don't fetch all host groups if this option is false
https://fedorahosted.org/sssd/ticket/1078

I was also thinking of reducing the number of host groups, but that seemed to 
be redundant, since the number of host groups is usually not that high and the 
complexity of fetching only relevant groups doesn't seem worth it.

Jan
From b8b1a7eee7628c5b2849daafe03a6db912fcb159 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Fri, 4 Nov 2011 13:16:47 -0400
Subject: [PATCH] Add ipa_hbac_support_srchost option to IPA provider

don't fetch all host groups if this option is false
https://fedorahosted.org/sssd/ticket/1078
---
 src/config/SSSDConfig.py                |    1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf |    1 +
 src/man/sssd-ipa.5.xml                  |   12 ++++++++++++
 src/providers/ipa/ipa_access.c          |    4 ++++
 src/providers/ipa/ipa_common.c          |    3 ++-
 src/providers/ipa/ipa_common.h          |    1 +
 src/providers/ipa/ipa_hbac_hosts.c      |   18 +++++++++++++++++-
 src/providers/ipa/ipa_hbac_private.h    |    2 ++
 8 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 87b1d63413cd914401aeccdc6ad2eec12af92a66..b6d1b6f070afd73dd0a32b1c58c6e312255c82fa 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -102,6 +102,7 @@ option_strings = {
     'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
     'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
     'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"),
+    'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"),
 
     # [provider/krb5]
     'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 9ea45285ec93c4afe0ea2210c5a27a68de894b3f..697db819cbb165f1c4febeb2c417607444221bbe 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -106,6 +106,7 @@ krb5_fast_principal = str, None, false
 [provider/ipa/access]
 ipa_hbac_refresh = int, None, false
 ipa_hbac_treat_deny_as = str, None, false
+ipa_hbac_support_srchost = bool, None, false
 
 [provider/ipa/chpass]
 
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 2c1a0ed8c37b4429b1929637807d3cbedcca1d68..105f5c7283f70e3cb6fae978f19d966b02460d75 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -234,6 +234,18 @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>ipa_hbac_support_srchost (boolean)</term>
+                    <listitem>
+                        <para>
+                            If this is set to false, then srchost as given
+                            to SSSD by PAM will be ignored.
+                        </para>
+                        <para>
+                            Default: false
+                        </para>
+                    </listitem>
+                </varlistentry>
 
             </variablelist>
         </para>
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 10f1cb7e6e2685b9dc6ac7f05ae53a37ebce345e..657e1169b6dc9539fbd28f9bae48931f8717875a 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -299,6 +299,10 @@ static int hbac_get_host_info_step(struct hbac_ctx *hbac_ctx)
                                     hbac_ctx_be(hbac_ctx)->domain,
                                     sdap_id_op_handle(hbac_ctx->sdap_op),
                                     hbac_ctx_sdap_id_ctx(hbac_ctx)->opts,
+                                    dp_opt_get_bool(hbac_ctx->ipa_options,
+                                                    IPA_HBAC_SUPPORT_SRCHOST),
+                                    dp_opt_get_string(hbac_ctx->ipa_options,
+                                                      IPA_HOSTNAME),
                                     hbac_ctx->hbac_search_base);
     if (req == NULL) {
         DEBUG(1, ("Could not get host info\n"));
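Review bot: The `req == NULL` check below the new arguments will not catch the case the callee now rejects, because when `ipa_hbac_support_srchost` is false and `IPA_HOSTNAME` is unset the send function takes its `immediate` path with `EINVAL`, which in the usual tevent idiom returns a valid request carrying the error rather than NULL. The completion callback of hbac_get_host_info_step therefore has to treat that EINVAL as a configuration error; a comment at the call site such as `/* EINVAL here means srchost support is off but ipa_hostname is not set */` would point the reader there. hbac_get_host_info_step begins outside the hunk, so I cannot see whether the callback already does this.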
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 8f9d5d77955cb7b01bfac69fc4ba00b136f866f2..e361b276a769160d9d0ff50a47be819a079f641d 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -39,7 +39,8 @@ struct dp_option ipa_basic_opts[] = {
     { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
-    { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }
+    { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING },
+    { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
 };
 
 struct dp_option ipa_def_ldap_opts[] = {
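Review bot: The `BOOL_FALSE` default on the new `ipa_hbac_support_srchost` entry changes behaviour for deployments that upgrade without touching sssd.conf: the host lookup in ipa_hbac_hosts.c goes from the unconditional `(objectClass=%s)` filter to one restricted to `ipa_hostname`, so HBAC rules that match on the PAM source host presumably stop being evaluated. That is a silent change worth stating explicitly in the commit message rather than only implying through "Default: false". The entry also depends on `ipa_basic_opts` staying index-aligned with `enum ipa_basic_opt` in ipa_common.h, which the patch preserves by appending to both; a comment on the array such as `/* order must match enum ipa_basic_opt in ipa_common.h */` would protect the next addition.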
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 40c5e53205285d761a43f6f0a77764006a5d79ca..65749216ca02ab761d057a10195dda28dbedd43a 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -52,6 +52,7 @@ enum ipa_basic_opt {
     IPA_KRB5_REALM,
     IPA_HBAC_REFRESH,
     IPA_HBAC_DENY_METHOD,
+    IPA_HBAC_SUPPORT_SRCHOST,
 
     IPA_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c
index 42a3f5c1b8946341abff1b5a5cafa8a07abfba3c..9725dd6fe98e9ca6761d61c3cb449b6958edfdaa 100644
--- a/src/providers/ipa/ipa_hbac_hosts.c
+++ b/src/providers/ipa/ipa_hbac_hosts.c
@@ -34,6 +34,9 @@ struct ipa_hbac_host_state {
     const char *search_base;
     const char **attrs;
 
+    bool support_srchost;
+    const char *hostname;
+
     /* Return values */
     size_t host_count;
     struct sysdb_attrs **hosts;
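Review bot: `support_srchost` and `hostname` are added to `struct ipa_hbac_host_state` but nothing in this patch reads them back: all 17 insertions the diffstat lists for ipa_hbac_hosts.c are visible in these hunks, and the filter construction uses the function parameters directly. Unless a later step in this file is meant to consult them, the two fields and the assignments `state->support_srchost = support_srchost;` and `state->hostname = hostname;` can be dropped. If they are kept for a follow-up, note that `hostname` is stored by pointer into a request state that outlives this function, so a comment recording that it borrows the caller's option table rather than a copy would help.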
@@ -55,6 +58,8 @@ ipa_hbac_host_info_send(TALLOC_CTX *mem_ctx,
                         struct sss_domain_info *dom,
                         struct sdap_handle *sh,
                         struct sdap_options *opts,
+                        bool support_srchost,
+                        const char *hostname,
                         const char *search_base)
 {
     errno_t ret;
@@ -73,9 +78,20 @@ ipa_hbac_host_info_send(TALLOC_CTX *mem_ctx,
     state->dom = dom;
     state->sh = sh;
     state->opts = opts;
+    state->support_srchost = support_srchost;
+    state->hostname = hostname;
     state->search_base = search_base;
 
-    host_filter = talloc_asprintf(state, "(objectClass=%s)", IPA_HOST);
+    if (support_srchost) {
+        host_filter = talloc_asprintf(state, "(objectClass=%s)", IPA_HOST);
+    } else {
+        if (hostname == NULL) {
+            ret = EINVAL;
+            goto immediate;
+        }
+        host_filter = talloc_asprintf(state, "(&(objectClass=%s)(%s=%s))",
+                                      IPA_HOST, IPA_HOST_FQDN, hostname);
+    }
     if (host_filter == NULL) {
         ret = ENOMEM;
         goto immediate;
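Review bot: `hostname` is spliced verbatim into the LDAP filter on the `talloc_asprintf` call at the end of the hunk, so an `ipa_hostname` value containing filter metacharacters (`*`, `(`, `)`, `\`) produces an invalid or wider-than-intended search; the value is admin-configured, so this is a robustness rather than an injection concern, but passing it through `sss_filter_sanitize()` (if this version of the tree has it) makes the match exact. The `hostname == NULL` branch also returns EINVAL without any DEBUG line, so an admin who disabled srchost support without an `ipa_hostname` gets only a generic failure. The nested `if` can be flattened to `else if`. ipa_hbac_host_info_send continues past the hunk; the `immediate` label and the declaration block are not visible, so the sanitized-name local below needs declaring with the other locals.
```c
    if (support_srchost) {
        host_filter = talloc_asprintf(state, "(objectClass=%s)", IPA_HOST);
    } else if (hostname == NULL) {
        DEBUG(1, ("ipa_hbac_support_srchost is false but ipa_hostname is not set\n"));
        ret = EINVAL;
        goto immediate;
    } else {
        /* clean_hostname is a char * declared alongside host_filter */
        ret = sss_filter_sanitize(state, hostname, &clean_hostname);
        if (ret != EOK) {
            goto immediate;
        }
        host_filter = talloc_asprintf(state, "(&(objectClass=%s)(%s=%s))",
                                      IPA_HOST, IPA_HOST_FQDN, clean_hostname);
    }
    /* … unchanged: host_filter NULL check and the rest of the send path … */
```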
diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
index 32b5d70ce8f648378cfbcb3edb36b958cf17f60f..d3d881bf1adae64943beee755abdbd9e0fc5dea7 100644
--- a/src/providers/ipa/ipa_hbac_private.h
+++ b/src/providers/ipa/ipa_hbac_private.h
@@ -106,6 +106,8 @@ ipa_hbac_host_info_send(TALLOC_CTX *mem_ctx,
                         struct sss_domain_info *dom,
                         struct sdap_handle *sh,
                         struct sdap_options *opts,
+                        bool support_srchost,
+                        const char *hostname,
                         const char *search_base);
 
 errno_t
-- 
1.7.6.4
