Hi, I think it would be nice to include the attached patch in 1.8 beta. The usability improvement in comparison with using autofs_provider=ldap is the support for automounter "locations" in IPA (see ipa help automount).
The user simply configures the autofs responder service to start and then optionally selects a location with the ipa_automounter_location option; there is no need to set search bases by hand. The patch also fixes a copy-and-paste typo in data_provider_be.c.
From 5daae2e1e5acad6b2b5ec5c947d8969918012bf1 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Mon, 6 Feb 2012 13:28:53 +0100 Subject: [PATCH] AUTOFS: IPA provider --- Makefile.am | 3 +- src/config/SSSDConfig.py | 1 + src/config/SSSDConfigTest.py | 4 +- src/config/etc/sssd.api.d/sssd-ipa.conf | 3 + src/config/etc/sssd.api.d/sssd-ldap.conf | 3 + src/man/sssd-ipa.5.xml | 12 +++ src/providers/data_provider_be.c | 2 +- src/providers/ipa/ipa_autofs.c | 62 ++++++++++++++++ src/providers/ipa/ipa_common.c | 116 +++++++++++++++++++++++------- src/providers/ipa/ipa_common.h | 14 ++++ src/providers/ipa/ipa_init.c | 26 ++++++- src/providers/ldap/ldap_common.h | 3 + src/tests/ipa_ldap_opt-tests.c | 2 + 13 files changed, 220 insertions(+), 31 deletions(-) create mode 100644 src/providers/ipa/ipa_autofs.c diff --git a/Makefile.am b/Makefile.am index c0b4c700040b7b4573bb81ecf9dca708e85ae31f..bf50e9f2cb683714d37f671bda00aa7830ea0bfe 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1139,7 +1139,8 @@ libsss_ipa_la_SOURCES += src/providers/ldap/sdap_sudo_cache.c \ endif if BUILD_AUTOFS libsss_ipa_la_SOURCES += src/providers/ldap/sdap_autofs.c \ - src/providers/ldap/sdap_async_autofs.c + src/providers/ldap/sdap_async_autofs.c \ + src/providers/ipa/ipa_autofs.c endif diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index 00ce5b79dfc6943afc2a4a72c6ffc55b7245eb54..5700da049b6392c2140e4de497f31a2821269faa 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -119,6 +119,7 @@ option_strings = { 'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"), 'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"), 'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"), + 'ipa_automounter_location' : _("The automounter location this IPA client is using"), # [provider/krb5] 'krb5_kdcip' : _('Kerberos server address'), 
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 186bf36491e1446076de9ec03c1daab4cd124d35..20143d022f06a2953b5c83767b4b51f43c63b694 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -687,9 +687,9 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): domain = SSSDConfig.SSSDDomain('sssd', self.schema) control_provider_dict = { - 'ipa': ['id', 'auth', 'access', 'chpass'], + 'ipa': ['id', 'auth', 'access', 'chpass', 'autofs' ], 'local': ['id', 'auth', 'chpass'], - 'ldap': ['id', 'auth', 'access', 'chpass', 'sudo'], + 'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'], 'krb5': ['auth', 'access', 'chpass'], 'proxy': ['id', 'auth'], 'simple': ['access'], diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index fae996312041c9e4bc67679403bbab89fe3090b6..32c3e60d5af1ced2da52f2ab0aff324a06ece95e 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -123,5 +123,8 @@ ipa_hbac_refresh = int, None, false ipa_hbac_treat_deny_as = str, None, false ipa_hbac_support_srchost = bool, None, false +[provider/ipa/autofs] +ipa_automounter_location = str, None, false + [provider/ipa/chpass] diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index 57f7688c63df89b78f16aa4e0d0e715d505b9aa1..ab39813e70a3d934634dc8f278441250521950e6 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -128,3 +128,6 @@ ldap_sudorule_runasgroup = str, None, false ldap_sudorule_notbefore = str, None, false ldap_sudorule_notafter = str, None, false ldap_sudorule_order = str, None, false + +[provider/ldap/autofs] + diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 547fee5549fea9d73332a5bafeb40adfd273d1eb..6a67ff7e3a88ab609f04916d086b2febb3326d7b 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml 
@@ -303,6 +303,18 @@ </listitem> </varlistentry> + <varlistentry condition="with_autofs"> + <term>ipa_automounter_location (string)</term> + <listitem> + <para> + The automounter location this IPA client will be using + </para> + <para> + Default: The location named "default" + </para> + </listitem> + </varlistentry> + <varlistentry> <term>ipa_netgroup_member_of (string)</term> <listitem> diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index e7ba98fdf98142b65f5cd1d131076be5990e5b48..e720494333326cd1e6d747133d5e9355352fee44 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -1712,7 +1712,7 @@ int be_process_init(TALLOC_CTX *mem_ctx, be_domain)); } else { DEBUG(SSSDBG_TRACE_ALL, ("Session backend target successfully loaded " - "from provider [%s].\n", ctx->bet_info[BET_SUDO].mod_name)); + "from provider [%s].\n", ctx->bet_info[BET_SESSION].mod_name)); } /* Handle SIGUSR1 to force offline behavior */ diff --git a/src/providers/ipa/ipa_autofs.c b/src/providers/ipa/ipa_autofs.c new file mode 100644 index 0000000000000000000000000000000000000000..f4262590f74de18ca46f9f4494a206f23389cc2a --- /dev/null +++ b/src/providers/ipa/ipa_autofs.c 
@@ -0,0 +1,62 @@
+/*
+ SSSD
+
+ IPA Provider Initialization functions
+
+ Authors:
+ Simo Sorce <[email protected]>
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "util/child_common.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/krb5/krb5_auth.h"
+#include "providers/ipa/ipa_id.h"
+#include "providers/ipa/ipa_auth.h"
+#include "providers/ipa/ipa_access.h"
+#include "providers/ipa/ipa_dyndns.h"
+#include "providers/ipa/ipa_session.h"
+
+struct bet_ops ipa_autofs_ops = {
+ .handler = sdap_autofs_handler,
+ .finalize = NULL,
+ .check_online = sdap_check_online
+};
+
+int ipa_autofs_init(struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing autofs LDAP back end\n"));
+
+ *ops = &ipa_autofs_ops;
+ *pvt_data = id_ctx->sdap_id_ctx;
+
+ DEBUG(0, ("sleeping\n"));
+
+ ret = ipa_get_autofs_options(id_ctx->ipa_options, be_ctx->cdb,
+ be_ctx->conf_path, &id_ctx->sdap_id_ctx->opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get IPA autofs options\n"));
+ return ret;
+ }
+
+ return ret;
+}
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 615cdcaa194a24c244455bcab72cc310f50f4e20..d4d22f05352948e086d6f35c31a1d3def176a683 100644
--- a/src/providers/ipa/ipa_common.c
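Review bot: `DEBUG(0, ("sleeping\n"));` in ipa_autofs_init is leftover debugging output: level 0 is the most severe level, so the line prints on every start of the autofs target and the message describes nothing the function does; drop it. The out-parameters `*ops` and `*pvt_data` are also assigned before `ipa_get_autofs_options()` runs, so when that call fails the caller is already holding the autofs ops and an sdap context whose autofs options were never populated; moving the two assignments below the `if (ret != EOK)` block keeps a failed init from leaving half-initialised state behind. The file header (`IPA Provider Initialization functions`, `Authors: Simo Sorce`, `Copyright (C) 2009`) reads as copied from another provider file and does not describe this one; a one-line `IPA Provider: autofs back end target` with the actual author and year would be accurate. Nothing visible in the file uses child_common.h, krb5_auth.h, ipa_dyndns.h or ipa_session.h, so those includes appear to have been copied along with the header.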
+++ b/src/providers/ipa/ipa_common.c @@ -31,6 +31,7 @@ #include "providers/ldap/sdap_async_private.h" #include "util/sss_krb5.h" #include "db/sysdb_services.h" +#include "db/sysdb_autofs.h" struct dp_option ipa_basic_opts[] = { { "ipa_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, @@ -44,7 +45,8 @@ struct dp_option ipa_basic_opts[] = { { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }, - { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE } + { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ipa_automounter_location", DP_OPT_STRING, { "default" }, NULL_STRING } }; struct dp_option ipa_def_ldap_opts[] = { @@ -223,6 +225,17 @@ struct sdap_attr_map ipa_service_map[] = { { "ldap_service_entry_usn", NULL, SYSDB_USN, NULL } }; +struct sdap_attr_map ipa_autofs_mobject_map[] = { + { "ldap_autofs_map_object_class", "automountMap", SYSDB_AUTOFS_MAP_OC, NULL }, + { "ldap_autofs_map_name", "automountMapName", SYSDB_AUTOFS_MAP_NAME, NULL } +}; + +struct sdap_attr_map ipa_autofs_entry_map[] = { + { "ldap_autofs_entry_object_class", "automount", SYSDB_AUTOFS_ENTRY_OC, NULL }, + { "ldap_autofs_entry_key", "automountKey", SYSDB_AUTOFS_ENTRY_KEY, NULL }, + { "ldap_autofs_entry_value", "automountInformation", SYSDB_AUTOFS_ENTRY_VALUE, NULL }, +}; + int ipa_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, const char *conf_path, 
@@ -495,30 +508,6 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, if (ret != EOK) goto done; if (NULL == dp_opt_get_string(ipa_opts->id->basic, - SDAP_AUTOFS_SEARCH_BASE)) { - value = talloc_asprintf(tmpctx, "cn=default,cn=automount,%s", basedn); - if (!value) { - ret = ENOMEM; - goto done; - } - - ret = dp_opt_set_string(ipa_opts->id->basic, - SDAP_AUTOFS_SEARCH_BASE, - value); - if (ret != EOK) { - goto done; - } - - DEBUG(SSSDBG_TRACE_LIBS, ("Option %s set to %s\n", - ipa_opts->id->basic[SDAP_AUTOFS_SEARCH_BASE].opt_name, - dp_opt_get_string(ipa_opts->id->basic, - SDAP_AUTOFS_SEARCH_BASE))); - } - ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic, - SDAP_AUTOFS_SEARCH_BASE, - &ipa_opts->id->autofs_search_bases); - - if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_SUDO_SEARCH_BASE)) { #if 0 ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_SUDO_SEARCH_BASE, 
@@ -1022,3 +1011,80 @@ done:
 return ret;
 }
 
+int ipa_get_autofs_options(struct ipa_options *ipa_opts,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct sdap_options **_opts)
+{
+ TALLOC_CTX *tmp_ctx;
+ char *basedn;
+ char *autofs_base;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = domain_to_basedn(tmp_ctx,
+ dp_opt_get_string(ipa_opts->basic, IPA_KRB5_REALM),
+ &basedn);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (NULL == dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_AUTOFS_SEARCH_BASE)) {
+
+ autofs_base = talloc_asprintf(tmp_ctx, "cn=%s,cn=automount,%s",
+ dp_opt_get_string(ipa_opts->basic,
+ IPA_AUTOMOUNT_LOCATION),
+ basedn);
+ if (!autofs_base) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = dp_opt_set_string(ipa_opts->id->basic,
+ SDAP_AUTOFS_SEARCH_BASE,
+ autofs_base);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, ("Option %s set to %s\n",
+ ipa_opts->id->basic[SDAP_AUTOFS_SEARCH_BASE].opt_name,
+ dp_opt_get_string(ipa_opts->id->basic,
+ SDAP_AUTOFS_SEARCH_BASE)));
+ }
+
+ ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic,
+ SDAP_AUTOFS_SEARCH_BASE,
+ &ipa_opts->id->autofs_search_bases);
+
+ ret = sdap_get_map(ipa_opts->id, cdb, conf_path,
+ ipa_autofs_mobject_map,
+ SDAP_OPTS_AUTOFS_MAP,
+ &ipa_opts->id->autofs_mobject_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Could not get autofs map object attribute map\n"));
+ return ret;
+ }
+
+ ret = sdap_get_map(ipa_opts->id, cdb, conf_path,
+ ipa_autofs_entry_map,
+ SDAP_OPTS_AUTOFS_ENTRY,
+ &ipa_opts->id->autofs_entry_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Could not get autofs entry object attribute map\n"));
+ return ret;
+ }
+
+ *_opts = ipa_opts->id;
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 3c32b178348f4bd613ae8627f26e1a2a080eba2d..681ac1b6aac0cac831710c575be6062c5f0bd77f 100644
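Review bot: `ipa_get_autofs_options` leaks `tmp_ctx` on both `sdap_get_map()` failure paths, because each uses `return ret;` instead of `goto done;` and so skips the `talloc_free(tmp_ctx)` after the label; change both to `goto done;`. The result of `sdap_parse_search_base()` is stored in `ret` but never tested, so a search base that fails to parse is silently overwritten by the next `sdap_get_map()` result; add `if (ret != EOK) goto done;` directly after that call, as the earlier calls in the same function already do. One caveat worth a comment: the location name is formatted straight into the DN with `"cn=%s,cn=automount,%s"` without DN escaping, so a value containing `,`, `+` or `=` produces a malformed search base; since ipa_automounter_location comes from sssd.conf this is a configuration error rather than an injection, but a line such as `/* location is used verbatim as an RDN value; no DN escaping is applied */` would tell the next reader not to pass arbitrary strings here.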
--- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -39,6 +39,9 @@ struct ipa_service { #define IPA_OPTS_SVC_TEST 5 +#define IPA_OPTS_AUTOMNTMAP_TEST 2 +#define IPA_OPTS_AUTOMNTENTRY_TEST 3 + /* the following define is used to keep track of the options in the krb5 * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ @@ -57,6 +60,7 @@ enum ipa_basic_opt { IPA_HBAC_REFRESH, IPA_HBAC_DENY_METHOD, IPA_HBAC_SUPPORT_SRCHOST, + IPA_AUTOMOUNT_LOCATION, IPA_OPTS_BASIC /* opts counter */ }; @@ -147,6 +151,16 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts, const char *conf_path, struct dp_option **_opts); +int ipa_get_autofs_options(struct ipa_options *ipa_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct sdap_options **_opts); + +int ipa_autofs_init(struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct bet_ops **ops, + void **pvt_data); + int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *servers, struct ipa_options *options, diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index 0484200cd550ada4a4e519e7973a654811a420dd..1f9bc0a7a68172cdc71650ea45335591da394212 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -172,8 +172,6 @@ int sssm_ipa_id_init(struct be_ctx *bectx, } } - - ret = setup_tls_config(sdap_ctx->opts->basic); if (ret != EOK) { DEBUG(1, ("setup_tls_config failed [%d][%s].\n", 
@@ -435,3 +433,27 @@ done:
 }
 return ret;
 }
+
+int sssm_ipa_autofs_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+#ifdef BUILD_AUTOFS
+ struct ipa_id_ctx *id_ctx;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing IPA autofs handler\n"));
+
+ ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ipa_id_init failed.\n"));
+ return ret;
+ }
+
+ return ipa_autofs_init(bectx, id_ctx, ops, pvt_data);
+#else
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Autofs init handler called but SSSD is "
+ "built without autofs support, ignoring\n"));
+ return EOK;
+#endif
+}
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index c377bcb678ed4814329e4526317feed36d462f16..c912576347b3c95d27ebc613b95947a7a1fd364a 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -89,6 +89,9 @@ void sdap_pam_chpass_handler(struct be_req *breq); /* access */ void sdap_pam_access_handler(struct be_req *breq); +/* autofs */ +void sdap_autofs_handler(struct be_req *breq); + void sdap_handler_done(struct be_req *req, int dp_err, int error, const char *errstr);
diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
index 121a0610b66e70732ff983c1769c1d71845fcf3c..2497c97c2b824d4d775805e1f630ca56a687c6b9 100644
--- a/src/tests/ipa_ldap_opt-tests.c
+++ b/src/tests/ipa_ldap_opt-tests.c
@@ -78,6 +78,8 @@ START_TEST(test_check_num_opts) { fail_if(IPA_OPTS_BASIC_TEST != SDAP_OPTS_BASIC); fail_if(IPA_OPTS_SVC_TEST != SDAP_OPTS_SERVICES); + fail_if(IPA_OPTS_AUTOMNTMAP_TEST != SDAP_OPTS_AUTOFS_MAP); + fail_if(IPA_OPTS_AUTOMNTENTRY_TEST != SDAP_OPTS_AUTOFS_ENTRY); fail_if(IPA_KRB5_OPTS_TEST != KRB5_OPTS); } END_TEST
-- 
1.7.7.6
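Review bot: In the `#else` branch `sssm_ipa_autofs_init` returns EOK while leaving `*ops` and `*pvt_data` untouched, so the caller cannot distinguish a build without autofs from a successful load unless it treats a NULL `*ops` as "no target"; be_process_init is not in this hunk, so I cannot confirm which it does, but either returning an explicit error there or adding `/* caller must treat a NULL *ops as "target not provided" */` would make the contract visible. The BUILD_AUTOFS branch calls `sssm_ipa_id_init()` a second time after the id provider has presumably already run it; whether that returns the existing id context or builds a fresh one decides whether the autofs target shares the id provider's sdap connection and options, and that function is outside the hunk, so a comment such as `/* reuses the id_ctx created by the id provider; see sssm_ipa_id_init */` would record the assumption for the next reader.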
