On Mon, Feb 06, 2012 at 08:16:45PM +0100, Jan Zeleny wrote:
> Jakub Hrozek <[email protected]> wrote:
> > On Mon, Feb 06, 2012 at 07:37:45PM +0100, Jan Zeleny wrote:
> > > Jakub Hrozek <[email protected]> wrote:
> > > > Hi,
> > > > 
> > > > I think it would be nice to include the attached patch in 1.8 beta. The
> > > > usability improvement in comparison with using autofs_provider=ldap is
> > > > the support for automounter "locations" in IPA (see ipa help
> > > > automount).
> > > > 
> > > > The user would simply configure the autofs responder service to start
> > > > and then optionally select his location using the
> > > > ipa_automounter_location option. No need to fiddle with search bases
> > > > manually.
> > > > 
> > > > The patch also fixes a copy-paste typo in data_provider_be.c
> > > 
> > > Ack,
> > > just one small note: I think the option would better be called
> > > ipa_automount_location.
> > > 
> > > Thanks
> > > Jan
> > 
> > I agree, this plays nicer with the ipa command that is called automount,
> > too, not autofs.
> > 
> > New patch is attached.
> 
> Ack
> 
> Jan

Attached is a patch rebased on top of the SSH patches.
From 873872cf5e18573375e7f3a16dd846e915dbed85 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <[email protected]>
Date: Mon, 6 Feb 2012 13:28:53 +0100
Subject: [PATCH] AUTOFS: IPA provider

---
 Makefile.am                              |    3 +-
 src/config/SSSDConfig.py                 |    1 +
 src/config/SSSDConfigTest.py             |    4 +-
 src/config/etc/sssd.api.d/sssd-ipa.conf  |    3 +
 src/config/etc/sssd.api.d/sssd-ldap.conf |    3 +
 src/man/sssd-ipa.5.xml                   |   12 +++
 src/providers/data_provider_be.c         |    2 +-
 src/providers/ipa/ipa_autofs.c           |   62 ++++++++++++++++
 src/providers/ipa/ipa_common.c           |  116 +++++++++++++++++++++++-------
 src/providers/ipa/ipa_common.h           |   14 ++++
 src/providers/ipa/ipa_init.c             |   26 ++++++-
 src/providers/ldap/ldap_common.h         |    3 +
 src/tests/ipa_ldap_opt-tests.c           |    2 +
 13 files changed, 220 insertions(+), 31 deletions(-)
 create mode 100644 src/providers/ipa/ipa_autofs.c

diff --git a/Makefile.am b/Makefile.am
index 
85d9904205d420983fdfe8d34ba9e82d49307c6d..c0af34c760951879c239a5bfa440514dca936920
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1187,7 +1187,8 @@ libsss_ipa_la_SOURCES += 
src/providers/ldap/sdap_sudo_cache.c \
 endif
 if BUILD_AUTOFS
 libsss_ipa_la_SOURCES += src/providers/ldap/sdap_autofs.c \
-                         src/providers/ldap/sdap_async_autofs.c
+                         src/providers/ldap/sdap_async_autofs.c \
+                         src/providers/ipa/ipa_autofs.c
 endif
 if BUILD_SSH
 libsss_ipa_la_SOURCES += src/providers/ipa/ipa_hostid.c
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 
50cc4e295b3a5b77b6d6ea47666d9d666ac997b2..9fbe67429e55491d26731b7e1967fe02cb3b125d
 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -120,6 +120,7 @@ option_strings = {
     'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC 
rules against the IPA server"),
     'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL 
or IGNORE"),
     'ipa_hbac_support_srchost' : _("If set to false, host argument given by 
PAM will be ignored"),
+    'ipa_automount_location' : _("The automounter location this IPA client is 
using"),
 
     # [provider/krb5]
     'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 
bfc89a122b3128d522dfb8e4ffc8dc1cc300bf57..5bad40edbf36066100e15a7e7e96560c8e15f8fc
 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -688,9 +688,9 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
         domain = SSSDConfig.SSSDDomain('sssd', self.schema)
 
         control_provider_dict = {
-            'ipa': ['id', 'auth', 'access', 'chpass'],
+            'ipa': ['id', 'auth', 'access', 'chpass', 'autofs' ],
             'local': ['id', 'auth', 'chpass'],
-            'ldap': ['id', 'auth', 'access', 'chpass', 'sudo'],
+            'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],
             'krb5': ['auth', 'access', 'chpass'],
             'proxy': ['id', 'auth'],
             'simple': ['access'],
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf 
b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 
88c33f8b33451006401af5c219d58633e47cdc8d..3e3384d942ebc2e750816a0086d0dffa552bd184
 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -125,5 +125,8 @@ ipa_hbac_refresh = int, None, false
 ipa_hbac_treat_deny_as = str, None, false
 ipa_hbac_support_srchost = bool, None, false
 
+[provider/ipa/autofs]
+ipa_automount_location = str, None, false
+
 [provider/ipa/chpass]
 
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf 
b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 
4fa7ed0bae7da52633104a7c2ee6cddf42cd5e8e..0a5b7f1f3df92739798fbb7e1a8781d992a3ae52
 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -129,3 +129,6 @@ ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
 ldap_sudorule_notafter = str, None, false
 ldap_sudorule_order = str, None, false
+
+[provider/ldap/autofs]
+
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 
bddd3db1d97a74b535f2bd22dded737f6505feb3..b5bd2816d199f2898c99f061e8343a20c84f439c
 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -303,6 +303,18 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry condition="with_autofs">
+                    <term>ipa_automount_location (string)</term>
+                    <listitem>
+                        <para>
+                            The automounter location this IPA client will be 
using
+                        </para>
+                        <para>
+                            Default: The location named "default"
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>ipa_netgroup_member_of (string)</term>
                     <listitem>
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 
a48ba107e8f3c6e74eb27e0d413eae8bcd93ba27..992ab3103b96d41cae710988eb22de1a1fb3da2a
 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -1893,7 +1893,7 @@ int be_process_init(TALLOC_CTX *mem_ctx,
                   be_domain));
     } else {
         DEBUG(SSSDBG_TRACE_ALL, ("Session backend target successfully loaded "
-                  "from provider [%s].\n", ctx->bet_info[BET_SUDO].mod_name));
+                  "from provider [%s].\n", 
ctx->bet_info[BET_SESSION].mod_name));
     }
 
     ret = load_backend_module(ctx, BET_HOSTID,
diff --git a/src/providers/ipa/ipa_autofs.c b/src/providers/ipa/ipa_autofs.c
new file mode 100644
index 
0000000000000000000000000000000000000000..f4262590f74de18ca46f9f4494a206f23389cc2a
--- /dev/null
+++ b/src/providers/ipa/ipa_autofs.c
@@ -0,0 +1,62 @@
+/*
+    SSSD
+
+    IPA Provider Initialization functions
+
+    Authors:
+        Simo Sorce <[email protected]>
+
+    Copyright (C) 2009 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "util/child_common.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/krb5/krb5_auth.h"
+#include "providers/ipa/ipa_id.h"
+#include "providers/ipa/ipa_auth.h"
+#include "providers/ipa/ipa_access.h"
+#include "providers/ipa/ipa_dyndns.h"
+#include "providers/ipa/ipa_session.h"
+
+struct bet_ops ipa_autofs_ops = {
+    .handler = sdap_autofs_handler,
+    .finalize = NULL,
+    .check_online = sdap_check_online
+};
+
+int ipa_autofs_init(struct be_ctx *be_ctx,
+                    struct ipa_id_ctx *id_ctx,
+                    struct bet_ops **ops,
+                    void **pvt_data)
+{
+    int ret;
+
+    DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing autofs LDAP back end\n"));
+
+    *ops = &ipa_autofs_ops;
+    *pvt_data = id_ctx->sdap_id_ctx;
+
+    DEBUG(0, ("sleeping\n"));
+
+    ret = ipa_get_autofs_options(id_ctx->ipa_options, be_ctx->cdb,
+                                 be_ctx->conf_path, 
&id_ctx->sdap_id_ctx->opts);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot get IPA autofs options\n"));
+        return ret;
+    }
+
+    return ret;
+}
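Review bot: The `DEBUG(0, ("sleeping\n"));` call in ipa_autofs_init looks like a leftover from debugging and should be dropped. Nothing sleeps at that point, and level 0 is the most severe debug level, so the message would reach the log on every provider start-up. The trace text `"Initializing autofs LDAP back end\n"` and the file header (`IPA Provider Initialization functions`, the 2009 copyright and the author line) also appear to be copied from another file. I would change the trace to `"Initializing IPA autofs back end\n"` and have the header describe the IPA autofs provider. Several includes (krb5_auth.h, ipa_auth.h, ipa_access.h, ipa_dyndns.h, ipa_session.h) do not seem to be used by anything in this file and could be removed.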
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 
3620c35de7bb3b02f3c3fd454adaba3b9da02253..4fd4483625acf6f9b78dc513beb3db2a710f4469
 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -31,6 +31,7 @@
 #include "providers/ldap/sdap_async_private.h"
 #include "util/sss_krb5.h"
 #include "db/sysdb_services.h"
+#include "db/sysdb_autofs.h"
 
 struct dp_option ipa_basic_opts[] = {
     { "ipa_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -44,7 +45,8 @@ struct dp_option ipa_basic_opts[] = {
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
     { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING },
-    { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+    { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "ipa_automount_location", DP_OPT_STRING, { "default" }, NULL_STRING }
 };
 
 struct dp_option ipa_def_ldap_opts[] = {
@@ -225,6 +227,17 @@ struct sdap_attr_map ipa_service_map[] = {
     { "ldap_service_entry_usn", NULL, SYSDB_USN, NULL }
 };
 
+struct sdap_attr_map ipa_autofs_mobject_map[] = {
+    { "ldap_autofs_map_object_class", "automountMap", SYSDB_AUTOFS_MAP_OC, 
NULL },
+    { "ldap_autofs_map_name", "automountMapName", SYSDB_AUTOFS_MAP_NAME, NULL }
+};
+
+struct sdap_attr_map ipa_autofs_entry_map[] = {
+    { "ldap_autofs_entry_object_class", "automount", SYSDB_AUTOFS_ENTRY_OC, 
NULL },
+    { "ldap_autofs_entry_key", "automountKey", SYSDB_AUTOFS_ENTRY_KEY, NULL },
+    { "ldap_autofs_entry_value", "automountInformation", 
SYSDB_AUTOFS_ENTRY_VALUE, NULL },
+};
+
 int ipa_get_options(TALLOC_CTX *memctx,
                     struct confdb_ctx *cdb,
                     const char *conf_path,
@@ -497,30 +510,6 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
     if (ret != EOK) goto done;
 
     if (NULL == dp_opt_get_string(ipa_opts->id->basic,
-                                  SDAP_AUTOFS_SEARCH_BASE)) {
-        value = talloc_asprintf(tmpctx, "cn=default,cn=automount,%s", basedn);
-        if (!value) {
-            ret = ENOMEM;
-            goto done;
-        }
-
-        ret = dp_opt_set_string(ipa_opts->id->basic,
-                                SDAP_AUTOFS_SEARCH_BASE,
-                                value);
-        if (ret != EOK) {
-            goto done;
-        }
-
-        DEBUG(SSSDBG_TRACE_LIBS, ("Option %s set to %s\n",
-              ipa_opts->id->basic[SDAP_AUTOFS_SEARCH_BASE].opt_name,
-              dp_opt_get_string(ipa_opts->id->basic,
-                                SDAP_AUTOFS_SEARCH_BASE)));
-    }
-    ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic,
-                                 SDAP_AUTOFS_SEARCH_BASE,
-                                 &ipa_opts->id->autofs_search_bases);
-
-    if (NULL == dp_opt_get_string(ipa_opts->id->basic,
                                   SDAP_SUDO_SEARCH_BASE)) {
 #if 0
         ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_SUDO_SEARCH_BASE,
@@ -1024,3 +1013,80 @@ done:
     return ret;
 }
 
+int ipa_get_autofs_options(struct ipa_options *ipa_opts,
+                           struct confdb_ctx *cdb,
+                           const char *conf_path,
+                           struct sdap_options **_opts)
+{
+    TALLOC_CTX *tmp_ctx;
+    char *basedn;
+    char *autofs_base;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (!tmp_ctx) {
+        return ENOMEM;
+    }
+
+    ret = domain_to_basedn(tmp_ctx,
+                           dp_opt_get_string(ipa_opts->basic, IPA_KRB5_REALM),
+                           &basedn);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    if (NULL == dp_opt_get_string(ipa_opts->id->basic,
+                                  SDAP_AUTOFS_SEARCH_BASE)) {
+
+        autofs_base = talloc_asprintf(tmp_ctx, "cn=%s,cn=automount,%s",
+                                dp_opt_get_string(ipa_opts->basic,
+                                                  IPA_AUTOMOUNT_LOCATION),
+                                basedn);
+        if (!autofs_base) {
+            ret = ENOMEM;
+            goto done;
+        }
+
+        ret = dp_opt_set_string(ipa_opts->id->basic,
+                                SDAP_AUTOFS_SEARCH_BASE,
+                                autofs_base);
+        if (ret != EOK) {
+            goto done;
+        }
+
+        DEBUG(SSSDBG_TRACE_LIBS, ("Option %s set to %s\n",
+              ipa_opts->id->basic[SDAP_AUTOFS_SEARCH_BASE].opt_name,
+              dp_opt_get_string(ipa_opts->id->basic,
+                                SDAP_AUTOFS_SEARCH_BASE)));
+    }
+
+    ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic,
+                                 SDAP_AUTOFS_SEARCH_BASE,
+                                 &ipa_opts->id->autofs_search_bases);
+
+    ret = sdap_get_map(ipa_opts->id, cdb, conf_path,
+                       ipa_autofs_mobject_map,
+                       SDAP_OPTS_AUTOFS_MAP,
+                       &ipa_opts->id->autofs_mobject_map);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              ("Could not get autofs map object attribute map\n"));
+        return ret;
+    }
+
+    ret = sdap_get_map(ipa_opts->id, cdb, conf_path,
+                       ipa_autofs_entry_map,
+                       SDAP_OPTS_AUTOFS_ENTRY,
+                       &ipa_opts->id->autofs_entry_map);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              ("Could not get autofs entry object attribute map\n"));
+        return ret;
+    }
+
+    *_opts = ipa_opts->id;
+    ret = EOK;
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
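Review bot: In ipa_get_autofs_options the result of `sdap_parse_search_base()` is overwritten by the next `sdap_get_map()` call before it is checked. A search base that fails to parse is therefore silently ignored and `autofs_search_bases` may be left unset; add `if (ret != EOK) goto done;` right after the call. The two `return ret;` statements in the `sdap_get_map()` error branches skip the `done:` label and leak `tmp_ctx`, which was allocated with `talloc_new(NULL)` and has no parent to free it; they should be `goto done;`. The `ipa_automount_location` value is also formatted into the DN as-is, so a value containing DN special characters would change the shape of the search base. Consider validating or escaping it before `talloc_asprintf()`.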
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 
2d0e0e1d46d12ca264fa29fcea6442a5dc46c99b..84c726c854cfd3cccd283d8c104d8b497aaf7350
 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -39,6 +39,9 @@ struct ipa_service {
 
 #define IPA_OPTS_SVC_TEST 5
 
+#define IPA_OPTS_AUTOMNTMAP_TEST 2
+#define IPA_OPTS_AUTOMNTENTRY_TEST 3
+
 /* the following define is used to keep track of the options in the krb5
  * module, so that if they change and ipa is not updated correspondingly
  * this will trigger a runtime abort error */
@@ -57,6 +60,7 @@ enum ipa_basic_opt {
     IPA_HBAC_REFRESH,
     IPA_HBAC_DENY_METHOD,
     IPA_HBAC_SUPPORT_SRCHOST,
+    IPA_AUTOMOUNT_LOCATION,
 
     IPA_OPTS_BASIC /* opts counter */
 };
@@ -148,6 +152,16 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
                          const char *conf_path,
                          struct dp_option **_opts);
 
+int ipa_get_autofs_options(struct ipa_options *ipa_opts,
+                           struct confdb_ctx *cdb,
+                           const char *conf_path,
+                           struct sdap_options **_opts);
+
+int ipa_autofs_init(struct be_ctx *be_ctx,
+                    struct ipa_id_ctx *id_ctx,
+                    struct bet_ops **ops,
+                    void **pvt_data);
+
 int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
                      const char *servers,
                      struct ipa_options *options,
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 
1165048b2f140d0e56afeb4317ea60a4061c3839..20745c11f77cdaa504a302b95d58776071954936
 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -180,8 +180,6 @@ int sssm_ipa_id_init(struct be_ctx *bectx,
         }
     }
 
-
-
     ret = setup_tls_config(sdap_ctx->opts->basic);
     if (ret != EOK) {
         DEBUG(1, ("setup_tls_config failed [%d][%s].\n",
@@ -484,3 +482,27 @@ done:
     return ret;
 }
 #endif
+
+int sssm_ipa_autofs_init(struct be_ctx *bectx,
+                         struct bet_ops **ops,
+                         void **pvt_data)
+{
+#ifdef BUILD_AUTOFS
+    struct ipa_id_ctx *id_ctx;
+    int ret;
+
+    DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing IPA autofs handler\n"));
+
+    ret = sssm_ipa_id_init(bectx, ops, (void **) &id_ctx);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ipa_id_init failed.\n"));
+        return ret;
+    }
+
+    return ipa_autofs_init(bectx, id_ctx, ops, pvt_data);
+#else
+    DEBUG(SSSDBG_MINOR_FAILURE, ("Autofs init handler called but SSSD is "
+                                 "built without autofs support, ignoring\n"));
+    return EOK;
+#endif
+}
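Review bot: In the `#else` branch of sssm_ipa_autofs_init the function returns `EOK` without writing `*ops` or `*pvt_data`. A caller that treats EOK as "target loaded" would then continue with whatever those pointers held before. The caller is not visible in this patch, so this needs checking against load_backend_module. Either return an error from that branch or set `*ops = NULL; *pvt_data = NULL;` before `return EOK;`. In the autofs build, `(void **) &id_ctx` stores through a `void **` that really points at a `struct ipa_id_ctx *`; passing the address of a `void *` temporary and assigning it to `id_ctx` afterwards avoids the type-punned pointer.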
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 
c377bcb678ed4814329e4526317feed36d462f16..c912576347b3c95d27ebc613b95947a7a1fd364a
 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -89,6 +89,9 @@ void sdap_pam_chpass_handler(struct be_req *breq);
 /* access */
 void sdap_pam_access_handler(struct be_req *breq);
 
+/* autofs */
+void sdap_autofs_handler(struct be_req *breq);
+
 void sdap_handler_done(struct be_req *req, int dp_err,
                        int error, const char *errstr);
 
diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
index 
121a0610b66e70732ff983c1769c1d71845fcf3c..2497c97c2b824d4d775805e1f630ca56a687c6b9
 100644
--- a/src/tests/ipa_ldap_opt-tests.c
+++ b/src/tests/ipa_ldap_opt-tests.c
@@ -78,6 +78,8 @@ START_TEST(test_check_num_opts)
 {
     fail_if(IPA_OPTS_BASIC_TEST != SDAP_OPTS_BASIC);
     fail_if(IPA_OPTS_SVC_TEST != SDAP_OPTS_SERVICES);
+    fail_if(IPA_OPTS_AUTOMNTMAP_TEST != SDAP_OPTS_AUTOFS_MAP);
+    fail_if(IPA_OPTS_AUTOMNTENTRY_TEST != SDAP_OPTS_AUTOFS_ENTRY);
     fail_if(IPA_KRB5_OPTS_TEST != KRB5_OPTS);
 }
 END_TEST
-- 
1.7.7.6
