On Wed, Nov 25, 2015 at 04:18:18PM +0100, Jakub Hrozek wrote:
> On Wed, Nov 25, 2015 at 03:09:41PM -0000, Ondrej Valousek wrote:
> > Note: man page says:
> > ...
> > When autofs provider is used.....
> > ...
> > I think it should read:
> > ...
> > When ad provider is used for autofs...
> 
> Yes, that needs fixing. Thanks for the review.

Attached is a patch that rewords the manpage a bit. Hopefully it's
clearer now. There are no code changes except the sssd-ad manpage.
>From d5a6bf0a252eafb932fdbae60255699f26a8407e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 18 Nov 2015 15:29:58 +0100
Subject: [PATCH] AD: Add autofs provider

https://fedorahosted.org/sssd/ticket/1632

Adds the possibility to configure:
    autofs_provider = ad

The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
---
 Makefile.am                            |  5 ++++
 src/config/SSSDConfigTest.py           |  3 +-
 src/config/etc/sssd.api.d/sssd-ad.conf |  9 ++++++
 src/man/sssd-ad.5.xml                  | 14 ++++++++--
 src/man/sssd.conf.5.xml                |  9 ++++++
 src/providers/ad/ad_autofs.c           | 50 ++++++++++++++++++++++++++++++++++
 src/providers/ad/ad_common.c           | 31 +++++++++++++++++++++
 src/providers/ad/ad_common.h           |  9 ++++++
 src/providers/ad/ad_init.c             | 24 ++++++++++++++++
 9 files changed, 150 insertions(+), 4 deletions(-)
 create mode 100644 src/providers/ad/ad_autofs.c

diff --git a/Makefile.am b/Makefile.am
index 
212440c9b174de10ca4b8481af350f06b090cc34..0c2a27ccab41bfe11c8af6336486d6336b350172
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3025,6 +3025,11 @@ libsss_ad_la_SOURCES += \
     src/providers/ad/ad_sudo.c
 endif
 
+if BUILD_AUTOFS
+libsss_ad_la_SOURCES += \
+    src/providers/ad/ad_autofs.c
+endif
+
 libsss_ad_la_CFLAGS = \
     $(AM_CFLAGS) \
     $(OPENLDAP_CFLAGS) \
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 
abd4a39258e060f27db62eb2352450b6c405930c..96a6b2f4a1721e91ddc112414615606d4425a38f
 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -752,7 +752,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
         control_provider_dict = {
             'ipa': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs',
                     'session', 'hostid', 'subdomains'],
-            'ad': ['id', 'auth', 'access', 'chpass', 'sudo', 'subdomains'],
+            'ad': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs',
+                   'subdomains'],
             'local': ['id', 'auth', 'chpass'],
             'ldap': ['id', 'auth', 'access', 'chpass', 'sudo', 'autofs'],
             'krb5': ['auth', 'access', 'chpass'],
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf 
b/src/config/etc/sssd.api.d/sssd-ad.conf
index 
b636d93108ef0a3831970d7827895c14b0f3571c..5eb546caac913b839112a70bd81dbde2c7ff2d9f
 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -173,3 +173,12 @@ ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
 ldap_sudorule_notafter = str, None, false
 ldap_sudorule_order = str, None, false
+
+[provider/ad/autofs]
+ldap_autofs_map_master_name = str, None, false
+ldap_autofs_map_object_class = str, None, false
+ldap_autofs_map_name = str, None, false
+ldap_autofs_entry_object_class = str, None, false
+ldap_autofs_entry_key = str, None, false
+ldap_autofs_entry_value = str, None, false
+ldap_autofs_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 
127e96582d71e8216db88d37a16d37d01748131d..d2f74cfce53162f2959ca7c2183a715904e18deb
 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -60,9 +60,9 @@
         </para>
         <para>
             However, it is neither necessary nor recommended to set these
-            options. The AD provider can also be used as an access, chpass and
-            sudo provider. No configuration of the access provider is required
-            on the client side.
+            options. The AD provider can also be used as an access, chpass,
+            sudo and autofs provider. No configuration of the access provider
+            is required on the client side.
         </para>
         <para>
             By default, the AD provider will map UID and GID values from the
@@ -928,6 +928,14 @@ ldap_account_expire_policy = ad
             all the connection parameters (such as LDAP URIs and encryption
             details) manually.
         </para>
+        <para>
+            When the autofs provider is set to <quote>ad</quote>, the RFC2307
+            schema attribute mapping (nisMap, nisObject, ...) is used,
+            because these attributes are included the default Active
+            Directory schema.
+        </para>
+        <para>
+        </para>
     </refsect1>
 
        <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"; 
href="include/seealso.xml" />
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 
573f421a7d885d28d5dbc03423e6c6dd84d7b8fd..c4f584e8f2d87611a415084dd0e37a205531dd39
 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1931,6 +1931,15 @@ pam_account_expired_message = Account expired, please 
call help desk.
                             </citerefentry> for more information on 
configuring IPA.
                         </para>
                         <para>
+                            <quote>ad</quote> to load maps stored in an AD
+                            server. See
+                            <citerefentry>
+                                <refentrytitle>sssd-ad</refentrytitle>
+                                <manvolnum>5</manvolnum>
+                            </citerefentry> for more information on configuring
+                            the AD provider.
+                        </para>
+                        <para>
                             <quote>none</quote> disables autofs explicitly.
                         </para>
                         <para>
diff --git a/src/providers/ad/ad_autofs.c b/src/providers/ad/ad_autofs.c
new file mode 100644
index 
0000000000000000000000000000000000000000..7d4ed34b5e03b59c4a912e5d6e40b5bfb2482009
--- /dev/null
+++ b/src/providers/ad/ad_autofs.c
@@ -0,0 +1,50 @@
+/*
+    SSSD
+
+    AD autofs Provider Initialization functions
+
+    Copyright (C) 2015 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/ad/ad_common.h"
+#include "providers/ldap/sdap_autofs.h"
+
+int ad_autofs_init(struct be_ctx *be_ctx,
+                   struct ad_id_ctx *id_ctx,
+                   struct bet_ops **ops,
+                   void **pvt_data)
+{
+    int ret;
+
+    DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing autofs AD back end\n");
+
+    ret = sdap_autofs_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD autofs [%d]: %s\n",
+                                 ret, sss_strerror(ret));
+        return ret;
+    }
+
+    ret = ad_get_autofs_options(id_ctx->ad_options, be_ctx->cdb,
+                                be_ctx->conf_path);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD autofs [%d]: %s\n",
+                                 ret, sss_strerror(ret));
+        return ret;
+    }
+
+    return EOK;
+}
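Review bot: Both failure branches in ad_autofs_init log the same text, `Cannot initialize AD autofs [%d]: %s`, so the log does not show whether sdap_autofs_init or ad_get_autofs_options failed; the second message could read `"Cannot read AD autofs attribute maps [%d]: %s\n"`. The gap is wider in ad_get_autofs_options in ad_common.c, which returns the sdap_get_map error with no DEBUG output at all. Separately, when ad_get_autofs_options fails, the function returns an error after `ops` and `pvt_data` were already passed to sdap_autofs_init. If that call fills them in (its body is not visible here), the caller gets populated outputs together with a failure code, so consider resetting them on that path. A short comment saying the AD maps are loaded after sdap_autofs_init on purpose would also help, assuming the order is intentional.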
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 
52284a5f39863d6195daa038b1294ee631e60b6a..4f8223879a504d1e34b39f4166601c53fd6a73fe
 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1020,6 +1020,37 @@ ad_get_id_options(struct ad_options *ad_opts,
 }
 
 errno_t
+ad_get_autofs_options(struct ad_options *ad_opts,
+                      struct confdb_ctx *cdb,
+                      const char *conf_path)
+{
+    errno_t ret;
+
+    /* autofs maps */
+    ret = sdap_get_map(ad_opts->id,
+                       cdb,
+                       conf_path,
+                       ad_autofs_mobject_map,
+                       SDAP_OPTS_AUTOFS_MAP,
+                       &ad_opts->id->autofs_mobject_map);
+    if (ret != EOK) {
+        return ret;
+    }
+
+    ret = sdap_get_map(ad_opts->id,
+                       cdb,
+                       conf_path,
+                       ad_autofs_entry_map,
+                       SDAP_OPTS_AUTOFS_ENTRY,
+                       &ad_opts->id->autofs_entry_map);
+    if (ret != EOK) {
+        return ret;
+    }
+
+    return EOK;
+}
+
+errno_t
 ad_set_search_bases(struct sdap_options *id_opts)
 {
     errno_t ret;
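Review bot: ad_get_autofs_options writes the first map straight into `ad_opts->id->autofs_mobject_map` before the second sdap_get_map call has succeeded. If the entry-map lookup fails, the options are left with a new map-object map paired with whatever `autofs_entry_map` held before. Reading both maps into locals and assigning them together on success avoids that mixed state. The sketch below assumes the fields are `struct sdap_attr_map *`, as elsewhere in the LDAP provider. The function also has no header comment; one sentence stating that it loads the AD defaults for the autofs map and entry attribute maps from `conf_path` would be enough. ad_set_search_bases, at the end of the hunk, continues outside it.

```c
ad_get_autofs_options(struct ad_options *ad_opts,
                      struct confdb_ctx *cdb,
                      const char *conf_path)
{
    struct sdap_attr_map *mobject_map = NULL;
    struct sdap_attr_map *entry_map = NULL;
    errno_t ret;

    ret = sdap_get_map(ad_opts->id, cdb, conf_path,
                       ad_autofs_mobject_map, SDAP_OPTS_AUTOFS_MAP,
                       &mobject_map);
    if (ret != EOK) {
        return ret;
    }

    ret = sdap_get_map(ad_opts->id, cdb, conf_path,
                       ad_autofs_entry_map, SDAP_OPTS_AUTOFS_ENTRY,
                       &entry_map);
    if (ret != EOK) {
        talloc_free(mobject_map);
        return ret;
    }

    /* Publish both maps together so the options never hold a mixed pair. */
    ad_opts->id->autofs_mobject_map = mobject_map;
    ad_opts->id->autofs_entry_map = entry_map;

    return EOK;
}
```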
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 
de6ffbff7d20f582c2689383f3d51e027e58277c..49e97b0bebf18e795be2549c22de74111ae06583
 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -132,6 +132,10 @@ ad_get_id_options(struct ad_options *ad_opts,
                    const char *conf_path,
                    struct sdap_options **_opts);
 errno_t
+ad_get_autofs_options(struct ad_options *ad_opts,
+                      struct confdb_ctx *cdb,
+                      const char *conf_path);
+errno_t
 ad_get_auth_options(TALLOC_CTX *mem_ctx,
                     struct ad_options *ad_opts,
                     struct be_ctx *bectx,
@@ -170,4 +174,9 @@ int ad_sudo_init(struct be_ctx *be_ctx,
                  struct bet_ops **ops,
                  void **pvt_data);
 
+int ad_autofs_init(struct be_ctx *be_ctx,
+                  struct ad_id_ctx *id_ctx,
+                  struct bet_ops **ops,
+                  void **pvt_data);
+
 #endif /* AD_COMMON_H_ */
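Review bot: The continuation lines of the new `ad_autofs_init` prototype are indented one column short of the opening parenthesis, unlike the `ad_sudo_init` prototype directly above and the definition in ad_autofs.c; align them under `struct be_ctx`. The prototype is also declared unconditionally, while the Makefile compiles ad_autofs.c only under BUILD_AUTOFS. A one-line comment such as `/* Only defined when SSSD is built with autofs support */` would make that dependency visible to anyone calling it from new code.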
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 
5f30b6ea864b56225e25767ea3988a709dbf8337..72ce5536b0f0f69a530bda0ffc41ae93180c1a94
 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -580,3 +580,27 @@ int sssm_ad_sudo_init(struct be_ctx *bectx,
     return EOK;
 #endif
 }
+
+int sssm_ad_autofs_init(struct be_ctx *bectx,
+                        struct bet_ops **ops,
+                        void **pvt_data)
+{
+#ifdef BUILD_AUTOFS
+    struct ad_id_ctx *id_ctx;
+    int ret;
+
+    DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD autofs handler\n");
+
+    ret = sssm_ad_id_init(bectx, ops, (void **) &id_ctx);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "sssm_ad_id_init failed.\n");
+        return ret;
+    }
+
+    return ad_autofs_init(bectx, id_ctx, ops, pvt_data);
+#else
+    DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is "
+                                "built without autofs support, ignoring\n");
+    return EOK;
+#endif
+}
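Review bot: `id_ctx` is declared uninitialised, filled through a `(void **) &id_ctx` cast, and then passed to ad_autofs_init, which dereferences it (`id_ctx->sdap_id_ctx`, `id_ctx->ad_options`) without a check. If sssm_ad_id_init can return EOK without writing its third argument (its body is outside this patch), that is a read of an indeterminate pointer. Declaring `struct ad_id_ctx *id_ctx = NULL;` and returning an error when it is still NULL after the call makes the failure deterministic. In the `#else` branch the function returns EOK without touching `ops` or `pvt_data`, so a build without autofs support reports success for `autofs_provider = ad`. This mirrors the sudo handler above, but a comment stating that callers must tolerate unset outputs would be worth adding.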
-- 
2.4.3
