Line data Source code
1 : /*
2 : SSSD
3 :
4 : Authors:
5 : Stephen Gallagher <sgallagh@redhat.com>
6 :
7 : Copyright (C) 2012 Red Hat
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 :
24 : #include <sys/types.h>
25 : #include <unistd.h>
26 : #include <sys/stat.h>
27 : #include <fcntl.h>
28 :
29 : #include <sasl/sasl.h>
30 :
31 : #include "util/util.h"
32 : #include "providers/ad/ad_common.h"
33 : #include "providers/ad/ad_access.h"
34 : #include "providers/ldap/ldap_common.h"
35 : #include "providers/ldap/sdap_access.h"
36 : #include "providers/ldap/sdap_idmap.h"
37 : #include "providers/krb5/krb5_auth.h"
38 : #include "providers/krb5/krb5_init_shared.h"
39 : #include "providers/ad/ad_id.h"
40 : #include "providers/ad/ad_srv.h"
41 : #include "providers/be_dyndns.h"
42 : #include "providers/ad/ad_subdomains.h"
43 : #include "providers/ad/ad_domain_info.h"
44 :
45 : struct ad_init_ctx {
46 : struct ad_options *options;
47 : struct ad_id_ctx *id_ctx;
48 : struct krb5_ctx *auth_ctx;
49 : };
50 :
51 : #define AD_COMPAT_ON "1"
52 0 : static int ad_sasl_getopt(void *context, const char *plugin_name,
53 : const char *option,
54 : const char **result, unsigned *len)
55 : {
56 0 : if (!plugin_name || !result) {
57 0 : return SASL_FAIL;
58 : }
59 0 : if (strcmp(plugin_name, "GSSAPI") != 0) {
60 0 : return SASL_FAIL;
61 : }
62 0 : if (strcmp(option, "ad_compat") != 0) {
63 0 : return SASL_FAIL;
64 : }
65 0 : *result = AD_COMPAT_ON;
66 0 : if (len) {
67 0 : *len = 2;
68 : }
69 0 : return SASL_OK;
70 : }
71 :
72 : typedef int (*sss_sasl_gen_cb_fn)(void);
73 :
74 0 : static int map_sasl2sssd_log_level(int sasl_level)
75 : {
76 : int sssd_level;
77 :
78 0 : switch(sasl_level) {
79 : case SASL_LOG_ERR: /* log unusual errors (default) */
80 0 : sssd_level = SSSDBG_CRIT_FAILURE;
81 0 : break;
82 : case SASL_LOG_FAIL: /* log all authentication failures */
83 0 : sssd_level = SSSDBG_OP_FAILURE;
84 0 : break;
85 : case SASL_LOG_WARN: /* log non-fatal warnings */
86 0 : sssd_level = SSSDBG_MINOR_FAILURE;
87 0 : break;
88 : case SASL_LOG_NOTE: /* more verbose than LOG_WARN */
89 : case SASL_LOG_DEBUG: /* more verbose than LOG_NOTE */
90 : case SASL_LOG_TRACE: /* traces of internal protocols */
91 : case SASL_LOG_PASS: /* traces of internal protocols, including */
92 0 : sssd_level = SSSDBG_TRACE_ALL;
93 0 : break;
94 : default:
95 0 : sssd_level = SSSDBG_TRACE_ALL;
96 0 : break;
97 : }
98 :
99 0 : return sssd_level;
100 : }
101 :
102 0 : static int ad_sasl_log(void *context, int level, const char *message)
103 : {
104 : int sssd_level;
105 :
106 0 : if (level == SASL_LOG_ERR || level == SASL_LOG_FAIL) {
107 0 : sss_log(SSS_LOG_ERR, "%s\n", message);
108 : }
109 :
110 0 : sssd_level = map_sasl2sssd_log_level(level);
111 0 : DEBUG(sssd_level, "SASL: %s\n", message);
112 0 : return SASL_OK;
113 : }
114 :
115 : static const sasl_callback_t ad_sasl_callbacks[] = {
116 : { SASL_CB_GETOPT, (sss_sasl_gen_cb_fn)ad_sasl_getopt, NULL },
117 : { SASL_CB_LOG, (sss_sasl_gen_cb_fn)ad_sasl_log, NULL },
118 : { SASL_CB_LIST_END, NULL, NULL }
119 : };
120 :
121 : /* This is quite a hack, we *try* to fool openldap libraries by initializing
122 : * sasl first so we can pass in the SASL_CB_GETOPT callback we need to set some
123 : * options. Should be removed as soon as openldap exposes a way to do that */
124 0 : static void ad_sasl_initialize(void)
125 : {
126 : /* NOTE: this may fail if soe other library in the system happens to
127 : * initialize and use openldap libraries or directly the cyrus-sasl
128 : * library as this initialization function can be called only once per
129 : * process */
130 0 : (void)sasl_client_init(ad_sasl_callbacks);
131 0 : }
132 :
133 0 : static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
134 : struct be_ctx *be_ctx,
135 : struct ad_options **_ad_options)
136 : {
137 : struct ad_options *ad_options;
138 0 : char *ad_servers = NULL;
139 0 : char *ad_backup_servers = NULL;
140 : char *ad_realm;
141 : errno_t ret;
142 :
143 0 : ad_sasl_initialize();
144 :
145 : /* Get AD-specific options */
146 0 : ret = ad_get_common_options(mem_ctx, be_ctx->cdb, be_ctx->conf_path,
147 : be_ctx->domain, &ad_options);
148 0 : if (ret != EOK) {
149 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse common options "
150 : "[%d]: %s\n", ret, sss_strerror(ret));
151 0 : return ret;
152 : }
153 :
154 0 : ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
155 0 : ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
156 0 : ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
157 :
158 : /* Set up the failover service */
159 0 : ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
160 : ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
161 0 : dp_opt_get_string(ad_options->basic, AD_DOMAIN),
162 0 : &ad_options->service);
163 0 : if (ret != EOK) {
164 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init AD failover service: "
165 : "[%d]: %s\n", ret, sss_strerror(ret));
166 0 : talloc_free(ad_options);
167 0 : return ret;
168 : }
169 :
170 0 : *_ad_options = ad_options;
171 :
172 0 : return EOK;
173 : }
174 :
175 0 : static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
176 : struct ad_options *ad_options)
177 : {
178 : struct ad_srv_plugin_ctx *srv_ctx;
179 : const char *hostname;
180 : const char *ad_domain;
181 : const char *ad_site_override;
182 : bool sites_enabled;
183 : errno_t ret;
184 :
185 0 : hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
186 0 : ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
187 0 : ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
188 0 : sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
189 :
190 :
191 0 : if (!sites_enabled) {
192 0 : ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, hostname);
193 0 : if (ret != EOK) {
194 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
195 : "[%d]: %s\n", ret, sss_strerror(ret));
196 0 : return ret;
197 : }
198 :
199 0 : return EOK;
200 : }
201 :
202 0 : srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
203 : default_host_dbs, ad_options->id,
204 : hostname, ad_domain,
205 : ad_site_override);
206 0 : if (srv_ctx == NULL) {
207 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
208 0 : return ENOMEM;
209 : }
210 :
211 0 : be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send,
212 : ad_srv_plugin_recv, srv_ctx, "AD");
213 :
214 0 : return EOK;
215 : }
216 :
217 0 : static errno_t ad_init_sdap_access_ctx(struct ad_access_ctx *access_ctx)
218 : {
219 0 : struct dp_option *options = access_ctx->ad_options;
220 0 : struct sdap_id_ctx *sdap_id_ctx = access_ctx->ad_id_ctx->sdap_id_ctx;
221 : struct sdap_access_ctx *sdap_access_ctx;
222 : const char *filter;
223 :
224 0 : sdap_access_ctx = talloc_zero(access_ctx, struct sdap_access_ctx);
225 0 : if (sdap_access_ctx == NULL) {
226 0 : return ENOMEM;
227 : }
228 :
229 0 : sdap_access_ctx->id_ctx = sdap_id_ctx;
230 :
231 :
232 : /* If ad_access_filter is set, the value of ldap_acess_order is
233 : * expire, filter, otherwise only expire.
234 : */
235 0 : sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
236 0 : filter = dp_opt_get_cstring(options, AD_ACCESS_FILTER);
237 0 : if (filter != NULL) {
238 : /* The processing of the extended filter is performed during the access
239 : * check itself.
240 : */
241 0 : sdap_access_ctx->filter = talloc_strdup(sdap_access_ctx, filter);
242 0 : if (sdap_access_ctx->filter == NULL) {
243 0 : talloc_free(sdap_access_ctx);
244 0 : return ENOMEM;
245 : }
246 :
247 0 : sdap_access_ctx->access_rule[1] = LDAP_ACCESS_FILTER;
248 0 : sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EMPTY;
249 : } else {
250 0 : sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
251 : }
252 :
253 0 : access_ctx->sdap_access_ctx = sdap_access_ctx;
254 :
255 0 : return EOK;
256 : }
257 :
258 : errno_t ad_gpo_parse_map_options(struct ad_access_ctx *access_ctx);
259 :
260 0 : static errno_t ad_init_gpo(struct ad_access_ctx *access_ctx)
261 : {
262 : struct dp_option *options;
263 : const char *gpo_access_control_mode;
264 : int gpo_cache_timeout;
265 : errno_t ret;
266 :
267 0 : options = access_ctx->ad_options;
268 :
269 : /* GPO access control mode */
270 0 : gpo_access_control_mode = dp_opt_get_string(options, AD_GPO_ACCESS_CONTROL);
271 0 : if (gpo_access_control_mode == NULL) {
272 0 : return EINVAL;
273 0 : } else if (strcasecmp(gpo_access_control_mode, "disabled") == 0) {
274 0 : access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_DISABLED;
275 0 : } else if (strcasecmp(gpo_access_control_mode, "permissive") == 0) {
276 0 : access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_PERMISSIVE;
277 0 : } else if (strcasecmp(gpo_access_control_mode, "enforcing") == 0) {
278 0 : access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_ENFORCING;
279 : } else {
280 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized GPO access control mode: "
281 : "%s\n", gpo_access_control_mode);
282 0 : return EINVAL;
283 : }
284 :
285 : /* GPO cache timeout */
286 0 : gpo_cache_timeout = dp_opt_get_int(options, AD_GPO_CACHE_TIMEOUT);
287 0 : access_ctx->gpo_cache_timeout = gpo_cache_timeout;
288 :
289 : /* GPO logon maps */
290 0 : ret = sss_hash_create(access_ctx, 10, &access_ctx->gpo_map_options_table);
291 0 : if (ret != EOK) {
292 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Could not create gpo_map_options "
293 : "hash table [%d]: %s\n", ret, sss_strerror(ret));
294 0 : return ret;
295 : }
296 :
297 0 : ret = ad_gpo_parse_map_options(access_ctx);
298 0 : if (ret != EOK) {
299 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse gpo_map_options "
300 : "(invalid config) [%d]: %s\n", ret, sss_strerror(ret));
301 0 : talloc_zfree(access_ctx->gpo_map_options_table);
302 0 : return ret;
303 : }
304 :
305 0 : return EOK;
306 : }
307 :
308 0 : static errno_t ad_init_auth_ctx(TALLOC_CTX *mem_ctx,
309 : struct be_ctx *be_ctx,
310 : struct ad_options *ad_options,
311 : struct krb5_ctx **_auth_ctx)
312 : {
313 : struct krb5_ctx *krb5_auth_ctx;
314 : errno_t ret;
315 :
316 0 : krb5_auth_ctx = talloc_zero(mem_ctx, struct krb5_ctx);
317 0 : if (krb5_auth_ctx == NULL) {
318 0 : ret = ENOMEM;
319 0 : goto done;
320 : }
321 :
322 0 : krb5_auth_ctx->config_type = K5C_GENERIC;
323 0 : krb5_auth_ctx->service = ad_options->service->krb5_service;
324 :
325 0 : ret = ad_get_auth_options(krb5_auth_ctx, ad_options, be_ctx,
326 : &krb5_auth_ctx->opts);
327 0 : if (ret != EOK) {
328 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Could not determine Kerberos options\n");
329 0 : goto done;
330 : }
331 :
332 0 : ret = krb5_child_init(krb5_auth_ctx, be_ctx);
333 0 : if (ret != EOK) {
334 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize krb5_child settings: "
335 : "[%d]: %s\n", ret, sss_strerror(ret));
336 0 : goto done;
337 : }
338 :
339 0 : ad_options->auth_ctx = krb5_auth_ctx;
340 0 : *_auth_ctx = krb5_auth_ctx;
341 :
342 0 : ret = EOK;
343 :
344 : done:
345 0 : if (ret != EOK) {
346 0 : talloc_free(krb5_auth_ctx);
347 : }
348 :
349 0 : return ret;
350 : }
351 :
352 0 : static errno_t ad_init_misc(struct be_ctx *be_ctx,
353 : struct ad_options *ad_options,
354 : struct ad_id_ctx *ad_id_ctx,
355 : struct sdap_id_ctx *sdap_id_ctx)
356 : {
357 : errno_t ret;
358 :
359 0 : ret = ad_dyndns_init(be_ctx, ad_options);
360 0 : if (ret != EOK) {
361 0 : DEBUG(SSSDBG_MINOR_FAILURE,
362 : "Failure setting up automatic DNS update\n");
363 : /* Continue without DNS updates */
364 : }
365 :
366 0 : ret = setup_tls_config(sdap_id_ctx->opts->basic);
367 0 : if (ret != EOK) {
368 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get TLS options [%d]: %s\n",
369 : ret, sss_strerror(ret));
370 0 : return ret;
371 : }
372 :
373 0 : ret = sdap_idmap_init(sdap_id_ctx, sdap_id_ctx,
374 0 : &sdap_id_ctx->opts->idmap_ctx);
375 0 : if (ret != EOK) {
376 0 : DEBUG(SSSDBG_FATAL_FAILURE,
377 : "Could not initialize ID mapping. In case ID mapping properties "
378 : "changed on the server, please remove the SSSD database\n");
379 0 : return ret;
380 : }
381 :
382 0 : ret = sdap_id_setup_tasks(be_ctx, sdap_id_ctx, sdap_id_ctx->opts->sdom,
383 : ad_enumeration_send, ad_enumeration_recv,
384 : ad_id_ctx);
385 0 : if (ret != EOK) {
386 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup background tasks "
387 : "[%d]: %s\n", ret, sss_strerror(ret));
388 0 : return ret;
389 : }
390 :
391 0 : sdap_id_ctx->opts->sdom->pvt = ad_id_ctx;
392 :
393 0 : ret = sdap_setup_child();
394 0 : if (ret != EOK) {
395 0 : DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n",
396 : ret, sss_strerror(ret));
397 0 : return ret;
398 : }
399 :
400 0 : ret = ad_init_srv_plugin(be_ctx, ad_options);
401 0 : if (ret != EOK) {
402 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup SRV plugin [%d]: %s\n",
403 : ret, sss_strerror(ret));
404 0 : return ret;
405 : }
406 :
407 0 : ret = sdap_refresh_init(be_ctx->refresh_ctx, sdap_id_ctx);
408 0 : if (ret != EOK && ret != EEXIST) {
409 0 : DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
410 : "will not work [%d]: %s\n", ret, sss_strerror(ret));
411 : }
412 :
413 0 : ret = ad_machine_account_password_renewal_init(be_ctx, ad_options);
414 0 : if (ret != EOK) {
415 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Cannot setup task for machine account "
416 : "password renewal.\n");
417 0 : return ret;
418 : }
419 :
420 0 : return EOK;
421 : }
422 :
423 0 : errno_t sssm_ad_init(TALLOC_CTX *mem_ctx,
424 : struct be_ctx *be_ctx,
425 : struct data_provider *provider,
426 : const char *module_name,
427 : void **_module_data)
428 : {
429 : struct ad_init_ctx *init_ctx;
430 : errno_t ret;
431 :
432 0 : init_ctx = talloc_zero(mem_ctx, struct ad_init_ctx);
433 0 : if (init_ctx == NULL) {
434 0 : return ENOMEM;
435 : }
436 :
437 : /* Always initialize options since it is needed everywhere. */
438 0 : ret = ad_init_options(mem_ctx, be_ctx, &init_ctx->options);
439 0 : if (ret != EOK) {
440 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD options [%d]: %s\n",
441 : ret, sss_strerror(ret));
442 0 : return ret;
443 : }
444 :
445 : /* Always initialize id_ctx since it is needed everywhere. */
446 0 : init_ctx->id_ctx = ad_id_ctx_init(init_ctx->options, be_ctx);
447 0 : if (init_ctx->id_ctx == NULL) {
448 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize AD ID context\n");
449 0 : ret = ENOMEM;
450 0 : goto done;
451 : }
452 :
453 0 : init_ctx->options->id_ctx = init_ctx->id_ctx;
454 :
455 0 : ret = ad_get_id_options(init_ctx->options, be_ctx->cdb, be_ctx->conf_path,
456 0 : &init_ctx->id_ctx->sdap_id_ctx->opts);
457 0 : if (ret != EOK) {
458 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD id options\n");
459 0 : return ret;
460 : }
461 :
462 : /* Setup miscellaneous things. */
463 0 : ret = ad_init_misc(be_ctx, init_ctx->options, init_ctx->id_ctx,
464 0 : init_ctx->id_ctx->sdap_id_ctx);
465 0 : if (ret != EOK) {
466 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD module "
467 : "[%d]: %s\n", ret, sss_strerror(ret));
468 0 : goto done;
469 : }
470 :
471 : /* Initialize auth_ctx only if one of the target is enabled. */
472 0 : if (dp_target_enabled(provider, module_name, DPT_AUTH, DPT_CHPASS)) {
473 0 : ret = ad_init_auth_ctx(init_ctx, be_ctx, init_ctx->options,
474 : &init_ctx->auth_ctx);
475 0 : if (ret != EOK) {
476 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context "
477 : "[%d]: %s\n", ret, sss_strerror(ret));
478 0 : return ret;
479 : }
480 : }
481 :
482 0 : *_module_data = init_ctx;
483 :
484 0 : ret = EOK;
485 :
486 : done:
487 0 : if (ret != EOK) {
488 0 : talloc_free(init_ctx);
489 : }
490 :
491 0 : return ret;
492 : }
493 :
494 0 : errno_t sssm_ad_id_init(TALLOC_CTX *mem_ctx,
495 : struct be_ctx *be_ctx,
496 : void *module_data,
497 : struct dp_method *dp_methods)
498 : {
499 : struct ad_init_ctx *init_ctx;
500 : struct ad_id_ctx *id_ctx;
501 :
502 0 : init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
503 0 : id_ctx = init_ctx->id_ctx;
504 :
505 0 : dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER,
506 : ad_account_info_handler_send, ad_account_info_handler_recv, id_ctx,
507 : struct ad_id_ctx, struct be_acct_req, struct dp_reply_std);
508 :
509 0 : dp_set_method(dp_methods, DPM_CHECK_ONLINE,
510 : sdap_online_check_handler_send, sdap_online_check_handler_recv, id_ctx->sdap_id_ctx,
511 : struct sdap_id_ctx, void, struct dp_reply_std);
512 :
513 0 : return EOK;
514 : }
515 :
516 0 : errno_t sssm_ad_auth_init(TALLOC_CTX *mem_ctx,
517 : struct be_ctx *be_ctx,
518 : void *module_data,
519 : struct dp_method *dp_methods)
520 : {
521 : struct ad_init_ctx *init_ctx;
522 : struct krb5_ctx *auth_ctx;
523 :
524 0 : init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
525 0 : auth_ctx = init_ctx->auth_ctx;
526 :
527 0 : dp_set_method(dp_methods, DPM_AUTH_HANDLER,
528 : krb5_pam_handler_send, krb5_pam_handler_recv, auth_ctx,
529 : struct krb5_ctx, struct pam_data, struct pam_data *);
530 :
531 0 : return EOK;
532 : }
533 :
534 0 : errno_t sssm_ad_chpass_init(TALLOC_CTX *mem_ctx,
535 : struct be_ctx *be_ctx,
536 : void *module_data,
537 : struct dp_method *dp_methods)
538 : {
539 0 : return sssm_ad_auth_init(mem_ctx, be_ctx, module_data, dp_methods);
540 : }
541 :
542 0 : errno_t sssm_ad_access_init(TALLOC_CTX *mem_ctx,
543 : struct be_ctx *be_ctx,
544 : void *module_data,
545 : struct dp_method *dp_methods)
546 : {
547 : struct ad_init_ctx *init_ctx;
548 : struct ad_access_ctx *access_ctx;
549 : errno_t ret;
550 :
551 0 : init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
552 :
553 0 : access_ctx = talloc_zero(mem_ctx, struct ad_access_ctx);
554 0 : if (access_ctx == NULL) {
555 0 : return ENOMEM;
556 : }
557 :
558 0 : access_ctx->ad_id_ctx = init_ctx->id_ctx;
559 :
560 0 : ret = dp_copy_options(access_ctx, init_ctx->options->basic, AD_OPTS_BASIC,
561 : &access_ctx->ad_options);
562 0 : if (ret != EOK) {
563 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize access provider "
564 : "options [%d]: %s\n", ret, sss_strerror(ret));
565 0 : goto done;
566 : }
567 :
568 0 : ret = ad_init_sdap_access_ctx(access_ctx);
569 0 : if (ret != EOK) {
570 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize sdap access context "
571 : "[%d]: %s\n", ret, sss_strerror(ret));
572 0 : goto done;
573 : }
574 :
575 0 : ret = ad_init_gpo(access_ctx);
576 0 : if (ret != EOK) {
577 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize GPO "
578 : "[%d]: %s\n", ret, sss_strerror(ret));
579 0 : goto done;
580 : }
581 :
582 0 : dp_set_method(dp_methods, DPM_ACCESS_HANDLER,
583 : ad_pam_access_handler_send, ad_pam_access_handler_recv, access_ctx,
584 : struct ad_access_ctx, struct pam_data, struct pam_data *);
585 :
586 0 : ret = EOK;
587 :
588 : done:
589 0 : if (ret != EOK) {
590 0 : talloc_free(access_ctx);
591 : }
592 :
593 0 : return ret;
594 : }
595 :
596 0 : errno_t sssm_ad_autofs_init(TALLOC_CTX *mem_ctx,
597 : struct be_ctx *be_ctx,
598 : void *module_data,
599 : struct dp_method *dp_methods)
600 : {
601 : #ifdef BUILD_AUTOFS
602 : struct ad_init_ctx *init_ctx;
603 :
604 0 : DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD autofs handler\n");
605 0 : init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
606 :
607 0 : return ad_autofs_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
608 : #else
609 : DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is "
610 : "built without autofs support, ignoring\n");
611 : return EOK;
612 : #endif
613 : }
614 :
615 0 : errno_t sssm_ad_subdomains_init(TALLOC_CTX *mem_ctx,
616 : struct be_ctx *be_ctx,
617 : void *module_data,
618 : struct dp_method *dp_methods)
619 : {
620 : struct ad_init_ctx *init_ctx;
621 :
622 0 : DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD subdomains handler\n");
623 0 : init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
624 :
625 0 : return ad_subdomains_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
626 : }
627 :
628 0 : errno_t sssm_ad_sudo_init(TALLOC_CTX *mem_ctx,
629 : struct be_ctx *be_ctx,
630 : void *module_data,
631 : struct dp_method *dp_methods)
632 : {
633 : #ifdef BUILD_SUDO
634 : struct ad_init_ctx *init_ctx;
635 :
636 0 : DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD sudo handler\n");
637 0 : init_ctx = talloc_get_type(module_data, struct ad_init_ctx);
638 :
639 0 : return ad_sudo_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
640 : #else
641 : DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is "
642 : "built without sudo support, ignoring\n");
643 : return EOK;
644 : #endif
645 : }
|
