extdom: add extdom protocol documentation
Add the description of extdom protocol and its versions

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
thalman authored and abbra committed Sep 12, 2019
1 parent 0a1ad84 commit 9a140cd
Showing 1 changed file with 242 additions and 0 deletions.
242 changes: 242 additions & 0 deletions doc/designs/extdom-plugin-protocol.md
@@ -0,0 +1,242 @@
# Extdom plugin protocol

SSSD on ipa client uses extdom plugin to translate SID to names and POSIX IDs. It can
also return secondary groups for any user.

## EXTDOM V0 (2.16.840.1.113730.3.8.10.4)

### V0 request

/*
* ExtdomRequestValue ::= SEQUENCE {
* inputType ENUMERATED {
* sid (1),
* name (2),
* posix uid (3),
* posix gid (4)
* },
* requestType ENUMERATED {
* simple (1),
* full (2)
* },
* data InputData
* }
*
* InputData ::= CHOICE {
* sid OCTET STRING,
* name NameDomainData
* uid PosixUid,
* gid PosixGid
* }
*
* NameDomainData ::= SEQUENCE {
* domain_name OCTET STRING,
* object_name OCTET STRING
* }
*
* PosixUid ::= SEQUENCE {
* domain_name OCTET STRING,
* uid INTEGER
* }
*
* PosixGid ::= SEQUENCE {
* domain_name OCTET STRING,
* gid INTEGER
* }
*/

### V0 reply

/*
* ExtdomResponseValue ::= SEQUENCE {
* responseType ENUMERATED {
* sid (1),
* name (2),
* posix_user (3),
* posix_group (4)
* },
* data OutputData
* }
*
* OutputData ::= CHOICE {
* sid OCTET STRING,
* name NameDomainData,
* user PosixUser,
* group PosixGroup
* }
*
* NameDomainData ::= SEQUENCE {
* domain_name OCTET STRING,
* object_name OCTET STRING
* }
*
* PosixUser ::= SEQUENCE {
* domain_name OCTET STRING,
* user_name OCTET STRING,
* uid INTEGER
* gid INTEGER
* }
*
* PosixGroup ::= SEQUENCE {
* domain_name OCTET STRING,
* group_name OCTET STRING,
* gid INTEGER
* }
*/

## EXTDOM V1 (2.16.840.1.113730.3.8.10.4.1)

In V1 version the requestType is extended of `full_with_groups`.
The response introduces new type `posix_user_grouplist` containing
the list of groups

### V1 request

/*
* ExtdomRequestValue ::= SEQUENCE {
* inputType ENUMERATED {
* sid (1),
* name (2),
* posix uid (3),
* posix gid (4),
* },
* requestType ENUMERATED {
* simple (1),
* full (2),
* full_with_groups (3)
* },
* data InputData
* }
*
* InputData ::= CHOICE {
* sid OCTET STRING,
* name NameDomainData
* uid PosixUid,
* gid PosixGid
* }
*
* NameDomainData ::= SEQUENCE {
* domain_name OCTET STRING,
* object_name OCTET STRING
* }
*
* PosixUid ::= SEQUENCE {
* domain_name OCTET STRING,
* uid INTEGER
* }
*
* PosixGid ::= SEQUENCE {
* domain_name OCTET STRING,
* gid INTEGER
* }
*/

### V1 reply

/*
* ExtdomResponseValue ::= SEQUENCE {
* responseType ENUMERATED {
* sid (1),
* name (2),
* posix_user (3),
* posix_group (4),
* posix_user_grouplist (5)
* },
* data OutputData
* }
*
* OutputData ::= CHOICE {
* sid OCTET STRING,
* name NameDomainData,
* user PosixUser,
* group PosixGroup,
* user_grouplist PosixUserGrouplist
* }
*
* NameDomainData ::= SEQUENCE {
* domain_name OCTET STRING,
* object_name OCTET STRING
* }
*
* PosixUser ::= SEQUENCE {
* domain_name OCTET STRING,
* user_name OCTET STRING,
* uid INTEGER
* gid INTEGER
* }
*
* GroupNameList ::= SEQUENCE OF groupname OCTET STRING
*
* PosixGroup ::= SEQUENCE {
* domain_name OCTET STRING,
* group_name OCTET STRING,
* gid INTEGER
* }
*
* PosixUserGrouplist ::= SEQUENCE {
* domain_name OCTET STRING,
* user_name OCTET STRING,
* uid INTEGER
* gid INTEGER
* gecos OCTET STRING,
* home_directory OCTET STRING,
* shell OCTET STRING,
* grouplist GroupNameList
* }
*
* GroupNameList ::= SEQUENCE OF groupname OCTET STRING
*
*/

## EXTDOM V2 (2.16.840.1.113730.3.8.10.4.2)

The `name` request tries to translate name to ID. It first tries translate it
as if it is a user and when it fails, it tries to resolve is as group.

To make it more efficient when SSSD knows the type of requested object, two new
inputTypes are defined - username and groupname.

The response is the same as in V1

### V2 request

/*
* ExtdomRequestValue ::= SEQUENCE {
* inputType ENUMERATED {
* sid (1),
* name (2),
* posix uid (3),
* posix gid (4),
* username (5),
* groupname (6)
* },
* requestType ENUMERATED {
* simple (1),
* full (2),
* full_with_groups (3)
* },
* data InputData
* }
*
* InputData ::= CHOICE {
* sid OCTET STRING,
* name NameDomainData
* uid PosixUid,
* gid PosixGid
* }
*
* NameDomainData ::= SEQUENCE {
* domain_name OCTET STRING,
* object_name OCTET STRING
* }
*
* PosixUid ::= SEQUENCE {
* domain_name OCTET STRING,
* uid INTEGER
* }
*
* PosixGid ::= SEQUENCE {
* domain_name OCTET STRING,
* gid INTEGER
* }
*/
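Review bot: the ASN.1 schemas in this file are wrapped in C-style `/* ... */` comments instead of markdown code fences, so when `doc/designs/extdom-plugin-protocol.md` is rendered the leading `*` on every line will be read as a list marker and the indentation is lost; put each `ExtdomRequestValue` / `ExtdomResponseValue` schema in a fenced code block (```` ```asn1 ````). The schemas themselves also have slips that an implementer transcribing them into a BER encoder or decoder will trip over: every `InputData ::= CHOICE` is missing the comma after `name NameDomainData`, `PosixUser` and `PosixUserGrouplist` are missing the comma after `uid INTEGER`, the V1 request `inputType` has a trailing comma after `posix gid (4),`, `posix uid` and `posix gid` contain a space and are not valid ASN.1 identifiers (`posix_uid`/`posix_gid` would match the `posix_user`/`posix_group` style used in the reply), and `GroupNameList` is defined twice in the V1 reply (the second copy at the end can be dropped). In the V2 request the new `username (5)` and `groupname (6)` input types are introduced but the `InputData` CHOICE is unchanged from V1, so the text should say which alternative carries them (presumably `name NameDomainData`, but the document should state it rather than leave it to the reader). Finally, the intro says SSSD uses the plugin to "translate SID to names and POSIX IDs", but the request types also cover name-to-SID and UID/GID-to-name lookups; a one-line summary of all supported directions would make the opening accurate.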
