Add ipa_hbac_search_base config option
sumit-bose authored and sgallagher committed Jan 19, 2011
1 parent d73fcc5 commit 56789cf
Showing 7 changed files with 58 additions and 54 deletions.
1 change: 1 addition & 0 deletions src/config/SSSDConfig.py
Expand Up @@ -91,6 +91,7 @@ class ProviderSubtypeInUse(SSSDConfigException): pass
'ipa_hostname' : _('IPA client hostname'),
'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
'ipa_hbac_search_base' : _("Search base for HBAC related objects"),

# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
1 change: 1 addition & 0 deletions src/config/etc/sssd.api.d/sssd-ipa.conf
Expand Up @@ -4,6 +4,7 @@ ipa_server = str, None, false
ipa_hostname = str, None, false
ipa_dyndns_update = bool, None, false
ipa_dyndns_iface = str, None, false
ipa_hbac_search_base = str, None, false
ldap_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
13 changes: 13 additions & 0 deletions src/man/sssd-ipa.5.xml
Expand Up @@ -131,6 +131,19 @@
</listitem>
</varlistentry>

<varlistentry>
<term>ipa_hbac_search_base (string)</term>
<listitem>
<para>
Optional. Use the given string as search base for
HBAC related objects.
</para>
<para>
Default: Use base DN
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>krb5_validate (boolean)</term>
<listitem>
91 changes: 39 additions & 52 deletions src/providers/ipa/ipa_access.c
Expand Up @@ -60,6 +60,30 @@
#define HBAC_HOSTS_SUBDIR "hbac_hosts"
#define HBAC_SERVICES_SUBDIR "hbac_services"

static char *get_hbac_search_base(TALLOC_CTX *mem_ctx,
struct dp_option *ipa_options)
{
char *base;
int ret;

base = dp_opt_get_string(ipa_options, IPA_HBAC_SEARCH_BASE);
if (base != NULL) {
return talloc_strdup(mem_ctx, base);
}

DEBUG(9, ("ipa_hbac_search_base not available, trying base DN.\n"));

ret = domain_to_basedn(mem_ctx,
dp_opt_get_string(ipa_options, IPA_DOMAIN),
&base);
if (ret != EOK) {
DEBUG(1, ("domain_to_basedn failed.\n"));
return NULL;
}

return base;
}

static errno_t msgs2attrs_array(TALLOC_CTX *mem_ctx, size_t count,
struct ldb_message **msgs,
struct sysdb_attrs ***attrs)
Expand Down Expand Up @@ -441,11 +465,9 @@ static errno_t hbac_save_data_to_sysdb(struct hbac_ctx *hbac_ctx)

struct hbac_get_service_data_state {
struct hbac_ctx *hbac_ctx;
const char *basedn;
bool offline;

char *services_filter;
char *services_search_base;
const char **services_attrs;
struct sysdb_attrs **services_reply_list;
size_t services_reply_count;
Expand All @@ -456,8 +478,7 @@ struct hbac_get_service_data_state {
static void hbac_services_get_done(struct tevent_req *subreq);

struct tevent_req *hbac_get_service_data_send(TALLOC_CTX *memctx,
struct hbac_ctx *hbac_ctx,
const char *basedn)
struct hbac_ctx *hbac_ctx)
{
struct tevent_req *req = NULL;
struct tevent_req *subreq = NULL;
Expand All @@ -472,21 +493,12 @@ struct tevent_req *hbac_get_service_data_send(TALLOC_CTX *memctx,
}

state->hbac_ctx = hbac_ctx;
state->basedn = basedn;

state->services_reply_list = NULL;
state->services_reply_count = 0;

state->current_item = 0;

state->services_search_base = talloc_asprintf(state, IPA_SERVICES_BASE_TMPL,
basedn);
if (state->services_search_base == NULL) {
DEBUG(1, ("Failed to create service search base.\n"));
ret = ENOMEM;
goto fail;
}

state->services_attrs = talloc_array(state, const char *, 7);
if (state->services_attrs == NULL) {
DEBUG(1, ("Failed to allocate service attribute list.\n"));
Expand Down Expand Up @@ -538,7 +550,7 @@ struct tevent_req *hbac_get_service_data_send(TALLOC_CTX *memctx,
hbac_ctx_ev(state->hbac_ctx),
hbac_ctx_sdap_id_ctx(state->hbac_ctx)->opts,
sdap_handle,
state->services_search_base,
state->hbac_ctx->hbac_search_base,
LDAP_SCOPE_SUB,
state->services_filter,
state->services_attrs,
Expand Down Expand Up @@ -715,7 +727,6 @@ struct hbac_get_host_info_state {
struct hbac_ctx *hbac_ctx;

char *host_filter;
char *host_search_base;
const char **host_attrs;

struct sysdb_attrs **host_reply_list;
Expand All @@ -729,7 +740,6 @@ static void hbac_get_host_memberof_done(struct tevent_req *subreq);

static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
struct hbac_ctx *hbac_ctx,
const char *basedn,
const char **hostnames)
{
struct tevent_req *req = NULL;
Expand All @@ -740,8 +750,8 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
int ret;
int i;

if (hostnames == NULL || basedn == NULL) {
DEBUG(1, ("Missing hostnames or domain.\n"));
if (hostnames == NULL) {
DEBUG(1, ("Missing hostnames.\n"));
return NULL;
}

Expand Down Expand Up @@ -787,14 +797,6 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
goto fail;
}

state->host_search_base = talloc_asprintf(state, IPA_HOST_BASE_TMPL,
basedn);
if (state->host_search_base == NULL) {
DEBUG(1, ("Failed to create host search base.\n"));
ret = ENOMEM;
goto fail;
}

state->host_attrs = talloc_array(state, const char *, 8);
if (state->host_attrs == NULL) {
DEBUG(1, ("Failed to allocate host attribute list.\n"));
Expand Down Expand Up @@ -835,7 +837,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
subreq = sdap_get_generic_send(state, hbac_ctx_ev(state->hbac_ctx),
hbac_ctx_sdap_id_ctx(state->hbac_ctx)->opts,
sdap_handle,
state->host_search_base,
state->hbac_ctx->hbac_search_base,
LDAP_SCOPE_SUB,
state->host_filter,
state->host_attrs,
Expand Down Expand Up @@ -1019,7 +1021,6 @@ struct hbac_get_rules_state {
const char *host_dn;
const char **memberof;
char *hbac_filter;
char *hbac_search_base;
const char **hbac_attrs;

struct ldb_message *old_rules;
Expand All @@ -1032,7 +1033,6 @@ static void hbac_rule_get_done(struct tevent_req *subreq);

static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
struct hbac_ctx *hbac_ctx,
const char *basedn,
const char *host_dn,
const char **memberof)
{
Expand All @@ -1044,8 +1044,8 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
int ret;
int i;

if (host_dn == NULL || basedn == NULL) {
DEBUG(1, ("Missing host_dn or domain.\n"));
if (host_dn == NULL) {
DEBUG(1, ("Missing host_dn.\n"));
return NULL;
}

Expand All @@ -1064,14 +1064,6 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
state->hbac_reply_count = 0;
state->current_item = 0;

state->hbac_search_base = talloc_asprintf(state, IPA_HBAC_BASE_TMPL,
basedn);
if (state->hbac_search_base == NULL) {
DEBUG(1, ("Failed to create HBAC search base.\n"));
ret = ENOMEM;
goto fail;
}

state->hbac_attrs = talloc_array(state, const char *, 17);
if (state->hbac_attrs == NULL) {
DEBUG(1, ("Failed to allocate HBAC attribute list.\n"));
Expand Down Expand Up @@ -1156,7 +1148,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
subreq = sdap_get_generic_send(state, hbac_ctx_ev(state->hbac_ctx),
hbac_ctx_sdap_id_ctx(state->hbac_ctx)->opts,
sdap_handle,
state->hbac_search_base,
state->hbac_ctx->hbac_search_base,
LDAP_SCOPE_SUB,
state->hbac_filter,
state->hbac_attrs,
Expand Down Expand Up @@ -1682,11 +1674,10 @@ void ipa_access_handler(struct be_req *be_req)
hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
ret = domain_to_basedn(hbac_ctx,
dp_opt_get_string(hbac_ctx->ipa_options, IPA_DOMAIN),
&hbac_ctx->ldap_basedn);
if (ret != EOK) {
DEBUG(1, ("domain_to_basedn failed.\n"));
hbac_ctx->hbac_search_base = get_hbac_search_base(hbac_ctx,
hbac_ctx->ipa_options);
if (hbac_ctx->hbac_search_base == NULL) {
DEBUG(1, ("No HBAC search base found.\n"));
goto fail;
}

Expand Down Expand Up @@ -1818,9 +1809,7 @@ static int hbac_get_host_info_step(struct hbac_ctx *hbac_ctx)
pd->rhost = discard_const_p(char, hostlist[0]);
}

subreq = hbac_get_host_info_send(hbac_ctx, hbac_ctx,
hbac_ctx->ldap_basedn,
hostlist);
subreq = hbac_get_host_info_send(hbac_ctx, hbac_ctx, hostlist);
if (!subreq) {
DEBUG(1, ("hbac_get_host_info_send failed.\n"));
return ENOMEM;
Expand Down Expand Up @@ -1866,8 +1855,7 @@ static void hbac_get_host_info_done(struct tevent_req *req)
pam_status = PAM_PERM_DENIED;
goto fail;
}
req = hbac_get_rules_send(hbac_ctx, hbac_ctx,
hbac_ctx->ldap_basedn, local_hhi->dn,
req = hbac_get_rules_send(hbac_ctx, hbac_ctx, local_hhi->dn,
local_hhi->memberof);
if (req == NULL) {
DEBUG(1, ("hbac_get_rules_send failed.\n"));
Expand Down Expand Up @@ -1898,8 +1886,7 @@ static void hbac_get_rules_done(struct tevent_req *req)
return;
}

req = hbac_get_service_data_send(hbac_ctx, hbac_ctx,
hbac_ctx->ldap_basedn);
req = hbac_get_service_data_send(hbac_ctx, hbac_ctx);
if (req == NULL) {
DEBUG(1, ("hbac_get_service_data_send failed.\n"));
goto failed;
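Review bot: The default chosen in get_hbac_search_base widens the HBAC rule, host and service searches from their former per-object subtrees to the whole base DN: when ipa_hbac_search_base is unset it returns the bare domain_to_basedn result, and that single value now feeds all three sdap_get_generic_send calls with LDAP_SCOPE_SUB in place of the IPA_SERVICES_BASE_TMPL, IPA_HOST_BASE_TMPL and IPA_HBAC_BASE_TMPL bases the removed code built. Because these results drive an access-control decision, any entry elsewhere under the base DN that happens to match hbac_filter would be honoured as a rule; unless that widening is intended, the fallback branch should keep building the HBAC container base from the template and treat the option purely as an override, and the man page text `Default: Use base DN` should name the subtree actually searched. A configured value is also accepted through talloc_strdup with no sanity check and no log line, so a mistyped DN silently yields searches that match nothing; a `DEBUG(7, ("Using [%s] as HBAC search base.\n", base));` before the return would make that visible. The three callers that read hbac_ctx->hbac_search_base sit in functions whose bodies begin outside their hunks.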
2 changes: 1 addition & 1 deletion src/providers/ipa/ipa_access.h
Expand Up @@ -60,7 +60,7 @@ struct hbac_ctx {
const char *user_dn;
size_t groups_count;
const char **groups;
char *ldap_basedn;
char *hbac_search_base;
struct sysdb_attrs **hbac_services_list;
size_t hbac_services_count;
};
3 changes: 2 additions & 1 deletion src/providers/ipa/ipa_common.c
Expand Up @@ -34,7 +34,8 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ipa_hostname", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING}
{ "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING}
};

struct dp_option ipa_def_ldap_opts[] = {
1 change: 1 addition & 0 deletions src/providers/ipa/ipa_common.h
Expand Up @@ -48,6 +48,7 @@ enum ipa_basic_opt {
IPA_HOSTNAME,
IPA_DYNDNS_UPDATE,
IPA_DYNDNS_IFACE,
IPA_HBAC_SEARCH_BASE,

IPA_OPTS_BASIC /* opts counter */
};
