void opt_test_copy_default(void **state)
{
int ret;
TALLOC_CTX *mem_ctx;
struct dp_option *opts;
struct dp_opt_blob b;
mem_ctx = talloc_new(global_talloc_context);
assert_non_null(mem_ctx);
ret = dp_copy_defaults(mem_ctx, test_def_opts, OPT_NUM_OPTS, &opts);
assert_int_equal(ret, EOK);
assert_defaults(opts);
/* Test that copy_defaults would still copy defaults even if we
* change the values
*/
ret = dp_opt_set_string(opts, OPT_STRING_NODEFAULT, "str1");
assert_int_equal(ret, EOK);
ret = dp_opt_set_string(opts, OPT_STRING_DEFAULT, "str2");
assert_int_equal(ret, EOK);
b.data = discard_const_p(uint8_t, "blob1");
b.length = strlen("blob1");
ret = dp_opt_set_blob(opts, OPT_BLOB_NODEFAULT, b);
assert_int_equal(ret, EOK);
ret = dp_opt_set_blob(opts, OPT_BLOB_DEFAULT, b);
b.data = discard_const_p(uint8_t, "blob2");
b.length = strlen("blob2");
assert_int_equal(ret, EOK);
ret = dp_opt_set_int(opts, OPT_INT_NODEFAULT, 456);
assert_int_equal(ret, EOK);
ret = dp_opt_set_int(opts, OPT_INT_DEFAULT, 789);
assert_int_equal(ret, EOK);
ret = dp_opt_set_bool(opts, OPT_BOOL_TRUE, false);
assert_int_equal(ret, EOK);
ret = dp_opt_set_bool(opts, OPT_BOOL_FALSE, true);
assert_int_equal(ret, EOK);
talloc_free(opts);
ret = dp_copy_defaults(mem_ctx, test_def_opts, OPT_NUM_OPTS, &opts);
assert_int_equal(ret, EOK);
assert_defaults(opts);
}
void opt_test_inherit(void **state)
{
struct dp_option *opts = talloc_get_type(*state, struct dp_option);
int ret;
struct dp_option *opts_copy;
const char *s;
const char *sd_inherit_match[] = { "string_nodefault",
"blob_nodefault",
"int_nodefault",
"bool_true",
NULL };
ret = dp_copy_defaults(opts, test_def_opts,
OPT_NUM_OPTS, &opts_copy);
assert_int_equal(ret, EOK);
assert_defaults(opts);
dp_option_inherit(NULL, OPT_STRING_NODEFAULT,
opts, opts_copy);
s = dp_opt_get_string(opts_copy, OPT_STRING_NODEFAULT);
assert_null(s);
/* string */
assert_nondefault_string_empty(opts_copy);
set_nondefault_string(opts);
dp_option_inherit(discard_const(sd_inherit_match),
OPT_STRING_NODEFAULT,
opts, opts_copy);
check_nondefault_string(opts_copy);
/* blob */
assert_nondefault_blob_empty(opts_copy);
set_nondefault_blob(opts);
dp_option_inherit(discard_const(sd_inherit_match),
OPT_BLOB_NODEFAULT,
opts, opts_copy);
check_nondefault_blob(opts_copy);
/* number */
assert_nondefault_int_notset(opts_copy);
set_nondefault_int(opts);
dp_option_inherit(discard_const(sd_inherit_match),
OPT_INT_NODEFAULT,
opts, opts_copy);
assert_nondefault_int_set(opts_copy);
/* bool */
assert_true(dp_opt_get_bool(opts_copy, OPT_BOOL_TRUE));
ret = dp_opt_set_bool(opts, OPT_BOOL_TRUE, false);
assert_int_equal(ret, EOK);
dp_option_inherit(discard_const(sd_inherit_match),
OPT_BOOL_TRUE,
opts, opts_copy);
assert_false(dp_opt_get_bool(opts_copy, OPT_BOOL_TRUE));
}
void opt_test_copy_options(void **state)
{
int ret;
TALLOC_CTX *mem_ctx;
struct dp_option *opts;
char *s;
struct dp_opt_blob b;
int i;
bool bo;
mem_ctx = talloc_new(global_talloc_context);
assert_non_null(mem_ctx);
ret = dp_copy_options(mem_ctx, test_def_opts, OPT_NUM_OPTS, &opts);
assert_int_equal(ret, EOK);
assert_int_equal(ret, EOK);
ret = dp_opt_set_string(opts, OPT_STRING_NODEFAULT, "str1");
assert_int_equal(ret, EOK);
b.data = discard_const_p(uint8_t, "blob1");
b.length = strlen("blob1");
ret = dp_opt_set_blob(opts, OPT_BLOB_NODEFAULT, b);
assert_int_equal(ret, EOK);
ret = dp_opt_set_int(opts, OPT_INT_NODEFAULT, 456);
assert_int_equal(ret, EOK);
ret = dp_opt_set_bool(opts, OPT_BOOL_TRUE, false);
assert_int_equal(ret, EOK);
/* Test that options set to an explicit value retain
* the value and even options with default value
* do not return the default unless explicitly set
*/
s = dp_opt_get_string(opts, OPT_STRING_NODEFAULT);
assert_string_equal(s, "str1");
s = dp_opt_get_string(opts, OPT_STRING_DEFAULT);
assert_null(s);
b = dp_opt_get_blob(opts, OPT_BLOB_NODEFAULT);
assert_non_null(b.data);
assert_int_equal(b.length, strlen("blob1"));
assert_memory_equal(b.data, "blob1", strlen("blob1"));
b = dp_opt_get_blob(opts, OPT_BLOB_DEFAULT);
assert_null(b.data);
assert_int_equal(b.length, 0);
i = dp_opt_get_int(opts, OPT_INT_NODEFAULT);
assert_int_equal(i, 456);
i = dp_opt_get_int(opts, OPT_INT_DEFAULT);
assert_int_equal(i, 0);
bo = dp_opt_get_bool(opts, OPT_BOOL_TRUE);
assert_false(bo == true);
}
void opt_test_getset_bool(void **state)
{
struct dp_option *opts = talloc_get_type(*state, struct dp_option);
int ret;
bool b;
b = dp_opt_get_bool(opts, OPT_BOOL_TRUE);
assert_true(b == true);
ret = dp_opt_set_bool(opts, OPT_BOOL_TRUE, false);
assert_int_equal(ret, EOK);
b = dp_opt_get_bool(opts, OPT_BOOL_TRUE);
assert_false(b == true);
}
int ldap_get_options(TALLOC_CTX *memctx,
struct sss_domain_info *dom,
struct confdb_ctx *cdb,
const char *conf_path,
struct data_provider *dp,
struct sdap_options **_opts)
{
struct sdap_attr_map *default_attr_map;
struct sdap_attr_map *default_user_map;
struct sdap_attr_map *default_group_map;
struct sdap_attr_map *default_netgroup_map;
struct sdap_attr_map *default_host_map;
struct sdap_attr_map *default_service_map;
struct sdap_options *opts;
char *schema;
char *pwmodify;
const char *search_base;
const char *pwd_policy;
int ret;
int account_cache_expiration;
int offline_credentials_expiration;
const char *ldap_deref;
int ldap_deref_val;
int o;
const char *authtok_type;
struct dp_opt_blob authtok_blob;
char *cleartext;
const int search_base_options[] = { SDAP_USER_SEARCH_BASE,
SDAP_GROUP_SEARCH_BASE,
SDAP_NETGROUP_SEARCH_BASE,
SDAP_HOST_SEARCH_BASE,
SDAP_SERVICE_SEARCH_BASE,
-1 };
opts = talloc_zero(memctx, struct sdap_options);
if (!opts) return ENOMEM;
opts->dp = dp;
ret = sdap_domain_add(opts, dom, NULL);
if (ret != EOK) {
goto done;
}
ret = dp_get_options(opts, cdb, conf_path,
default_basic_opts,
SDAP_OPTS_BASIC,
&opts->basic);
if (ret != EOK) {
goto done;
}
/* Handle search bases */
search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);
if (search_base != NULL) {
/* set user/group/netgroup search bases if they are not */
for (o = 0; search_base_options[o] != -1; o++) {
if (NULL == dp_opt_get_string(opts->basic, search_base_options[o])) {
ret = dp_opt_set_string(opts->basic, search_base_options[o],
search_base);
if (ret != EOK) {
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",
opts->basic[search_base_options[o]].opt_name,
dp_opt_get_string(opts->basic,
search_base_options[o]));
}
}
} else {
DEBUG(SSSDBG_FUNC_DATA,
"Search base not set, trying to discover it later when "
"connecting to the LDAP server.\n");
}
/* Default search */
ret = sdap_parse_search_base(opts, opts->basic,
SDAP_SEARCH_BASE,
&opts->sdom->search_bases);
if (ret != EOK && ret != ENOENT) goto done;
/* User search */
ret = sdap_parse_search_base(opts, opts->basic,
SDAP_USER_SEARCH_BASE,
&opts->sdom->user_search_bases);
if (ret != EOK && ret != ENOENT) goto done;
/* Group search base */
ret = sdap_parse_search_base(opts, opts->basic,
SDAP_GROUP_SEARCH_BASE,
&opts->sdom->group_search_bases);
if (ret != EOK && ret != ENOENT) goto done;
/* Netgroup search */
ret = sdap_parse_search_base(opts, opts->basic,
SDAP_NETGROUP_SEARCH_BASE,
&opts->sdom->netgroup_search_bases);
if (ret != EOK && ret != ENOENT) goto done;
/* Netgroup search */
ret = sdap_parse_search_base(opts, opts->basic,
SDAP_HOST_SEARCH_BASE,
&opts->sdom->host_search_bases);
if (ret != EOK && ret != ENOENT) goto done;
/* Service search */
ret = sdap_parse_search_base(opts, opts->basic,
SDAP_SERVICE_SEARCH_BASE,
&opts->sdom->service_search_bases);
if (ret != EOK && ret != ENOENT) goto done;
pwd_policy = dp_opt_get_string(opts->basic, SDAP_PWD_POLICY);
if (pwd_policy == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Missing password policy, this may not happen.\n");
ret = EINVAL;
goto done;
}
if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) != 0 &&
strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) != 0 &&
strcasecmp(pwd_policy, PWD_POL_OPT_MIT) != 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unsupported password policy [%s].\n", pwd_policy);
ret = EINVAL;
goto done;
}
/* account_cache_expiration must be >= than offline_credentials_expiration */
ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
CONFDB_PAM_CRED_TIMEOUT, 0,
&offline_credentials_expiration);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get value of %s from confdb \n",
CONFDB_PAM_CRED_TIMEOUT);
goto done;
}
account_cache_expiration = dp_opt_get_int(opts->basic,
SDAP_ACCOUNT_CACHE_EXPIRATION);
/* account cache_expiration must not be smaller than
* offline_credentials_expiration to prevent deleting entries that
* still contain credentials valid for offline login.
*
* offline_credentials_expiration == 0 is a special case that says
* that the cached credentials are valid forever. Therefore, the cached
* entries must not be purged from cache.
*/
if (!offline_credentials_expiration && account_cache_expiration) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Conflicting values for options %s (unlimited) "
"and %s (%d)\n",
opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,
CONFDB_PAM_CRED_TIMEOUT,
offline_credentials_expiration);
ret = EINVAL;
goto done;
}
if (offline_credentials_expiration && account_cache_expiration &&
offline_credentials_expiration > account_cache_expiration) {
DEBUG(SSSDBG_CRIT_FAILURE, "Value of %s (now %d) must be larger "
"than value of %s (now %d)\n",
opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,
account_cache_expiration,
CONFDB_PAM_CRED_TIMEOUT,
offline_credentials_expiration);
ret = EINVAL;
goto done;
}
ldap_deref = dp_opt_get_string(opts->basic, SDAP_DEREF);
if (ldap_deref != NULL) {
ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to verify ldap_deref option.\n");
goto done;
}
}
#ifndef HAVE_LDAP_CONNCB
bool ldap_referrals;
ldap_referrals = dp_opt_get_bool(opts->basic, SDAP_REFERRALS);
if (ldap_referrals) {
DEBUG(SSSDBG_CRIT_FAILURE,
"LDAP referrals are not supported, because the LDAP library "
"is too old, see sssd-ldap(5) for details.\n");
ret = dp_opt_set_bool(opts->basic, SDAP_REFERRALS, false);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
goto done;
}
}
#endif
/* schema type */
schema = dp_opt_get_string(opts->basic, SDAP_SCHEMA);
if (strcasecmp(schema, "rfc2307") == 0) {
opts->schema_type = SDAP_SCHEMA_RFC2307;
default_attr_map = generic_attr_map;
default_user_map = rfc2307_user_map;
default_group_map = rfc2307_group_map;
default_netgroup_map = netgroup_map;
default_host_map = host_map;
default_service_map = service_map;
} else
if (strcasecmp(schema, "rfc2307bis") == 0) {
opts->schema_type = SDAP_SCHEMA_RFC2307BIS;
default_attr_map = generic_attr_map;
default_user_map = rfc2307bis_user_map;
default_group_map = rfc2307bis_group_map;
default_netgroup_map = netgroup_map;
default_host_map = host_map;
default_service_map = service_map;
} else
if (strcasecmp(schema, "IPA") == 0) {
opts->schema_type = SDAP_SCHEMA_IPA_V1;
default_attr_map = gen_ipa_attr_map;
default_user_map = rfc2307bis_user_map;
default_group_map = rfc2307bis_group_map;
default_netgroup_map = netgroup_map;
default_host_map = host_map;
default_service_map = service_map;
} else
if (strcasecmp(schema, "AD") == 0) {
opts->schema_type = SDAP_SCHEMA_AD;
default_attr_map = gen_ad_attr_map;
default_user_map = gen_ad2008r2_user_map;
default_group_map = gen_ad2008r2_group_map;
default_netgroup_map = netgroup_map;
default_host_map = host_map;
default_service_map = service_map;
} else {
DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized schema type: %s\n", schema);
ret = EINVAL;
goto done;
}
/* pwmodify mode */
pwmodify = dp_opt_get_string(opts->basic, SDAP_PWMODIFY_MODE);
if (strcasecmp(pwmodify, "exop") == 0) {
opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
} else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
} else {
DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
ret = EINVAL;
goto done;
}
ret = sdap_get_map(opts, cdb, conf_path,
default_attr_map,
SDAP_AT_GENERAL,
&opts->gen_map);
if (ret != EOK) {
goto done;
}
ret = sdap_get_map(opts, cdb, conf_path,
default_user_map,
SDAP_OPTS_USER,
&opts->user_map);
if (ret != EOK) {
goto done;
}
ret = sdap_extend_map_with_list(opts, opts, SDAP_USER_EXTRA_ATTRS,
opts->user_map, SDAP_OPTS_USER,
&opts->user_map, &opts->user_map_cnt);
if (ret != EOK) {
goto done;
}
ret = sdap_get_map(opts, cdb, conf_path,
default_group_map,
SDAP_OPTS_GROUP,
&opts->group_map);
if (ret != EOK) {
goto done;
}
ret = sdap_get_map(opts, cdb, conf_path,
default_netgroup_map,
SDAP_OPTS_NETGROUP,
&opts->netgroup_map);
if (ret != EOK) {
goto done;
}
ret = sdap_get_map(opts, cdb, conf_path,
default_host_map,
SDAP_OPTS_HOST,
&opts->host_map);
if (ret != EOK) {
goto done;
}
ret = sdap_get_map(opts, cdb, conf_path,
default_service_map,
SDAP_OPTS_SERVICES,
&opts->service_map);
if (ret != EOK) {
goto done;
}
/* If there is no KDC, try the deprecated krb5_kdcip option, too */
/* FIXME - this can be removed in a future version */
ret = krb5_try_kdcip(cdb, conf_path, opts->basic, SDAP_KRB5_KDC);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_try_kdcip failed.\n");
goto done;
}
authtok_type = dp_opt_get_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE);
if (authtok_type != NULL &&
strcasecmp(authtok_type,"obfuscated_password") == 0) {
DEBUG(SSSDBG_TRACE_ALL, "Found obfuscated password, "
"trying to convert to cleartext.\n");
authtok_blob = dp_opt_get_blob(opts->basic, SDAP_DEFAULT_AUTHTOK);
if (authtok_blob.data == NULL || authtok_blob.length == 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing obfuscated password string.\n");
ret = EINVAL;
goto done;
}
ret = sss_password_decrypt(memctx, (char *) authtok_blob.data,
&cleartext);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot convert the obfuscated "
"password back to cleartext\n");
goto done;
}
authtok_blob.data = (uint8_t *) cleartext;
authtok_blob.length = strlen(cleartext);
ret = dp_opt_set_blob(opts->basic, SDAP_DEFAULT_AUTHTOK, authtok_blob);
talloc_free(cleartext);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
goto done;
}
ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE,
"password");
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
goto done;
}
}
ret = EOK;
*_opts = opts;
done:
if (ret != EOK) {
talloc_zfree(opts);
}
return ret;
}