PAC responder: add basic infrastructure
This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.
1 parent
611b6fc
commit b9e5bd0
Showing
8 changed files
with
400 additions
and
1 deletion.
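--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,34 @@
+AC_SUBST(NDR_KRB5PAC_CFLAGS)
+AC_SUBST(NDR_KRB5PAC_LIBS)
+
+AC_ARG_ENABLE([experimental-pac-responder],
+[AS_HELP_STRING([--enable-experimental-pac-responder],
+[build experimental pac responder])],
+[build_pac_responder=$enableval],
+[build_pac_responder=no])
+
+if test x$build_all_experimental_features != xno
+then
+build_pac_responder=yes
+fi
+
+if test x$build_pac_responder == xyes
+then
+PKG_CHECK_MODULES(NDR_KRB5PAC, ndr_krb5pac,,
+AC_MSG_ERROR([Cannot build pac responder without libndr_krb5pac]))
+
+AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+AC_MSG_CHECKING(for supported MIT krb5 version)
+KRB5_VERSION="`$KRB5_CONFIG --version`"
+case $KRB5_VERSION in
+Kerberos\ 5\ release\ 1.9* | \
+Kerberos\ 5\ release\ 1.10*)
+AC_MSG_RESULT(yes)
+;;
+*)
+AC_MSG_ERROR([Cannot build authdata plugin with this version of
+MIT Kerberos, please use 1.9.x or 1.10.x])
+esac
+fi
+
+AM_CONDITIONAL([BUILD_PAC_RESPONDER], [test x$build_pac_responder = xyes ])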
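Review bot: `if test x$build_pac_responder == xyes` uses `==`, which POSIX `test` does not define; under a non-bash /bin/sh such as dash the test fails with "unexpected operator", the whole block is skipped, and the responder is then built without the ndr_krb5pac and MIT krb5 version checks even though the AM_CONDITIONAL still enables it. The AM_CONDITIONAL on the last line already uses `= xyes`; make the `if` agree: `if test x$build_pac_responder = xyes`. AC_PATH_PROG leaves KRB5_CONFIG empty when krb5-config is not installed, after which `$KRB5_CONFIG --version` runs an empty command and the case falls through to the misleading "this version of MIT Kerberos" error; a `test -n "$KRB5_CONFIG"` guard before the version probe gives a clearer message. The `x$build_all_experimental_features != xno` test also turns the responder on when that variable is unset, which is fine only if configure.ac always defines it earlier — worth confirming.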
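--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,227 @@
+/*
+SSSD
+PAC Responder
+Copyright (C) Sumit Bose <sbose@redhat.com> 2011
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <string.h>
+#include <sys/time.h>
+#include <errno.h>
+
+#include "popt.h"
+#include "util/util.h"
+#include "responder/pac/pacsrv.h"
+#include "db/sysdb.h"
+#include "confdb/confdb.h"
+#include "dbus/dbus.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder_packet.h"
+#include "responder/common/responder.h"
+#include "providers/data_provider.h"
+#include "monitor/monitor_interfaces.h"
+#include "sbus/sbus_client.h"
+
+#define SSS_PAC_PIPE_NAME "pac"
+
+struct sbus_method monitor_pac_methods[] = {
+{ MON_CLI_METHOD_PING, monitor_common_pong },
+{ MON_CLI_METHOD_RES_INIT, monitor_common_res_init },
+{ MON_CLI_METHOD_ROTATE, monitor_common_rotate_logs },
+{ NULL, NULL }
+};
+
+struct sbus_interface monitor_pac_interface = {
+MONITOR_INTERFACE,
+MONITOR_PATH,
+SBUS_DEFAULT_VTABLE,
+monitor_pac_methods,
+NULL
+};
+
+static struct sbus_method pac_dp_methods[] = {
+{ NULL, NULL }
+};
+
+struct sbus_interface pac_dp_interface = {
+DP_INTERFACE,
+DP_PATH,
+SBUS_DEFAULT_VTABLE,
+pac_dp_methods,
+NULL
+};
+
+
+/* TODO: check if this can be made generic for all responders */
+static void pac_dp_reconnect_init(struct sbus_connection *conn,
+int status, void *pvt)
+{
+struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn);
+int ret;
+
+/* Did we reconnect successfully? */
+if (status == SBUS_RECONNECT_SUCCESS) {
+DEBUG(SSSDBG_OP_FAILURE, ("Reconnected to the Data Provider.\n"));
+
+/* Identify ourselves to the data provider */
+ret = dp_common_send_id(be_conn->conn,
+DATA_PROVIDER_VERSION,
+"PAC");
+/* all fine */
+if (ret == EOK) {
+handle_requests_after_reconnect(be_conn->rctx);
+return;
+}
+}
+
+/* Failed to reconnect */
+DEBUG(SSSDBG_FATAL_FAILURE, ("Could not reconnect to %s provider.\n",
+be_conn->domain->name));
+
+/* FIXME: kill the frontend and let the monitor restart it ? */
+/* nss_shutdown(rctx); */
+}
+
+static void *idmap_talloc(size_t size, void *pvt)
+{
+return talloc_size(pvt, size);
+}
+
+static void idmap_free(void *ptr, void *pvt)
+{
+talloc_free(ptr);
+}
+
+int pac_process_init(TALLOC_CTX *mem_ctx,
+struct tevent_context *ev,
+struct confdb_ctx *cdb)
+{
+struct sss_cmd_table *pac_cmds;
+struct be_conn *iter;
+struct pac_ctx *pac_ctx;
+int ret, max_retries;
+enum idmap_error_code err;
+
+pac_ctx = talloc_zero(mem_ctx, struct pac_ctx);
+if (!pac_ctx) {
+DEBUG(SSSDBG_FATAL_FAILURE, ("fatal error initializing pac_ctx\n"));
+return ENOMEM;
+}
+
+pac_cmds = get_pac_cmds();
+
+ret = sss_process_init(pac_ctx, ev, cdb,
+pac_cmds,
+SSS_PAC_SOCKET_NAME, NULL,
+CONFDB_PAC_CONF_ENTRY,
+PAC_SBUS_SERVICE_NAME,
+PAC_SBUS_SERVICE_VERSION,
+&monitor_pac_interface,
+"PAC", &pac_dp_interface,
+&pac_ctx->rctx);
+if (ret != EOK) {
+return ret;
+}
+pac_ctx->rctx->pvt_ctx = pac_ctx;
+
+/* Enable automatic reconnection to the Data Provider */
+ret = confdb_get_int(pac_ctx->rctx->cdb,
+CONFDB_PAC_CONF_ENTRY,
+CONFDB_SERVICE_RECON_RETRIES,
+3, &max_retries);
+if (ret != EOK) {
+DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to set up automatic reconnection\n"));
+return ret;
+}
+
+for (iter = pac_ctx->rctx->be_conns; iter; iter = iter->next) {
+sbus_reconnect_init(iter->conn, max_retries,
+pac_dp_reconnect_init, iter);
+}
+
+err = sss_idmap_init(idmap_talloc, pac_ctx, idmap_free,
+&pac_ctx->idmap_ctx);
+if (err != IDMAP_SUCCESS) {
+DEBUG(SSSDBG_FATAL_FAILURE, ("sss_idmap_init failed.\n"));
+return EFAULT;
+}
+
+DEBUG(SSSDBG_TRACE_FUNC, ("PAC Initialization complete\n"));
+
+return EOK;
+}
+
+int main(int argc, const char *argv[])
+{
+int opt;
+poptContext pc;
+struct main_context *main_ctx;
+int ret;
+
+struct poptOption long_options[] = {
+POPT_AUTOHELP
+SSSD_MAIN_OPTS
+POPT_TABLEEND
+};
+
+/* Set debug level to invalid value so we can decide if -d 0 was used. */
+debug_level = SSSDBG_INVALID;
+
+pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+while((opt = poptGetNextOpt(pc)) != -1) {
+switch(opt) {
+default:
+fprintf(stderr, "\nInvalid option %s: %s\n\n",
+poptBadOption(pc, 0), poptStrerror(opt));
+poptPrintUsage(pc, stderr, 0);
+return 1;
+}
+}
+
+poptFreeContext(pc);
+
+CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
+
+/* set up things like debug, signals, daemonization, etc... */
+debug_log_file = "sssd_pac";
+
+ret = server_setup("sssd[pac]", 0, CONFDB_PAC_CONF_ENTRY, &main_ctx);
+if (ret != EOK) return 2;
+
+ret = die_if_parent_died();
+if (ret != EOK) {
+/* This is not fatal, don't return */
+DEBUG(SSSDBG_OP_FAILURE, ("Could not set up to exit when parent process does\n"));
+}
+
+ret = pac_process_init(main_ctx,
+main_ctx->event_ctx,
+main_ctx->confdb_ctx);
+if (ret != EOK) return 3;
+
+/* loop on main */
+server_loop(main_ctx);
+
+return 0;
+}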
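Review bot: `pac_process_init` stores the idmap context through `&pac_ctx->idmap_ctx` in the `sss_idmap_init` call, but `struct pac_ctx` as added to pacsrv.h in this same commit declares only `rctx`, so unless the member is declared somewhere not on this page the file does not compile once BUILD_PAC_RESPONDER is enabled. The fix belongs in the header: `struct sss_idmap_ctx *idmap_ctx;` next to `rctx`. Separately, `pac_dp_reconnect_init` logs the successful-reconnect message at `SSSDBG_OP_FAILURE`, which makes a normal event look like an error in the log; `DEBUG(SSSDBG_TRACE_FUNC, ("Reconnected to the Data Provider.\n"));` matches the level used for "PAC Initialization complete" below. `SSS_PAC_PIPE_NAME` is defined at the top of the file but never used — the socket name passed to `sss_process_init` is `SSS_PAC_SOCKET_NAME` — so the define is dead and should be dropped.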
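--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -0,0 +1,52 @@
+/*
+SSSD
+PAC Responder, header file
+Copyright (C) Sumit Bose <sbose@redhat.com> 2011
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __PACSRV_H__
+#define __PACSRV_H__
+
+#include <stdint.h>
+#include <sys/un.h>
+#include "config.h"
+#include "talloc.h"
+#include "tevent.h"
+#include "ldb.h"
+#include "dbus/dbus.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder_packet.h"
+#include "responder/common/responder.h"
+#include "lib/idmap/sss_idmap.h"
+
+#define PAC_SBUS_SERVICE_VERSION 0x0001
+#define PAC_SBUS_SERVICE_NAME "pac"
+
+#define PAC_PACKET_MAX_RECV_SIZE 1024
+
+struct getent_ctx;
+
+struct pac_ctx {
+struct resp_ctx *rctx;
+};
+
+int pac_cmd_execute(struct cli_ctx *cctx);
+
+struct sss_cmd_table *get_pac_cmds(void);
+
+#endif /* __PACSRV_H__ */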
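Review bot: `PAC_PACKET_MAX_RECV_SIZE` is introduced without a comment and nothing in this commit uses it, so a reader cannot tell what it bounds (bytes per request from a client, presumably) or why 1024 was chosen. If it is meant to cap the PAC blob a client hands in, the value needs checking before it is wired up: a PAC normally carries the logon-info buffer with the user's group SIDs plus two signature buffers and is commonly larger than 1 KiB, though this page does not show what the constant will be applied to. Suggested comment: `/* Upper bound on bytes accepted from a client per request; TODO confirm against real PAC sizes before use */`. `struct getent_ctx;` is forward-declared but referenced by nothing else in this header; if it is a leftover from copying another responder's header it should go, otherwise a short comment saying what it is reserved for would help.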