Skip to content

Initial support for IDM IDM Trust #7679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
justin-stephenson wants to merge 13 commits into from
Closed

Initial support for IDM IDM Trust #7679

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
52517f3
SYSDB: Store IPA trust type
justin-stephenson Apr 23, 2024
9e1f91d
Rename struct ipa_ad_server_ctx, and add id_ctx union member
justin-stephenson Apr 24, 2024
f01c3f5
ipa: Make ipa_service_init() like ad_failover_init()
justin-stephenson Apr 26, 2024
2d87ed0
ad: Combine 1+2way trust options creation functions
justin-stephenson May 1, 2024
dd803a9
ipa: Make ipa server ad* functions generic
justin-stephenson Apr 22, 2024
1e2e504
ipa: Add ipa subdomain provider initialization
justin-stephenson Apr 10, 2024
522c93c
ipa: Support ipa subdomain account info requests
justin-stephenson Apr 22, 2024
f7f7622
ipa s2n: Remove check for SYSDB_UPN
justin-stephenson Apr 30, 2024
752f175
ipa: Rename ipa_create_ad_1way_trust_ctx()
justin-stephenson May 1, 2024
764f4ef
Handle missing SID for user private group
justin-stephenson Jul 8, 2024
aa088e1
ipa s2n: Ignore trusted IPA user private group
justin-stephenson Aug 9, 2024
409ca34
AD: Remove unused AD_AT_TRUST_TYPE attribute
justin-stephenson Sep 17, 2024
48c14d3
man: IPA subdomain changes to sssd-ipa
justin-stephenson Feb 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions Makefile.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3452,10 +3452,13 @@ test_ipa_subdom_server_SOURCES = \
src/tests/cmocka/common_mock_sdap.c \
src/tests/cmocka/common_mock_be.c \
src/tests/cmocka/common_mock_krb5.c \
src/tests/cmocka/data_provider/mock_dp.c \
src/tests/cmocka/test_ipa_subdomains_server.c \
src/providers/ipa/ipa_subdomains_server.c \
src/providers/ipa/ipa_subdomains_utils.c \
src/providers/ipa/ipa_common.c \
src/providers/ipa/ipa_opts.c \
src/providers/ipa/ipa_srv.c \
src/providers/ldap/ldap_common.c \
$(NULL)
test_ipa_subdom_server_CFLAGS = \
Expand Down
1 change: 1 addition & 0 deletions src/confdb/confdb.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -413,6 +413,7 @@ struct sss_domain_info {
char *dns_name;
char *domain_id;
uint32_t trust_direction;
uint32_t trust_type;
struct timeval subdomains_last_checked;

bool has_views;
Expand Down
3 changes: 3 additions & 0 deletions src/db/sysdb.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,7 @@
#define SYSDB_SUBDOMAIN_ENUM "enumerate"
#define SYSDB_SUBDOMAIN_FOREST "memberOfForest"
#define SYSDB_SUBDOMAIN_TRUST_DIRECTION "trustDirection"
#define SYSDB_SUBDOMAIN_TRUST_TYPE "trustType"
#define SYSDB_UPN_SUFFIXES "upnSuffixes"
#define SYSDB_SITE "site"
#define SYSDB_ENABLED "enabled"
Expand Down Expand Up @@ -566,6 +567,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
enum sss_domain_mpg_mode mpg_mode,
bool enumerate, const char *forest,
uint32_t trust_direction,
uint32_t trust_type,
struct ldb_message_element *upn_suffixes);

errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
Expand Down Expand Up @@ -607,6 +609,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *forest,
const char **upn_suffixes,
uint32_t trust_direction,
uint32_t trust_type,
struct confdb_ctx *confdb,
bool enabled);

Expand Down
48 changes: 45 additions & 3 deletions src/db/sysdb_subdomains.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *forest,
const char **upn_suffixes,
uint32_t trust_direction,
uint32_t trust_type,
struct confdb_ctx *confdb,
bool enabled)
{
Expand Down Expand Up @@ -175,6 +176,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->case_preserve = inherit_option ? parent->case_preserve : false;

dom->trust_direction = trust_direction;
dom->trust_type = trust_type;
/* If the parent domain explicitly limits ID ranges, the subdomain
* should honour the limits as well.
*/
Expand Down Expand Up @@ -415,6 +417,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
SYSDB_SUBDOMAIN_ENUM,
SYSDB_SUBDOMAIN_FOREST,
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
SYSDB_SUBDOMAIN_TRUST_TYPE,
SYSDB_UPN_SUFFIXES,
SYSDB_ENABLED,
NULL};
Expand All @@ -431,6 +434,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
enum sss_domain_mpg_mode mpg_mode;
bool enumerate;
uint32_t trust_direction;
uint32_t trust_type;
struct ldb_message_element *tmp_el;
const char **upn_suffixes;

Expand Down Expand Up @@ -519,6 +523,10 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
0);

trust_type = ldb_msg_find_attr_as_int(res->msgs[i],
SYSDB_SUBDOMAIN_TRUST_TYPE,
0);

enabled = ldb_msg_find_attr_as_bool(res->msgs[i], SYSDB_ENABLED, true);

for (dom = domain->subdomains; dom;
Expand Down Expand Up @@ -651,15 +659,21 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
dom->trust_direction = trust_direction;
}

if (dom->trust_type != trust_type) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Trust type change from [%d] to [%d]!\n",
dom->trust_type, trust_type);
dom->trust_type = trust_type;
}
break;
}
}
/* If not found in loop it is a new subdomain */
if (dom == NULL) {
dom = new_subdomain(domain, domain, name, realm,
flat, dns, id, mpg_mode, enumerate, forest,
upn_suffixes, trust_direction, confdb,
enabled);
upn_suffixes, trust_direction, trust_type,
confdb, enabled);
if (dom == NULL) {
ret = ENOMEM;
goto done;
Expand Down Expand Up @@ -1087,6 +1101,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
enum sss_domain_mpg_mode mpg_mode,
bool enumerate, const char *forest,
uint32_t trust_direction,
uint32_t trust_type,
struct ldb_message_element *upn_suffixes)
{
TALLOC_CTX *tmp_ctx;
Expand All @@ -1102,6 +1117,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
SYSDB_SUBDOMAIN_ENUM,
SYSDB_SUBDOMAIN_FOREST,
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
SYSDB_SUBDOMAIN_TRUST_TYPE,
SYSDB_UPN_SUFFIXES,
NULL};
const char *tmp_str;
Expand All @@ -1116,8 +1132,10 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
int enum_flags = 0;
int forest_flags = 0;
int td_flags = 0;
int tt_flags = 0;
int upn_flags = 0;
uint32_t tmp_td;
uint32_t tmp_tt;
int ret;

tmp_ctx = talloc_new(NULL);
Expand Down Expand Up @@ -1151,6 +1169,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
enum_flags = LDB_FLAG_MOD_ADD;
if (forest) forest_flags = LDB_FLAG_MOD_ADD;
if (trust_direction) td_flags = LDB_FLAG_MOD_ADD;
if (trust_type) tt_flags = LDB_FLAG_MOD_ADD;
if (upn_suffixes) upn_flags = LDB_FLAG_MOD_ADD;
} else if (res->count != 1) {
ret = EINVAL;
Expand Down Expand Up @@ -1233,6 +1252,13 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
td_flags = LDB_FLAG_MOD_REPLACE;
}

tmp_tt = ldb_msg_find_attr_as_uint(res->msgs[0],
SYSDB_SUBDOMAIN_TRUST_TYPE,
0);
if (tmp_tt != trust_type) {
tt_flags = LDB_FLAG_MOD_REPLACE;
}

if (upn_suffixes) {
tmp_el = ldb_msg_find_element(res->msgs[0], SYSDB_UPN_SUFFIXES);
/* Luckily ldb_msg_element_compare() only compares the values and
Expand All @@ -1247,7 +1273,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
if (!store && realm_flags == 0 && flat_flags == 0
&& dns_flags == 0 && id_flags == 0
&& mpg_flags == 0 && enum_flags == 0 && forest_flags == 0
&& td_flags == 0 && upn_flags == 0) {
&& td_flags == 0 && tt_flags == 0 && upn_flags == 0) {
ret = EOK;
goto done;
}
Expand Down Expand Up @@ -1396,6 +1422,22 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
}
}

if (tt_flags) {
ret = ldb_msg_add_empty(msg, SYSDB_SUBDOMAIN_TRUST_TYPE,
tt_flags, NULL);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
}

ret = ldb_msg_add_fmt(msg, SYSDB_SUBDOMAIN_TRUST_TYPE,
"%u", trust_type);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
}
}

if (upn_flags) {
tmp_el = talloc_zero(tmp_ctx, struct ldb_message_element);
if (tmp_el == NULL) {
Expand Down
12 changes: 11 additions & 1 deletion src/man/sssd-ipa.5.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -935,6 +935,12 @@ ad_server = dc.ad.domain.com
<listitem>
<para>ad_site</para>
</listitem>
<listitem>
<para>ipa_server</para>
</listitem>
<listitem>
<para>ipa_backup_server</para>
</listitem>
<listitem>
<para>ldap_search_base</para>
</listitem>
Expand All @@ -949,11 +955,15 @@ ad_server = dc.ad.domain.com
</listitem>
</itemizedlist>
</para>
<para>
Options prefixed with 'ad_' or 'ipa_' only apply to
their respective subdomain type.
</para>
</refsect2>
<refsect2 id='client_configuration'>
<title>OPTIONS TUNABLE ON IPA CLIENTS</title>
<para>
The following options can be set in a subdomain
The following options can be set in an AD subdomain
section on an IPA client:
<itemizedlist>
<listitem>
Expand Down
99 changes: 32 additions & 67 deletions src/providers/ad/ad_common.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -353,60 +353,21 @@ set_common_ad_trust_opts(struct ad_options *ad_options,
}

struct ad_options *
ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *conf_path,
struct data_provider *dp,
const char *realm,
struct sss_domain_info *subdom,
const char *hostname,
const char *keytab)
ad_create_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
struct data_provider *dp,
struct sss_domain_info *subdom,
const char *realm,
const char *hostname,
const char *keytab,
const char *sasl_authid)
{
struct ad_options *ad_options;
errno_t ret;
const char *upper_realm = NULL;

DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n",
subdom->name);

ad_options = ad_create_options(mem_ctx, cdb, conf_path, dp, subdom);
if (ad_options == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
return NULL;
}

ret = set_common_ad_trust_opts(ad_options, realm, subdom->name, hostname,
keytab);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "set_common_ad_trust_opts failed\n");
talloc_free(ad_options);
return NULL;
}

ret = ad_set_sdap_options(ad_options, ad_options->id);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "ad_set_sdap_options failed\n");
talloc_free(ad_options);
return NULL;
}

return ad_options;
}

struct ad_options *
ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
struct data_provider *dp,
struct sss_domain_info *subdom,
const char *hostname,
const char *keytab,
const char *sasl_authid)
{
struct ad_options *ad_options;
const char *realm;
errno_t ret;

DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n",
DEBUG(SSSDBG_TRACE_FUNC, "trust is defined to domain '%s'\n",
subdom->name);

ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, dp, subdom);
Expand All @@ -415,14 +376,16 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
return NULL;
}

realm = get_uppercase_realm(ad_options, subdom->name);
if (!realm) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get uppercase realm\n");
talloc_free(ad_options);
return NULL;
if (realm == NULL) {
upper_realm = get_uppercase_realm(ad_options, subdom->name);
if (upper_realm == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get uppercase realm\n");
talloc_free(ad_options);
return NULL;
}
}

ret = set_common_ad_trust_opts(ad_options, realm,
ret = set_common_ad_trust_opts(ad_options, (realm == NULL ? upper_realm : realm),
subdom->name, hostname, keytab);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
Expand All @@ -433,12 +396,14 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
}

/* Set SDAP_SASL_AUTHID to the trust principal */
ret = dp_opt_set_string(ad_options->id->basic,
SDAP_SASL_AUTHID, sasl_authid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n");
talloc_free(ad_options);
return NULL;
if (sasl_authid != NULL) {
ret = dp_opt_set_string(ad_options->id->basic,
SDAP_SASL_AUTHID, sasl_authid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n");
talloc_free(ad_options);
return NULL;
}
}

ret = ad_set_sdap_options(ad_options, ad_options->id);
Expand Down Expand Up @@ -1656,11 +1621,11 @@ ad_user_conn_list(TALLOC_CTX *mem_ctx,
return clist;
}

errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
struct dp_option *subdom_opts,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
int opt_id)
errno_t subdom_inherit_opts_if_needed(struct dp_option *parent_opts,
struct dp_option *subdom_opts,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
int opt_id)
{
int ret;
bool is_default = true;
Expand Down
Loading