int sssm_ldap_id_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_data)
{
struct sdap_id_ctx *ctx = NULL;
const char *urls;
const char *backup_urls;
const char *dns_service_name;
const char *sasl_mech;
struct sdap_service *sdap_service;
struct sdap_options *opts = NULL;
int ret;
/* If we're already set up, just return that */
if(bectx->bet_info[BET_ID].mod_name &&
strcmp("ldap", bectx->bet_info[BET_ID].mod_name) == 0) {
DEBUG(8, ("Re-using sdap_id_ctx for this provider\n"));
*ops = bectx->bet_info[BET_ID].bet_ops;
*pvt_data = bectx->bet_info[BET_ID].pvt_bet_data;
return EOK;
}
ret = ldap_get_options(bectx, bectx->domain, bectx->cdb,
bectx->conf_path, &opts);
if (ret != EOK) {
goto done;
}
dns_service_name = dp_opt_get_string(opts->basic,
SDAP_DNS_SERVICE_NAME);
DEBUG(SSSDBG_CONF_SETTINGS,
("Service name for discovery set to %s\n", dns_service_name));
urls = dp_opt_get_string(opts->basic, SDAP_URI);
backup_urls = dp_opt_get_string(opts->basic, SDAP_BACKUP_URI);
ret = sdap_service_init(bectx, bectx, "LDAP",
dns_service_name, urls, backup_urls,
&sdap_service);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to initialize failover service!\n"));
goto done;
}
ctx = sdap_id_ctx_new(bectx, bectx, sdap_service);
if (!ctx) {
ret = ENOMEM;
goto done;
}
ctx->opts = talloc_steal(ctx, opts);
sasl_mech = dp_opt_get_string(ctx->opts->basic, SDAP_SASL_MECH);
if (sasl_mech && strcasecmp(sasl_mech, "GSSAPI") == 0) {
if (dp_opt_get_bool(ctx->opts->basic, SDAP_KRB5_KINIT)) {
ret = sdap_gssapi_init(ctx, ctx->opts->basic,
ctx->be, ctx->conn->service,
&ctx->krb5_service);
if (ret != EOK) {
DEBUG(1, ("sdap_gssapi_init failed [%d][%s].\n",
ret, strerror(ret)));
goto done;
}
}
}
ret = setup_tls_config(ctx->opts->basic);
if (ret != EOK) {
DEBUG(1, ("setup_tls_config failed [%d][%s].\n",
ret, strerror(ret)));
goto done;
}
/* Set up the ID mapping object */
ret = sdap_idmap_init(ctx, ctx, &ctx->opts->idmap_ctx);
if (ret != EOK) goto done;
ret = ldap_id_setup_tasks(ctx);
if (ret != EOK) {
goto done;
}
ret = sdap_setup_child();
if (ret != EOK) {
DEBUG(1, ("setup_child failed [%d][%s].\n",
ret, strerror(ret)));
goto done;
}
/* setup SRV lookup plugin */
ret = be_fo_set_dns_srv_lookup_plugin(bectx, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin "
"[%d]: %s\n", ret, strerror(ret)));
goto done;
}
/* setup periodical refresh of expired records */
ret = be_refresh_add_cb(bectx->refresh_ctx, BE_REFRESH_TYPE_NETGROUPS,
sdap_refresh_netgroups_send,
sdap_refresh_netgroups_recv,
ctx);
if (ret != EOK && ret != EEXIST) {
DEBUG(SSSDBG_MINOR_FAILURE, ("Periodical refresh of netgroups "
"will not work [%d]: %s\n", ret, strerror(ret)));
}
*ops = &sdap_id_ops;
*pvt_data = ctx;
ret = EOK;
done:
if (ret != EOK) {
talloc_free(opts);
talloc_free(ctx);
}
return ret;
}
errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
struct data_provider *provider,
const char *module_name,
void **_module_data)
{
struct krb5_ctx *ctx;
const char *errstr;
int errval;
int errpos;
errno_t ret;
ctx = talloc_zero(mem_ctx, struct krb5_ctx);
if (ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n");
return ENOMEM;
}
/* Only needed to generate random ccache names for non-POSIX domains */
srand(time(NULL) * getpid());
ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, &ctx->opts);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
ctx->action = INIT_PW;
ctx->config_type = K5C_GENERIC;
ret = krb5_init_kdc(ctx, be_ctx);
if (ret != EOK) {
goto done;
}
ret = krb5_init_kpasswd(ctx, be_ctx);
if (ret != EOK) {
goto done;
}
ret = krb5_child_init(ctx, be_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize krb5_child settings "
"[%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
ctx->illegal_path_re = pcre_compile2(ILLEGAL_PATH_PATTERN, 0,
&errval, &errstr, &errpos, NULL);
if (ctx->illegal_path_re == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid Regular Expression pattern "
"at position %d. (Error: %d [%s])\n", errpos, errval, errstr);
ret = EFAULT;
goto done;
}
talloc_set_destructor(ctx, krb5_ctx_re_destructor);
ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
"[%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
*_module_data = ctx;
ret = EOK;
done:
if (ret != EOK) {
talloc_free(ctx);
}
return ret;
}
int sssm_ipa_id_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_data)
{
struct ipa_id_ctx *ipa_ctx;
struct sdap_id_ctx *sdap_ctx;
const char *hostname;
const char *ipa_domain;
const char *ipa_servers;
struct ipa_srv_plugin_ctx *srv_ctx;
bool server_mode;
int ret;
if (!ipa_options) {
ret = common_ipa_init(bectx);
if (ret != EOK) {
return ret;
}
}
if (ipa_options->id_ctx) {
/* already initialized */
*ops = &ipa_id_ops;
*pvt_data = ipa_options->id_ctx;
return EOK;
}
ipa_ctx = talloc_zero(ipa_options, struct ipa_id_ctx);
if (!ipa_ctx) {
return ENOMEM;
}
ipa_options->id_ctx = ipa_ctx;
ipa_ctx->ipa_options = ipa_options;
sdap_ctx = sdap_id_ctx_new(ipa_options, bectx, ipa_options->service->sdap);
if (sdap_ctx == NULL) {
return ENOMEM;
}
ipa_ctx->sdap_id_ctx = sdap_ctx;
ret = ipa_get_id_options(ipa_options, bectx->cdb,
bectx->conf_path,
&sdap_ctx->opts);
if (ret != EOK) {
goto done;
}
ret = ipa_get_dyndns_options(bectx, ipa_options);
if (ret != EOK) {
goto done;
}
if (dp_opt_get_bool(ipa_options->dyndns_ctx->opts, DP_OPT_DYNDNS_UPDATE)) {
/* Perform automatic DNS updates when the
* IP address changes.
* Register a callback for successful LDAP
* reconnections. This is the easiest way to
* identify that we have gone online.
*/
DEBUG(SSSDBG_CONF_SETTINGS,
"Dynamic DNS updates are on. Checking for nsupdate..\n");
ret = be_nsupdate_check();
if (ret == EOK) {
/* nsupdate is available. Dynamic updates
* are supported
*/
ret = ipa_dyndns_init(sdap_ctx->be, ipa_options);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failure setting up automatic DNS update\n");
/* We will continue without DNS updating */
}
}
}
ret = setup_tls_config(sdap_ctx->opts->basic);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "setup_tls_config failed [%d][%s].\n",
ret, strerror(ret));
goto done;
}
/* Set up the ID mapping object */
ret = ipa_idmap_init(sdap_ctx, sdap_ctx, &sdap_ctx->opts->idmap_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Could not initialize ID mapping. In case ID mapping properties "
"changed on the server, please remove the SSSD database\n");
goto done;
}
ret = ldap_id_setup_tasks(sdap_ctx);
if (ret != EOK) {
goto done;
}
ret = sdap_setup_child();
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "setup_child failed [%d][%s].\n",
ret, strerror(ret));
goto done;
}
/* setup SRV lookup plugin */
hostname = dp_opt_get_string(ipa_options->basic, IPA_HOSTNAME);
server_mode = dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE);
if (server_mode == true) {
ipa_ctx->view_name = talloc_strdup(ipa_ctx, SYSDB_DEFAULT_VIEW_NAME);
if (ipa_ctx->view_name == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
ret = ENOMEM;
goto done;
}
ret = sysdb_update_view_name(bectx->domain->sysdb, ipa_ctx->view_name);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot add/update view name to sysdb.\n");
goto done;
}
ipa_servers = dp_opt_get_string(ipa_options->basic, IPA_SERVER);
if (srv_in_server_list(ipa_servers) == true
|| dp_opt_get_bool(ipa_options->basic,
IPA_ENABLE_DNS_SITES) == true) {
DEBUG(SSSDBG_MINOR_FAILURE, "SRV resolution or IPA sites enabled "
"on the IPA server. Site discovery of trusted AD servers "
"might not work\n");
/* If SRV discovery is enabled on the server and
* dns_discovery_domain is set explicitly, then
* the current failover code would use the dns_discovery
* domain to try to find AD servers and fail
*/
if (dp_opt_get_string(bectx->be_res->opts,
DP_RES_OPT_DNS_DOMAIN)) {
sss_log(SSS_LOG_ERR, ("SRV discovery is enabled on the IPA "
"server while using custom dns_discovery_domain. "
"DNS discovery of trusted AD domain will likely fail. "
"It is recommended not to use SRV discovery or the "
"dns_discovery_domain option for the IPA domain while "
"running on the server itself\n"));
DEBUG(SSSDBG_CRIT_FAILURE, "SRV discovery is enabled on IPA "
"server while using custom dns_discovery_domain. "
"DNS discovery of trusted AD domain will likely fail. "
"It is recommended not to use SRV discovery or the "
"dns_discovery_domain option for the IPA domain while "
"running on the server itself\n");
}
ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
"[%d]: %s\n", ret, strerror(ret));
goto done;
}
} else {
/* In server mode we need to ignore the dns_discovery_domain if set
* and only discover servers based on AD domains
*/
ret = dp_opt_set_string(bectx->be_res->opts, DP_RES_OPT_DNS_DOMAIN,
NULL);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Could not reset the "
"dns_discovery_domain, trusted AD domains discovery "
"might fail. Please remove dns_discovery_domain "
"from the config file and restart the SSSD\n");
} else {
DEBUG(SSSDBG_CONF_SETTINGS, "The value of dns_discovery_domain "
"will be ignored in ipa_server_mode\n");
}
}
} else {
ret = sysdb_get_view_name(ipa_ctx, bectx->domain->sysdb,
&ipa_ctx->view_name);
if (ret != EOK) {
if (ret == ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot find view name in the cache. " \
"Will do online lookup later.\n");
} else {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name failed.\n");
goto done;
}
}
if (dp_opt_get_bool(ipa_options->basic, IPA_ENABLE_DNS_SITES)) {
/* use IPA plugin */
ipa_domain = dp_opt_get_string(ipa_options->basic, IPA_DOMAIN);
srv_ctx = ipa_srv_plugin_ctx_init(bectx, bectx->be_res->resolv,
hostname, ipa_domain);
if (srv_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
ret = ENOMEM;
goto done;
}
be_fo_set_srv_lookup_plugin(bectx, ipa_srv_plugin_send,
ipa_srv_plugin_recv, srv_ctx, "IPA");
} else {
/* fall back to standard plugin on clients. */
ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
"[%d]: %s\n", ret, strerror(ret));
goto done;
}
}
}
/* setup periodical refresh of expired records */
ret = sdap_refresh_init(bectx->refresh_ctx, sdap_ctx);
if (ret != EOK && ret != EEXIST) {
DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
"will not work [%d]: %s\n", ret, strerror(ret));
}
ipa_ctx->sdap_id_ctx->opts->ext_ctx = ipa_create_ext_members_ctx(
ipa_ctx->sdap_id_ctx->opts,
ipa_ctx);
if (ipa_ctx->sdap_id_ctx->opts->ext_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unable to set SRV the extrernal group ctx\n");
ret = ENOMEM;
goto done;
}
*ops = &ipa_id_ops;
*pvt_data = ipa_ctx;
ret = EOK;
done:
if (ret != EOK) {
talloc_zfree(ipa_options->id_ctx);
}
return ret;
}
int sssm_ldap_id_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_data)
{
struct sdap_id_ctx *ctx;
const char *urls;
const char *backup_urls;
const char *dns_service_name;
const char *sasl_mech;
int ret;
/* If we're already set up, just return that */
if(bectx->bet_info[BET_ID].mod_name &&
strcmp("ldap", bectx->bet_info[BET_ID].mod_name) == 0) {
DEBUG(8, ("Re-using sdap_id_ctx for this provider\n"));
*ops = bectx->bet_info[BET_ID].bet_ops;
*pvt_data = bectx->bet_info[BET_ID].pvt_bet_data;
return EOK;
}
ctx = talloc_zero(bectx, struct sdap_id_ctx);
if (!ctx) return ENOMEM;
ctx->be = bectx;
ret = ldap_get_options(ctx, bectx->cdb,
bectx->conf_path, &ctx->opts);
if (ret != EOK) {
goto done;
}
dns_service_name = dp_opt_get_string(ctx->opts->basic,
SDAP_DNS_SERVICE_NAME);
DEBUG(7, ("Service name for discovery set to %s\n", dns_service_name));
urls = dp_opt_get_string(ctx->opts->basic, SDAP_URI);
backup_urls = dp_opt_get_string(ctx->opts->basic, SDAP_BACKUP_URI);
ret = sdap_service_init(ctx, ctx->be, "LDAP",
dns_service_name, urls, backup_urls,
&ctx->service);
if (ret != EOK) {
DEBUG(1, ("Failed to initialize failover service!\n"));
goto done;
}
sasl_mech = dp_opt_get_string(ctx->opts->basic, SDAP_SASL_MECH);
if (sasl_mech && strcasecmp(sasl_mech, "GSSAPI") == 0) {
if (dp_opt_get_bool(ctx->opts->basic, SDAP_KRB5_KINIT)) {
ret = sdap_gssapi_init(ctx, ctx->opts->basic,
ctx->be, ctx->service,
&ctx->krb5_service);
if (ret != EOK) {
DEBUG(1, ("sdap_gssapi_init failed [%d][%s].\n",
ret, strerror(ret)));
goto done;
}
}
}
ret = setup_tls_config(ctx->opts->basic);
if (ret != EOK) {
DEBUG(1, ("setup_tls_config failed [%d][%s].\n",
ret, strerror(ret)));
goto done;
}
ret = sdap_id_conn_cache_create(ctx, ctx, &ctx->conn_cache);
if (ret != EOK) {
goto done;
}
if (dp_opt_get_bool(ctx->opts->basic, SDAP_ID_MAPPING)) {
/* Set up the ID mapping object */
ret = sdap_idmap_init(ctx, ctx, &ctx->opts->idmap_ctx);
if (ret != EOK) goto done;
}
ret = sdap_id_setup_tasks(ctx);
if (ret != EOK) {
goto done;
}
ret = setup_child(ctx);
if (ret != EOK) {
DEBUG(1, ("setup_child failed [%d][%s].\n",
ret, strerror(ret)));
goto done;
}
/* setup SRV lookup plugin */
ret = be_fo_set_dns_srv_lookup_plugin(bectx, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin "
"[%d]: %s\n", ret, strerror(ret)));
goto done;
}
*ops = &sdap_id_ops;
*pvt_data = ctx;
ret = EOK;
done:
if (ret != EOK) {
talloc_free(ctx);
}
return ret;
}
