Line data Source code
1 : /*
2 : SSSD
3 :
4 : LDAP Provider Initialization functions
5 :
6 : Authors:
7 : Simo Sorce <ssorce@redhat.com>
8 :
9 : Copyright (C) 2009 Red Hat
10 :
11 : This program is free software; you can redistribute it and/or modify
12 : it under the terms of the GNU General Public License as published by
13 : the Free Software Foundation; either version 3 of the License, or
14 : (at your option) any later version.
15 :
16 : This program is distributed in the hope that it will be useful,
17 : but WITHOUT ANY WARRANTY; without even the implied warranty of
18 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 : GNU General Public License for more details.
20 :
21 : You should have received a copy of the GNU General Public License
22 : along with this program. If not, see <http://www.gnu.org/licenses/>.
23 : */
24 :
25 : #include "util/child_common.h"
26 : #include "providers/ldap/ldap_common.h"
27 : #include "providers/ldap/sdap_async_private.h"
28 : #include "providers/ldap/sdap_access.h"
29 : #include "providers/ldap/sdap_sudo.h"
30 : #include "providers/ldap/sdap_autofs.h"
31 : #include "providers/ldap/sdap_idmap.h"
32 : #include "providers/fail_over_srv.h"
33 : #include "providers/be_refresh.h"
34 :
35 : struct ldap_init_ctx {
36 : struct sdap_options *options;
37 : struct sdap_id_ctx *id_ctx;
38 : struct sdap_auth_ctx *auth_ctx;
39 : };
40 :
41 : /* Please use this only for short lists */
42 0 : errno_t check_order_list_for_duplicates(char **list,
43 : bool case_sensitive)
44 : {
45 : size_t c;
46 : size_t d;
47 : int cmp;
48 :
49 0 : for (c = 0; list[c] != NULL; c++) {
50 0 : for (d = c + 1; list[d] != NULL; d++) {
51 0 : if (case_sensitive) {
52 0 : cmp = strcmp(list[c], list[d]);
53 : } else {
54 0 : cmp = strcasecmp(list[c], list[d]);
55 : }
56 0 : if (cmp == 0) {
57 0 : DEBUG(SSSDBG_CRIT_FAILURE,
58 : "Duplicate string [%s] found.\n", list[c]);
59 0 : return EINVAL;
60 : }
61 : }
62 : }
63 :
64 0 : return EOK;
65 : }
66 :
67 0 : static errno_t ldap_init_auth_ctx(TALLOC_CTX *mem_ctx,
68 : struct be_ctx *be_ctx,
69 : struct sdap_id_ctx *id_ctx,
70 : struct sdap_options *options,
71 : struct sdap_auth_ctx **_auth_ctx)
72 : {
73 : struct sdap_auth_ctx *auth_ctx;
74 :
75 0 : auth_ctx = talloc(mem_ctx, struct sdap_auth_ctx);
76 0 : if (auth_ctx == NULL) {
77 0 : return ENOMEM;
78 : }
79 :
80 0 : auth_ctx->be = be_ctx;
81 0 : auth_ctx->opts = options;
82 0 : auth_ctx->service = id_ctx->conn->service;
83 0 : auth_ctx->chpass_service = NULL;
84 :
85 0 : *_auth_ctx = auth_ctx;
86 :
87 0 : return EOK;
88 : }
89 :
90 0 : static errno_t init_chpass_service(TALLOC_CTX *mem_ctx,
91 : struct be_ctx *be_ctx,
92 : struct sdap_options *opts,
93 : struct sdap_service **_chpass_service)
94 : {
95 : errno_t ret;
96 : const char *urls;
97 : const char *backup_urls;
98 : const char *dns_service_name;
99 : struct sdap_service *chpass_service;
100 :
101 0 : dns_service_name = dp_opt_get_string(opts->basic,
102 : SDAP_CHPASS_DNS_SERVICE_NAME);
103 0 : if (dns_service_name != NULL) {
104 0 : DEBUG(SSSDBG_TRACE_LIBS,
105 : "Service name for chpass discovery set to %s\n",
106 : dns_service_name);
107 : }
108 :
109 0 : urls = dp_opt_get_string(opts->basic, SDAP_CHPASS_URI);
110 0 : backup_urls = dp_opt_get_string(opts->basic, SDAP_CHPASS_BACKUP_URI);
111 :
112 0 : if (urls != NULL || backup_urls != NULL || dns_service_name != NULL) {
113 0 : ret = sdap_service_init(mem_ctx,
114 : be_ctx,
115 : "LDAP_CHPASS",
116 : dns_service_name,
117 : urls,
118 : backup_urls,
119 : &chpass_service);
120 0 : if (ret != EOK) {
121 0 : DEBUG(SSSDBG_CRIT_FAILURE,
122 : "Failed to initialize failover service!\n");
123 0 : return ret;
124 : }
125 : } else {
126 0 : DEBUG(SSSDBG_TRACE_ALL,
127 : "ldap_chpass_uri and ldap_chpass_dns_service_name not set, "
128 : "using ldap_uri.\n");
129 0 : chpass_service = NULL;
130 : }
131 :
132 0 : *_chpass_service = chpass_service;
133 0 : return EOK;
134 : }
135 :
136 0 : static errno_t get_access_order_list(TALLOC_CTX *mem_ctx,
137 : const char *order,
138 : char ***_order_list)
139 : {
140 : errno_t ret;
141 : char **order_list;
142 : int order_list_len;
143 :
144 0 : ret = split_on_separator(mem_ctx, order, ',', true, true,
145 : &order_list, &order_list_len);
146 0 : if (ret != EOK) {
147 0 : DEBUG(SSSDBG_CRIT_FAILURE, "split_on_separator failed.\n");
148 0 : goto done;
149 : }
150 :
151 0 : ret = check_order_list_for_duplicates(order_list, false);
152 0 : if (ret != EOK) {
153 0 : DEBUG(SSSDBG_CRIT_FAILURE,
154 : "check_order_list_for_duplicates failed.\n");
155 0 : goto done;
156 : }
157 :
158 0 : if (order_list_len > LDAP_ACCESS_LAST) {
159 0 : DEBUG(SSSDBG_CRIT_FAILURE,
160 : "Currently only [%d] different access rules are supported.\n",
161 : LDAP_ACCESS_LAST);
162 0 : ret = EINVAL;
163 0 : goto done;
164 : }
165 :
166 0 : *_order_list = order_list;
167 :
168 : done:
169 0 : if (ret != EOK) {
170 0 : talloc_free(order_list);
171 : }
172 :
173 0 : return ret;
174 : }
175 :
176 0 : static errno_t check_expire_policy(struct sdap_options *opts)
177 : {
178 : const char *expire_policy;
179 0 : bool matched_policy = false;
180 0 : const char *policies[] = {LDAP_ACCOUNT_EXPIRE_SHADOW,
181 : LDAP_ACCOUNT_EXPIRE_AD,
182 : LDAP_ACCOUNT_EXPIRE_NDS,
183 : LDAP_ACCOUNT_EXPIRE_RHDS,
184 : LDAP_ACCOUNT_EXPIRE_IPA,
185 : LDAP_ACCOUNT_EXPIRE_389DS,
186 : NULL};
187 :
188 0 : expire_policy = dp_opt_get_cstring(opts->basic,
189 : SDAP_ACCOUNT_EXPIRE_POLICY);
190 0 : if (expire_policy == NULL) {
191 0 : DEBUG(SSSDBG_FATAL_FAILURE,
192 : "Warning: LDAP access rule 'expire' is set, "
193 : "but no ldap_account_expire_policy configured. "
194 : "All domain users will be denied access.\n");
195 0 : return EOK;
196 : }
197 :
198 0 : for (unsigned i = 0; policies[i] != NULL; i++) {
199 0 : if (strcasecmp(expire_policy, policies[i]) == 0) {
200 0 : matched_policy = true;
201 0 : break;
202 : }
203 : }
204 :
205 0 : if (matched_policy == false) {
206 0 : DEBUG(SSSDBG_CRIT_FAILURE,
207 : "Unsupported LDAP account expire policy [%s].\n",
208 : expire_policy);
209 0 : return EINVAL;
210 : }
211 :
212 0 : return EOK;
213 : }
214 :
215 0 : static errno_t get_access_filter(TALLOC_CTX *mem_ctx,
216 : struct sdap_options *opts,
217 : const char **_filter)
218 : {
219 : const char *filter;
220 :
221 0 : filter = dp_opt_get_cstring(opts->basic, SDAP_ACCESS_FILTER);
222 0 : if (filter == NULL) {
223 : /* It's okay if this is NULL. In that case we will simply act
224 : * like the 'deny' provider.
225 : */
226 0 : DEBUG(SSSDBG_FATAL_FAILURE,
227 : "Warning: LDAP access rule 'filter' is set, "
228 : "but no ldap_access_filter configured. "
229 : "All domain users will be denied access.\n");
230 0 : return EOK;
231 : }
232 :
233 0 : filter = sdap_get_access_filter(mem_ctx, filter);
234 0 : if (filter == NULL) {
235 0 : return ENOMEM;
236 : }
237 :
238 0 : *_filter = filter;
239 :
240 0 : return EOK;
241 : }
242 :
243 0 : static errno_t set_access_rules(TALLOC_CTX *mem_ctx,
244 : struct sdap_access_ctx *access_ctx,
245 : struct sdap_options *opts)
246 : {
247 : errno_t ret;
248 0 : char **order_list = NULL;
249 : const char *order;
250 : size_t c;
251 :
252 : /* To make sure that in case of failure it's safe to be freed */
253 0 : access_ctx->filter = NULL;
254 :
255 0 : order = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
256 : SDAP_ACCESS_ORDER);
257 0 : if (order == NULL) {
258 0 : DEBUG(SSSDBG_CRIT_FAILURE,
259 : "ldap_access_order not given, using 'filter'.\n");
260 0 : order = "filter";
261 : }
262 :
263 0 : ret = get_access_order_list(mem_ctx, order, &order_list);
264 0 : if (ret != EOK) {
265 0 : DEBUG(SSSDBG_CRIT_FAILURE,
266 : "get_access_order_list failed: [%d][%s].\n",
267 : ret, sss_strerror(ret));
268 0 : goto done;
269 : }
270 :
271 0 : for (c = 0; order_list[c] != NULL; c++) {
272 :
273 0 : if (strcasecmp(order_list[c], LDAP_ACCESS_FILTER_NAME) == 0) {
274 0 : access_ctx->access_rule[c] = LDAP_ACCESS_FILTER;
275 0 : if (get_access_filter(mem_ctx, opts, &access_ctx->filter) != EOK) {
276 0 : goto done;
277 : }
278 :
279 0 : } else if (strcasecmp(order_list[c], LDAP_ACCESS_EXPIRE_NAME) == 0) {
280 0 : access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE;
281 0 : if (check_expire_policy(opts) != EOK) {
282 0 : goto done;
283 : }
284 :
285 0 : } else if (strcasecmp(order_list[c], LDAP_ACCESS_SERVICE_NAME) == 0) {
286 0 : access_ctx->access_rule[c] = LDAP_ACCESS_SERVICE;
287 0 : } else if (strcasecmp(order_list[c], LDAP_ACCESS_HOST_NAME) == 0) {
288 0 : access_ctx->access_rule[c] = LDAP_ACCESS_HOST;
289 0 : } else if (strcasecmp(order_list[c], LDAP_ACCESS_LOCK_NAME) == 0) {
290 0 : access_ctx->access_rule[c] = LDAP_ACCESS_LOCKOUT;
291 0 : } else if (strcasecmp(order_list[c],
292 : LDAP_ACCESS_EXPIRE_POLICY_REJECT_NAME) == 0) {
293 0 : access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE_POLICY_REJECT;
294 0 : } else if (strcasecmp(order_list[c],
295 : LDAP_ACCESS_EXPIRE_POLICY_WARN_NAME) == 0) {
296 0 : access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE_POLICY_WARN;
297 0 : } else if (strcasecmp(order_list[c],
298 : LDAP_ACCESS_EXPIRE_POLICY_RENEW_NAME) == 0) {
299 0 : access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE_POLICY_RENEW;
300 0 : } else if (strcasecmp(order_list[c], LDAP_ACCESS_PPOLICY_NAME) == 0) {
301 0 : access_ctx->access_rule[c] = LDAP_ACCESS_PPOLICY;
302 : } else {
303 0 : DEBUG(SSSDBG_CRIT_FAILURE,
304 : "Unexpected access rule name [%s].\n", order_list[c]);
305 0 : ret = EINVAL;
306 0 : goto done;
307 : }
308 : }
309 0 : access_ctx->access_rule[c] = LDAP_ACCESS_EMPTY;
310 0 : if (c == 0) {
311 0 : DEBUG(SSSDBG_FATAL_FAILURE, "Warning: access_provider=ldap set, "
312 : "but ldap_access_order is empty. "
313 : "All domain users will be denied access.\n");
314 : }
315 :
316 : done:
317 0 : talloc_free(order_list);
318 0 : if (ret != EOK) {
319 0 : talloc_zfree(access_ctx->filter);
320 : }
321 0 : return ret;
322 : }
323 :
324 0 : static errno_t get_sdap_service(TALLOC_CTX *mem_ctx,
325 : struct be_ctx *be_ctx,
326 : struct sdap_options *opts,
327 : struct sdap_service **_sdap_service)
328 : {
329 : errno_t ret;
330 : const char *urls;
331 : const char *backup_urls;
332 : const char *dns_service_name;
333 : struct sdap_service *sdap_service;
334 :
335 0 : urls = dp_opt_get_string(opts->basic, SDAP_URI);
336 0 : backup_urls = dp_opt_get_string(opts->basic, SDAP_BACKUP_URI);
337 0 : dns_service_name = dp_opt_get_string(opts->basic, SDAP_DNS_SERVICE_NAME);
338 0 : if (dns_service_name != NULL) {
339 0 : DEBUG(SSSDBG_CONF_SETTINGS,
340 : "Service name for discovery set to %s\n", dns_service_name);
341 : }
342 :
343 0 : ret = sdap_service_init(mem_ctx, be_ctx, "LDAP",
344 : dns_service_name,
345 : urls,
346 : backup_urls,
347 : &sdap_service);
348 0 : if (ret != EOK) {
349 0 : return ret;
350 : }
351 :
352 0 : *_sdap_service = sdap_service;
353 0 : return EOK;
354 : }
355 :
356 0 : static bool should_call_gssapi_init(struct sdap_options *opts)
357 : {
358 : const char *sasl_mech;
359 :
360 0 : sasl_mech = dp_opt_get_string(opts->basic, SDAP_SASL_MECH);
361 0 : if (sasl_mech == NULL) {
362 0 : return false;
363 : }
364 :
365 0 : if (strcasecmp(sasl_mech, "GSSAPI") != 0) {
366 0 : return false;
367 : }
368 :
369 0 : if (dp_opt_get_bool(opts->basic, SDAP_KRB5_KINIT) == false) {
370 0 : return false;
371 : }
372 :
373 0 : return true;
374 : }
375 :
376 0 : static errno_t ldap_init_misc(struct be_ctx *be_ctx,
377 : struct sdap_options *options,
378 : struct sdap_id_ctx *id_ctx)
379 : {
380 : errno_t ret;
381 :
382 0 : if (should_call_gssapi_init(options)) {
383 0 : ret = sdap_gssapi_init(id_ctx, options->basic, be_ctx,
384 0 : id_ctx->conn->service, &id_ctx->krb5_service);
385 0 : if (ret != EOK) {
386 0 : DEBUG(SSSDBG_CRIT_FAILURE,
387 : "sdap_gssapi_init failed [%d][%s].\n",
388 : ret, sss_strerror(ret));
389 0 : return ret;
390 : }
391 : }
392 :
393 0 : ret = setup_tls_config(options->basic);
394 0 : if (ret != EOK) {
395 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get TLS options [%d]: %s\n",
396 : ret, sss_strerror(ret));
397 0 : return ret;
398 : }
399 :
400 : /* Setup the ID mapping object */
401 0 : ret = sdap_idmap_init(id_ctx, id_ctx, &options->idmap_ctx);
402 0 : if (ret != EOK) {
403 0 : DEBUG(SSSDBG_FATAL_FAILURE,
404 : "Could not initialize ID mapping. In case ID mapping properties "
405 : "changed on the server, please remove the SSSD database\n");
406 0 : return ret;
407 : }
408 :
409 0 : ret = ldap_id_setup_tasks(id_ctx);
410 0 : if (ret != EOK) {
411 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup background tasks "
412 : "[%d]: %s\n", ret, sss_strerror(ret));
413 0 : return ret;
414 : }
415 :
416 0 : ret = sdap_setup_child();
417 0 : if (ret != EOK) {
418 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
419 : ret, sss_strerror(ret));
420 0 : return ret;
421 : }
422 :
423 : /* Setup SRV lookup plugin */
424 0 : ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL);
425 0 : if (ret != EOK) {
426 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin "
427 : "[%d]: %s\n", ret, sss_strerror(ret));
428 0 : return ret;
429 : }
430 :
431 : /* Setup periodical refresh of expired records */
432 0 : ret = sdap_refresh_init(be_ctx->refresh_ctx, id_ctx);
433 0 : if (ret != EOK && ret != EEXIST) {
434 0 : DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh will not work "
435 : "[%d]: %s\n", ret, sss_strerror(ret));
436 : }
437 :
438 0 : return EOK;
439 : }
440 :
441 0 : errno_t sssm_ldap_init(TALLOC_CTX *mem_ctx,
442 : struct be_ctx *be_ctx,
443 : struct data_provider *provider,
444 : const char *module_name,
445 : void **_module_data)
446 : {
447 : struct sdap_service *sdap_service;
448 : struct ldap_init_ctx *init_ctx;
449 : errno_t ret;
450 :
451 0 : init_ctx = talloc_zero(mem_ctx, struct ldap_init_ctx);
452 0 : if (init_ctx == NULL) {
453 0 : return ENOMEM;
454 : }
455 :
456 : /* Always initialize options since it is needed everywhere. */
457 0 : ret = ldap_get_options(init_ctx, be_ctx->domain, be_ctx->cdb,
458 : be_ctx->conf_path, &init_ctx->options);
459 0 : if (ret != EOK) {
460 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP options "
461 : "[%d]: %s\n", ret, sss_strerror(ret));
462 0 : goto done;
463 : }
464 :
465 : /* Always initialize id_ctx since it is needed everywhere. */
466 0 : ret = get_sdap_service(init_ctx, be_ctx, init_ctx->options, &sdap_service);
467 0 : if (ret != EOK) {
468 0 : DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize failover service "
469 : "[%d]: %s\n", ret, sss_strerror(ret));
470 0 : goto done;
471 : }
472 :
473 0 : init_ctx->id_ctx = sdap_id_ctx_new(init_ctx, be_ctx, sdap_service);
474 0 : if (init_ctx->id_ctx == NULL) {
475 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP ID context\n");
476 0 : ret = ENOMEM;
477 0 : goto done;
478 : }
479 :
480 0 : init_ctx->id_ctx->opts = init_ctx->options;
481 :
482 : /* Setup miscellaneous things. */
483 0 : ret = ldap_init_misc(be_ctx, init_ctx->options, init_ctx->id_ctx);
484 0 : if (ret != EOK) {
485 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init LDAP module "
486 : "[%d]: %s\n", ret, sss_strerror(ret));
487 0 : goto done;
488 : }
489 :
490 : /* Initialize auth_ctx only if one of the target is enabled. */
491 0 : if (dp_target_enabled(provider, module_name, DPT_AUTH, DPT_CHPASS)) {
492 0 : ret = ldap_init_auth_ctx(init_ctx, be_ctx, init_ctx->id_ctx,
493 : init_ctx->options, &init_ctx->auth_ctx);
494 0 : if (ret != EOK) {
495 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context "
496 : "[%d]: %s\n", ret, sss_strerror(ret));
497 0 : return ret;
498 : }
499 : }
500 :
501 0 : *_module_data = init_ctx;
502 :
503 0 : ret = EOK;
504 :
505 : done:
506 0 : if (ret != EOK) {
507 0 : talloc_free(init_ctx);
508 : }
509 :
510 0 : return ret;
511 : }
512 :
513 0 : errno_t sssm_ldap_id_init(TALLOC_CTX *mem_ctx,
514 : struct be_ctx *be_ctx,
515 : void *module_data,
516 : struct dp_method *dp_methods)
517 : {
518 : struct ldap_init_ctx *init_ctx;
519 : struct sdap_id_ctx *id_ctx;
520 :
521 0 : init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
522 0 : id_ctx = init_ctx->id_ctx;
523 :
524 0 : dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER,
525 : sdap_account_info_handler_send, sdap_account_info_handler_recv, id_ctx,
526 : struct sdap_id_ctx, struct be_acct_req, struct dp_reply_std);
527 :
528 0 : dp_set_method(dp_methods, DPM_CHECK_ONLINE,
529 : sdap_online_check_handler_send, sdap_online_check_handler_recv, id_ctx,
530 : struct sdap_id_ctx, void, struct dp_reply_std);
531 :
532 0 : return EOK;
533 : }
534 :
535 0 : errno_t sssm_ldap_auth_init(TALLOC_CTX *mem_ctx,
536 : struct be_ctx *be_ctx,
537 : void *module_data,
538 : struct dp_method *dp_methods)
539 : {
540 : struct ldap_init_ctx *init_ctx;
541 : struct sdap_auth_ctx *auth_ctx;
542 :
543 0 : init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
544 0 : auth_ctx = init_ctx->auth_ctx;
545 :
546 0 : dp_set_method(dp_methods, DPM_AUTH_HANDLER,
547 : sdap_pam_auth_handler_send, sdap_pam_auth_handler_recv, auth_ctx,
548 : struct sdap_auth_ctx, struct pam_data, struct pam_data *);
549 :
550 0 : return EOK;
551 : }
552 :
553 0 : errno_t sssm_ldap_chpass_init(TALLOC_CTX *mem_ctx,
554 : struct be_ctx *be_ctx,
555 : void *module_data,
556 : struct dp_method *dp_methods)
557 : {
558 : struct ldap_init_ctx *init_ctx;
559 : struct sdap_auth_ctx *auth_ctx;
560 : errno_t ret;
561 :
562 0 : init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
563 0 : auth_ctx = init_ctx->auth_ctx;
564 :
565 0 : ret = init_chpass_service(auth_ctx, be_ctx, init_ctx->options,
566 : &auth_ctx->chpass_service);
567 0 : if (ret != EOK) {
568 0 : DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize chpass service "
569 : "[%d]: %s\n", ret, sss_strerror(ret));
570 0 : return ret;
571 : }
572 :
573 0 : dp_set_method(dp_methods, DPM_AUTH_HANDLER,
574 : sdap_pam_chpass_handler_send, sdap_pam_chpass_handler_recv, auth_ctx,
575 : struct sdap_auth_ctx, struct pam_data, struct pam_data *);
576 :
577 0 : return EOK;
578 : }
579 :
580 0 : errno_t sssm_ldap_access_init(TALLOC_CTX *mem_ctx,
581 : struct be_ctx *be_ctx,
582 : void *module_data,
583 : struct dp_method *dp_methods)
584 : {
585 : struct ldap_init_ctx *init_ctx;
586 : struct sdap_access_ctx *access_ctx;
587 : errno_t ret;
588 :
589 0 : init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
590 :
591 0 : access_ctx = talloc_zero(mem_ctx, struct sdap_access_ctx);
592 0 : if(access_ctx == NULL) {
593 0 : ret = ENOMEM;
594 0 : goto done;
595 : }
596 :
597 0 : access_ctx->id_ctx = init_ctx->id_ctx;
598 :
599 0 : ret = set_access_rules(access_ctx, access_ctx, access_ctx->id_ctx->opts);
600 0 : if (ret != EOK) {
601 0 : DEBUG(SSSDBG_CRIT_FAILURE,
602 : "set_access_rules failed: [%d][%s].\n",
603 : ret, sss_strerror(ret));
604 0 : goto done;
605 : }
606 :
607 0 : dp_set_method(dp_methods, DPM_ACCESS_HANDLER,
608 : sdap_pam_access_handler_send, sdap_pam_access_handler_recv, access_ctx,
609 : struct sdap_access_ctx, struct pam_data, struct pam_data *);
610 :
611 0 : ret = EOK;
612 :
613 : done:
614 0 : if (ret != EOK) {
615 0 : talloc_free(access_ctx);
616 : }
617 :
618 0 : return ret;
619 : }
620 :
621 0 : errno_t sssm_ldap_autofs_init(TALLOC_CTX *mem_ctx,
622 : struct be_ctx *be_ctx,
623 : void *module_data,
624 : struct dp_method *dp_methods)
625 : {
626 : #ifdef BUILD_AUTOFS
627 : struct ldap_init_ctx *init_ctx;
628 :
629 0 : DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing LDAP autofs handler\n");
630 0 : init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
631 :
632 0 : return sdap_autofs_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
633 : #else
634 : DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is "
635 : "built without autofs support, ignoring\n");
636 : return EOK;
637 : #endif
638 : }
639 :
640 0 : errno_t sssm_ldap_sudo_init(TALLOC_CTX *mem_ctx,
641 : struct be_ctx *be_ctx,
642 : void *module_data,
643 : struct dp_method *dp_methods)
644 : {
645 : #ifdef BUILD_SUDO
646 : struct ldap_init_ctx *init_ctx;
647 :
648 0 : DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing LDAP sudo handler\n");
649 0 : init_ctx = talloc_get_type(module_data, struct ldap_init_ctx);
650 :
651 0 : return sdap_sudo_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods);
652 : #else
653 : DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is "
654 : "built without sudo support, ignoring\n");
655 : return EOK;
656 : #endif
657 : }
|
