From 26b838f2229483952aeec92a3446acef828244c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Sun, 26 Mar 2017 03:00:14 +0200
Subject: [PATCH 54/54] Add domain_resolution_order config option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is the local equivalent of option of ipaDomainResolutionOrder and
has precedence over the ones set on IPA side making the precedence order
to be like: Local > View > Globally.
As done for the IPA side configurations, the domains which were not
explicitly set up will be appended to the end of the
domain_resolution_order list in the very same order they're presented in
the "domains" option of [sssd] section in the config file. There's no
guarantee of order for the subdomains though.
It's also important to mention that no expansion magic is performed on
our side. It means that if 'example.com' is set it does *not* stand for
all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com',
etc).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfigTest.py | 7 ++++++-
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 20 ++++++++++++++++++++
src/responder/common/responder.h | 1 +
src/responder/common/responder_common.c | 27 +++++++++++++++++++++++++++
8 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index fb60675ca8beb2c2a157bf021ed9cad362742988..56a603652d6c8256735e7f8b125300ff7b254645 100644
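--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -74,6 +74,7 @@
 #define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
 #define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
 #define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain"
+#define CONFDB_MONITOR_DOMAIN_RESOLUTION_ORDER "domain_resolution_order"
 
 /* Both monitor and domains */
 #define CONFDB_NAME_REGEX "re_expression"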
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 03a1a43336604bb815626e64cb54052bdf87acf2..e7fb7673d393d4f12910f355d3edf33f4390c1f1 100644
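--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -66,6 +66,7 @@ option_strings = {
 'override_space': _('All spaces in group or user names will be replaced with this character'),
 'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
 'enable_files_domain' : _('Enable or disable the implicit files domain'),
+ 'domain_resolution_order': _('A specific order of the domains to be looked up'),
 
 # [nss]
 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),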
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 457a6f0a09e7139a05f29f8bef7e475fe3b58ec2..6899bf8ae04bf210546c8cbdba8235f094e23dc0 100755
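--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -94,6 +94,10 @@ class SSSDConfigTestValid(unittest.TestCase):
 self.assertTrue('default_domain_suffix' in new_options)
 self.assertEquals(new_options['default_domain_suffix'][0], str)
 
+ self.assertTrue('domain_resolution_order' in new_options)
+ self.assertEquals(new_options['domain_resolution_order'][0], list)
+ self.assertEquals(new_options['domain_resolution_order'][1], str)
+
 del sssdconfig
 
 def testDomains(self):
@@ -314,7 +318,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
 'certificate_verification',
 'override_space',
 'disable_netlink',
- 'enable_files_domain']
+ 'enable_files_domain',
+ 'domain_resolution_order']
 
 self.assertTrue(type(options) == dict,
 "Options should be a dictionary")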
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 933ebccd828189d923d2186753dfbc0b5c0814ce..41efcea552a82c5492a0d21a8d0797ee42cdc8c7 100644
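--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -43,6 +43,7 @@ option = override_space
 option = config_file_version
 option = disable_netlink
 option = enable_files_domain
+option = domain_resolution_order
 
 [rule/allowed_nss_options]
 validator = ini_allowed_options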
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 08cecf00367aaaab3794a48bd1e728421a996e49..6965028e1ca748f8b6677d9fc1faa66d5c307a0c 100644
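--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -32,6 +32,7 @@ certificate_verification = str, None, false
 override_space = str, None, false
 disable_netlink = bool, None, false
 enable_files_domain = str, None, false
+domain_resolution_order = list, str, false
 
 [nss]
 # Name service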
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 1c27742cf0c1b6ffad23ab5b044bf4a168ed8f69..4fe13b85d511fb6a2ccc9b4de956710b05bc898c 100644
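--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -542,6 +542,26 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>domain_resolution_order</term>
+ <listitem>
+ <para>
+ Comma separated list of domains and subdomains
+ representing the lookup order that will be
+ followed.
+ The list doesn't have to include all possible
+ domains as the missing domains will be looked
+ up based on the order they're presented in the
+ <quote>domains</quote> configuration option.
+ The subdomains which are not listed as part of
+ <quote>lookup_order</quote> will be looked up
+ in a random order for each parent domain.
+ </para>
+ <para>
+ Default: Not set
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </para>
 </refsect2>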
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 29e3f95caf484f43307c9c28d4abd3f50f360a95..4210307489fe25829a1674f254ecc7d185029698 100644
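--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -115,6 +115,7 @@ struct resp_ctx {
 int client_idle_timeout;
 
 struct cache_req_domain *cr_domains;
+ const char *domain_resolution_order;
 
 time_t last_request_time;
 int idle_timeout;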
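Review bot: The new `domain_resolution_order` member of `struct resp_ctx` has no comment, and its `const char *` type does not tell a reader of the header that the responder_common.c hunk in this patch stores it as the [sssd] option with every ',' already replaced by ':', nor that it appears to stay NULL when the option is unset (the zeroing of rctx is outside this hunk, so that part is inferred). A one-line comment above the field would settle both: `/* [sssd] domain_resolution_order with ',' replaced by ':'; NULL when not configured */`. struct resp_ctx begins and ends outside the hunk.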
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 1792a4c3771fa326c7cca31e1981dce315c03758..154d7dc7718c437d10e152fcba98161e2034fb14 100644
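--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -1163,6 +1163,19 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
 rctx->override_space = tmp[0];
 }
 
+ ret = confdb_get_string(rctx->cdb, rctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DOMAIN_RESOLUTION_ORDER, NULL,
+ &tmp);
+ if (ret == EOK) {
+ rctx->domain_resolution_order = sss_replace_char(rctx, tmp, ',', ':');
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot get the \"domain_resolution_order\" option.\n"
+ "The set up lookup_order won't be followed [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ }
+
 ret = sss_monitor_init(rctx, rctx->ev, monitor_intf,
 svc_name, svc_version, MT_SVC_SERVICE,
 rctx, &rctx->last_request_time,
@@ -1546,6 +1559,20 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
 struct sss_domain_info *dom;
 errno_t ret;
 
+ if (rctx->domain_resolution_order != NULL) {
+ cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
+ rctx, rctx->domains, rctx->domain_resolution_order);
+
+ if (cr_domains == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to use domain_resolution_order set in the config file.\n"
+ "Trying to fallback to use ipaDomainOrderResolution setup by "
+ "IPA.\n");
+ } else {
+ goto done;
+ }
+ }
+
 for (dom = rctx->domains; dom != NULL; dom = dom->next) {
 if (dom->provider != NULL && strcmp(dom->provider, "ipa") == 0) {
 break;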
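Review bot: The return value of `sss_replace_char(rctx, tmp, ',', ':')` in the first hunk is never checked, so an allocation failure leaves `rctx->domain_resolution_order` NULL and the responder silently falls back to the IPA-side or `domains` order; because this option decides which domain a short user or group name resolves in, dropping an administrator's configured order without any log line is the wrong failure mode. It also looks like `confdb_get_string()` with a NULL default returns EOK and a NULL `tmp` when the option is simply unset (the confdb code is outside the hunk, so that is inferred), which makes "not configured" and "out of memory" indistinguishable here; the rewrite below separates the two and logs the allocation failure, with the unwind left to the error path the rest of `sss_process_init` already uses. Two message details are also worth fixing while here: the first hunk's log says `lookup_order` and the man-page hunk quotes `<quote>lookup_order</quote>`, but the option is named `domain_resolution_order`, and the second hunk's fallback message says `ipaDomainOrderResolution` whereas the commit message names the IPA attribute `ipaDomainResolutionOrder`. Both `sss_process_init` and `sss_resp_populate_cr_domains` start and end outside these hunks, and the `done` label and the `cr_domains` declaration used by the second hunk are not visible.
```c
    ret = confdb_get_string(rctx->cdb, rctx,
                            CONFDB_MONITOR_CONF_ENTRY,
                            CONFDB_MONITOR_DOMAIN_RESOLUTION_ORDER, NULL,
                            &tmp);
    if (ret != EOK) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Cannot get the \"domain_resolution_order\" option.\n"
              "The configured domain_resolution_order won't be followed [%d]: %s.\n",
              ret, sss_strerror(ret));
    } else if (tmp != NULL) {
        /* confdb reports EOK with tmp == NULL when the option is unset;
         * only a configured value is converted, so a NULL result below
         * can only mean an allocation failure. */
        rctx->domain_resolution_order = sss_replace_char(rctx, tmp, ',', ':');
        if (rctx->domain_resolution_order == NULL) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Cannot allocate the domain_resolution_order list.\n");
            ret = ENOMEM;
            /* … unwind via the error path used by the rest of sss_process_init … */
        }
    }
    /* … unchanged: sss_monitor_init call … */
```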
--
2.9.3