ipa_subdomains.c revision 44e8e9660ff4db5873b0a7a3cff24ff78ff929e1
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor IPA Subdomains Module
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor Sumit Bose <sbose@redhat.com>
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor Copyright (C) 2011 Red Hat
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen This program is free software; you can redistribute it and/or modify
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen it under the terms of the GNU General Public License as published by
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen the Free Software Foundation; either version 3 of the License, or
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen (at your option) any later version.
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor This program is distributed in the hope that it will be useful,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor but WITHOUT ANY WARRANTY; without even the implied warranty of
d229f940abfb2490dee17979e9a5ff31b7012eb5rbowen MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3f08db06526d6901aa08c110b5bc7dde6bc39905nd GNU General Public License for more details.
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor You should have received a copy of the GNU General Public License
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor along with this program. If not, see <http://www.gnu.org/licenses/>.
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor#define SUBDOMAINS_FILTER "objectclass=ipaNTTrustedDomain"
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor#define MASTER_DOMAIN_FILTER "objectclass=ipaNTDomainAttrs"
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor/* do not refresh more often than every 5 seconds for now */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor const char *filter;
cae0359c9286c8e34cbccd15eee2da90562c1ee2sfstruct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx)
cae0359c9286c8e34cbccd15eee2da90562c1ee2sf subdom_ctx = talloc_get_type(be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ad_options = ad_create_default_options(id_ctx, id_ctx->server_mode->realm,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize AD options\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("Cannot set AD domain\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM,
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh gc_service_name = talloc_asprintf(ad_options, "%s%s", "gc_", subdom->name);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor /* Set KRB5 realm to same as the one of IPA when IPA
f039cf01b271a31e317d5b84f24cb135f1c1b6d7nd * is able to attach PAC. For testing, use hardcoded. */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize AD failover\n"));
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh /* use AD plugin */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh DEBUG(SSSDBG_FATAL_FAILURE, ("Out of memory?\n"));
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send,
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize sdap domain\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor sdom = sdap_domain_get(ad_id_ctx->sdap_id_ctx->opts, subdom);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor /* Set up the ID mapping object */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = ipa_ad_ctx_new(be_ctx, id_ctx, subdom, &ad_id_ctx);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ("Cannot create ad_id_ctx for subdomain %s\n", subdom->name));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor trust_ctx = talloc(id_ctx->server_mode, struct ipa_ad_server_ctx);
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh DLIST_ADD(id_ctx->server_mode->trusts, trust_ctx);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor /* Check if we already have an ID context for this subdomain */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DLIST_FOR_EACH(trust_iter, id_ctx->server_mode->trusts) {
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor /* Newly detected trust */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ("Cannot create ad_id_ctx for subdomain %s\n",
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DLIST_FOR_EACH(iter, ctx->id_ctx->server_mode->trusts) {
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_CRIT_FAILURE, ("No IPA-AD context for subdomain %s\n",
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor sdom = sdap_domain_get(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor sdap_domain_remove(iter->ad_id_ctx->sdap_id_ctx->opts, subdom);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DLIST_REMOVE(ctx->id_ctx->server_mode->trusts, iter);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor /* terminate all requests for this subdomain so we can free it */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor be_terminate_domain_requests(ctx->be_ctx, subdom->name);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzorconst char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor const char *name)
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ctx = talloc_get_type(be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor dom = find_subdomain_by_name(ctx->be_ctx->domain, name, true);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzorstatic errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor const char *value;
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor range_list = talloc_array(mem_ctx, struct range_info *, count + 1);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor for (c = 0; c < count; c++) {
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor range_list[c] = talloc_zero(range_list, struct range_info);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = sysdb_attrs_get_string(reply[c], IPA_CN, &value);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor range_list[c]->name = talloc_strdup(range_list[c], value);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh ret = sysdb_attrs_get_string(reply[c], IPA_TRUSTED_DOMAIN_SID, &value);
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh range_list[c]->trusted_dom_sid = talloc_strdup(range_list[c],
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh ret = sysdb_attrs_get_uint32_t(reply[c], IPA_BASE_ID,
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = sysdb_attrs_get_uint32_t(reply[c], IPA_ID_RANGE_SIZE,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = sysdb_attrs_get_uint32_t(reply[c], IPA_BASE_RID,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = sysdb_attrs_get_uint32_t(reply[c], IPA_SECONDARY_BASE_RID,
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = sysdb_attrs_get_string(reply[c], IPA_RANGE_TYPE, &value);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor range_list[c]->range_type = talloc_strdup(range_list[c], value);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor /* Older IPA servers might not have the range_type attribute, but
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor * only support local ranges and trusts with algorithmic mapping. */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor range_list[c]->range_type = talloc_strdup(range_list[c],
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor range_list[c]->range_type = talloc_strdup(range_list[c],
cae0359c9286c8e34cbccd15eee2da90562c1ee2sf DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzorstatic errno_t ipa_subdom_enumerates(struct sss_domain_info *parent,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor const char *name;
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
ba543b319188dc1887607f6d59feddc00e38eee2humbedoohstatic errno_t ipa_subdom_get_forest(TALLOC_CTX *mem_ctx,
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor const char *orig_dn;
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ret = sysdb_attrs_get_string(attrs, SYSDB_ORIG_DN, &orig_dn);
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh DEBUG(SSSDBG_TRACE_ALL, ("Checking if we need the forest name for [%s].\n",
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh DEBUG(SSSDBG_OP_FAILURE, ("ldb_dn_new failed.\n"));
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor DEBUG(SSSDBG_OP_FAILURE, ("Original DN [%s] is not a valid DN.\n",
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor /* We are only interested in the member domain objects. In IPA the
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor * forest root object is stored as e.g.
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor * cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com. Member domains in the
cae0359c9286c8e34cbccd15eee2da90562c1ee2sf * forest are children of the forest root object e.g.
cae0359c9286c8e34cbccd15eee2da90562c1ee2sf * cn=SUB.AD.DOM,cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com. Since
cae0359c9286c8e34cbccd15eee2da90562c1ee2sf * the forest name is not stored in the member objects we derive it
cae0359c9286c8e34cbccd15eee2da90562c1ee2sf * from the RDN of the forest root object. */
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor if (strncasecmp("trusts", (const char *) val->data, val->length) != 0) {
cc8190433d13f5e9de618c5d7f10c824c0c1919cgryzor ("4th component is not 'trust', nothing to do.\n"));
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh if (strncasecmp("ad", (const char *) val->data, val->length) != 0) {
ba543b319188dc1887607f6d59feddc00e38eee2humbedooh ("3rd component is not 'ad', nothing to do.\n"));
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh forest = talloc_strndup(mem_ctx, (const char *) val->data, val->length);
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh DEBUG(SSSDBG_OP_FAILURE, ("talloc_strndup failed.\n"));
bool enumerate)
const char *name;
char *realm;
const char *flat;
const char *id;
int ret;
bool mpg;
return ENOMEM;
goto done;
if (!realm) {
goto done;
if (ret) {
goto done;
if (ret) {
goto done;
goto done;
if (ret) {
goto done;
done:
return ret;
bool *changes)
const char *value;
int ret;
bool enumerate;
for (c = 0; c < count; c++) {
if (handled[c]) {
goto done;
if (c >= count) {
goto done;
goto done;
if (ret) {
handled[c] = true;
if (count == h) {
goto done;
*changes = true;
for (c = 0; c < count; c++) {
if (handled[c]) {
goto done;
if (ret) {
done:
return ret;
struct ipa_subdomains_req_ctx {
char *current_filter;
int search_base_iter;
static errno_t
{ RANGE_FILTER,
int ret;
goto done;
goto done;
goto done;
done:
int ret;
if (ret) {
goto fail;
goto fail;
fail:
static errno_t
return EINVAL;
return EOK;
return ENOMEM;
SDAP_SEARCH_TIMEOUT), false);
return ENOMEM;
return EAGAIN;
int ret;
bool refresh_has_changes = false;
goto done;
if (reply_count) {
goto done;
goto done;
goto done;
if (refresh_has_changes) {
goto done;
domain);
goto done;
goto done;
goto done;
done:
goto done;
goto done;
goto done;
goto done;
done:
goto done;
if (reply_count) {
goto done;
goto done;
goto done;
done:
void *pvt)
const char *errstr)
if (!ctx) {
if (ctx) {
bool *configured_explicit)
int ret;
char *tmp_str;
return ENOMEM;
&tmp_str);
goto done;
*configured_explicit = false;
*configured_explicit = true;
done:
return ret;
struct ipa_subdomains_ctx);
if (!ctx) {
void **pvt_data)
int ret;
bool configured_explicit = false;
return ret;
return ENOMEM;
NULL);
return EOK;
char *realm;
char *hostname;
IPA_SERVER_MODE) == false) {
return EOK;
CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL) != 0)) {
return EINVAL;
return EINVAL;
return ENOMEM;
return EOK;