> On Thu, Feb 09, 2012 at 06:05:30PM +0100, Jan Zelený wrote:
> > > > On Thu, 2012-02-09 at 13:46 +0100, Jakub Hrozek wrote:
> > > > > On Tue, Feb 07, 2012 at 01:40:39PM +0100, Jan Zelený wrote:
> > > > > > With all these changes happening in last two weeks, the IPA hosts
> > > > > > code was messy at best. This patch sorts out some of the mess. I
> > > > > > already did some testing: SELinux and HBAC seem to be working
> > > > > > correctly. Honza, please take a look and test this patch with
> > > > > > your SSH-related code. That is the last code that uses host
> > > > > > fetching.
> > > > > > 
> > > > > > If this patch makes it to master, I plan to do some more cleanup
> > > > > > in the HBAC code which is closely related to the code this patch
> > > > > > cleans.
> > > > > > 
> > > > > > Thanks
> > > > > > Jan
> > > > > 
> > > > > None of the new options is documented or has a configAPI entry. If
> > > > > that's intentional to avoid breaking string freeze, then there
> > > > > should be a ticket to track adding them.
> > > > 
> > > > They still need to be in the sssd.api.d/sssd-ipa.conf file. We can
> > > > omit the strings from SSSDConfig.py to avoid breaking string freeze
> > > > I guess. But the API needs to not choke on them if they're specified
> > > > in the config file.
> > > > 
> > > > Is this change necessary for the 1.8.0 release, or can we just fix it
> > > > properly (with option changes) in 1.9.0?
> > > 
> > > I guess we can leave it for 1.9, the current state isn't breaking
> > > anything AFAIK.
> > > 
> > > > > ...or...
> > > > > 
> > > > > I was actually thinking if we want to document the IPA attribute
> > > > > maps at all. The options clutter the manual page and their value
> > > > > is questionable. Would anyone oppose *removing* all the attribute
> > > > > maps from the IPA manual page? Or at the very least moving them
> > > > > into some section down at the bottom where no one would be confused
> > > > > by the options.
> > > > 
> > > > I'm in favor of removing any manpage entries that are of negligible
> > > > utility (in 1.9.0, not 1.8.0).
> > > 
> > > Agreed. I'll file a ticket for that.
> > > 
> > > I'll send an updated patch for master in a moment
> > 
> > Filed ticket https://fedorahosted.org/sssd/ticket/1187
> > 
> > Patches are in attachment.
> > 
> > Jan
> 
> The patch works fine but have you considered moving "sdap_attr_map
> *selinuxuser_map", host_map and hostgroup_map into struct ipa_options?
> 
> It seems odd that the search bases are in struct ipa_options but maps
> are in sdap_options. Also ipa_options seems like a better fit for
> IPA-specific data.


Done, patches are in attachment.

Jan
From b5df53528a806af5e1077bee156c636984ccd258 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Tue, 7 Feb 2012 07:01:20 -0500
Subject: [PATCH 1/2] IPA hosts refactoring

---
 src/config/etc/sssd.api.d/sssd-ipa.conf |   20 ++++++
 src/db/sysdb.h                          |    4 +
 src/providers/ipa/ipa_access.c          |   24 ++------
 src/providers/ipa/ipa_access.h          |    3 +-
 src/providers/ipa/ipa_common.c          |   52 +++++++++++-----
 src/providers/ipa/ipa_common.h          |   17 +++++
 src/providers/ipa/ipa_hbac_hosts.c      |    6 +-
 src/providers/ipa/ipa_hbac_private.h    |    6 --
 src/providers/ipa/ipa_hostid.c          |   10 +---
 src/providers/ipa/ipa_hosts.c           |  101 +++++++++++++-----------------
 src/providers/ipa/ipa_hosts.h           |    6 +-
 src/providers/ipa/ipa_init.c            |    2 +
 src/providers/ipa/ipa_netgroups.c       |    6 +-
 src/providers/ipa/ipa_selinux_maps.c    |   11 ++-
 src/providers/ipa/ipa_selinux_maps.h    |    1 +
 src/providers/ipa/ipa_session.c         |   26 +-------
 src/providers/ldap/sdap.h               |    2 -
 17 files changed, 153 insertions(+), 144 deletions(-)

diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 3e3384d942ebc2e750816a0086d0dffa552bd184..6ed92eabe96a5e6831512238a1c5647521a0cb6d 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -124,9 +124,29 @@ krb5_fast_principal = str, None, false
 ipa_hbac_refresh = int, None, false
 ipa_hbac_treat_deny_as = str, None, false
 ipa_hbac_support_srchost = bool, None, false
+ipa_host_object_class = str, None, false
+ipa_host_name = str, None, false
+ipa_host_fqdn = str, None, false
+ipa_host_serverhostname = str, None, false
+ipa_host_member_of = str, None, false
+ipa_host_ssh_public_key = str, None, false
+ipa_host_uuid = str, None, false
+ipa_hostgroup_objectclass = str, None, false
+ipa_hostgroup_name = str, None, false
+ipa_hostgroup_member = str, None, false
+ipa_hostgroup_memberof = str, None, false
+ipa_hostgroup_uuid = str, None, false
 
 [provider/ipa/autofs]
 ipa_automount_location = str, None, false
 
 [provider/ipa/chpass]
 
+[provider/ipa/session]
+ipa_host_object_class = str, None, false
+ipa_host_name = str, None, false
+ipa_host_fqdn = str, None, false
+ipa_host_serverhostname = str, None, false
+ipa_host_member_of = str, None, false
+ipa_host_ssh_public_key = str, None, false
+ipa_host_uuid = str, None, false
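Review bot: the ipa_host_* keys are listed twice, once in the preceding section and again under the new [provider/ipa/session] section, while the ipa_common.c hunk reads the host map once into ipa_options; confirm the session provider really parses these keys from its own section, otherwise the second block is dead configuration. The key spelling is also inconsistent between the two maps: `ipa_host_object_class` / `ipa_host_member_of` versus `ipa_hostgroup_objectclass` / `ipa_hostgroup_memberof`; pick one form before these names become part of the documented interface (ticket 1187).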
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index e9a89606b37e02560be8c01c813043c29d1e9e64..a9d4b0f8fad9fa47934fb19416da46f58e7bb59e 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -45,6 +45,7 @@
 #define SYSDB_GROUP_CLASS "group"
 #define SYSDB_NETGROUP_CLASS "netgroup"
 #define SYSDB_HOST_CLASS "host"
+#define SYSDB_HOSTGROUP_CLASS "hostgroup"
 #define SYSDB_SELINUX_USERMAP_CLASS "selinuxusermap"
 #define SYSDB_SELINUX_CLASS "selinux"
 
@@ -95,6 +96,9 @@
 #define SYSDB_NETGROUP_MEMBER "memberNisNetgroup"
 #define SYSDB_DESCRIPTION   "description"
 
+#define SYSDB_FQDN "fqdn"
+#define SYSDB_SERVERHOSTNAME "serverHostname"
+
 #define SYSDB_SELINUX_SEEALSO "seeAlso"
 #define SYSDB_SELINUX_USER "selinuxUser"
 #define SYSDB_SELINUX_ENABLED "enabled"
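Review bot: SYSDB_SERVERHOSTNAME is spelled "serverHostname" while the IPA_HOST_SERVERHOSTNAME define this patch removes from ipa_hbac_private.h spelled it "serverHostName". ldb matches attribute names case-insensitively, so this is not a functional problem, but keeping one spelling across the map in ipa_common.c and the sysdb define avoids confusion when reading cache dumps.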
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 1eed86c333a3242e253ac4407d1dcc45a0d5783a..523bba258daac428415dd085129bfffcb5259ac8 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -272,20 +272,6 @@ static int hbac_get_host_info_step(struct hbac_ctx *hbac_ctx)
     const char *hostname;
     struct tevent_req *req;
 
-    hbac_ctx->host_attrs = talloc_array(hbac_ctx, const char *, 8);
-    if (hbac_ctx->host_attrs == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to allocate host attribute list.\n"));
-        return ENOMEM;
-    }
-    hbac_ctx->host_attrs[0] = "objectClass";
-    hbac_ctx->host_attrs[1] = IPA_HOST_SERVERHOSTNAME;
-    hbac_ctx->host_attrs[2] = IPA_HOST_FQDN;
-    hbac_ctx->host_attrs[3] = IPA_UNIQUE_ID;
-    hbac_ctx->host_attrs[4] = IPA_MEMBER;
-    hbac_ctx->host_attrs[5] = IPA_MEMBEROF;
-    hbac_ctx->host_attrs[6] = IPA_CN;
-    hbac_ctx->host_attrs[7] = NULL;
-
     if (dp_opt_get_bool(hbac_ctx->ipa_options, IPA_HBAC_SUPPORT_SRCHOST)) {
         /* Support srchost
          * -> we don't want any particular host,
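Review bot: the hand-built list being removed requested IPA_MEMBER ("member") on host entries, whereas ipa_host_map in ipa_common.c has no member attribute; confirm nothing in the HBAC host evaluation read a member attribute from host entries before relying on the map-derived attribute list. The other removed entries (serverHostName, fqdn, ipauniqueid, memberOf, cn) all have counterparts in the new map.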
@@ -301,7 +287,9 @@ static int hbac_get_host_info_step(struct hbac_ctx *hbac_ctx)
                              hbac_ctx_sysdb(hbac_ctx),
                              sdap_id_op_handle(hbac_ctx->sdap_op),
                              hbac_ctx_sdap_id_ctx(hbac_ctx)->opts,
-                             hostname, hbac_ctx->host_attrs, NULL, 0, true,
+                             hostname,
+                             hbac_ctx->access_ctx->host_map,
+                             hbac_ctx->access_ctx->hostgroup_map,
                              hbac_ctx->access_ctx->host_search_bases);
     if (req == NULL) {
         DEBUG(1, ("Could not get host info\n"));
@@ -375,7 +363,7 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
 
     for (i = 0; i < hbac_ctx->host_count; i++) {
         ret = sysdb_attrs_get_string(hbac_ctx->hosts[i],
-                                     IPA_HOST_FQDN,
+                                     SYSDB_FQDN,
                                      &hostname);
         if (ret != EOK) {
             DEBUG(1, ("Could not locate IPA host\n"));
@@ -480,9 +468,9 @@ static void hbac_sysdb_save(struct tevent_req *req)
 
     /* Save the hosts */
     ret = ipa_hbac_sysdb_save(sysdb, domain,
-                              HBAC_HOSTS_SUBDIR, IPA_HOST_FQDN,
+                              HBAC_HOSTS_SUBDIR, SYSDB_FQDN,
                               hbac_ctx->host_count, hbac_ctx->hosts,
-                              HBAC_HOSTGROUPS_SUBDIR, IPA_CN,
+                              HBAC_HOSTGROUPS_SUBDIR, SYSDB_NAME,
                               hbac_ctx->hostgroup_count,
                               hbac_ctx->hostgroups);
     if (ret != EOK) {
diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
index ddfb2cf562054fc0d1d9c6200b4e8ffff055a015..f6b08af3c8da95c8b06d5220d8cdcd16b0c5ac0e 100644
--- a/src/providers/ipa/ipa_access.h
+++ b/src/providers/ipa/ipa_access.h
@@ -38,6 +38,8 @@ struct ipa_access_ctx {
     struct time_rules_ctx *tr_ctx;
     time_t last_update;
 
+    struct sdap_attr_map *host_map;
+    struct sdap_attr_map *hostgroup_map;
     struct sdap_search_base **host_search_bases;
     struct sdap_search_base **hbac_search_bases;
 };
@@ -54,7 +56,6 @@ struct hbac_ctx {
     struct sdap_search_base **search_bases;
 
     /* Hosts */
-    const char **host_attrs;
     size_t host_count;
     struct sysdb_attrs **hosts;
     size_t hostgroup_count;
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 4fd4483625acf6f9b78dc513beb3db2a710f4469..7f7edbad33a9495333a9d091dab3f8bc9e0f895e 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -183,22 +183,33 @@ struct sdap_attr_map ipa_netgroup_map[] = {
 
 struct sdap_attr_map ipa_host_map[] = {
     { "ipa_host_object_class", "ipaHost", SYSDB_HOST_CLASS, NULL },
-    { "ipa_host_fqdn", "fqdn", SYSDB_NAME, NULL },
-    { "ipa_host_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
-    { "ipa_host_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }
+    { "ipa_host_name", "cn", SYSDB_NAME, NULL },
+    { "ipa_host_fqdn", "fqdn", SYSDB_FQDN, NULL },
+    { "ipa_host_serverhostname", "serverHostname", SYSDB_SERVERHOSTNAME, NULL },
+    { "ipa_host_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL },
+    { "ipa_host_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL },
+    { "ipa_host_uuid", "ipaUniqueID", SYSDB_UUID, NULL}
+};
+
+static struct sdap_attr_map ipa_hostgroup_map[] = {
+    { "ipa_hostgroup_objectclass", "ipaHostgroup", SYSDB_HOSTGROUP_CLASS, NULL},
+    { "ipa_hostgroup_name", "cn", SYSDB_NAME, NULL},
+    { "ipa_hostgroup_member", "member", SYSDB_MEMBER, NULL},
+    { "ipa_hostgroup_memberof", "memberOf", SYSDB_ORIG_MEMBEROF, NULL},
+    { "ipa_hostgroup_uuid", "ipaUniqueID", SYSDB_UUID, NULL}
 };
 
 static struct sdap_attr_map ipa_selinux_user_map[] = {
-    {"ipa_selinux_usermap_object_class", "ipaselinuxusermap", SYSDB_SELINUX_USERMAP_CLASS, NULL},
-    {"ipa_selinux_usermap_name", "cn", SYSDB_NAME, NULL},
-    {"ipa_selinux_usermap_member_user", "memberUser", SYSDB_ORIG_MEMBER_USER, NULL},
-    {"ipa_selinux_usermap_member_host", "memberHost", SYSDB_ORIG_MEMBER_HOST, NULL},
-    {"ipa_selinux_usermap_see_also", "seeAlso", SYSDB_SELINUX_SEEALSO, NULL},
-    {"ipa_selinux_usermap_selinux_user", "ipaSELinuxUser", SYSDB_SELINUX_USER, NULL},
-    {"ipa_selinux_usermap_enabled", "ipaEnabledFlag", SYSDB_SELINUX_ENABLED, NULL},
-    {"ipa_selinux_usermap_user_category", "userCategory", SYSDB_USER_CATEGORY, NULL},
-    {"ipa_selinux_usermap_host_category", "hostCategory", SYSDB_HOST_CATEGORY, NULL},
-    {"ipa_selinux_usermap_uuid", "ipaUniqueID", SYSDB_UUID, NULL}
+    { "ipa_selinux_usermap_object_class", "ipaselinuxusermap", SYSDB_SELINUX_USERMAP_CLASS, NULL},
+    { "ipa_selinux_usermap_name", "cn", SYSDB_NAME, NULL},
+    { "ipa_selinux_usermap_member_user", "memberUser", SYSDB_ORIG_MEMBER_USER, NULL},
+    { "ipa_selinux_usermap_member_host", "memberHost", SYSDB_ORIG_MEMBER_HOST, NULL},
+    { "ipa_selinux_usermap_see_also", "seeAlso", SYSDB_SELINUX_SEEALSO, NULL},
+    { "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser", SYSDB_SELINUX_USER, NULL},
+    { "ipa_selinux_usermap_enabled", "ipaEnabledFlag", SYSDB_SELINUX_ENABLED, NULL},
+    { "ipa_selinux_usermap_user_category", "userCategory", SYSDB_USER_CATEGORY, NULL},
+    { "ipa_selinux_usermap_host_category", "hostCategory", SYSDB_HOST_CATEGORY, NULL},
+    { "ipa_selinux_usermap_uuid", "ipaUniqueID", SYSDB_UUID, NULL}
 };
 
 struct dp_option ipa_def_krb5_opts[] = {
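Review bot: two semantic changes are buried in the map edit and deserve a sentence in the commit message: `ipa_host_fqdn` now lands in SYSDB_FQDN instead of SYSDB_NAME (SYSDB_NAME now carries cn), so host entries written by an older cache keep their FQDN under a different sysdb attribute than the lookups in ipa_access.c and ipa_hbac_hosts.c now expect, and `ipa_host_member_of` now maps to SYSDB_ORIG_MEMBEROF instead of SYSDB_MEMBEROF. Consider whether stale cached host entries need handling. Separately, the ipa_selinux_user_map lines change whitespace only and would be cleaner as their own commit, and the `NULL}` on the `ipa_host_uuid` entry is missing the space the other entries of that map use.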
@@ -702,7 +713,16 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
                        cdb, conf_path,
                        ipa_host_map,
                        IPA_OPTS_HOST,
-                       &ipa_opts->id->host_map);
+                       &ipa_opts->host_map);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    ret = sdap_get_map(ipa_opts->id,
+                       cdb, conf_path,
+                       ipa_hostgroup_map,
+                       IPA_OPTS_HOSTGROUP,
+                       &ipa_opts->hostgroup_map);
     if (ret != EOK) {
         goto done;
     }
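Review bot: host_map and hostgroup_map now live in struct ipa_options but are still allocated with `ipa_opts->id` as the talloc parent (`sdap_get_map(ipa_opts->id, ...)`); allocate them on `ipa_opts` so their lifetime matches the structure that references them, otherwise the pointers dangle if the id options are ever freed separately. The same applies to selinuxuser_map in the hunk below.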
@@ -710,7 +730,7 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
     ret = sdap_get_map(ipa_opts->id,
                        cdb, conf_path,
                        ipa_service_map,
-                       IPA_OPTS_HOST,
+                       SDAP_OPTS_SERVICES,
                        &ipa_opts->id->service_map);
     if (ret != EOK) {
         goto done;
@@ -720,7 +740,7 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
                        cdb, conf_path,
                        ipa_selinux_user_map,
                        IPA_OPTS_SELINUX_USERMAP,
-                       &ipa_opts->id->selinuxuser_map);
+                       &ipa_opts->selinuxuser_map);
     if (ret != EOK) {
         goto done;
     }
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 84c726c854cfd3cccd283d8c104d8b497aaf7350..26a6f9d9b58b024dbd505eae8da3487d0c083dc1 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -81,13 +81,26 @@ enum ipa_netgroup_attrs {
 
 enum ipa_host_attrs {
     IPA_OC_HOST = 0,
+    IPA_AT_HOST_NAME,
     IPA_AT_HOST_FQDN,
+    IPA_AT_HOST_SERVERHOSTNAME,
     IPA_AT_HOST_MEMBER_OF,
     IPA_AT_HOST_SSH_PUBLIC_KEY,
+    IPA_AT_HOST_UUID,
 
     IPA_OPTS_HOST /* attrs counter */
 };
 
+enum ipa_hostgroup_attrs {
+    IPA_OC_HOSTGROUP = 0,
+    IPA_AT_HOSTGROUP_NAME,
+    IPA_AT_HOSTGROUP_MEMBER,
+    IPA_AT_HOSTGROUP_MEMBER_OF,
+    IPA_AT_HOSTGROUP_UUID,
+
+    IPA_OPTS_HOSTGROUP /* attrs counter */
+};
+
 enum ipa_selinux_usermap_attrs {
     IPA_OC_SELINUX_USERMAP = 0,
     IPA_AT_SELINUX_USERMAP_NAME,
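Review bot: the new enum members must stay in the same order as the entries of ipa_host_map and ipa_hostgroup_map in ipa_common.c, since the code indexes the arrays with these values (`host_map[IPA_AT_HOST_FQDN].name`, `hostgroup_map[IPA_OC_HOSTGROUP].name`); the orders match in this patch, but a one-line comment on each enum saying so would protect the next editor.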
@@ -118,6 +131,10 @@ struct ipa_id_ctx {
 struct ipa_options {
     struct dp_option *basic;
 
+    struct sdap_attr_map *host_map;
+    struct sdap_attr_map *hostgroup_map;
+    struct sdap_attr_map *selinuxuser_map;
+
     struct sdap_search_base **host_search_bases;
     struct sdap_search_base **hbac_search_bases;
     struct sdap_search_base **selinux_search_bases;
diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c
index 1626f178a319e43ceb323a2d67deac13bf4be2f6..23f7816be0356f1cd89467225d6223f3b1d0d69a 100644
--- a/src/providers/ipa/ipa_hbac_hosts.c
+++ b/src/providers/ipa/ipa_hbac_hosts.c
@@ -40,7 +40,7 @@ static errno_t hbac_host_attrs_to_rule(TALLOC_CTX *mem_ctx,
     errno_t ret;
     TALLOC_CTX *tmp_ctx;
     struct hbac_rule_element *new_hosts;
-    const char *attrs[] = { IPA_HOST_FQDN, IPA_CN, NULL };
+    const char *attrs[] = { SYSDB_FQDN, SYSDB_NAME, NULL };
     struct ldb_message_element *el;
     size_t num_hosts = 0;
     size_t num_hostgroups = 0;
@@ -131,7 +131,7 @@ static errno_t hbac_host_attrs_to_rule(TALLOC_CTX *mem_ctx,
 
             /* Original DN matched a single host. Get the hostname */
             name = ldb_msg_find_attr_as_string(msgs[0],
-                                               IPA_HOST_FQDN,
+                                               SYSDB_FQDN,
                                                NULL);
             if (name == NULL) {
                 DEBUG(1, ("FQDN is missing!\n"));
@@ -167,7 +167,7 @@ static errno_t hbac_host_attrs_to_rule(TALLOC_CTX *mem_ctx,
                 }
 
                 /* Original DN matched a single group. Get the groupname */
-                name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL);
+                name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
                 if (name == NULL) {
                     DEBUG(1, ("Hostgroup name is missing!\n"));
                     ret = EFAULT;
diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
index acf5671578dd6611b600bcb549cc0e3e1e86251e..bb1ea4ec1eb11c68ad2bfb6ec1939ed34f7fb1c3 100644
--- a/src/providers/ipa/ipa_hbac_private.h
+++ b/src/providers/ipa/ipa_hbac_private.h
@@ -28,14 +28,9 @@
 
 #define IPA_HBAC_RULE "ipaHBACRule"
 
-#define IPA_HOST "ipaHost"
-#define IPA_HOSTGROUP "ipaHostGroup"
-
 #define IPA_HBAC_SERVICE "ipaHBACService"
 #define IPA_HBAC_SERVICE_GROUP "ipaHBACServiceGroup"
 
-#define IPA_HOST_SERVERHOSTNAME "serverHostName"
-#define IPA_HOST_FQDN "fqdn"
 #define IPA_UNIQUE_ID "ipauniqueid"
 
 #define IPA_MEMBER "member"
@@ -61,7 +56,6 @@
 #define IPA_SERVICE_CATEGORY "serviceCategory"
 #define IPA_TRUE_VALUE "TRUE"
 
-#define IPA_HOST_BASE_TMPL "cn=computers,cn=accounts,%s"
 #define IPA_HBAC_BASE_TMPL "cn=hbac,%s"
 #define IPA_SERVICES_BASE_TMPL "cn=hbacservices,cn=accounts,%s"
 
diff --git a/src/providers/ipa/ipa_hostid.c b/src/providers/ipa/ipa_hostid.c
index 873cc529668d45c8cd76cc12cfbe8f6cfcf6b37e..b610749a8692cd05a6378f6dd4f82bfcaf9945ec 100644
--- a/src/providers/ipa/ipa_hostid.c
+++ b/src/providers/ipa/ipa_hostid.c
@@ -33,7 +33,6 @@ struct hosts_get_state {
     struct sysdb_ctx *sysdb;
     struct sss_domain_info *domain;
     const char *name;
-    const char **attrs;
 
     size_t count;
     struct sysdb_attrs **hosts;
@@ -176,11 +175,6 @@ hosts_get_send(TALLOC_CTX *memctx,
     state->domain = ctx->be->domain;
     state->name = name;
 
-    /* TODO: handle attrs_type */
-    ret = build_attrs_from_map(state, ctx->opts->host_map,
-                               IPA_OPTS_HOST, &state->attrs);
-    if (ret != EOK) goto fail;
-
     ret = hosts_get_retry(req);
     if (ret != EOK) {
         goto fail;
@@ -234,8 +228,8 @@ hosts_get_connect_done(struct tevent_req *subreq)
     subreq = ipa_host_info_send(state, state->ev, state->sysdb,
                                 sdap_id_op_handle(state->op),
                                 ctx->opts, state->name,
-                                state->attrs, ctx->opts->host_map,
-                                IPA_OPTS_HOST, false,
+                                ctx->opts->host_map,
+                                ctx->opts->hostgroup_map,
                                 state->ctx->host_search_bases);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
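Review bot: hosts_get_connect_done previously called ipa_host_info_send with `fetch_hostgroups` = false; passing `ctx->opts->hostgroup_map` here turns host group lookup on for every SSH host lookup, which adds a dereference search per request. If that is not intended, pass NULL, which the new comment in ipa_hosts.c documents as "skip looking up hostgroups".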
diff --git a/src/providers/ipa/ipa_hosts.c b/src/providers/ipa/ipa_hosts.c
index e939ab7f17ea837de12889543e192fac1b659c23..67e6fa2a279c24c3947a0f27702ea1f28a248a9a 100644
--- a/src/providers/ipa/ipa_hosts.c
+++ b/src/providers/ipa/ipa_hosts.c
@@ -24,8 +24,7 @@
 #include "db/sysdb.h"
 #include "providers/ldap/sdap_async.h"
 #include "providers/ipa/ipa_hosts.h"
-/* FIXME: this is temporary, use proper map instead */
-#include "providers/ipa/ipa_hbac_private.h"
+#include "providers/ipa/ipa_common.h"
 
 struct ipa_host_state {
     struct tevent_context *ev;
@@ -33,8 +32,8 @@ struct ipa_host_state {
     struct sdap_handle *sh;
     struct sdap_options *opts;
     const char **attrs;
-    struct sdap_attr_map *map;
-    int map_num_attrs;
+    struct sdap_attr_map *host_map;
+    struct sdap_attr_map *hostgroup_map;
 
     struct sdap_search_base **search_bases;
     int search_base_iter;
@@ -48,19 +47,9 @@ struct ipa_host_state {
     size_t host_count;
     struct sysdb_attrs **hosts;
 
-    bool fetch_hostgroups;
     size_t hostgroup_count;
     struct sysdb_attrs **hostgroups;
-    struct sdap_attr_map_info *hostgroup_map;
-};
-
-#define HOSTGROUP_MAP_ATTRS_COUNT 5
-static struct sdap_attr_map hostgroup_map[] = {
-    {"objectclass", "ipahostgroup", "hostgroup", NULL},
-    {"name_attr", IPA_CN, IPA_CN, NULL},
-    {"member", IPA_MEMBER, SYSDB_ORIG_MEMBER, NULL},
-    {"memberof", IPA_MEMBEROF, SYSDB_ORIG_MEMBEROF, NULL},
-    {"ipa_id", IPA_UNIQUE_ID, IPA_UNIQUE_ID, NULL}
+    struct sdap_attr_map_info *ipa_hostgroup_map;
 };
 
 static void
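Review bot: the state now carries both `hostgroup_map` (struct sdap_attr_map *) and `ipa_hostgroup_map` (struct sdap_attr_map_info *); the names differ only by a prefix while the types and roles differ, and `ipa_hostgroup_map` is also the name of the static array in ipa_common.c. A name such as `hostgroup_map_info` would make the deref wrapper distinguishable from the map itself.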
@@ -76,6 +65,12 @@ static errno_t
 ipa_hostgroup_info_next(struct tevent_req *req,
                              struct ipa_host_state *state);
 
+/**
+ * hostname == NULL -> look up all hosts / host groups
+ * hostname != NULL -> look up only given host and groups
+ *                     it's member of
+ * hostgroup_map == NULL -> skip looking up hostgroups
+ */
 struct tevent_req *
 ipa_host_info_send(TALLOC_CTX *mem_ctx,
                    struct tevent_context *ev,
@@ -83,10 +78,8 @@ ipa_host_info_send(TALLOC_CTX *mem_ctx,
                    struct sdap_handle *sh,
                    struct sdap_options *opts,
                    const char *hostname,
-                   const char **attrs,
-                   struct sdap_attr_map *map,
-                   int map_num_attrs,
-                   bool fetch_hostgroups,
+                   struct sdap_attr_map *host_map,
+                   struct sdap_attr_map *hostgroup_map,
                    struct sdap_search_base **search_bases)
 {
     errno_t ret;
@@ -106,17 +99,22 @@ ipa_host_info_send(TALLOC_CTX *mem_ctx,
     state->search_bases = search_bases;
     state->search_base_iter = 0;
     state->cur_filter = NULL;
-    state->attrs = attrs;
-    state->map = map;
-    state->map_num_attrs = map_num_attrs;
-    state->fetch_hostgroups = fetch_hostgroups;
+    state->host_map = host_map;
+    state->hostgroup_map = hostgroup_map;
+
+    ret = build_attrs_from_map(state, host_map, IPA_OPTS_HOST, &state->attrs);
+    if (ret != EOK) {
+        goto immediate;
+    }
 
     if (hostname == NULL) {
         state->host_filter = talloc_asprintf(state, "(objectClass=%s)",
-                                             IPA_HOST);
+                                             host_map[IPA_OC_HOST].name);
     } else {
         state->host_filter = talloc_asprintf(state, "(&(objectClass=%s)(%s=%s))",
-                                             IPA_HOST, IPA_HOST_FQDN, hostname);
+                                             host_map[IPA_OC_HOST].name,
+                                             host_map[IPA_AT_HOST_FQDN].name,
+                                             hostname);
     }
     if (state->host_filter == NULL) {
         ret = ENOMEM;
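Review bot: `goto immediate` after build_attrs_from_map relies on an `immediate:` label that is not visible in this hunk; confirm ipa_host_info_send already has that exit path and that it posts the error on the request. Also `hostname` is still inserted into the filter unescaped (`(%s=%s)`), as before this patch; it is the local host name so exposure is low, but running it through sss_filter_sanitize() before building the filter would make the lookup robust against unusual characters.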
@@ -166,8 +164,8 @@ static errno_t ipa_host_info_next(struct tevent_req *req,
     subreq = sdap_get_generic_send(state, state->ev, state->opts,
                                    state->sh, base->basedn,
                                    base->scope, state->cur_filter,
-                                   state->attrs, state->map,
-                                   state->map_num_attrs,
+                                   state->attrs, state->host_map,
+                                   IPA_OPTS_HOST,
                                    dp_opt_get_int(state->opts->basic,
                                                   SDAP_ENUM_SEARCH_TIMEOUT));
     if (subreq == NULL) {
@@ -189,7 +187,6 @@ ipa_host_info_done(struct tevent_req *subreq)
     struct ipa_host_state *state =
             tevent_req_data(req, struct ipa_host_state);
     const char *host_dn;
-    int i;
 
     ret = sdap_get_generic_recv(subreq, state,
                                 &state->host_count,
@@ -212,34 +209,20 @@ ipa_host_info_done(struct tevent_req *subreq)
         return;
     }
 
-    ret = replace_attribute_name(IPA_MEMBEROF, SYSDB_ORIG_MEMBEROF,
-                                 state->host_count,
-                                 state->hosts);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, ("Could not replace attribute names\n"));
-        tevent_req_error(req, ret);
-        return;
-    }
-
-    /* Complete the map */
-    for (i = 0; i < HOSTGROUP_MAP_ATTRS_COUNT; i++) {
-        /* These are allocated on the state, so the next time they'll
-         * have to be allocated again
-         */
-        hostgroup_map[i].name = talloc_strdup(state,
-                                              hostgroup_map[i].def_name);
-        if (hostgroup_map[i].name == NULL) {
+    if (state->hostgroup_map) {
+        talloc_free(state->attrs);
+        ret = build_attrs_from_map(state, state->hostgroup_map,
+                                   IPA_OPTS_HOSTGROUP, &state->attrs);
+        if (ret != EOK) {
             tevent_req_error(req, ret);
             return;
         }
-    }
 
-    if (state->fetch_hostgroups) {
         /* Look up host groups */
         if (state->hostname == NULL) {
             talloc_zfree(state->host_filter);
             state->host_filter = talloc_asprintf(state, "(objectClass=%s)",
-                                                 IPA_HOSTGROUP);
+                                    state->hostgroup_map[IPA_OC_HOSTGROUP].name);
             if (state->host_filter == NULL) {
                 tevent_req_error(req, ENOMEM);
                 return;
@@ -256,13 +239,13 @@ ipa_host_info_done(struct tevent_req *subreq)
                 return;
             }
         } else {
-            state->hostgroup_map = talloc_zero(state, struct sdap_attr_map_info);
-            if (state->hostgroup_map == NULL) {
+            state->ipa_hostgroup_map = talloc_zero(state, struct sdap_attr_map_info);
+            if (state->ipa_hostgroup_map == NULL) {
                 tevent_req_error(req, ENOMEM);
                 return;
             }
-            state->hostgroup_map->map = hostgroup_map;
-            state->hostgroup_map->num_attrs = HOSTGROUP_MAP_ATTRS_COUNT;
+            state->ipa_hostgroup_map->map = state->hostgroup_map;
+            state->ipa_hostgroup_map->num_attrs = IPA_OPTS_HOSTGROUP;
 
             ret = sysdb_attrs_get_string(state->hosts[0], SYSDB_ORIG_DN, &host_dn);
             if (ret != EOK) {
@@ -271,8 +254,10 @@ ipa_host_info_done(struct tevent_req *subreq)
             }
 
             subreq = sdap_deref_search_send(state, state->ev, state->opts, state->sh,
-                                            host_dn, IPA_MEMBEROF, state->attrs,
-                                            1, state->hostgroup_map,
+                                            host_dn,
+                                            state->hostgroup_map[IPA_AT_HOSTGROUP_MEMBER_OF].name,
+                                            state->attrs,
+                                            1, state->ipa_hostgroup_map,
                                             dp_opt_get_int(state->opts->basic,
                                                            SDAP_ENUM_SEARCH_TIMEOUT));
             if (subreq == NULL) {
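Review bot: the dereference at host_dn reads the host entry's memberOf attribute, so the attribute name should come from the host map (`state->host_map[IPA_AT_HOST_MEMBER_OF].name`) rather than `state->hostgroup_map[IPA_AT_HOSTGROUP_MEMBER_OF].name`; both default to "memberOf", but an administrator who overrides ipa_host_member_of would get the wrong attribute dereferenced.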
@@ -308,8 +293,9 @@ static errno_t ipa_hostgroup_info_next(struct tevent_req *req,
 
     subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
                                    base->basedn, base->scope,
-                                   state->cur_filter, state->attrs, hostgroup_map,
-                                   HOSTGROUP_MAP_ATTRS_COUNT,
+                                   state->cur_filter, state->attrs,
+                                   state->hostgroup_map,
+                                   IPA_OPTS_HOSTGROUP,
                                    dp_opt_get_int(state->opts->basic,
                                                   SDAP_ENUM_SEARCH_TIMEOUT));
     if (subreq == NULL) {
@@ -407,7 +393,8 @@ ipa_hostgroup_info_done(struct tevent_req *subreq)
                 }
 
                 ret = sysdb_attrs_get_string(deref_result[i]->attrs,
-                                             IPA_CN, &hostgroup_name);
+                             state->hostgroup_map[IPA_AT_HOSTGROUP_NAME].sys_name,
+                             &hostgroup_name);
                 if (ret != EOK) goto done;
 
                 DEBUG(SSSDBG_FUNC_DATA, ("Dereferenced host group: %s\n",
diff --git a/src/providers/ipa/ipa_hosts.h b/src/providers/ipa/ipa_hosts.h
index 53cabbb79154b184149696c56a6d4910a352a14b..34ceec90531ec653f041a70bff1413b6e15e9e45 100644
--- a/src/providers/ipa/ipa_hosts.h
+++ b/src/providers/ipa/ipa_hosts.h
@@ -30,10 +30,8 @@ ipa_host_info_send(TALLOC_CTX *mem_ctx,
                    struct sdap_handle *sh,
                    struct sdap_options *opts,
                    const char *hostname,
-                   const char **attrs,
-                   struct sdap_attr_map *map,
-                   int map_num_attrs,
-                   bool fetch_hostgroups,
+                   struct sdap_attr_map *host_map,
+                   struct sdap_attr_map *hostgroup_map,
                    struct sdap_search_base **search_bases);
 
 errno_t
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 20745c11f77cdaa504a302b95d58776071954936..ee4b760c1b766c5e8dea2a51a006cfc0f0fad16a 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -386,6 +386,8 @@ int sssm_ipa_access_init(struct be_ctx *bectx,
         goto done;
     }
     ipa_access_ctx->sdap_ctx = id_ctx->sdap_id_ctx;
+    ipa_access_ctx->host_map = id_ctx->ipa_options->host_map;
+    ipa_access_ctx->hostgroup_map = id_ctx->ipa_options->hostgroup_map;
     ipa_access_ctx->host_search_bases = id_ctx->ipa_options->host_search_bases;
     ipa_access_ctx->hbac_search_bases = id_ctx->ipa_options->hbac_search_bases;
 
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 647818fa7b31d630cb427acfbc661cbc1daf75f5..c15e43ec07b2ab6f7e6e50eec9a226425e618b22 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -523,11 +523,11 @@ static int ipa_netgr_fetch_hosts(struct ipa_get_netgroups_state *state,
     filter = talloc_asprintf(state, "(&%s%s(objectclass=%s))",
                              state->filter,
                              base_filter?base_filter:"",
-                             state->opts->host_map[IPA_OC_HOST].name);
+                             state->ipa_opts->host_map[IPA_OC_HOST].name);
     if (filter == NULL)
         return ENOMEM;
 
-    ret = build_attrs_from_map(state, state->opts->host_map,
+    ret = build_attrs_from_map(state, state->ipa_opts->host_map,
                                IPA_OPTS_HOST, &attrs);
     if (ret != EOK) {
         talloc_free(filter);
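Review bot: the hunk switches to `state->ipa_opts->host_map`, but no hunk in this patch adds an `ipa_opts` member to struct ipa_get_netgroups_state; confirm it already exists and is populated by the caller, otherwise this will not compile.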
@@ -538,7 +538,7 @@ static int ipa_netgr_fetch_hosts(struct ipa_get_netgroups_state *state,
                                    bases[state->host_base_iter]->basedn,
                                    bases[state->host_base_iter]->scope,
                                    filter, attrs,
-                                   state->opts->host_map,
+                                   state->ipa_opts->host_map,
                                    IPA_OPTS_HOST, state->timeout);
 
     state->current_entity = ENTITY_HOST;
diff --git a/src/providers/ipa/ipa_selinux_maps.c b/src/providers/ipa/ipa_selinux_maps.c
index 87650f6ce80dce2fb2d16bdea2227bc1a025a501..ee6a5e694ccdaa7460eac6964232c0fc3ab3f07c 100644
--- a/src/providers/ipa/ipa_selinux_maps.c
+++ b/src/providers/ipa/ipa_selinux_maps.c
@@ -30,6 +30,7 @@ struct ipa_selinux_get_maps_state {
     struct sysdb_ctx *sysdb;
     struct sdap_handle *sh;
     struct sdap_options *opts;
+    struct ipa_options *ipa_opts;
     const char **attrs;
 
     struct sdap_search_base **search_bases;
@@ -53,6 +54,7 @@ struct tevent_req *ipa_selinux_get_maps_send(TALLOC_CTX *mem_ctx,
                                              struct sysdb_ctx *sysdb,
                                              struct sdap_handle *sh,
                                              struct sdap_options *opts,
+                                             struct ipa_options *ipa_opts,
                                              struct sdap_search_base **search_bases)
 {
     struct tevent_req *req;
@@ -68,20 +70,21 @@ struct tevent_req *ipa_selinux_get_maps_send(TALLOC_CTX *mem_ctx,
     state->sysdb = sysdb;
     state->sh = sh;
     state->opts = opts;
+    state->ipa_opts = ipa_opts;
     state->search_bases = search_bases;
     state->search_base_iter = 0;
     state->map_count = 0;
     state->maps = NULL;
 
-    ret = build_attrs_from_map(state, opts->selinuxuser_map,
+    ret = build_attrs_from_map(state, ipa_opts->selinuxuser_map,
                                IPA_OPTS_SELINUX_USERMAP, &state->attrs);
     if (ret != EOK) goto fail;
 
     state->cur_filter = NULL;
     state->maps_filter = talloc_asprintf(state,
                         "(&(objectclass=%s)(%s=TRUE))",
-                        opts->selinuxuser_map[IPA_OC_SELINUX_USERMAP].name,
-                        opts->selinuxuser_map[IPA_AT_SELINUX_USERMAP_ENABLED].name);
+                        ipa_opts->selinuxuser_map[IPA_OC_SELINUX_USERMAP].name,
+                        ipa_opts->selinuxuser_map[IPA_AT_SELINUX_USERMAP_ENABLED].name);
     if (state->maps_filter == NULL) {
         ret = ENOMEM;
         goto fail;
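Review bot: ipa_opts is dereferenced straight away in the build_attrs_from_map call and twice more in the maps_filter format arguments without any check that the caller passed a non-NULL pointer; since the parameter is new and every caller has to be converted by hand, a defensive `if (ipa_opts == NULL) { ret = EINVAL; goto fail; }` next to the existing ENOMEM path would turn a missed caller into a logged error instead of a crash in the SELinux map refresh.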
@@ -130,7 +133,7 @@ ipa_selinux_get_maps_next(struct tevent_req *req,
                                    state->sh, base->basedn,
                                    base->scope, state->cur_filter,
                                    state->attrs,
-                                   state->opts->selinuxuser_map,
+                                   state->ipa_opts->selinuxuser_map,
                                    IPA_OPTS_SELINUX_USERMAP,
                                    dp_opt_get_int(state->opts->basic,
                                                   SDAP_ENUM_SEARCH_TIMEOUT));
diff --git a/src/providers/ipa/ipa_selinux_maps.h b/src/providers/ipa/ipa_selinux_maps.h
index efd10bf4e2aad88418d081ba8b15addfba0f9185..d3abec15d0f6cbd7984c64c1eec62ff4f03eff19 100644
--- a/src/providers/ipa/ipa_selinux_maps.h
+++ b/src/providers/ipa/ipa_selinux_maps.h
@@ -33,6 +33,7 @@ ipa_selinux_get_maps_send(TALLOC_CTX *mem_ctx,
                           struct sysdb_ctx *sysdb,
                           struct sdap_handle *sh,
                           struct sdap_options *opts,
+                          struct ipa_options *ipa_opts,
                           struct sdap_search_base **search_bases);
 
 errno_t
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
index 6b7fc8efb617c871369b445b671ed05fac575025..e23b0120e6c2ce1303f4e70190721721a99b124a 100644
--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -35,18 +35,12 @@
 #include "providers/ipa/ipa_selinux_common.h"
 #include "providers/ipa/ipa_selinux_maps.h"
 
-/* FIXME: this is temporary until host map is implemented in ipa_common.c */
-#include "providers/ipa/ipa_hbac_private.h"
-
 struct ipa_get_selinux_state {
     struct be_req *be_req;
     struct pam_data *pd;
     struct ipa_session_ctx *session_ctx;
     struct sdap_id_op *op;
 
-    /* Just tmp stuff so we can free it after query */
-    const char **attrs;
-
     const char *hostname;
     struct sysdb_attrs *host;
     struct sysdb_attrs *user;
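Review bot: dropping the ipa_hbac_private.h include is consistent with the only visible use of it (the IPA_MEMBEROF literal in the removed attrs array later in this file), but the include also covered anything else ipa_session.c pulled from the HBAC private header; please build-check that no other symbol in this file still depends on it before the FIXME comment goes away.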
@@ -251,21 +245,13 @@ static void ipa_get_selinux_connect_done(struct tevent_req *subreq)
     /* FIXME: detect if HBAC is configured
      * - if yes, we can skip host retrieval and get it directly from sysdb
      */
-    state->attrs = talloc_array(state, const char *, 3);
-    if (state->attrs == NULL) {
-        ret = ENOMEM;
-        goto fail;
-    }
-    state->attrs[0] = "objectClass";
-    state->attrs[1] = IPA_MEMBEROF;
-    state->attrs[2] = NULL;
-
     subreq = ipa_host_info_send(state, bctx->ev, bctx->sysdb,
                                 sdap_id_op_handle(state->op),
                                 id_ctx->sdap_id_ctx->opts,
                                 state->hostname,
-                                state->attrs, NULL, 0,
-                                false, state->session_ctx->host_search_bases);
+                                id_ctx->ipa_options->host_map,
+                                NULL,
+                                state->session_ctx->host_search_bases);
     if (subreq == NULL) {
         ret = ENOMEM;
         goto fail;
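Review bot: replacing the hand-built two-entry attrs array with id_ctx->ipa_options->host_map changes what this request fetches: the old code asked only for objectClass and memberOf, while the full host map pulls every mapped host attribute (including, per the config API, the SSH public key), so the SELinux path now retrieves and stores more per-host data than before; that is fine if sharing the host code is the intent, but it deserves a sentence in the commit message, and the FIXME above about skipping the fetch when HBAC is configured becomes more relevant now that the same data is pulled twice.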
@@ -300,11 +286,6 @@ static void ipa_get_selinux_hosts_done(struct tevent_req *subreq)
     }
     state->host = host[0];
 
-    ret = sysdb_attrs_add_string(state->host, SYSDB_NAME, state->hostname);
-    if (ret != EOK) {
-        goto done;
-    }
-
     ret = sss_selinux_extract_user(state, bctx->sysdb,
                                    state->pd->user, &state->user);
     if (ret != EOK) {
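Review bot: removing the sysdb_attrs_add_string(state->host, SYSDB_NAME, state->hostname) call relies on the shared host-fetching code now setting the host's name on the returned sysdb_attrs; since the map matching later in this file needs the host name to compare against the usermap host members, please confirm ipa_host_info_send populates SYSDB_NAME on host[0], otherwise the lookup silently stops matching any host-specific map.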
@@ -314,6 +295,7 @@ static void ipa_get_selinux_hosts_done(struct tevent_req *subreq)
     subreq = ipa_selinux_get_maps_send(state, bctx->ev, bctx->sysdb,
                                        sdap_id_op_handle(state->op),
                                        id_ctx->opts,
+                                       state->session_ctx->id_ctx->ipa_options,
                                        state->session_ctx->selinux_search_bases);
     if (subreq == NULL) {
         ret = ENOMEM;
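Review bot: style, the LDAP options are reached through the local id_ctx->opts on the line above while the IPA options are reached through state->session_ctx->id_ctx->ipa_options on the added line; if the local id_ctx is the sdap_id_ctx this is correct, but the two paths to what are really the same context pair read as if two different contexts were in play, so consider a local ipa_options variable resolved once at the top of the function (as the earlier hunk in this file does with id_ctx->ipa_options).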
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 5d42384661946008e27355101788f4b91d9aecee..941c27918c015b3005f5ff05db02264c871244ff 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -348,14 +348,12 @@ struct sdap_options {
     struct sdap_attr_map *user_map;
     struct sdap_attr_map *group_map;
     struct sdap_attr_map *netgroup_map;
-    struct sdap_attr_map *host_map;
     struct sdap_attr_map *service_map;
 
     /* FIXME - should this go to a special struct to avoid mixing with name-service-switch maps? */
     struct sdap_attr_map *sudorule_map;
     struct sdap_attr_map *autofs_mobject_map;
     struct sdap_attr_map *autofs_entry_map;
-    struct sdap_attr_map *selinuxuser_map;
 
     /* supported schema types */
     enum schema_type {
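Review bot: removing host_map and selinuxuser_map from struct sdap_options is the right direction, but this struct is shared with the plain LDAP provider, so any remaining opts->host_map or opts->selinuxuser_map user outside the IPA files converted in this patch will now fail to compile; a tree-wide grep before pushing would confirm the IPA provider was the only consumer, and the FIXME just above about moving non-NSS maps into a separate struct should be updated, since this change is a partial answer to it.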
-- 
1.7.6.4

From 7f918826da00346ab278d5f73ef53a92584ff8f7 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Thu, 9 Feb 2012 11:50:51 -0500
Subject: [PATCH 2/2] SELinux related attributes added to config API

---
 src/config/SSSDConfigTest.py            |    2 +-
 src/config/etc/sssd.api.d/sssd-ipa.conf |   10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 7e024caa05dc7164402bec63d4f08a7ee69aa634..000c7dbaadd9bc6ddf04e60a96cd3b7b5e9d1515 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -689,7 +689,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
         domain = SSSDConfig.SSSDDomain('sssd', self.schema)
 
         control_provider_dict = {
-            'ipa': ['id', 'auth', 'access', 'chpass', 'autofs' ],
+            'ipa': ['id', 'auth', 'access', 'chpass', 'autofs', 'session' ],
             'local': ['id', 'auth', 'chpass'],
             'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],
             'krb5': ['auth', 'access', 'chpass'],
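Review bot: the test now expects 'session' among the ipa providers, but the sssd-ipa.conf hunk in this patch adds only the ipa_selinux_usermap_* attribute options and no session provider section; if the schema file does not already declare the ipa session provider this test will fail, and either way the subject line "SELinux related attributes added to config API" does not mention the provider list change, so please either add the missing section here or note in the commit message where it was introduced.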
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 6ed92eabe96a5e6831512238a1c5647521a0cb6d..c7c877e74d059cf8751a82c09ae58ce9755a4bf5 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -150,3 +150,13 @@ ipa_host_serverhostname = str, None, false
 ipa_host_member_of = str, None, false
 ipa_host_ssh_public_key = str, None, false
 ipa_host_uuid = str, None, false
+ipa_selinux_usermap_object_class = str, None, false
+ipa_selinux_usermap_name = str, None, false
+ipa_selinux_usermap_member_user = str, None, false
+ipa_selinux_usermap_member_host = str, None, false
+ipa_selinux_usermap_see_also = str, None, false
+ipa_selinux_usermap_selinux_user = str, None, false
+ipa_selinux_usermap_enabled = str, None, false
+ipa_selinux_usermap_user_category = str, None, false
+ipa_selinux_usermap_host_category = str, None, false
+ipa_selinux_usermap_uuid = str, None, false
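Review bot: the new entries follow the same `str, None, false` form as the ipa_host_* lines above them, which is what the thread asked for so SSSDConfig stops rejecting these options, but the hunk context does not show which section of sssd-ipa.conf they land in; since the selinuxuser_map is consumed by the session/SELinux code, please confirm they sit in the section the IPA provider actually reads them from, and open the ticket mentioned in the thread for the manual page and SSSDConfig.py strings deferred to 1.9.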
-- 
1.7.6.4


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
