ldap_options.c revision 999d6066c7a96f102b692d31435d76114478e874
/*
Authors:
Simo Sorce <ssorce@redhat.com>
Copyright (C) 2008-2010 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/ldap_opts.h"
#include "providers/ldap/sdap_async_private.h"
#include "util/crypto/sss_crypto.h"
struct sss_domain_info *dom,
struct confdb_ctx *cdb,
const char *conf_path,
struct sdap_options **_opts)
{
struct sdap_attr_map *default_attr_map;
struct sdap_attr_map *default_user_map;
struct sdap_attr_map *default_group_map;
struct sdap_attr_map *default_netgroup_map;
struct sdap_attr_map *default_service_map;
struct sdap_options *opts;
char *schema;
const char *search_base;
const char *pwd_policy;
int ret;
const char *ldap_deref;
int ldap_deref_val;
int o;
const char *authtok_type;
struct dp_opt_blob authtok_blob;
char *cleartext;
const int search_base_options[] = { SDAP_USER_SEARCH_BASE,
-1 };
goto done;
}
goto done;
}
/* Handle search bases */
if (search_base != NULL) {
for (o = 0; search_base_options[o] != -1; o++) {
goto done;
}
search_base_options[o]));
}
}
} else {
"Search base not set, trying to discover it later when "
"connecting to the LDAP server.\n");
}
/* Default search */
/* User search */
/* Group search base */
/* Netgroup search */
/* Service search */
if (pwd_policy == NULL) {
"Missing password policy, this may not happen.\n");
goto done;
}
"Unsupported password policy [%s].\n", pwd_policy);
goto done;
}
/* account_cache_expiration must be >= than offline_credentials_expiration */
goto done;
}
/* account cache_expiration must not be smaller than
* offline_credentials_expiration to prevent deleting entries that
* still contain credentials valid for offline login.
*
* offline_credentials_expiration == 0 is a special case that says
* that the cached credentials are valid forever. Therefore, the cached
* entries must not be purged from cache.
*/
"Conflicting values for options %s (unlimited) "
"and %s (%d)\n",
goto done;
}
"than value of %s (now %d)\n",
goto done;
}
if (ldap_deref != NULL) {
goto done;
}
}
#ifndef HAVE_LDAP_CONNCB
bool ldap_referrals;
if (ldap_referrals) {
"LDAP referrals are not supported, because the LDAP library "
"is too old, see sssd-ldap(5) for details.\n");
goto done;
}
}
#endif
/* schema type */
} else
} else
} else
} else {
goto done;
}
goto done;
}
goto done;
}
goto done;
}
goto done;
}
&opts->netgroup_map);
goto done;
}
&opts->service_map);
goto done;
}
/* If there is no KDC, try the deprecated krb5_kdcip option, too */
/* FIXME - this can be removed in a future version */
goto done;
}
if (authtok_type != NULL &&
"trying to convert to cleartext.\n");
goto done;
}
&cleartext);
"password back to cleartext\n");
goto done;
}
goto done;
}
"password");
goto done;
}
}
done:
}
return ret;
}
const char *conf_path,
struct sdap_options *opts,
bool *use_host_filter,
bool *include_regexp,
bool *include_netgroups)
{
const char *search_base;
int ret;
/* search base */
if (search_base != NULL) {
/* set sudo search bases if they are not */
"to default value\n");
return ret;
}
}
} else {
"connecting to the LDAP server.\n");
}
return ret;
}
/* attrs map */
&opts->sudorule_map);
return ret;
}
/* host filter */
return EOK;
}
const char *conf_path,
const char *attrs[])
{
char *val;
bool found_default = false;
return false;
}
continue;
}
found_default = true;
break;
}
}
return found_default;
}
/* Return true if rfc2307 schema is used and all autofs options use
* defaults. Should be removed in future, see
*/
const char *conf_path)
{
const char *attrs[] = {
/* SDAP_AT_AUTOFS_ENTRY_KEY missing on purpose, its value was
* the same between the wrong and correct schema
*/
NULL,
};
}
struct confdb_ctx *cdb,
const char *conf_path,
struct sdap_options *opts)
{
const char *search_base;
struct sdap_attr_map *default_entry_map;
struct sdap_attr_map *default_mobject_map;
int ret;
/* search base */
if (search_base != NULL) {
/* set autofs search bases if they are not */
"to default value\n");
return ret;
}
}
} else {
"connecting to the LDAP server.\n");
}
"Your configuration uses the autofs provider "
"with schema set to rfc2307 and default attribute mappings. "
"The default map has changed in this release, please make "
"sure the configuration matches the server attributes.\n");
_("Your configuration uses the autofs provider "
"with schema set to rfc2307 and default attribute mappings. "
"The default map has changed in this release, please make "
"sure the configuration matches the server attributes.\n"));
}
return ret;
}
/* attribute maps */
switch (opts->schema_type) {
case SDAP_SCHEMA_RFC2307:
break;
case SDAP_SCHEMA_RFC2307BIS:
case SDAP_SCHEMA_IPA_V1:
case SDAP_SCHEMA_AD:
break;
default:
return EINVAL;
}
"Could not get autofs map object attribute map\n");
return ret;
}
&opts->autofs_entry_map);
"Could not get autofs entry object attribute map\n");
return ret;
}
return EOK;
}
struct sdap_search_base ***_search_bases)
{
const char *class_name;
char *unparsed_base;
const char *old_filter = NULL;
*_search_bases = NULL;
switch (class) {
case SDAP_SEARCH_BASE:
class_name = "DEFAULT";
break;
case SDAP_USER_SEARCH_BASE:
class_name = "USER";
break;
case SDAP_GROUP_SEARCH_BASE:
class_name = "GROUP";
break;
class_name = "NETGROUP";
break;
case SDAP_SUDO_SEARCH_BASE:
class_name = "SUDO";
break;
case SDAP_SERVICE_SEARCH_BASE:
class_name = "SERVICE";
break;
case SDAP_AUTOFS_SEARCH_BASE:
class_name = "AUTOFS";
break;
default:
"Unknown search base type: [%d]\n", class);
class_name = "UNKNOWN";
/* Non-fatal */
break;
}
}
const char *unparsed_base,
const char *class_name,
const char *old_filter,
struct sdap_search_base ***_search_bases)
{
struct sdap_search_base **search_bases;
struct ldb_context *ldb;
struct ldb_parse_tree *tree;
char **split_bases;
char *filter;
int count;
int i, c;
if (!tmp_ctx) {
goto done;
}
/* Create a throwaway LDB context for validating the DN */
if (!ldb) {
goto done;
}
&split_bases, &count);
/* The split must be either exactly one value or a multiple of
* three in order to be valid.
* One value: just a base, backwards-compatible with pre-1.7.0 versions
* Multiple: search_base?scope?filter[?search_base?scope?filter]*
*/
goto done;
}
if (count == 1) {
if (!search_bases) {
goto done;
}
if (old_filter != NULL) {
/* Using a deprecated ldap_{user,group}_search_filter */
"option for %s. Please see the documentation on LDAP search "
"bases to see how the obsolete option can be migrated\n",
"for %s. Please see the documentation on LDAP search bases "
"to see how the obsolete option can be migrated\n",
}
&search_bases[0]);
goto done;
}
"Search base added: [%s][%s][%s][%s]\n",
search_bases[0]->basedn,
"SUBTREE",
} else {
if (!search_bases) {
goto done;
}
i = 0;
for (c = 0; c < count; c += 3) {
struct sdap_search_base);
if (!search_bases[i]) {
goto done;
}
if (split_bases[c][0] == '\0') {
"Zero-length search base: [%s]\n", unparsed_base);
goto done;
}
/* Validate the basedn */
if (!ldn) {
goto done;
}
if (!ldb_dn_validate(ldn)) {
"Invalid base DN [%s]\n",
split_bases[c]);
goto done;
}
/* Set the search base DN */
split_bases[c]);
if (!search_bases[i]->basedn) {
goto done;
}
/* Set the search scope for this base DN */
/* If unspecified, default to subtree */
} else {
goto done;
}
/* Get a specialized filter if provided */
} else {
/* Filters need to be enclosed in parentheses
* to be validated properly by ldb_parse_tree()
*/
split_bases[c+2]);
} else {
}
if (!filter) {
goto done;
}
if(!tree) {
"Invalid search filter: [%s]\n", filter);
goto done;
}
filter);
}
"Search base added: [%s][%s][%s][%s]\n",
search_bases[i]->basedn,
i++;
}
search_bases[i] = NULL;
}
done:
return ret;
}