From a15ab6146ebba795e3b58d5f32cf7a1d8653c082 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Feb 2014 10:05:34 +0100
Subject: [PATCH 103/104] SUDO: AD provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file, both components worked with different settings.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 61804568ce5ede3b1a699cda17c033dd6c23f0e3)
---
Makefile.am | 5 ++++
src/config/SSSDConfigTest.py | 2 +-
src/config/etc/sssd.api.d/sssd-ad.conf | 21 ++++++++++++++
src/man/sssd-ad.5.xml | 6 ++--
src/man/sssd.conf.5.xml | 15 ++++++++--
src/providers/ad/ad_common.h | 4 +++
src/providers/ad/ad_init.c | 25 +++++++++++++++++
src/providers/ad/ad_sudo.c | 51 ++++++++++++++++++++++++++++++++++
8 files changed, 122 insertions(+), 7 deletions(-)
create mode 100644 src/providers/ad/ad_sudo.c
diff --git a/Makefile.am b/Makefile.am
index 879054c2fb96f937fbd58ca0757d703cdea218d8..b37c04067d34569ad357327b7d463cc5b052f065 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1803,6 +1803,11 @@ libsss_ad_la_SOURCES = \
src/util/sss_krb5.c \
src/util/sss_ldap.c
+if BUILD_SUDO
+libsss_ad_la_SOURCES += \
+ src/providers/ad/ad_sudo.c
+endif
+
libsss_ad_la_CFLAGS = \
$(AM_CFLAGS) \
$(LDAP_CFLAGS) \
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index e6cf663ec86396a3d50dcbc14d4cf4d1157b0d5d..98b2fee63d519201047b0c576295863d59b0a37a 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -730,7 +730,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
control_provider_dict = {
'ipa': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs',
'session', 'hostid', 'subdomains'],
- 'ad': ['id', 'auth', 'access', 'chpass', 'subdomains'],
+ 'ad': ['id', 'auth', 'access', 'chpass', 'sudo', 'subdomains'],
'local': ['id', 'auth', 'chpass'],
'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],
'krb5': ['auth', 'access', 'chpass'],
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 6b136f2ec88614092cf1ceb4e2cea79db064d468..aa20ca0bb5b70818525d61a1480a6b56bd8c4e48 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -132,3 +132,24 @@ krb5_kpasswd = str, None, false
krb5_backup_kpasswd = str, None, false
[provider/ad/subdomains]
+
+[provider/ad/sudo]
+ldap_sudo_search_base = str, None, false
+ldap_sudo_full_refresh_interval = int, None, false
+ldap_sudo_smart_refresh_interval = int, None, false
+ldap_sudo_use_host_filter = bool, None, false
+ldap_sudo_hostnames = str, None, false
+ldap_sudo_ip = str, None, false
+ldap_sudo_include_netgroups = bool, None, false
+ldap_sudo_include_regexp = bool, None, false
+ldap_sudorule_object_class = str, None, false
+ldap_sudorule_name = str, None, false
+ldap_sudorule_command = str, None, false
+ldap_sudorule_host = str, None, false
+ldap_sudorule_user = str, None, false
+ldap_sudorule_option = str, None, false
+ldap_sudorule_runasuser = str, None, false
+ldap_sudorule_runasgroup = str, None, false
+ldap_sudorule_notbefore = str, None, false
+ldap_sudorule_notafter = str, None, false
+ldap_sudorule_order = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 38cc31278cf87c98ca9e53cf91fda7b141bff78d..8cd94d4aeaf553ecb54e0e4c866be5fb7a44fa8e 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -60,9 +60,9 @@
</para>
<para>
However, it is neither necessary nor recommended to set these
- options. The AD provider can also be used as an access and chpass
- provider. No configuration of the access provider is required on
- the client side.
+ options. The AD provider can also be used as an access, chpass and
+ sudo provider. No configuration of the access provider is required
+ on the client side.
</para>
<para>
By default, the AD provider will map UID and GID values from the
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 5d861c73cfeb41920619d95e5c1e5c1975dcc45b..29b08d53d2568f2fce47b37ea0b88c9dc233c12e 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1450,14 +1450,23 @@ fallback_homedir = /home/%u
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
- </citerefentry> for more information on configuring LDAP.
+ </citerefentry> for more information on configuring
+ LDAP.
+ </para>
+ <para>
+ <quote>ipa</quote> the same as <quote>ldap</quote>
+ but with IPA default settings.
+ </para>
+ <para>
+ <quote>ad</quote> the same as <quote>ldap</quote>
+ but with AD default settings.
</para>
<para>
<quote>none</quote> disables SUDO explicitly.
</para>
<para>
- Default: The value of <quote>id_provider</quote> is used if it
- is set.
+ Default: The value of <quote>id_provider</quote> is
+ used if it is set.
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index d370cef69124c127f41d7c4cbaa25713363e7752..bc11e54b0c4903c876f23bfea3ef573f06ba8c69 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -128,4 +128,8 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx,
struct ad_options *ctx);
void ad_dyndns_timer(void *pvt);
+int ad_sudo_init(struct be_ctx *be_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data);
#endif /* AD_COMMON_H_ */
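Review bot: The new ad_sudo_init prototype carries no contract for its out-parameters or for what state id_ctx must be in, and since the implementation dereferences `id_ctx->sdap_id_ctx` and `id_ctx->ad_options` unconditionally that precondition belongs here. A short comment above the declaration would do, e.g. `/* Set up the AD sudo target on top of the LDAP sudo code. id_ctx must be a fully initialised AD id context; on success *ops and *pvt_data are presumably filled in by the LDAP sudo initialisation. */`. The surrounding declarations are undocumented too, so this only raises the bar for the new line.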
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index eff6d990d131e3aba124d252d001dd39e78b45cf..500d807e9c44e92089d31c81f3b22c9606c476e5 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -467,3 +467,28 @@ int sssm_ad_subdomains_init(struct be_ctx *bectx,
return EOK;
}
+
+
+int sssm_ad_sudo_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+#ifdef BUILD_SUDO
+ struct ad_id_ctx *id_ctx;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing AD sudo handler\n"));
+
+ ret = sssm_ad_id_init(bectx, ops, (void **) &id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ad_id_init failed.\n"));
+ return ret;
+ }
+
+ return ad_sudo_init(bectx, id_ctx, ops, pvt_data);
+#else
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Sudo init handler called but SSSD is "
+ "built without sudo support, ignoring\n"));
+ return EOK;
+#endif
+}
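Review bot: On the BUILD_SUDO path `ops` is handed first to sssm_ad_id_init (the call with `(void **) &id_ctx`) and then again to ad_sudo_init, so whatever the id init stored in `*ops` is presumably replaced by the sudo init; if that is intended, a one-line comment would stop a future reader from treating it as a bug, e.g. `/* id init only to obtain id_ctx; *ops is replaced by ad_sudo_init below */`. The `#else` branch returns EOK without writing `*ops` or `*pvt_data`, so it relies on the caller tolerating an untouched ops pointer after a successful return — worth confirming against the backend loader rather than assuming. The preceding sssm_ad_subdomains_init is only visible by its closing lines, so whether it follows the same pattern cannot be checked from this hunk.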
diff --git a/src/providers/ad/ad_sudo.c b/src/providers/ad/ad_sudo.c
new file mode 100644
index 0000000000000000000000000000000000000000..b85c95c5c2f44e116a75bc24e073c067806621dd
--- /dev/null
+++ b/src/providers/ad/ad_sudo.c
@@ -0,0 +1,51 @@
+/*
+ SSSD
+
+ AD SUDO Provider Initialization functions
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/ad/ad_common.h"
+#include "providers/ldap/sdap_sudo.h"
+
+int ad_sudo_init(struct be_ctx *be_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ int ret;
+ struct ad_options *ad_options;
+ struct sdap_options *ldap_options;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing sudo AD back end\n"));
+
+ ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Cannot initialize LDAP SUDO [%d]: %s\n",
+ ret, strerror(ret)));
+ return ret;
+ }
+
+ ad_options = id_ctx->ad_options;
+ ldap_options = id_ctx->sdap_id_ctx->opts;
+
+ ad_options->id->sudorule_map = ldap_options->sudorule_map;
+ return EOK;
+}
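Review bot: The final assignment `ad_options->id->sudorule_map = ldap_options->sudorule_map;` makes two option structs share one map by pointer, but nothing records which one owns it; if the AD options were ever released independently of the sdap options this would become a dangling pointer or a double free, so a comment such as `/* sudorule_map remains owned by the sdap options; the AD options only alias it */` (adjusted to the real talloc parent) should accompany the line. The dereferences of `id_ctx->sdap_id_ctx`, `id_ctx->ad_options` and `ad_options->id` are all unchecked; the first is presumably safe because sdap_sudo_init has already used it, but `ad_options->id` being non-NULL is a precondition worth stating in the function comment. `strerror` is used in the failure log with only the two project headers included, so the build depends on one of them pulling in `<string.h>`.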
--
1.8.5.3