On 08/11/2014 04:51 PM, Jakub Hrozek wrote:
On Mon, Aug 11, 2014 at 04:19:22PM +0200, Pavel Reichl wrote:
Subject: [PATCH 7/9] SDAP: new option - DN to ppolicy on LDAP
Do we need to make the DN configurable? When you install the ppolicy,
can you actually set the DN?
I haven't tested setting different DN, but I believe it's possible.
During weekend I was putting my notes for setting ppolicy on OpenLDAP on
this wiki page
https://fedorahosted.org/sssd/wiki/openldap_ppolicy#Loadingppolicyoverlay
(this is work in progress and I'm not even sure we care to have such a
how-to on our wiki), but I believe you can see from there that DN is
configurable.
Any howto is good as long as it's up to date.
And from the howto it seems clear that olcPPolicyDefault is the DN
setting, so yes, this should be configurable.
Still we could use a default DN if user didn't set DN himself:
"cn=ppolicy,ou=policies,$search_base"
That sounds like a good idea.
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Hello,
please note that attached patches requires to be patches from "SDAP:
refactor sdap_access" thread to pushed first.
>From 91fc30f99c826eb4b09b177b37251a63234a3aaa Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 1 Aug 2014 09:15:59 +0100
Subject: [PATCH 1/9] SDAP: split sdap_access_filter_get_access_done
As a preparation for ticket #2364 separate code for storing user bool
values into sysdb to a new function sdap_save_user_cache_bool().
---
src/providers/ldap/sdap_access.c | 59 ++++++++++++++++++++++++++--------------
1 file changed, 39 insertions(+), 20 deletions(-)
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 89d37e52fa27b14be6bf702ebf0bc18b3fe59da6..0702c565a466ba067350595233f9746443d0864d 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -40,6 +40,11 @@
#include "providers/data_provider.h"
#include "providers/dp_backend.h"
+static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain,
+ const char *username,
+ const char *attr_name,
+ bool value);
+
static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
@@ -856,7 +861,6 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
int ret, tret, dp_error;
size_t num_results;
bool found = false;
- struct sysdb_attrs *attrs;
struct sysdb_attrs **results;
struct tevent_req *req =
tevent_req_callback_data(subreq, struct tevent_req);
@@ -935,25 +939,8 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
ret = ERR_ACCESS_DENIED;
}
- attrs = sysdb_new_attrs(state);
- if (attrs == NULL) {
- ret = ENOMEM;
- DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
- goto done;
- }
-
- tret = sysdb_attrs_add_bool(attrs, SYSDB_LDAP_ACCESS_FILTER,
- ret == EOK ? true : false);
- if (tret != EOK) {
- /* Failing to save to the cache is non-fatal.
- * Just return the result.
- */
- DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
- goto done;
- }
-
- tret = sysdb_set_user_attr(state->domain, state->username, attrs,
- SYSDB_MOD_REP);
+ tret = sdap_save_user_cache_bool(state->domain, state->username,
+ SYSDB_LDAP_ACCESS_FILTER, found);
if (tret != EOK) {
/* Failing to save to the cache is non-fatal.
* Just return the result.
@@ -1060,6 +1047,38 @@ static errno_t sdap_access_service(struct pam_data *pd,
return ret;
}
+static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain,
+ const char *username,
+ const char *attr_name,
+ bool value)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+
+ attrs = sysdb_new_attrs(NULL);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_bool(attrs, attr_name, value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
+ goto done;
+ }
+
+ ret = sysdb_set_user_attr(domain, username, attrs, SYSDB_MOD_REP);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set user access attribute\n");
+ goto done;
+ }
+
+done:
+ talloc_free(attrs);
+ return ret;
+}
+
static errno_t sdap_access_host(struct ldb_message *user_entry)
{
errno_t ret;
--
1.9.3
>From 8c6e074e312cc1040aad82d5ae6291dfe7799e68 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 1 Aug 2014 11:00:48 +0100
Subject: [PATCH 2/9] SDAP: refactor sdap_access_filter_send
As preparation for ticket #2364 separate code for parsing user basedn
to a new function sdap_get_basedn_user_entry().
We actually do not need to call strdup on basedn, instead we can just point to address in user_entry as it's allocated on parent memory context.
---
src/providers/ldap/sdap_access.c | 46 ++++++++++++++++++++++++++--------------
1 file changed, 30 insertions(+), 16 deletions(-)
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 0702c565a466ba067350595233f9746443d0864d..33277e7d1c77664ab8caa6c7a7cf724a9245de14 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -45,6 +45,10 @@ static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain,
const char *attr_name,
bool value);
+static errno_t sdap_get_basedn_user_entry(struct ldb_message *user_entry,
+ const char *username,
+ const char **_basedn);
+
static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
@@ -648,7 +652,7 @@ struct sdap_access_filter_req_ctx {
struct sysdb_handle *handle;
struct sss_domain_info *domain;
bool cached_access;
- char *basedn;
+ const char *basedn;
};
static errno_t sdap_access_filter_decide_offline(struct tevent_req *req);
@@ -666,7 +670,6 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
{
struct sdap_access_filter_req_ctx *state;
struct tevent_req *req;
- const char *basedn;
char *clean_username;
errno_t ret = ERR_INTERNAL;
char *name;
@@ -704,20 +707,9 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Perform online operation */
- basedn = ldb_msg_find_attr_as_string(user_entry, SYSDB_ORIG_DN, NULL);
- if (basedn == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,"Could not find originalDN for user [%s]\n",
- state->username);
- ret = EINVAL;
- goto done;
- }
-
- state->basedn = talloc_strdup(state, basedn);
- if (state->basedn == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Could not allocate memory for originalDN\n");
- ret = ENOMEM;
+ ret = sdap_get_basedn_user_entry(user_entry, state->username,
+ &state->basedn);
+ if (ret != EOK) {
goto done;
}
@@ -1141,3 +1133,25 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
return ret;
}
+
+static errno_t sdap_get_basedn_user_entry(struct ldb_message *user_entry,
+ const char *username,
+ const char **_basedn)
+{
+ const char *basedn;
+ errno_t ret;
+
+ basedn = ldb_msg_find_attr_as_string(user_entry, SYSDB_ORIG_DN, NULL);
+ if (basedn == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,"Could not find originalDN for user [%s]\n",
+ username);
+ ret = EINVAL;
+ goto done;
+ }
+
+ *_basedn = basedn;
+ ret = EOK;
+
+done:
+ return ret;
+}
--
1.9.3
>From be0d612259419b610cd3554eaf0baad1c35484f0 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 1 Aug 2014 11:13:20 +0100
Subject: [PATCH 3/9] SDAP: nitpicks in sdap_access_filter_get_access_done
Fixed typo and replaced duplicated string by macro definition.
---
src/providers/ldap/sdap_access.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 33277e7d1c77664ab8caa6c7a7cf724a9245de14..94c64eff44cd607573538b1fab0f8a66ac1e7d78 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -40,6 +40,8 @@
#include "providers/data_provider.h"
#include "providers/dp_backend.h"
+#define MALFORMED_FILTER "Malformed access control filter [%s]\n"
+
static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain,
const char *username,
const char *attr_name,
@@ -874,10 +876,8 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
} else if (dp_error == DP_ERR_OFFLINE) {
ret = sdap_access_filter_decide_offline(req);
} else if (ret == ERR_INVALID_FILTER) {
- sss_log(SSS_LOG_ERR,
- "Malformed access control filter [%s]\n", state->filter);
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Malformed access control filter [%s]\n", state->filter);
+ sss_log(SSS_LOG_ERR, MALFORMED_FILTER, state->filter);
+ DEBUG(SSSDBG_CRIT_FAILURE, MALFORMED_FILTER, state->filter);
ret = ERR_ACCESS_DENIED;
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -917,9 +917,7 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
}
if (found) {
- /* Save "allow" to the cache for future offline
- :q* access checks.
- */
+ /* Save "allow" to the cache for future offline access checks. */
DEBUG(SSSDBG_TRACE_FUNC, "Access granted by online lookup\n");
ret = EOK;
}
--
1.9.3
>From 6336e7e4bdae86b488b07f80ace0d8263274ca51 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 1 Aug 2014 12:22:21 +0100
Subject: [PATCH 4/9] SDAP: refactor sdap_access_filter_done
As preparation for ticket #2364 move code from sdap_access_filter_done()
into sdap_access_done() to make its reuse possible and thus avoid code
duplication.
Rename check_next_rule() to sdap_access_check_next_rule().
Update definition order of tevent-using functions by time of execution.
---
src/providers/ldap/sdap_access.c | 55 +++++++++++++++++++++++++++-------------
1 file changed, 37 insertions(+), 18 deletions(-)
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 94c64eff44cd607573538b1fab0f8a66ac1e7d78..e6432de08708f0e0700465322b71bf4e1b2494a3 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -59,6 +59,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
struct sdap_id_conn_ctx *conn,
const char *username,
struct ldb_message *user_entry);
+
static errno_t sdap_access_filter_recv(struct tevent_req *req);
static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
@@ -70,6 +71,10 @@ static errno_t sdap_access_service(struct pam_data *pd,
static errno_t sdap_access_host(struct ldb_message *user_entry);
+enum sdap_access_control_type {
+ SDAP_ACCESS_CONTROL_FILTER,
+};
+
struct sdap_access_req_ctx {
struct pam_data *pd;
struct tevent_context *ev;
@@ -79,11 +84,12 @@ struct sdap_access_req_ctx {
struct sss_domain_info *domain;
struct ldb_message *user_entry;
size_t current_rule;
+ enum sdap_access_control_type ac_type;
};
-static errno_t check_next_rule(struct sdap_access_req_ctx *state,
- struct tevent_req *req);
-static void sdap_access_filter_done(struct tevent_req *subreq);
+static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
+ struct tevent_req *req);
+static void sdap_access_done(struct tevent_req *subreq);
struct tevent_req *
sdap_access_send(TALLOC_CTX *mem_ctx,
@@ -151,7 +157,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
state->user_entry = res->msgs[0];
- ret = check_next_rule(state, req);
+ ret = sdap_access_check_next_rule(state, req);
if (ret == EAGAIN) {
return req;
}
@@ -166,8 +172,8 @@ done:
return req;
}
-static errno_t check_next_rule(struct sdap_access_req_ctx *state,
- struct tevent_req *req)
+static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
+ struct tevent_req *req)
{
struct tevent_req *subreq;
int ret = EOK;
@@ -190,7 +196,9 @@ static errno_t check_next_rule(struct sdap_access_req_ctx *state,
return ENOMEM;
}
- tevent_req_set_callback(subreq, sdap_access_filter_done, req);
+ state->ac_type = SDAP_ACCESS_CONTROL_FILTER;
+
+ tevent_req_set_callback(subreq, sdap_access_done, req);
return EAGAIN;
case LDAP_ACCESS_EXPIRE:
@@ -218,14 +226,27 @@ static errno_t check_next_rule(struct sdap_access_req_ctx *state,
return ret;
}
-static void sdap_access_filter_done(struct tevent_req *subreq)
+static void sdap_access_done(struct tevent_req *subreq)
{
errno_t ret;
- struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
- struct sdap_access_req_ctx *state =
- tevent_req_data(req, struct sdap_access_req_ctx);
+ struct tevent_req *req;
+ struct sdap_access_req_ctx *state;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_access_req_ctx);
+
+ /* process subrequest */
+ switch(state->ac_type) {
+ case SDAP_ACCESS_CONTROL_FILTER:
+ ret = sdap_access_filter_recv(subreq);
+ break;
+ default:
+ ret = EINVAL;
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unknown access control type: %d.",
+ state->ac_type);
+ break;
+ }
- ret = sdap_access_filter_recv(subreq);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Error retrieving access check result.\n");
@@ -235,7 +256,7 @@ static void sdap_access_filter_done(struct tevent_req *subreq)
state->current_rule++;
- ret = check_next_rule(state, req);
+ ret = sdap_access_check_next_rule(state, req);
switch (ret) {
case EAGAIN:
return;
@@ -255,7 +276,6 @@ errno_t sdap_access_recv(struct tevent_req *req)
return EOK;
}
-
#define SHADOW_EXPIRE_MSG "Account expired according to shadow attributes"
static errno_t sdap_account_expired_shadow(struct pam_data *pd,
@@ -660,7 +680,7 @@ struct sdap_access_filter_req_ctx {
static errno_t sdap_access_filter_decide_offline(struct tevent_req *req);
static int sdap_access_filter_retry(struct tevent_req *req);
static void sdap_access_filter_connect_done(struct tevent_req *subreq);
-static void sdap_access_filter_get_access_done(struct tevent_req *req);
+static void sdap_access_filter_done(struct tevent_req *req);
static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
@@ -847,10 +867,10 @@ static void sdap_access_filter_connect_done(struct tevent_req *subreq)
return;
}
- tevent_req_set_callback(subreq, sdap_access_filter_get_access_done, req);
+ tevent_req_set_callback(subreq, sdap_access_filter_done, req);
}
-static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
+static void sdap_access_filter_done(struct tevent_req *subreq)
{
int ret, tret, dp_error;
size_t num_results;
@@ -955,7 +975,6 @@ static errno_t sdap_access_filter_recv(struct tevent_req *req)
return EOK;
}
-
#define AUTHR_SRV_MISSING_MSG "Authorized service attribute missing, " \
"access denied"
#define AUTHR_SRV_DENY_MSG "Access denied by authorized service attribute"
--
1.9.3
>From b04ea36712fd1680971668f121c15224d8bcd3ec Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 1 Aug 2014 16:05:13 +0100
Subject: [PATCH 5/9] SDAP: don't log error on access denied
Don't log error if access is denied in function sdap_access_done().
---
src/providers/ldap/sdap_access.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index e6432de08708f0e0700465322b71bf4e1b2494a3..9eb8215f555a4e8c3f6cf248c2931159ffe6300c 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -249,7 +249,12 @@ static void sdap_access_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Error retrieving access check result.\n");
+ if (ret == ERR_ACCESS_DENIED) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Access was denied.\n");
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error retrieving access check result.\n");
+ }
tevent_req_error(req, ret);
return;
}
--
1.9.3
>From 0518d978c5a49058683f795281adbfcedd68c727 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 1 Aug 2014 16:13:08 +0100
Subject: [PATCH 6/9] SDAP: refactor AC offline checks
Prepare code for other access control checks.
---
src/providers/ldap/sdap_access.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 9eb8215f555a4e8c3f6cf248c2931159ffe6300c..6105d03df7c76ca222ee529f03fdbe1f1c9dcb25 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -678,6 +678,7 @@ struct sdap_access_filter_req_ctx {
struct sdap_id_op *sdap_op;
struct sysdb_handle *handle;
struct sss_domain_info *domain;
+ /* cached results of access control checks */
bool cached_access;
const char *basedn;
};
@@ -727,6 +728,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
state->cached_access = ldb_msg_find_attr_as_bool(user_entry,
SYSDB_LDAP_ACCESS_FILTER,
false);
+
/* Ok, we have one result, check if we are online or offline */
if (be_is_offline(be_ctx)) {
/* Ok, we're offline. Return from the cache */
@@ -796,12 +798,13 @@ done:
return req;
}
-static errno_t sdap_access_filter_decide_offline(struct tevent_req *req)
+/* Helper function,
+ * cached_ac => access granted
+ * !cached_ac => access denied
+ */
+static errno_t sdap_access_decide_offline_impl(bool cached_ac)
{
- struct sdap_access_filter_req_ctx *state =
- tevent_req_data(req, struct sdap_access_filter_req_ctx);
-
- if (state->cached_access) {
+ if (cached_ac) {
DEBUG(SSSDBG_TRACE_FUNC, "Access granted by cached credentials\n");
return EOK;
} else {
@@ -810,6 +813,15 @@ static errno_t sdap_access_filter_decide_offline(struct tevent_req *req)
}
}
+static errno_t sdap_access_filter_decide_offline(struct tevent_req *req)
+{
+ struct sdap_access_filter_req_ctx *state;
+
+ state = tevent_req_data(req, struct sdap_access_filter_req_ctx);
+
+ return sdap_access_decide_offline_impl(state->cached_access);
+}
+
static int sdap_access_filter_retry(struct tevent_req *req)
{
struct sdap_access_filter_req_ctx *state =
--
1.9.3
>From 306cd5b6cccbf24ed2335652aa5085a048784ecf Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Wed, 6 Aug 2014 16:05:53 +0100
Subject: [PATCH 7/9] SDAP: new option - DN to ppolicy on LDAP
To check value of pwdLockout attribute on LDAP server, DN of ppolicy
must be set.
Resolves:
https://fedorahosted.org/sssd/ticket/2364
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/providers/ad/ad_opts.h | 1 +
src/providers/ipa/ipa_opts.h | 1 +
src/providers/ldap/ldap_opts.h | 1 +
src/providers/ldap/sdap.h | 1 +
8 files changed, 8 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 38111a86f02c12e2a6469f2ab671098ebfd84dcb..dc18e1e82f46673f475b5fa699f3048eb36796b2 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -323,6 +323,7 @@ option_strings = {
'ldap_use_tokengroups' : _('Whether to use Token-Groups'),
'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),
+ 'ldap_pwdlockout_dn' : _('DN for ppolicy queries'),
# [provider/ldap/auth]
'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 93d869c67f96afbea2e39d061daf578602b2f9a9..b9f01bc840da953957943c09c406c433cc065007 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -112,6 +112,7 @@ ldap_groups_use_matching_rule_in_chain = bool, None, false
ldap_initgroups_use_matching_rule_in_chain = bool, None, false
ldap_use_tokengroups = bool, None, false
ldap_rfc2307_fallback_to_local_users = bool, None, false
+ldap_pwdlockout_dn = str, None, false
[provider/ad/auth]
krb5_ccachedir = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index f3b9cb0637bd3f827dd198acb74c933b4f953a81..92d8aa082e35b5f56c7d2452a8e32f0e98fc8b34 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -130,6 +130,7 @@ ldap_initgroups_use_matching_rule_in_chain = bool, None, false
ldap_use_tokengroups = bool, None, false
ldap_rfc2307_fallback_to_local_users = bool, None, false
ipa_server_mode = bool, None, false
+ldap_pwdlockout_dn = str, None, false
[provider/ipa/auth]
krb5_ccachedir = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index a4802a1ea190fbdf57ec13d031bb74ad46e08a47..29276bfd74b9fcc67042a138006959896c34fbae 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -119,6 +119,7 @@ ldap_use_tokengroups = bool, None, false
ldap_rfc2307_fallback_to_local_users = bool, None, false
ldap_min_id = int, None, false
ldap_max_id = int, None, false
+ldap_pwdlockout_dn = str, None, false
[provider/ldap/auth]
ldap_pwd_policy = str, None, false
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index a3ade012a7c1efb705a011697af36c28e39b1a9b..a82f7a9e08b41b300970b4f8b90f8850fb11c80c 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -134,6 +134,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
{ "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+ { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index c7197beb1ecae2935255c46559287ad1186f760e..1c14cfdcbf7a9c343f57121e891d0e6da6a3ea10 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -155,6 +155,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
{ "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+ { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 13a84ec1e979864e06d5690ec29967548b21aac1..4d5b71f43d78553c8ddd05d88e202e62ed7c9d52 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -121,6 +121,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
{ "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+ { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 6bab0e1c1ce520ba248cc6634349493d82b31233..da1471c2f4742aecfc13624e5085ffc5bff972eb 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -232,6 +232,7 @@ enum sdap_basic_opt {
SDAP_DISABLE_RANGE_RETRIEVAL,
SDAP_MIN_ID,
SDAP_MAX_ID,
+ SDAP_PWDLOCKOUT_DN,
SDAP_OPTS_BASIC /* opts counter */
};
--
1.9.3
>From 3e2f70202c44f11c85ad53815960cd375dc41249 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 1 Aug 2014 17:44:24 +0100
Subject: [PATCH 8/9] SDAP: account lockout to restrict access via ssh key
Be able to configure sssd to honor openldap account lock to restrict
access via ssh key. Introduce new ldap_access_order value ('lock')
for enabling/disabling this feature.
Account is considered locked if pwdAccountLockedTime attribut has value
of 000001010000Z.
------------------------------------------------------------------------
Quotation from man slapo-ppolicy:
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If
the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
------------------------------------------------------------------------
Also set default value for sdap_pwdlockout_dn to
cn=ppolicy,ou=policies,${search_base}
Resolves:
https://fedorahosted.org/sssd/ticket/2364
---
src/providers/ldap/ldap_init.c | 2 +
src/providers/ldap/sdap_access.c | 495 +++++++++++++++++++++++++++++++++++++++
src/providers/ldap/sdap_access.h | 9 +
3 files changed, 506 insertions(+)
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 9960fd3ab7a6e446e5cdc1e8fa4984aab812d980..44333a9a3a45de16aaaf83fecaea4817cebc90d4 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -421,6 +421,8 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
access_ctx->access_rule[c] = LDAP_ACCESS_SERVICE;
} else if (strcasecmp(order_list[c], LDAP_ACCESS_HOST_NAME) == 0) {
access_ctx->access_rule[c] = LDAP_ACCESS_HOST;
+ } else if (strcasecmp(order_list[c], LDAP_ACCESS_LOCK_NAME) == 0) {
+ access_ctx->access_rule[c] = LDAP_ACCESS_LOCKOUT;
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unexpected access rule name [%s].\n", order_list[c]);
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 6105d03df7c76ca222ee529f03fdbe1f1c9dcb25..9a1ef02a56da1cd36a77741f223477a3024def78 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -40,6 +40,7 @@
#include "providers/data_provider.h"
#include "providers/dp_backend.h"
+#define PERMANENTLY_LOCKED_ACCOUNT "000001010000Z"
#define MALFORMED_FILTER "Malformed access control filter [%s]\n"
static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain,
@@ -51,6 +52,16 @@ static errno_t sdap_get_basedn_user_entry(struct ldb_message *user_entry,
const char *username,
const char **_basedn);
+static struct tevent_req *
+sdap_access_lock_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
+ const char *username,
+ struct ldb_message *user_entry);
+
static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
@@ -62,6 +73,8 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
static errno_t sdap_access_filter_recv(struct tevent_req *req);
+static errno_t sdap_access_lock_recv(struct tevent_req *req);
+
static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
struct pam_data *pd,
struct ldb_message *user_entry);
@@ -73,6 +86,7 @@ static errno_t sdap_access_host(struct ldb_message *user_entry);
enum sdap_access_control_type {
SDAP_ACCESS_CONTROL_FILTER,
+ SDAP_ACCESS_CONTROL_PPOLICY_LOCK,
};
struct sdap_access_req_ctx {
@@ -184,6 +198,26 @@ static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
/* we are done with no errors */
return EOK;
+ case LDAP_ACCESS_LOCKOUT:
+ ret = EOK;
+
+ subreq = sdap_access_lock_send(state, state->ev, state->be_ctx,
+ state->domain,
+ state->access_ctx,
+ state->conn,
+ state->pd->user,
+ state->user_entry);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_lock_send failed.\n");
+ return ENOMEM;
+ }
+
+ state->ac_type = SDAP_ACCESS_CONTROL_PPOLICY_LOCK;
+
+ tevent_req_set_callback(subreq, sdap_access_done, req);
+ return EAGAIN;
+ break;
+
case LDAP_ACCESS_FILTER:
subreq = sdap_access_filter_send(state, state->ev, state->be_ctx,
state->domain,
@@ -240,6 +274,9 @@ static void sdap_access_done(struct tevent_req *subreq)
case SDAP_ACCESS_CONTROL_FILTER:
ret = sdap_access_filter_recv(subreq);
break;
+ case SDAP_ACCESS_CONTROL_PPOLICY_LOCK:
+ ret = sdap_access_lock_recv(subreq);
+ break;
default:
ret = EINVAL;
DEBUG(SSSDBG_MINOR_FAILURE, "Unknown access control type: %d.",
@@ -683,8 +720,10 @@ struct sdap_access_filter_req_ctx {
const char *basedn;
};
+static errno_t sdap_access_lockout_decide_offline(struct tevent_req *req);
static errno_t sdap_access_filter_decide_offline(struct tevent_req *req);
static int sdap_access_filter_retry(struct tevent_req *req);
+static void sdap_access_lock_connect_done(struct tevent_req *subreq);
static void sdap_access_filter_connect_done(struct tevent_req *subreq);
static void sdap_access_filter_done(struct tevent_req *req);
static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
@@ -1168,6 +1207,462 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
return ret;
}
+static void sdap_access_lock_get_lockout_done(struct tevent_req *subreq);
+static int sdap_access_lock_retry(struct tevent_req *req);
+static errno_t sdap_access_lock_step(struct tevent_req *req);
+static void sdap_access_lock_step_done(struct tevent_req *subreq);
+
+struct sdap_access_lock_req_ctx {
+ const char *username;
+ const char *filter;
+ struct tevent_context *ev;
+ struct sdap_access_ctx *access_ctx;
+ struct sdap_options *opts;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_id_op *sdap_op;
+ struct sysdb_handle *handle;
+ struct sss_domain_info *domain;
+ /* cached results of access control checks */
+ bool cached_access;
+ const char *basedn;
+};
+
+static struct tevent_req *
+sdap_access_lock_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
+ const char *username,
+ struct ldb_message *user_entry)
+{
+ struct sdap_access_lock_req_ctx *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx,
+ &state, struct sdap_access_lock_req_ctx);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->filter = NULL;
+ state->username = username;
+ state->opts = access_ctx->id_ctx->opts;
+ state->conn = conn;
+ state->ev = ev;
+ state->access_ctx = access_ctx;
+ state->domain = domain;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access lock check for user [%s]\n", username);
+
+ state->cached_access = ldb_msg_find_attr_as_bool(
+ user_entry, SYSDB_LDAP_ACCESS_CACHED_LOCKOUT, false);
+
+ /* Ok, we have one result, check if we are online or offline */
+ if (be_is_offline(be_ctx)) {
+ /* Ok, we're offline. Return from the cache */
+ ret = sdap_access_lockout_decide_offline(req);
+ goto done;
+ }
+
+ ret = sdap_get_basedn_user_entry(user_entry, state->username,
+ &state->basedn);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Checking lock against LDAP\n");
+
+ state->sdap_op = sdap_id_op_create(state,
+ state->conn->conn_cache);
+ if (!state->sdap_op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sdap_access_lock_retry(req);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ return req;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static int sdap_access_lock_retry(struct tevent_req *req)
+{
+ struct sdap_access_lock_req_ctx *state;
+ struct tevent_req *subreq;
+ int ret;
+
+ state = tevent_req_data(req, struct sdap_access_lock_req_ctx);
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+ if (!subreq) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_id_op_connect_send failed: %d (%s)\n", ret, strerror(ret));
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, sdap_access_lock_connect_done, req);
+ return EOK;
+}
+
+static char*
+get_default_ppolicy_dn(TALLOC_CTX *mem_ctx, struct sdap_options *opts)
+{
+ char *search_base;
+
+ search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);
+
+ return talloc_asprintf(mem_ctx, "cn=ppolicy,ou=policies,%s", search_base);
+}
+
+static void sdap_access_lock_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct sdap_access_lock_req_ctx *state;
+ int ret, dp_error;
+ const char *attrs[] = { SYSDB_LDAP_ACCESS_LOCKOUT, NULL };
+ const char *ppolicy_dn;
+ char *ppolicy_dn_default = NULL;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_access_lock_req_ctx);
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ if (dp_error == DP_ERR_OFFLINE) {
+ ret = sdap_access_lockout_decide_offline(req);
+ if (ret == EOK) {
+ tevent_req_done(req);
+ return;
+ }
+ }
+
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ppolicy_dn = dp_opt_get_string(state->opts->basic,
+ SDAP_PWDLOCKOUT_DN);
+ if (ppolicy_dn == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "ldap_pwdlockout_dn was not defined in configuration file.\n");
+
+ ppolicy_dn_default = get_default_ppolicy_dn(state, state->opts);
+ if (ppolicy_dn_default == NULL) {
+ tevent_req_error(req, ERR_ACCESS_DENIED);
+ goto done;
+ }
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Default value for ldap_pwdlockout_dn is: %s\n",
+ ppolicy_dn_default);
+
+ ppolicy_dn = ppolicy_dn_default;
+ }
+
+ /* Connection to LDAP succeeded
+ * Send 'pwdLockout' request
+ */
+ subreq = sdap_get_generic_send(state,
+ state->ev,
+ state->opts,
+ sdap_id_op_handle(state->sdap_op),
+ ppolicy_dn,
+ LDAP_SCOPE_BASE,
+ NULL, attrs,
+ NULL, 0,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not start LDAP communication\n");
+ tevent_req_error(req, EIO);
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_access_lock_get_lockout_done, req);
+
+done:
+ talloc_free(ppolicy_dn_default);
+}
+
+static void sdap_access_lock_get_lockout_done(struct tevent_req *subreq)
+{
+ int ret, tret, dp_error;
+ size_t num_results;
+ bool pwdLockout = false;
+ struct sysdb_attrs **results;
+ struct tevent_req *req;
+ struct sdap_access_lock_req_ctx *state;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_access_lock_req_ctx);
+
+ ret = sdap_get_generic_recv(subreq, state, &num_results, &results);
+ talloc_zfree(subreq);
+
+ /* Check the number of responses we got
+ * If it's exactly 1, we passed the check
+ * If it's < 1, we failed the check
+ * Anything else is an error
+ */
+ if (num_results < 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "[%s] was not found."
+ "Granting access.\n", SYSDB_LDAP_ACCESS_LOCKOUT);
+ } else if (results == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "num_results > 0, but results is NULL\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ } else if (num_results > 1) {
+ /* It should not be possible to get more than one reply
+ * here, since we're doing a base-scoped search
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE, "Received multiple replies\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ } else { /* Ok, we got a single reply */
+ ret = sysdb_attrs_get_bool(results[0], SYSDB_LDAP_ACCESS_LOCKOUT,
+ &pwdLockout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error reading %s: [%s]\n", SYSDB_LDAP_ACCESS_LOCKOUT,
+ strerror(ret));
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+ }
+
+ if (pwdLockout) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Password policy is enabled on LDAP server.\n");
+
+ /* ppolicy is enabled => find out if account is locked */
+ ret = sdap_access_lock_step(req);
+ if (ret == EOK) {
+ ret = EAGAIN;
+ }
+ goto done;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Password policy is disabled on LDAP server "
+ "- storing 'access granted' in sysdb.\n");
+ tret = sdap_save_user_cache_bool(state->domain, state->username,
+ SYSDB_LDAP_ACCESS_CACHED_LOCKOUT,
+ true);
+ if (tret != EOK) {
+ /* Failing to save to the cache is non-fatal.
+ * Just return the result.
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set user locked attribute\n");
+ goto done;
+ }
+
+ ret = EOK;
+ goto done;
+ }
+
+done:
+ if (ret != EAGAIN) {
+ /* release connection */
+ tret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_get_generic_send() returned error [%d][%s]\n",
+ ret, sss_strerror(ret));
+ }
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ }
+}
+
+errno_t sdap_access_lock_step(struct tevent_req *req)
+{
+ errno_t ret;
+ struct tevent_req *subreq;
+ struct sdap_access_lock_req_ctx *state;
+ const char *attrs[] = { SYSDB_LDAP_ACCESS_LOCKED_TIME, NULL };
+
+ state = tevent_req_data(req, struct sdap_access_lock_req_ctx);
+
+ subreq = sdap_get_generic_send(state,
+ state->ev,
+ state->opts,
+ sdap_id_op_handle(state->sdap_op),
+ state->basedn,
+ LDAP_SCOPE_BASE,
+ NULL, attrs,
+ NULL, 0,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_lock_send failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_access_lock_step_done, req);
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+static void sdap_access_lock_step_done(struct tevent_req *subreq)
+{
+ int ret, tret, dp_error;
+ size_t num_results;
+ bool locked = false;
+ const char *pwdAccountLockedTime;
+ struct sysdb_attrs **results;
+ struct tevent_req *req;
+ struct sdap_access_lock_req_ctx *state;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_access_lock_req_ctx);
+
+ ret = sdap_get_generic_recv(subreq, state, &num_results, &results);
+ talloc_zfree(subreq);
+
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+ if (ret != EOK) {
+ if (dp_error == DP_ERR_OK) {
+ /* retry */
+ tret = sdap_access_lock_retry(req);
+ if (tret == EOK) {
+ return;
+ }
+ } else if (dp_error == DP_ERR_OFFLINE) {
+ ret = sdap_access_lockout_decide_offline(req);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_get_generic_send() returned error [%d][%s]\n",
+ ret, sss_strerror(ret));
+ }
+
+ goto done;
+ }
+
+ /* Check the number of responses we got
+ * If it's exactly 1, we passed the check
+ * If it's < 1, we failed the check
+ * Anything else is an error
+ */
+ if (num_results < 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "User [%s] was not found with the specified filter. "
+ "Denying access.\n", state->username);
+ } else if (results == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "num_results > 0, but results is NULL\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ } else if (num_results > 1) {
+ /* It should not be possible to get more than one reply
+ * here, since we're doing a base-scoped search
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE, "Received multiple replies\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ } else { /* Ok, we got a single reply */
+ ret = sysdb_attrs_get_string(results[0], SYSDB_LDAP_ACCESS_LOCKED_TIME,
+ &pwdAccountLockedTime);
+ if (ret == EOK) {
+ /* We do *not* care about exact value of account locked time, we
+ * only *do* care if the value is equal to
+ * PERMANENTLY_LOCKED_ACCOUNT, which means that account is locked
+ * permanently.
+ */
+ if (strcasecmp(pwdAccountLockedTime,
+ PERMANENTLY_LOCKED_ACCOUNT) == 0) {
+ locked = true;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Account of: %s is beeing blocked by password policy, "
+ "but value: [%s] value is ignored by SSSD.\n",
+ state->username, pwdAccountLockedTime);
+ }
+ } else {
+ /* Attribute SYSDB_LDAP_ACCESS_LOCKED_TIME in not be present unless
+ * user's account is blocked by password policy.
+ */
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Attribute %s failed to be obtained - [%d][%s].\n",
+ SYSDB_LDAP_ACCESS_LOCKED_TIME, ret, strerror(ret));
+ }
+ }
+
+ if (locked) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Access denied by online lookup - account is locked.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Access granted by online lookup - account is not locked.\n");
+ ret = EOK;
+ }
+
+ /* Save '!locked' to the cache for future offline access checks.
+ * Locked == true => access denied,
+ * Locked == false => access granted
+ */
+ tret = sdap_save_user_cache_bool(state->domain, state->username,
+ SYSDB_LDAP_ACCESS_CACHED_LOCKOUT,
+ !locked);
+
+ if (tret != EOK) {
+ /* Failing to save to the cache is non-fatal.
+ * Just return the result.
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set user locked attribute\n");
+ goto done;
+ }
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+}
+
+static errno_t sdap_access_lock_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+static errno_t sdap_access_lockout_decide_offline(struct tevent_req *req)
+{
+ struct sdap_access_lock_req_ctx *state;
+
+ state = tevent_req_data(req, struct sdap_access_lock_req_ctx);
+
+ return sdap_access_decide_offline_impl(state->cached_access);
+}
+
static errno_t sdap_get_basedn_user_entry(struct ldb_message *user_entry,
const char *username,
const char **_basedn)
diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h
index 30097e21f59abe19fc14d052edb0a6343c67f892..f085e619961198b887d65ed5ee0bc5cdd90d1b20 100644
--- a/src/providers/ldap/sdap_access.h
+++ b/src/providers/ldap/sdap_access.h
@@ -28,12 +28,20 @@
#include "providers/dp_backend.h"
#include "providers/ldap/ldap_common.h"
+/* Attributes in sysdb, used for caching last values of lockout or filter
+ * access control checks.
+ */
#define SYSDB_LDAP_ACCESS_FILTER "ldap_access_filter_allow"
+#define SYSDB_LDAP_ACCESS_CACHED_LOCKOUT "ldap_access_lockout_allow"
+/* names of ppolicy attributes */
+#define SYSDB_LDAP_ACCESS_LOCKED_TIME "pwdAccountLockedTime"
+#define SYSDB_LDAP_ACCESS_LOCKOUT "pwdLockout"
#define LDAP_ACCESS_FILTER_NAME "filter"
#define LDAP_ACCESS_EXPIRE_NAME "expire"
#define LDAP_ACCESS_SERVICE_NAME "authorized_service"
#define LDAP_ACCESS_HOST_NAME "host"
+#define LDAP_ACCESS_LOCK_NAME "lockout"
#define LDAP_ACCOUNT_EXPIRE_SHADOW "shadow"
#define LDAP_ACCOUNT_EXPIRE_AD "ad"
@@ -48,6 +56,7 @@ enum ldap_access_rule {
LDAP_ACCESS_EXPIRE,
LDAP_ACCESS_SERVICE,
LDAP_ACCESS_HOST,
+ LDAP_ACCESS_LOCKOUT,
LDAP_ACCESS_LAST
};
--
1.9.3
>From c50d08abd0fedfd340eaf2d06a0177ed2bda8064 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 1 Aug 2014 17:04:55 +0100
Subject: [PATCH 9/9] MAN: options 'lockout' and 'ldap_pwdlockout_dn'
Resolves:
https://fedorahosted.org/sssd/ticket/2364
---
src/man/sssd-ldap.5.xml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index e8bcfd0d13cb39b7e60fc8f3aa4338b53d2921e2..eb3b8d23f0d26cb2cff447e805ed7cbb23f4e13d 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1914,6 +1914,13 @@ ldap_access_filter = (employeeType=admin)
<emphasis>filter</emphasis>: use ldap_access_filter
</para>
<para>
+ <emphasis>lockout</emphasis>: use account locking.
+ If set, this option denies access in case that ldap
+ attribute 'pwdAccountLockedTime' is present and has
+ value of '000001010000Z'. Please see the option
+ ldap_pwdlockout_dn.
+ </para>
+ <para>
<emphasis>expire</emphasis>: use
ldap_account_expire_policy
</para>
@@ -1937,6 +1944,26 @@ ldap_access_filter = (employeeType=admin)
</varlistentry>
<varlistentry>
+ <term>ldap_pwdlockout_dn (string)</term>
+ <listitem>
+ <para>
+ This option specifies the DN of password policy entry
+ on LDAP server. Please note that absence of this
+ option in sssd.conf in case of enabled account
+ lockout checking will yield access denied as
+ ppolicy attributes on LDAP server cannot be checked
+ properly.
+ </para>
+ <para>
+ Example: cn=ppolicy,ou=policies,dc=example,dc=com
+ </para>
+ <para>
+ Default: cn=ppolicy,ou=policies,$ldap_search_base
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_deref (string)</term>
<listitem>
<para>
--
1.9.3
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel