On Mon, Jul 15, 2013 at 08:30:03PM +0300, Alexander Bokovoy wrote:
> Hi!
> 
> Attached please find two patches against slapi-nis 0.47 to serve trusted
> domain users and groups to old clients. FreeIPA master needs to be
> enabled with this, see my patch 0108 (on freeipa-devel@).
> 
> The patches add both lookup and PAM-based authentication bind for the
> users returned by SSSD lookup.
> 
> Here is the logic:
> 
> 0. Configuration is performed by setting
> 
>    schema-compat-lookup-sssd: <user|group>
>    schema-compat-sssd-min-id: <value>
> 
> in the corresponding schema-compat plugin tree (cn=users and cn=groups).
> 
> If schema-compat-sssd-min-id is not set, it will default to 1000. It is
> used to filter out attempts to fetch system users (<1000 on Fedora by
> default).
> 
> 1. On query, we parse the query filter to identify what type of request this
> is (user or group lookup) and then issue getpwnam_r()/getgrnam_r() and
> getsidbyid() for libsss_nss_idmap to fetch all needed information.
> 
> SSSD caches these requests, so they should be relatively fast.
> 
> 2. Once we have served the request, it is cached in the schema-compat cache map.
> The entry in the cache is currently not expired explicitly but I'm
> working on expiring it on wrong authentication -- if PAM stack returns a
> response telling there is no such user.
> 
> 3. Authentication bind for cached entries is done via PAM service
> 'system-auth'. If HBAC rule 'allow_all' is disabled in FreeIPA, one
> needs to create a rule with service 'system-auth' and allow all users to
> access it on IPA masters. Since system-auth is never used explicitly by
> any application (it is always included through PAM stack and only
> top-level PAM service is used to drive the HBAC ruleset), there is no
> problem.
> 
> PAM authentication code is taken from the pam_passthru DS plugin. We cannot
> use it unchanged because pam_passthru expects that the LDAP entry will exist
> in DS, which is not true for these synthetic entries representing
> trusted domain users.
> 
> On Fedora one needs pam-devel and libsss_nss_idmap-devel to build the
> plugin with new functionality.
> 
> -- 
> / Alexander Bokovoy

Hi,

so far I've only built the code, testing is next. So far I have some
comments about the first patch, see inline:

> From d3433f2033015724fc6580c00d89627afbc06c1d Mon Sep 17 00:00:00 2001
> From: Alexander Bokovoy <aboko...@redhat.com>
> Date: Mon, 15 Jul 2013 14:18:52 +0300
> Subject: [PATCH 1/2] configure: add configure checks for sss_idmap and define
>  attribute to lookup sssd
> 
> If schema compat plugin configuration has 'schema-compat-lookup-sssd: user|group'
> then schema compat plugin will perform lookups of users/groups that were not found
> in the main store using getpwnam_r()/getgrnam_r() and libsss_idmap library.
> 
> This is a special case to support legacy clients. Schema compat plugin in this
> case is assumed to be running on FreeIPA master configured with trusts against
> Active Directory and SSSD configured as ipa_server_mode = True.
> 
> Additionally, such entries are added to schema compat plugin's map cache and can
> be used for authentication purposes. They will use PAM authentication pass-through
> to system-auth service.
> ---
>  configure.ac    | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
>  src/Makefile.am |  6 ++++++
>  2 files changed, 54 insertions(+)
> 
> diff --git a/configure.ac b/configure.ac
> index 8d7cbe1..4a47d36 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -309,6 +309,47 @@ AC_SUBST(ASYNCNS_CFLAGS)
>  AC_SUBST(ASYNCNS_LIBS)
>  fi
>  
> +AC_ARG_WITH(sss_nss_idmap,
> +         AS_HELP_STRING([--with-sss-nss-idmap], [use libsss_nss_idmap]),
> +         use_sss_nss_idmap=$withval,use_sss_nss_idmap=AUTO)
> +if pkg-config sss_nss_idmap 2> /dev/null ; then
> +         if test x$use_sss_nss_idmap != xno ; then
> +             AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have 
> libsss_nss_idmap.])
> +             PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
> +         else
> +             SSS_NSS_IDMAP_CFLAGS=
> +             SSS_NSS_IDMAP_LIBS=
> +         fi
> +else
> +     if test $use_sss_idmap = yes ; then
> +             PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
> +     else
> +             SSS_NSS_IDMAP_CFLAGS=
> +             SSS_NSS_IDMAP_LIBS=
> +     fi
> +fi
> +AM_CONDITIONAL([SSS_NSS_IDMAP], [test x$SSS_NSS_IDMAP_LIBS != x])
> +AC_SUBST(SSS_NSS_IDMAP_CFLAGS)
> +AC_SUBST(SSS_NSS_IDMAP_LIBS)
> +
> +if x$SSS_NSS_IDMAP_LIBS != x ; then

I think you should use test or square brackets here, otherwise I'm
seeing:

checking for SSS_NSS_IDMAP... yes
./configure: line 12952: x-lsss_nss_idmap: command not found

> +     AC_CHECK_HEADERS(pam.h)

I don't see any pam.h in pam-devel RPM. In SSSD we look for
security/pam_appl.h

> +     if test x$ac_cv_header_pam_h = xno ; then
> +             use_pam=yes
> +     else
> +             use_pam=no
> +     fi
> +
> +     if test $use_pam = yes ; then
> +             PAM_CFLAGS=
> +             PAM_LIBS=-lpam
> +     else
> +             AC_ERROR([<pam.h> not found and it is required for SSSD mode])
> +     fi
> +     AC_SUBST(PAM_CFLAGS)
> +     AC_SUBST(PAM_LIBS)
> +fi
> +
>  mylibdir=`eval echo "$libdir" | sed "s,NONE,${ac_default_prefix},g"`
>  mylibdir=`eval echo "$mylibdir" | sed "s,NONE,${ac_prefix},g"`
>  case "$server" in
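Review bot: the PAM header test in this hunk is inverted: `if test x$ac_cv_header_pam_h = xno ; then` sets `use_pam=yes`, so a missing header silently links `-lpam` while a present one aborts in the else branch; swap the branches (or test for `= xyes`), and if the check moves to security/pam_appl.h as suggested above, the cache variable becomes `ac_cv_header_security_pam_appl_h`. In the same hunk, the fallback branch reads `if test $use_sss_idmap = yes ; then`, but AC_ARG_WITH stores the option in `use_sss_nss_idmap`, so the variable is empty and `test` fails with a syntax error whenever pkg-config does not know sss_nss_idmap. Quote the libs variable in `AM_CONDITIONAL([SSS_NSS_IDMAP], [test x$SSS_NSS_IDMAP_LIBS != x])` as `"x$SSS_NSS_IDMAP_LIBS"`, since it may expand to more than one word, and replace the obsolete AC_ERROR with AC_MSG_ERROR.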
> @@ -401,6 +442,13 @@ 
> AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_RDN_ATTR,"$rdnattr",
>  attrattr=schema-compat-entry-attribute
>  AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_ATTR_ATTR,"$attrattr",
>                  [Define to name of the attribute which is used to specify 
> attributes to be used when constructing entries.])
> +sssdattr=schema-compat-lookup-sssd
> +AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_SSSD_ATTR,"$sssdattr",
> +                [Define to name of the attribute which dictates whether or 
> not SSSD on FreeIPA master is consulted about trusted domains' users.])
> +sssdminidattr=schema-compat-sssd-min-id
> +AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_SSSD_MIN_ID_ATTR,"$sssdminidattr",
> +                [Define to name of the attribute which is used to define 
> lower bound of IDs (uid or gid) looked up through sssd. Everything below is 
> not considered belonging to trusted domains.])
> +
>  
>  maxvalue_attr=nis-max-value-size
>  AC_DEFINE_UNQUOTED(NIS_PLUGIN_CONFIGURATION_MAXVALUE_ATTR,"$maxvalue_attr",
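Review bot: nit: the trailing `+` blank line after the SSSD_MIN_ID define, followed by the existing blank context line, leaves two consecutive empty lines before `maxvalue_attr=`; drop one. The description for SCH_CONTAINER_CONFIGURATION_SSSD_MIN_ID_ATTR could also mention the default of 1000 described in the cover letter, so that the behaviour when the attribute is absent is documented next to its definition.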
> diff --git a/src/Makefile.am b/src/Makefile.am
> index 6c8666b..59b6948 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -51,6 +51,7 @@ nisserver_plugin_la_LIBADD = $(LDAP_LIBS) $(RUNTIME_LIBS) 
> $(TIRPC_LIBS) $(LIBWRA
>  
>  schemacompat_plugin_la_SOURCES = \
>       back-sch.c \
> +     back-sch.h \

This file is only added in the second patch, so maybe the whole
Makefile.am hunk should be moved there.

>       backend.h \
>       back-shr.c \
>       back-shr.h \
> @@ -64,6 +65,11 @@ schemacompat_plugin_la_SOURCES = \
>       wrap.h
>  schemacompat_plugin_la_LIBADD = $(LDAP_LIBS) $(RUNTIME_LIBS) $(LIBPTHREAD) 
> $(CONFIGURED_LINK_FLAGS)
>  
> +if SSS_NSS_IDMAP
> +schemacompat_plugin_la_SOURCES += back-sch-sssd.c back-sch-pam.c
> +schemacompat_plugin_la_LIBADD += $(SSS_NSS_IDMAP_LIBS) $(PAM_LIBS)
> +endif
> +
>  noinst_LTLIBRARIES = dummy-nis-plugin.la
>  dummy_nis_plugin_la_SOURCES = \
>       disp-nis.c \
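Review bot: only the link line is extended inside `if SSS_NSS_IDMAP`: `schemacompat_plugin_la_LIBADD += $(SSS_NSS_IDMAP_LIBS) $(PAM_LIBS)`, while SSS_NSS_IDMAP_CFLAGS and PAM_CFLAGS, which configure.ac substitutes in the first file, are never added to the compile flags, so headers installed outside the default include path will not be found; add them to the plugin's CFLAGS or CPPFLAGS variable in the same conditional. As noted above for back-sch.h, back-sch-sssd.c and back-sch-pam.c do not exist in this patch either, so with SSS_NSS_IDMAP enabled patch 1 alone does not build; moving this hunk to the second patch keeps each commit buildable on its own.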
> -- 
> 1.8.3.1
> 

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
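As an added illustration of steps 0 and 1 of the cover letter (example code, not from slapi-nis or the patches), the reentrant NSS lookup with the schema-compat-sssd-min-id cut-off in C. The `lookup_trusted_id` function, its enums and the SSSD_MIN_ID_DEFAULT constant are this example's own, and it assumes the caller has already classified the LDAP filter as a user or a group request.

```c
/* Added example, not slapi-nis code: resolve a name through the NSS stack
 * (behind which SSSD sits on an IPA master) and apply the
 * schema-compat-sssd-min-id cut-off so that local system accounts are
 * never served as trusted-domain entries. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define SSSD_MIN_ID_DEFAULT 1000   /* default named in the cover letter */

enum lookup_kind { LOOKUP_USER, LOOKUP_GROUP };
enum lookup_result { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_BELOW_MIN_ID, LOOKUP_ERROR };

/* min_id == 0 means the attribute is not set, so the default applies.
 * On LOOKUP_FOUND and LOOKUP_BELOW_MIN_ID *out holds the resolved id. */
enum lookup_result
lookup_trusted_id(enum lookup_kind kind, const char *name, id_t min_id, id_t *out)
{
    long hint = sysconf(kind == LOOKUP_USER ? _SC_GETPW_R_SIZE_MAX
                                            : _SC_GETGR_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;
    char *buf = NULL;

    if (min_id == 0)
        min_id = SSSD_MIN_ID_DEFAULT;

    for (;;) {
        int rc, found = 0;
        char *nbuf = realloc(buf, len);
        if (nbuf == NULL) { free(buf); return LOOKUP_ERROR; }
        buf = nbuf;

        if (kind == LOOKUP_USER) {
            struct passwd pw, *res = NULL;
            rc = getpwnam_r(name, &pw, buf, len, &res);
            if (rc == 0 && res != NULL) { *out = pw.pw_uid; found = 1; }
        } else {
            struct group gr, *res = NULL;
            rc = getgrnam_r(name, &gr, buf, len, &res);
            if (rc == 0 && res != NULL) { *out = gr.gr_gid; found = 1; }
        }
        if (rc == ERANGE) { len *= 2; continue; }  /* entry larger than buf: grow, retry */
        free(buf);
        if (rc != 0 && rc != ENOENT && rc != ESRCH)
            return LOOKUP_ERROR;        /* backend failure, not "no such entry" */
        if (!found)
            return LOOKUP_NOT_FOUND;
        return *out >= min_id ? LOOKUP_FOUND : LOOKUP_BELOW_MIN_ID;
    }
}
```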
