
size_t o;
if (default_search_base) {
search_base_options[o])) {
goto done;
search_base_options[o])));
done:
return ret;
const char *ad_servers;
const char *krb5_realm;
&krb5_options);
goto done;
ad_servers));
if (!krb5_realm) {
goto done;
krb5_realm));
done:
return ret;