Line data Source code
1 : /*
2 : SSSD
3 :
4 : IPA Provider Initialization functions
5 :
6 : Authors:
7 : Simo Sorce <ssorce@redhat.com>
8 :
9 : Copyright (C) 2009 Red Hat
10 :
11 : This program is free software; you can redistribute it and/or modify
12 : it under the terms of the GNU General Public License as published by
13 : the Free Software Foundation; either version 3 of the License, or
14 : (at your option) any later version.
15 :
16 : This program is distributed in the hope that it will be useful,
17 : but WITHOUT ANY WARRANTY; without even the implied warranty of
18 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 : GNU General Public License for more details.
20 :
21 : You should have received a copy of the GNU General Public License
22 : along with this program. If not, see <http://www.gnu.org/licenses/>.
23 : */
24 :
25 : #include <sys/types.h>
26 : #include <unistd.h>
27 : #include <sys/stat.h>
28 : #include <fcntl.h>
29 :
30 : #include "util/child_common.h"
31 : #include "providers/ipa/ipa_common.h"
32 : #include "providers/krb5/krb5_auth.h"
33 : #include "providers/krb5/krb5_init_shared.h"
34 : #include "providers/ipa/ipa_id.h"
35 : #include "providers/ipa/ipa_auth.h"
36 : #include "providers/ipa/ipa_access.h"
37 : #include "providers/ipa/ipa_hostid.h"
38 : #include "providers/ipa/ipa_dyndns.h"
39 : #include "providers/ipa/ipa_selinux.h"
40 : #include "providers/ldap/sdap_access.h"
41 : #include "providers/ldap/sdap_idmap.h"
42 : #include "providers/ipa/ipa_subdomains.h"
43 : #include "providers/ipa/ipa_srv.h"
44 : #include "providers/dp_dyndns.h"
45 :
46 : struct ipa_options *ipa_options = NULL;
47 :
48 : /* Id Handler */
49 : struct bet_ops ipa_id_ops = {
50 : .handler = ipa_account_info_handler,
51 : .finalize = NULL,
52 : .check_online = ipa_check_online
53 : };
54 :
55 : struct bet_ops ipa_auth_ops = {
56 : .handler = ipa_auth,
57 : .finalize = NULL,
58 : };
59 :
60 : struct bet_ops ipa_chpass_ops = {
61 : .handler = ipa_auth,
62 : .finalize = NULL,
63 : };
64 :
65 : struct bet_ops ipa_access_ops = {
66 : .handler = ipa_access_handler,
67 : .finalize = NULL
68 : };
69 :
70 : struct bet_ops ipa_selinux_ops = {
71 : .handler = ipa_selinux_handler,
72 : .finalize = NULL
73 : };
74 :
75 : #ifdef BUILD_SSH
76 : struct bet_ops ipa_hostid_ops = {
77 : .handler = ipa_host_info_handler,
78 : .finalize = NULL
79 : };
80 : #endif
81 :
82 0 : static bool srv_in_server_list(const char *servers)
83 : {
84 : TALLOC_CTX *tmp_ctx;
85 0 : char **list = NULL;
86 0 : int ret = 0;
87 0 : bool has_srv = false;
88 :
89 0 : if (servers == NULL) return true;
90 :
91 0 : tmp_ctx = talloc_new(NULL);
92 0 : if (!tmp_ctx) {
93 0 : return false;
94 : }
95 :
96 : /* split server parm into a list */
97 0 : ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL);
98 0 : if (ret != EOK) {
99 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n");
100 0 : goto done;
101 : }
102 :
103 0 : for (int i = 0; list[i]; i++) {
104 0 : has_srv = be_fo_is_srv_identifier(list[i]);
105 0 : if (has_srv == true) {
106 0 : break;
107 : }
108 : }
109 :
110 : done:
111 0 : talloc_free(tmp_ctx);
112 0 : return has_srv;
113 : }
114 :
115 0 : int common_ipa_init(struct be_ctx *bectx)
116 : {
117 : const char *ipa_servers;
118 : const char *ipa_backup_servers;
119 : int ret;
120 :
121 0 : ret = ipa_get_options(bectx, bectx->cdb,
122 : bectx->conf_path,
123 : bectx->domain, &ipa_options);
124 0 : if (ret != EOK) {
125 0 : return ret;
126 : }
127 :
128 0 : ipa_servers = dp_opt_get_string(ipa_options->basic, IPA_SERVER);
129 0 : ipa_backup_servers = dp_opt_get_string(ipa_options->basic, IPA_BACKUP_SERVER);
130 :
131 0 : ret = ipa_service_init(ipa_options, bectx, ipa_servers,
132 : ipa_backup_servers, ipa_options,
133 0 : &ipa_options->service);
134 0 : if (ret != EOK) {
135 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init IPA failover service!\n");
136 0 : return ret;
137 : }
138 :
139 0 : return EOK;
140 : }
141 :
142 0 : int sssm_ipa_id_init(struct be_ctx *bectx,
143 : struct bet_ops **ops,
144 : void **pvt_data)
145 : {
146 : struct ipa_id_ctx *ipa_ctx;
147 : struct sdap_id_ctx *sdap_ctx;
148 : const char *hostname;
149 : const char *ipa_domain;
150 : const char *ipa_servers;
151 : struct ipa_srv_plugin_ctx *srv_ctx;
152 : bool server_mode;
153 : int ret;
154 :
155 0 : if (!ipa_options) {
156 0 : ret = common_ipa_init(bectx);
157 0 : if (ret != EOK) {
158 0 : return ret;
159 : }
160 : }
161 :
162 0 : if (ipa_options->id_ctx) {
163 : /* already initialized */
164 0 : *ops = &ipa_id_ops;
165 0 : *pvt_data = ipa_options->id_ctx;
166 0 : return EOK;
167 : }
168 :
169 0 : ipa_ctx = talloc_zero(ipa_options, struct ipa_id_ctx);
170 0 : if (!ipa_ctx) {
171 0 : return ENOMEM;
172 : }
173 0 : ipa_options->id_ctx = ipa_ctx;
174 0 : ipa_ctx->ipa_options = ipa_options;
175 :
176 0 : sdap_ctx = sdap_id_ctx_new(ipa_options, bectx, ipa_options->service->sdap);
177 0 : if (sdap_ctx == NULL) {
178 0 : return ENOMEM;
179 : }
180 0 : ipa_ctx->sdap_id_ctx = sdap_ctx;
181 :
182 0 : ret = ipa_get_id_options(ipa_options, bectx->cdb,
183 : bectx->conf_path,
184 : &sdap_ctx->opts);
185 0 : if (ret != EOK) {
186 0 : goto done;
187 : }
188 :
189 0 : ret = ipa_get_dyndns_options(bectx, ipa_options);
190 0 : if (ret != EOK) {
191 0 : goto done;
192 : }
193 :
194 0 : if (dp_opt_get_bool(ipa_options->dyndns_ctx->opts, DP_OPT_DYNDNS_UPDATE)) {
195 : /* Perform automatic DNS updates when the
196 : * IP address changes.
197 : * Register a callback for successful LDAP
198 : * reconnections. This is the easiest way to
199 : * identify that we have gone online.
200 : */
201 :
202 0 : DEBUG(SSSDBG_CONF_SETTINGS,
203 : "Dynamic DNS updates are on. Checking for nsupdate..\n");
204 0 : ret = be_nsupdate_check();
205 0 : if (ret == EOK) {
206 : /* nsupdate is available. Dynamic updates
207 : * are supported
208 : */
209 0 : ret = ipa_dyndns_init(sdap_ctx->be, ipa_options);
210 0 : if (ret != EOK) {
211 0 : DEBUG(SSSDBG_CRIT_FAILURE,
212 : "Failure setting up automatic DNS update\n");
213 : /* We will continue without DNS updating */
214 : }
215 : }
216 : }
217 :
218 0 : ret = setup_tls_config(sdap_ctx->opts->basic);
219 0 : if (ret != EOK) {
220 0 : DEBUG(SSSDBG_CRIT_FAILURE, "setup_tls_config failed [%d][%s].\n",
221 : ret, strerror(ret));
222 0 : goto done;
223 : }
224 :
225 :
226 : /* Set up the ID mapping object */
227 0 : ret = ipa_idmap_init(sdap_ctx, sdap_ctx, &sdap_ctx->opts->idmap_ctx);
228 0 : if (ret != EOK) {
229 0 : DEBUG(SSSDBG_FATAL_FAILURE,
230 : "Could not initialize ID mapping. In case ID mapping properties "
231 : "changed on the server, please remove the SSSD database\n");
232 0 : goto done;
233 : }
234 :
235 :
236 0 : ret = ldap_id_setup_tasks(sdap_ctx);
237 0 : if (ret != EOK) {
238 0 : goto done;
239 : }
240 :
241 0 : ret = sdap_setup_child();
242 0 : if (ret != EOK) {
243 0 : DEBUG(SSSDBG_CRIT_FAILURE, "setup_child failed [%d][%s].\n",
244 : ret, strerror(ret));
245 0 : goto done;
246 : }
247 :
248 : /* setup SRV lookup plugin */
249 0 : hostname = dp_opt_get_string(ipa_options->basic, IPA_HOSTNAME);
250 0 : server_mode = dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE);
251 :
252 0 : if (server_mode == true) {
253 0 : ipa_ctx->view_name = talloc_strdup(ipa_ctx, SYSDB_DEFAULT_VIEW_NAME);
254 0 : if (ipa_ctx->view_name == NULL) {
255 0 : DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
256 0 : ret = ENOMEM;
257 0 : goto done;
258 : }
259 :
260 0 : ret = sysdb_update_view_name(bectx->domain->sysdb, ipa_ctx->view_name);
261 0 : if (ret != EOK) {
262 0 : DEBUG(SSSDBG_CRIT_FAILURE,
263 : "Cannot add/update view name to sysdb.\n");
264 0 : goto done;
265 : }
266 :
267 0 : ipa_servers = dp_opt_get_string(ipa_options->basic, IPA_SERVER);
268 0 : if (srv_in_server_list(ipa_servers) == true
269 0 : || dp_opt_get_bool(ipa_options->basic,
270 : IPA_ENABLE_DNS_SITES) == true) {
271 0 : DEBUG(SSSDBG_MINOR_FAILURE, "SRV resolution or IPA sites enabled "
272 : "on the IPA server. Site discovery of trusted AD servers "
273 : "might not work\n");
274 :
275 : /* If SRV discovery is enabled on the server and
276 : * dns_discovery_domain is set explicitly, then
277 : * the current failover code would use the dns_discovery
278 : * domain to try to find AD servers and fail
279 : */
280 0 : if (dp_opt_get_string(bectx->be_res->opts,
281 : DP_RES_OPT_DNS_DOMAIN)) {
282 0 : sss_log(SSS_LOG_ERR, ("SRV discovery is enabled on the IPA "
283 : "server while using custom dns_discovery_domain. "
284 : "DNS discovery of trusted AD domain will likely fail. "
285 : "It is recommended not to use SRV discovery or the "
286 : "dns_discovery_domain option for the IPA domain while "
287 : "running on the server itself\n"));
288 0 : DEBUG(SSSDBG_CRIT_FAILURE, "SRV discovery is enabled on IPA "
289 : "server while using custom dns_discovery_domain. "
290 : "DNS discovery of trusted AD domain will likely fail. "
291 : "It is recommended not to use SRV discovery or the "
292 : "dns_discovery_domain option for the IPA domain while "
293 : "running on the server itself\n");
294 : }
295 :
296 0 : ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname);
297 0 : if (ret != EOK) {
298 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
299 : "[%d]: %s\n", ret, strerror(ret));
300 0 : goto done;
301 : }
302 : } else {
303 : /* In server mode we need to ignore the dns_discovery_domain if set
304 : * and only discover servers based on AD domains
305 : */
306 0 : ret = dp_opt_set_string(bectx->be_res->opts, DP_RES_OPT_DNS_DOMAIN,
307 : NULL);
308 0 : if (ret != EOK) {
309 0 : DEBUG(SSSDBG_MINOR_FAILURE, "Could not reset the "
310 : "dns_discovery_domain, trusted AD domains discovery "
311 : "might fail. Please remove dns_discovery_domain "
312 : "from the config file and restart the SSSD\n");
313 : } else {
314 0 : DEBUG(SSSDBG_CONF_SETTINGS, "The value of dns_discovery_domain "
315 : "will be ignored in ipa_server_mode\n");
316 : }
317 : }
318 : } else {
319 0 : ret = sysdb_get_view_name(ipa_ctx, bectx->domain->sysdb,
320 : &ipa_ctx->view_name);
321 0 : if (ret != EOK) {
322 0 : if (ret == ENOENT) {
323 0 : DEBUG(SSSDBG_CRIT_FAILURE,
324 : "Cannot find view name in the cache. " \
325 : "Will do online lookup later.\n");
326 : } else {
327 0 : DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name failed.\n");
328 0 : goto done;
329 : }
330 : }
331 :
332 0 : if (dp_opt_get_bool(ipa_options->basic, IPA_ENABLE_DNS_SITES)) {
333 : /* use IPA plugin */
334 0 : ipa_domain = dp_opt_get_string(ipa_options->basic, IPA_DOMAIN);
335 0 : srv_ctx = ipa_srv_plugin_ctx_init(bectx, bectx->be_res->resolv,
336 : hostname, ipa_domain);
337 0 : if (srv_ctx == NULL) {
338 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
339 0 : ret = ENOMEM;
340 0 : goto done;
341 : }
342 :
343 0 : be_fo_set_srv_lookup_plugin(bectx, ipa_srv_plugin_send,
344 : ipa_srv_plugin_recv, srv_ctx, "IPA");
345 : } else {
346 : /* fall back to standard plugin on clients. */
347 0 : ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname);
348 0 : if (ret != EOK) {
349 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
350 : "[%d]: %s\n", ret, strerror(ret));
351 0 : goto done;
352 : }
353 : }
354 : }
355 :
356 : /* setup periodical refresh of expired records */
357 0 : ret = sdap_refresh_init(bectx->refresh_ctx, sdap_ctx);
358 0 : if (ret != EOK && ret != EEXIST) {
359 0 : DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
360 : "will not work [%d]: %s\n", ret, strerror(ret));
361 : }
362 :
363 0 : *ops = &ipa_id_ops;
364 0 : *pvt_data = ipa_ctx;
365 0 : ret = EOK;
366 :
367 : done:
368 0 : if (ret != EOK) {
369 0 : talloc_zfree(ipa_options->id_ctx);
370 : }
371 0 : return ret;
372 : }
373 :
374 0 : void cleanup_ipa_preauth_indicator(void)
375 : {
376 : int ret;
377 :
378 0 : ret = unlink(PAM_PREAUTH_INDICATOR);
379 0 : if (ret != EOK) {
380 0 : DEBUG(SSSDBG_OP_FAILURE,
381 : "Failed to remove preauth indicator file [%s].\n",
382 : PAM_PREAUTH_INDICATOR);
383 : }
384 0 : }
385 :
386 0 : static errno_t create_ipa_preauth_indicator(void)
387 : {
388 : int ret;
389 0 : TALLOC_CTX *tmp_ctx = NULL;
390 : int fd;
391 :
392 0 : tmp_ctx = talloc_new(NULL);
393 0 : if (tmp_ctx == NULL) {
394 0 : DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
395 0 : return ENOMEM;
396 : }
397 :
398 0 : fd = open(PAM_PREAUTH_INDICATOR, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW,
399 : 0644);
400 0 : if (fd < 0) {
401 0 : if (errno != EEXIST) {
402 0 : DEBUG(SSSDBG_OP_FAILURE,
403 : "Failed to create preauth indicator file [%s].\n",
404 : PAM_PREAUTH_INDICATOR);
405 0 : ret = EOK;
406 0 : goto done;
407 : }
408 :
409 0 : DEBUG(SSSDBG_CRIT_FAILURE,
410 : "Preauth indicator file [%s] already exists. "
411 : "Maybe it is left after an unplanned exit. Continuing.\n",
412 : PAM_PREAUTH_INDICATOR);
413 : } else {
414 0 : close(fd);
415 : }
416 :
417 0 : ret = atexit(cleanup_ipa_preauth_indicator);
418 0 : if (ret != EOK) {
419 0 : DEBUG(SSSDBG_OP_FAILURE, "atexit failed. Continuing.\n");
420 : }
421 :
422 0 : ret = EOK;
423 :
424 : done:
425 0 : talloc_free(tmp_ctx);
426 :
427 0 : return ret;
428 : }
429 :
430 0 : int sssm_ipa_auth_init(struct be_ctx *bectx,
431 : struct bet_ops **ops,
432 : void **pvt_data)
433 : {
434 : struct ipa_auth_ctx *ipa_auth_ctx;
435 : struct ipa_id_ctx *id_ctx;
436 : struct krb5_ctx *krb5_auth_ctx;
437 : struct sdap_auth_ctx *sdap_auth_ctx;
438 : struct bet_ops *id_ops;
439 : int ret;
440 :
441 0 : if (!ipa_options) {
442 0 : ret = common_ipa_init(bectx);
443 0 : if (ret != EOK) {
444 0 : return ret;
445 : }
446 : }
447 :
448 0 : if (ipa_options->auth_ctx) {
449 : /* already initialized */
450 0 : *ops = &ipa_auth_ops;
451 0 : *pvt_data = ipa_options->auth_ctx;
452 0 : return EOK;
453 : }
454 :
455 0 : ipa_auth_ctx = talloc_zero(ipa_options, struct ipa_auth_ctx);
456 0 : if (!ipa_auth_ctx) {
457 0 : return ENOMEM;
458 : }
459 0 : ipa_options->auth_ctx = ipa_auth_ctx;
460 :
461 0 : ret = sssm_ipa_id_init(bectx, &id_ops, (void **) &id_ctx);
462 0 : if (ret != EOK) {
463 0 : DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ipa_id_init failed.\n");
464 0 : goto done;
465 : }
466 0 : ipa_auth_ctx->sdap_id_ctx = id_ctx->sdap_id_ctx;
467 :
468 0 : ret = dp_copy_options(ipa_auth_ctx, ipa_options->basic,
469 : IPA_OPTS_BASIC, &ipa_auth_ctx->ipa_options);
470 0 : if (ret != EOK) {
471 0 : DEBUG(SSSDBG_CRIT_FAILURE, "dp_copy_options failed.\n");
472 0 : goto done;
473 : }
474 :
475 0 : krb5_auth_ctx = talloc_zero(ipa_auth_ctx, struct krb5_ctx);
476 0 : if (!krb5_auth_ctx) {
477 0 : ret = ENOMEM;
478 0 : goto done;
479 : }
480 0 : krb5_auth_ctx->service = ipa_options->service->krb5_service;
481 :
482 0 : if (dp_opt_get_bool(id_ctx->ipa_options->basic,
483 : IPA_SERVER_MODE) == true) {
484 0 : krb5_auth_ctx->config_type = K5C_IPA_SERVER;
485 : } else {
486 0 : krb5_auth_ctx->config_type = K5C_IPA_CLIENT;
487 : }
488 0 : ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx;
489 :
490 0 : ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path,
491 : &krb5_auth_ctx->opts);
492 0 : if (ret != EOK) {
493 0 : goto done;
494 : }
495 :
496 0 : sdap_auth_ctx = talloc_zero(ipa_auth_ctx, struct sdap_auth_ctx);
497 0 : if (!sdap_auth_ctx) {
498 0 : ret = ENOMEM;
499 0 : goto done;
500 : }
501 0 : sdap_auth_ctx->be = bectx;
502 0 : sdap_auth_ctx->service = ipa_options->service->sdap;
503 :
504 0 : if (ipa_options->id == NULL) {
505 0 : ret = EINVAL;
506 0 : goto done;
507 : }
508 0 : sdap_auth_ctx->opts = ipa_options->id;
509 :
510 0 : ipa_options->auth_ctx->sdap_auth_ctx = sdap_auth_ctx;
511 :
512 0 : ret = setup_tls_config(sdap_auth_ctx->opts->basic);
513 0 : if (ret != EOK) {
514 0 : DEBUG(SSSDBG_CRIT_FAILURE, "setup_tls_config failed [%d][%s].\n",
515 : ret, strerror(ret));
516 0 : goto done;
517 : }
518 :
519 : /* Initialize features needed by the krb5_child */
520 0 : ret = krb5_child_init(krb5_auth_ctx, bectx);
521 0 : if (ret != EOK) {
522 0 : DEBUG(SSSDBG_FATAL_FAILURE,
523 : "Could not initialize krb5_child settings: [%s]\n",
524 : strerror(ret));
525 0 : goto done;
526 : }
527 :
528 0 : ret = create_ipa_preauth_indicator();
529 0 : if (ret != EOK) {
530 0 : DEBUG(SSSDBG_CRIT_FAILURE,
531 : "Failed to create preauth indicator file, special password "
532 : "prompting might not be available.\n");
533 0 : sss_log(SSSDBG_CRIT_FAILURE,
534 : "Failed to create preauth indicator file, special password "
535 : "prompting might not be available.\n");
536 : }
537 :
538 0 : *ops = &ipa_auth_ops;
539 0 : *pvt_data = ipa_auth_ctx;
540 0 : ret = EOK;
541 :
542 : done:
543 0 : if (ret != EOK) {
544 0 : talloc_zfree(ipa_options->auth_ctx);
545 : }
546 0 : return ret;
547 : }
548 :
549 0 : int sssm_ipa_chpass_init(struct be_ctx *bectx,
550 : struct bet_ops **ops,
551 : void **pvt_data)
552 : {
553 : int ret;
554 0 : ret = sssm_ipa_auth_init(bectx, ops, pvt_data);
555 0 : *ops = &ipa_chpass_ops;
556 0 : return ret;
557 : }
558 :
559 0 : int sssm_ipa_access_init(struct be_ctx *bectx,
560 : struct bet_ops **ops,
561 : void **pvt_data)
562 : {
563 : int ret;
564 : struct ipa_access_ctx *ipa_access_ctx;
565 : struct ipa_id_ctx *id_ctx;
566 :
567 0 : ipa_access_ctx = talloc_zero(bectx, struct ipa_access_ctx);
568 0 : if (ipa_access_ctx == NULL) {
569 0 : DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
570 0 : return ENOMEM;
571 : }
572 :
573 0 : ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
574 0 : if (ret != EOK) {
575 0 : DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ipa_id_init failed.\n");
576 0 : goto done;
577 : }
578 0 : ipa_access_ctx->sdap_ctx = id_ctx->sdap_id_ctx;
579 0 : ipa_access_ctx->host_map = id_ctx->ipa_options->host_map;
580 0 : ipa_access_ctx->hostgroup_map = id_ctx->ipa_options->hostgroup_map;
581 0 : ipa_access_ctx->host_search_bases = id_ctx->ipa_options->host_search_bases;
582 0 : ipa_access_ctx->hbac_search_bases = id_ctx->ipa_options->hbac_search_bases;
583 :
584 0 : ret = dp_copy_options(ipa_access_ctx, ipa_options->basic,
585 : IPA_OPTS_BASIC, &ipa_access_ctx->ipa_options);
586 0 : if (ret != EOK) {
587 0 : DEBUG(SSSDBG_CRIT_FAILURE, "dp_copy_options failed.\n");
588 0 : goto done;
589 : }
590 :
591 : /* Set up an sdap_access_ctx for checking expired/locked
592 : * accounts.
593 : */
594 0 : ipa_access_ctx->sdap_access_ctx =
595 0 : talloc_zero(ipa_access_ctx, struct sdap_access_ctx);
596 :
597 0 : ipa_access_ctx->sdap_access_ctx->id_ctx = ipa_access_ctx->sdap_ctx;
598 0 : ipa_access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
599 0 : ipa_access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
600 :
601 0 : *ops = &ipa_access_ops;
602 0 : *pvt_data = ipa_access_ctx;
603 :
604 : done:
605 0 : if (ret != EOK) {
606 0 : talloc_free(ipa_access_ctx);
607 : }
608 0 : return ret;
609 : }
610 :
611 0 : int sssm_ipa_selinux_init(struct be_ctx *bectx,
612 : struct bet_ops **ops,
613 : void **pvt_data)
614 : {
615 : int ret;
616 : struct ipa_selinux_ctx *selinux_ctx;
617 : struct ipa_options *opts;
618 :
619 0 : selinux_ctx = talloc_zero(bectx, struct ipa_selinux_ctx);
620 0 : if (selinux_ctx == NULL) {
621 0 : DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
622 0 : return ENOMEM;
623 : }
624 :
625 0 : ret = sssm_ipa_id_init(bectx, ops, (void **) &selinux_ctx->id_ctx);
626 0 : if (ret != EOK) {
627 0 : DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ipa_id_init failed.\n");
628 0 : goto done;
629 : }
630 :
631 0 : opts = selinux_ctx->id_ctx->ipa_options;
632 :
633 0 : selinux_ctx->hbac_search_bases = opts->hbac_search_bases;
634 0 : selinux_ctx->host_search_bases = opts->host_search_bases;
635 0 : selinux_ctx->selinux_search_bases = opts->selinux_search_bases;
636 :
637 0 : *ops = &ipa_selinux_ops;
638 0 : *pvt_data = selinux_ctx;
639 :
640 : done:
641 0 : if (ret != EOK) {
642 0 : talloc_free(selinux_ctx);
643 : }
644 0 : return ret;
645 : }
646 :
647 : #ifdef BUILD_SSH
648 0 : int sssm_ipa_hostid_init(struct be_ctx *bectx,
649 : struct bet_ops **ops,
650 : void **pvt_data)
651 : {
652 : int ret;
653 : struct ipa_hostid_ctx *hostid_ctx;
654 : struct ipa_id_ctx *id_ctx;
655 :
656 0 : hostid_ctx = talloc_zero(bectx, struct ipa_hostid_ctx);
657 0 : if (hostid_ctx == NULL) {
658 0 : DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
659 0 : return ENOMEM;
660 : }
661 :
662 0 : ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
663 0 : if (ret != EOK) {
664 0 : DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ipa_id_init failed.\n");
665 0 : goto done;
666 : }
667 0 : hostid_ctx->sdap_id_ctx = id_ctx->sdap_id_ctx;
668 0 : hostid_ctx->host_search_bases = id_ctx->ipa_options->host_search_bases;
669 0 : hostid_ctx->ipa_opts = ipa_options;
670 :
671 0 : *ops = &ipa_hostid_ops;
672 0 : *pvt_data = hostid_ctx;
673 :
674 : done:
675 0 : if (ret != EOK) {
676 0 : talloc_free(hostid_ctx);
677 : }
678 0 : return ret;
679 : }
680 : #endif
681 :
682 0 : int sssm_ipa_autofs_init(struct be_ctx *bectx,
683 : struct bet_ops **ops,
684 : void **pvt_data)
685 : {
686 : #ifdef BUILD_AUTOFS
687 : struct ipa_id_ctx *id_ctx;
688 : int ret;
689 :
690 0 : DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA autofs handler\n");
691 :
692 0 : ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
693 0 : if (ret != EOK) {
694 0 : DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ipa_id_init failed.\n");
695 0 : return ret;
696 : }
697 :
698 0 : return ipa_autofs_init(bectx, id_ctx, ops, pvt_data);
699 : #else
700 : DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is "
701 : "built without autofs support, ignoring\n");
702 : return EOK;
703 : #endif
704 : }
705 :
706 0 : int sssm_ipa_subdomains_init(struct be_ctx *bectx,
707 : struct bet_ops **ops,
708 : void **pvt_data)
709 : {
710 : int ret;
711 : struct ipa_id_ctx *id_ctx;
712 :
713 0 : ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
714 0 : if (ret != EOK) {
715 0 : DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ipa_id_init failed.\n");
716 0 : return ret;
717 : }
718 :
719 0 : ret = ipa_subdom_init(bectx, id_ctx, ops, pvt_data);
720 0 : if (ret != EOK) {
721 0 : DEBUG(SSSDBG_CRIT_FAILURE, "ipa_subdom_init failed.\n");
722 0 : return ret;
723 : }
724 :
725 0 : return EOK;
726 : }
727 :
728 0 : int sssm_ipa_sudo_init(struct be_ctx *bectx,
729 : struct bet_ops **ops,
730 : void **pvt_data)
731 : {
732 : #ifdef BUILD_SUDO
733 : struct ipa_id_ctx *id_ctx;
734 : int ret;
735 :
736 0 : DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA sudo handler\n");
737 :
738 0 : ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
739 0 : if (ret != EOK) {
740 0 : DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ipa_id_init failed.\n");
741 0 : return ret;
742 : }
743 :
744 0 : return ipa_sudo_init(bectx, id_ctx, ops, pvt_data);
745 : #else
746 : DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is "
747 : "built without sudo support, ignoring\n");
748 : return EOK;
749 : #endif
750 : }
|
