3 changes: 3 additions & 0 deletions Makefile.am
Expand Up @@ -3452,10 +3452,13 @@ test_ipa_subdom_server_SOURCES = \
src/tests/cmocka/common_mock_sdap.c \
src/tests/cmocka/common_mock_be.c \
src/tests/cmocka/common_mock_krb5.c \
src/tests/cmocka/data_provider/mock_dp.c \
src/tests/cmocka/test_ipa_subdomains_server.c \
src/providers/ipa/ipa_subdomains_server.c \
src/providers/ipa/ipa_subdomains_utils.c \
src/providers/ipa/ipa_common.c \
src/providers/ipa/ipa_opts.c \
src/providers/ipa/ipa_srv.c \
src/providers/ldap/ldap_common.c \
$(NULL)
test_ipa_subdom_server_CFLAGS = \
1 change: 1 addition & 0 deletions src/confdb/confdb.h
Expand Up @@ -413,6 +413,7 @@ struct sss_domain_info {
char *dns_name;
char *domain_id;
uint32_t trust_direction;
uint32_t trust_type;
struct timeval subdomains_last_checked;

bool has_views;
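Review bot: The new `trust_type` member of `struct sss_domain_info` is added with no comment saying what it encodes or what a zero value means, and the adjacent `trust_direction` is equally undocumented so a reader has nothing to go on. From the sysdb changes in this commit, 0 is the value returned when the attribute is absent and a zero value is not written for a newly stored subdomain, so I would write `uint32_t trust_type; /* type of the trust; 0 = not known / not stored (SYSDB_SUBDOMAIN_TRUST_TYPE) */`. The prototypes of `sysdb_subdomain_store` and `new_subdomain` in src/db/sysdb.h gain the same parameter without a word on its meaning; a one-line note at each declaration would close that gap too.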
3 changes: 3 additions & 0 deletions src/db/sysdb.h
Expand Up @@ -173,6 +173,7 @@
#define SYSDB_SUBDOMAIN_ENUM "enumerate"
#define SYSDB_SUBDOMAIN_FOREST "memberOfForest"
#define SYSDB_SUBDOMAIN_TRUST_DIRECTION "trustDirection"
#define SYSDB_SUBDOMAIN_TRUST_TYPE "trustType"
#define SYSDB_UPN_SUFFIXES "upnSuffixes"
#define SYSDB_SITE "site"
#define SYSDB_ENABLED "enabled"
Expand Down Expand Up @@ -566,6 +567,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
enum sss_domain_mpg_mode mpg_mode,
bool enumerate, const char *forest,
uint32_t trust_direction,
uint32_t trust_type,
struct ldb_message_element *upn_suffixes);

errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
Expand Down Expand Up @@ -607,6 +609,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *forest,
const char **upn_suffixes,
uint32_t trust_direction,
uint32_t trust_type,
struct confdb_ctx *confdb,
bool enabled);

48 changes: 45 additions & 3 deletions src/db/sysdb_subdomains.c
Expand Up @@ -40,6 +40,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *forest,
const char **upn_suffixes,
uint32_t trust_direction,
uint32_t trust_type,
struct confdb_ctx *confdb,
bool enabled)
{
Expand Down Expand Up @@ -175,6 +176,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->case_preserve = inherit_option ? parent->case_preserve : false;

dom->trust_direction = trust_direction;
dom->trust_type = trust_type;
/* If the parent domain explicitly limits ID ranges, the subdomain
* should honour the limits as well.
*/
Expand Down Expand Up @@ -415,6 +417,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
SYSDB_SUBDOMAIN_ENUM,
SYSDB_SUBDOMAIN_FOREST,
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
SYSDB_SUBDOMAIN_TRUST_TYPE,
SYSDB_UPN_SUFFIXES,
SYSDB_ENABLED,
NULL};
Expand All @@ -431,6 +434,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
enum sss_domain_mpg_mode mpg_mode;
bool enumerate;
uint32_t trust_direction;
uint32_t trust_type;
struct ldb_message_element *tmp_el;
const char **upn_suffixes;

Expand Down Expand Up @@ -519,6 +523,10 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
0);

trust_type = ldb_msg_find_attr_as_int(res->msgs[i],
SYSDB_SUBDOMAIN_TRUST_TYPE,
0);

enabled = ldb_msg_find_attr_as_bool(res->msgs[i], SYSDB_ENABLED, true);

for (dom = domain->subdomains; dom;
Expand Down Expand Up @@ -651,15 +659,21 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
dom->trust_direction = trust_direction;
}

if (dom->trust_type != trust_type) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Trust type change from [%d] to [%d]!\n",
dom->trust_type, trust_type);
dom->trust_type = trust_type;
}
break;
}
}
/* If not found in loop it is a new subdomain */
if (dom == NULL) {
dom = new_subdomain(domain, domain, name, realm,
flat, dns, id, mpg_mode, enumerate, forest,
upn_suffixes, trust_direction, confdb,
enabled);
upn_suffixes, trust_direction, trust_type,
confdb, enabled);
if (dom == NULL) {
ret = ENOMEM;
goto done;
Expand Down Expand Up @@ -1087,6 +1101,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
enum sss_domain_mpg_mode mpg_mode,
bool enumerate, const char *forest,
uint32_t trust_direction,
uint32_t trust_type,
struct ldb_message_element *upn_suffixes)
{
TALLOC_CTX *tmp_ctx;
Expand All @@ -1102,6 +1117,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
SYSDB_SUBDOMAIN_ENUM,
SYSDB_SUBDOMAIN_FOREST,
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
SYSDB_SUBDOMAIN_TRUST_TYPE,
SYSDB_UPN_SUFFIXES,
NULL};
const char *tmp_str;
Expand All @@ -1116,8 +1132,10 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
int enum_flags = 0;
int forest_flags = 0;
int td_flags = 0;
int tt_flags = 0;
int upn_flags = 0;
uint32_t tmp_td;
uint32_t tmp_tt;
int ret;

tmp_ctx = talloc_new(NULL);
Expand Down Expand Up @@ -1151,6 +1169,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
enum_flags = LDB_FLAG_MOD_ADD;
if (forest) forest_flags = LDB_FLAG_MOD_ADD;
if (trust_direction) td_flags = LDB_FLAG_MOD_ADD;
if (trust_type) tt_flags = LDB_FLAG_MOD_ADD;
if (upn_suffixes) upn_flags = LDB_FLAG_MOD_ADD;
} else if (res->count != 1) {
ret = EINVAL;
Expand Down Expand Up @@ -1233,6 +1252,13 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
td_flags = LDB_FLAG_MOD_REPLACE;
}

tmp_tt = ldb_msg_find_attr_as_uint(res->msgs[0],
SYSDB_SUBDOMAIN_TRUST_TYPE,
0);
if (tmp_tt != trust_type) {
tt_flags = LDB_FLAG_MOD_REPLACE;
}

if (upn_suffixes) {
tmp_el = ldb_msg_find_element(res->msgs[0], SYSDB_UPN_SUFFIXES);
/* Luckily ldb_msg_element_compare() only compares the values and
Expand All @@ -1247,7 +1273,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
if (!store && realm_flags == 0 && flat_flags == 0
&& dns_flags == 0 && id_flags == 0
&& mpg_flags == 0 && enum_flags == 0 && forest_flags == 0
&& td_flags == 0 && upn_flags == 0) {
&& td_flags == 0 && tt_flags == 0 && upn_flags == 0) {
ret = EOK;
goto done;
}
Expand Down Expand Up @@ -1396,6 +1422,22 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
}
}

if (tt_flags) {
ret = ldb_msg_add_empty(msg, SYSDB_SUBDOMAIN_TRUST_TYPE,
tt_flags, NULL);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
}

ret = ldb_msg_add_fmt(msg, SYSDB_SUBDOMAIN_TRUST_TYPE,
"%u", trust_type);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
}
}

if (upn_flags) {
tmp_el = talloc_zero(tmp_ctx, struct ldb_message_element);
if (tmp_el == NULL) {
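Review bot: In `sysdb_update_subdomains` the new attribute is read with `ldb_msg_find_attr_as_int` into a `uint32_t` and logged with `%d`, while `sysdb_subdomain_store` in the same commit reads it with `ldb_msg_find_attr_as_uint` and writes it with `"%u"`; the read and write paths should agree on signedness, and `%d` with a `uint32_t` argument is a format mismatch. I would use `trust_type = ldb_msg_find_attr_as_uint(res->msgs[i], SYSDB_SUBDOMAIN_TRUST_TYPE, 0);` and `"Trust type change from [%u] to [%u]!\n"` (or `PRIu32`). This mirrors the existing `trust_direction` handling, so the mismatch is pre-existing there, but new code is the place to get it right. Separately, the new-entry path only sets `tt_flags` when `trust_type` is non-zero, so a stored entry cannot distinguish "type not known" from a genuine 0; if 0 is ever a meaningful trust type this needs a different sentinel, and a comment at `if (trust_type) tt_flags = LDB_FLAG_MOD_ADD;` stating that 0 means "unset" would make the intent explicit either way.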
12 changes: 11 additions & 1 deletion src/man/sssd-ipa.5.xml
Expand Up @@ -935,6 +935,12 @@ ad_server = dc.ad.domain.com
<listitem>
<para>ad_site</para>
</listitem>
<listitem>
<para>ipa_server</para>
</listitem>
<listitem>
<para>ipa_backup_server</para>
</listitem>
<listitem>
<para>ldap_search_base</para>
</listitem>
Expand All @@ -949,11 +955,15 @@ ad_server = dc.ad.domain.com
</listitem>
</itemizedlist>
</para>
<para>
Options prefixed with 'ad_' or 'ipa_' only apply to
their respective subdomain type.
</para>
</refsect2>
<refsect2 id='client_configuration'>
<title>OPTIONS TUNABLE ON IPA CLIENTS</title>
<para>
The following options can be set in a subdomain
The following options can be set in an AD subdomain
section on an IPA client:
<itemizedlist>
<listitem>
99 changes: 32 additions & 67 deletions src/providers/ad/ad_common.c
Expand Up @@ -353,60 +353,21 @@ set_common_ad_trust_opts(struct ad_options *ad_options,
}

struct ad_options *
ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *conf_path,
struct data_provider *dp,
const char *realm,
struct sss_domain_info *subdom,
const char *hostname,
const char *keytab)
ad_create_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
struct data_provider *dp,
struct sss_domain_info *subdom,
const char *realm,
const char *hostname,
const char *keytab,
const char *sasl_authid)
{
struct ad_options *ad_options;
errno_t ret;
const char *upper_realm = NULL;

DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n",
subdom->name);

ad_options = ad_create_options(mem_ctx, cdb, conf_path, dp, subdom);
if (ad_options == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
return NULL;
}

ret = set_common_ad_trust_opts(ad_options, realm, subdom->name, hostname,
keytab);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "set_common_ad_trust_opts failed\n");
talloc_free(ad_options);
return NULL;
}

ret = ad_set_sdap_options(ad_options, ad_options->id);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "ad_set_sdap_options failed\n");
talloc_free(ad_options);
return NULL;
}

return ad_options;
}

struct ad_options *
ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
struct data_provider *dp,
struct sss_domain_info *subdom,
const char *hostname,
const char *keytab,
const char *sasl_authid)
{
struct ad_options *ad_options;
const char *realm;
errno_t ret;

DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n",
DEBUG(SSSDBG_TRACE_FUNC, "trust is defined to domain '%s'\n",
subdom->name);

ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, dp, subdom);
Expand All @@ -415,14 +376,16 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
return NULL;
}

realm = get_uppercase_realm(ad_options, subdom->name);
if (!realm) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get uppercase realm\n");
talloc_free(ad_options);
return NULL;
if (realm == NULL) {
upper_realm = get_uppercase_realm(ad_options, subdom->name);
if (upper_realm == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get uppercase realm\n");
talloc_free(ad_options);
return NULL;
}
}

ret = set_common_ad_trust_opts(ad_options, realm,
ret = set_common_ad_trust_opts(ad_options, (realm == NULL ? upper_realm : realm),
subdom->name, hostname, keytab);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
Expand All @@ -433,12 +396,14 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
}

/* Set SDAP_SASL_AUTHID to the trust principal */
ret = dp_opt_set_string(ad_options->id->basic,
SDAP_SASL_AUTHID, sasl_authid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n");
talloc_free(ad_options);
return NULL;
if (sasl_authid != NULL) {
ret = dp_opt_set_string(ad_options->id->basic,
SDAP_SASL_AUTHID, sasl_authid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n");
talloc_free(ad_options);
return NULL;
}
}

ret = ad_set_sdap_options(ad_options, ad_options->id);
Expand Down Expand Up @@ -1656,11 +1621,11 @@ ad_user_conn_list(TALLOC_CTX *mem_ctx,
return clist;
}

errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
struct dp_option *subdom_opts,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
int opt_id)
errno_t subdom_inherit_opts_if_needed(struct dp_option *parent_opts,
struct dp_option *subdom_opts,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
int opt_id)
{
int ret;
bool is_default = true;
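Review bot: In the merged `ad_create_trust_options`, the `upper_realm` local and the `(realm == NULL ? upper_realm : realm)` ternary at the `set_common_ad_trust_opts` call can be folded by reassigning the parameter: `if (realm == NULL) { realm = get_uppercase_realm(ad_options, subdom->name); if (realm == NULL) { DEBUG(...); talloc_free(ad_options); return NULL; } }` and then pass `realm` directly. The trace message was reduced to `"trust is defined to domain '%s'\n"`, dropping the 1way/2way distinction the two old functions logged; the only difference still visible in this hunk is whether `sasl_authid` is NULL, so logging that (`"trust is defined to domain '%s' (sasl_authid %s)\n", subdom->name, sasl_authid ? "set" : "unset"`) would preserve the diagnostic value, assuming that is what separates the callers. Making `sasl_authid` optional is a silent contract change from the old one-way function where it was mandatory; a header comment stating that a NULL `sasl_authid` leaves SDAP_SASL_AUTHID untouched and a NULL `realm` derives it from `subdom->name` would document the new behaviour. The function body continues past the end of the hunk.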