URL: https://github.com/SSSD/sssd/pull/5283 Author: joakim-tjernlund Title: #5283: Add dyndns_auth_ptr support Action: synchronized
From a95b6c87e965c4833bc1fe045590c6ddb98f04d6 Mon Sep 17 00:00:00 2001 From: Joakim Tjernlund <joakim.tjernl...@infinera.com> Date: Sat, 15 Aug 2020 11:47:42 +0200 Subject: [PATCH 1/2] Add dyndns_auth_ptr support Allows to specify auth method for DNS PTR updates. Default to same as dyndns_auth. --- src/config/cfg_rules.ini | 1 + src/man/sssd-ad.5.xml | 15 +++++++++++++++ src/man/sssd-ipa.5.xml | 15 +++++++++++++++ src/providers/ad/ad_dyndns.c | 1 + src/providers/ad/ad_opts.c | 1 + src/providers/be_dyndns.c | 13 +++++++++++++ src/providers/be_dyndns.h | 2 ++ src/providers/ipa/ipa_dyndns.c | 1 + src/providers/ipa/ipa_opts.c | 1 + src/providers/ldap/sdap_dyndns.c | 5 ++++- src/providers/ldap/sdap_dyndns.h | 1 + 11 files changed, 55 insertions(+), 1 deletion(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 2874ea048b..6347024278 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -421,6 +421,7 @@ option = dyndns_refresh_interval option = dyndns_update_ptr option = dyndns_force_tcp option = dyndns_auth +option = dyndns_auth_ptr option = dyndns_server # files provider specific options diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 5c2f465462..e4712e26d9 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -1165,6 +1165,21 @@ ad_gpo_map_deny = +my_pam_service </listitem> </varlistentry> + <varlistentry> + <term>dyndns_auth_ptr (string)</term> + <listitem> + <para> + Whether the nsupdate utility should use GSS-TSIG + authentication for secure PTR updates with the DNS + server, insecure updates can be sent by setting + this option to 'none'. + </para> + <para> + Default: Same as dyndns_auth + </para> + </listitem> + </varlistentry> + <varlistentry> <term>dyndns_server (string)</term> <listitem> diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 0de866740a..7b630493da 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml 
@@ -214,6 +214,21 @@ </listitem> </varlistentry> + <varlistentry> + <term>dyndns_auth_ptr (string)</term> + <listitem> + <para> + Whether the nsupdate utility should use GSS-TSIG + authentication for secure PTR updates with the DNS + server, insecure updates can be sent by setting + this option to 'none'. + </para> + <para> + Default: Same as dyndns_auth + </para> + </listitem> + </varlistentry> + <varlistentry> <term>ipa_enable_dns_sites (boolean)</term> <listitem> diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c index 00e1d253ae..71ef16c0b5 100644 --- a/src/providers/ad/ad_dyndns.c +++ b/src/providers/ad/ad_dyndns.c @@ -238,6 +238,7 @@ static void ad_dyndns_update_connect_done(struct tevent_req *subreq) ctx->dyndns_ctx->opts, sdap_ctx, ctx->dyndns_ctx->auth_type, + ctx->dyndns_ctx->auth_ptr_type, dp_opt_get_string(ctx->dyndns_ctx->opts, DP_OPT_DYNDNS_IFACE), dp_opt_get_string(ctx->basic, diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 25b1367731..9ebb9ad1a4 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -309,6 +309,7 @@ struct dp_option ad_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, + { "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c index 54f3cc08a3..f97779e1dc 100644 --- a/src/providers/be_dyndns.c +++ b/src/providers/be_dyndns.c 
@@ -1217,6 +1217,7 @@ static struct dp_option default_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, + { "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR @@ -1254,6 +1255,18 @@ be_nsupdate_init(TALLOC_CTX *mem_ctx, struct be_ctx *be_ctx, return EINVAL; } + strauth = dp_opt_get_string(ctx->opts, DP_OPT_DYNDNS_AUTH_PTR); + if (strcasecmp(strauth, "") == 0) { + ctx->auth_ptr_type = ctx->auth_type; + } else if (strcasecmp(strauth, "gss-tsig") == 0) { + ctx->auth_ptr_type = BE_NSUPDATE_AUTH_GSS_TSIG; + } else if (strcasecmp(strauth, "none") == 0) { + ctx->auth_ptr_type = BE_NSUPDATE_AUTH_NONE; + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unknown dyndns ptr auth type %s\n", strauth); + return EINVAL; + } + *_ctx = ctx; return ERR_OK; } diff --git a/src/providers/be_dyndns.h b/src/providers/be_dyndns.h index c8c48d9b09..2967519b47 100644 --- a/src/providers/be_dyndns.h +++ b/src/providers/be_dyndns.h @@ -39,6 +39,7 @@ enum be_nsupdate_auth { struct be_nsupdate_ctx { struct dp_option *opts; enum be_nsupdate_auth auth_type; + enum be_nsupdate_auth auth_ptr_type; time_t last_refresh; bool timer_in_progress; @@ -56,6 +57,7 @@ enum dp_dyndns_opts { DP_OPT_DYNDNS_UPDATE_PTR, DP_OPT_DYNDNS_FORCE_TCP, DP_OPT_DYNDNS_AUTH, + DP_OPT_DYNDNS_AUTH_PTR, DP_OPT_DYNDNS_SERVER, DP_OPT_DYNDNS /* attrs counter */ diff --git a/src/providers/ipa/ipa_dyndns.c b/src/providers/ipa/ipa_dyndns.c index 9404ea9cb9..76167eb918 100644 --- a/src/providers/ipa/ipa_dyndns.c +++ b/src/providers/ipa/ipa_dyndns.c 
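Review bot: The new `auth_ptr_type` member of `struct be_nsupdate_ctx` in the be_dyndns.h hunk is added without a comment, and the same applies to the `auth_ptr_type` member of `sdap_dyndns_update_state` and the new `auth_ptr_type` parameter of `sdap_dyndns_update_send` in the sdap_dyndns.c and sdap_dyndns.h hunks that follow. Because the value silently takes over `auth_type` when `dyndns_auth_ptr` is unset (see the `strauth == NULL` branch in the second patch), a reader of the header cannot tell from the field alone which of the two settings governs a reverse-zone update. I would add `/* auth used for PTR record updates; equals auth_type unless dyndns_auth_ptr is set */` next to each field and a matching one-line description of the parameter above the prototype in sdap_dyndns.h. Both `struct be_nsupdate_ctx` and `enum dp_dyndns_opts` continue past their hunks.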
@@ -213,6 +213,7 @@ ipa_dyndns_update_connect_done(struct tevent_req *subreq) ctx->dyndns_ctx->opts, sdap_ctx, ctx->dyndns_ctx->auth_type, + ctx->dyndns_ctx->auth_ptr_type, dp_opt_get_string(ctx->dyndns_ctx->opts, DP_OPT_DYNDNS_IFACE), dp_opt_get_string(ctx->basic, diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c index d0e23d5c5a..dadf1f7a13 100644 --- a/src/providers/ipa/ipa_opts.c +++ b/src/providers/ipa/ipa_opts.c @@ -63,6 +63,7 @@ struct dp_option ipa_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, + { "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c index 01c4b405b4..3535fb4265 100644 --- a/src/providers/ldap/sdap_dyndns.c +++ b/src/providers/ldap/sdap_dyndns.c @@ -59,6 +59,7 @@ struct sdap_dyndns_update_state { bool update_ptr; bool check_diff; enum be_nsupdate_auth auth_type; + enum be_nsupdate_auth auth_ptr_type; bool fallback_mode; char *update_msg; }; @@ -89,6 +90,7 @@ sdap_dyndns_update_send(TALLOC_CTX *mem_ctx, struct dp_option *opts, struct sdap_id_ctx *sdap_ctx, enum be_nsupdate_auth auth_type, + enum be_nsupdate_auth auth_ptr_type, const char *ifname, const char *hostname, const char *realm, @@ -117,6 +119,7 @@ sdap_dyndns_update_send(TALLOC_CTX *mem_ctx, state->ev = ev; state->opts = opts; state->auth_type = auth_type; + state->auth_ptr_type = auth_ptr_type; /* fallback servername is overridden by user option */ conf_servername = dp_opt_get_string(opts, DP_OPT_DYNDNS_SERVER); 
@@ -432,7 +435,7 @@ sdap_dyndns_update_ptr_step(struct tevent_req *req) } /* Fork a child process to perform the DNS update */ - subreq = be_nsupdate_send(state, state->ev, state->auth_type, + subreq = be_nsupdate_send(state, state->ev, state->auth_ptr_type, state->update_msg, dp_opt_get_bool(state->opts, DP_OPT_DYNDNS_FORCE_TCP)); diff --git a/src/providers/ldap/sdap_dyndns.h b/src/providers/ldap/sdap_dyndns.h index c66e265944..5fb3667390 100644 --- a/src/providers/ldap/sdap_dyndns.h +++ b/src/providers/ldap/sdap_dyndns.h @@ -37,6 +37,7 @@ sdap_dyndns_update_send(TALLOC_CTX *mem_ctx, struct dp_option *opts, struct sdap_id_ctx *sdap_ctx, enum be_nsupdate_auth auth_type, + enum be_nsupdate_auth auth_ptr_type, const char *ifname, const char *hostname, const char *realm, From 18f17decbfb4e8d5b8a1f0c508bce28482374247 Mon Sep 17 00:00:00 2001 From: Joakim Tjernlund <joakim.tjernl...@infinera.com> Date: Tue, 1 Sep 2020 19:33:11 +0200 Subject: [PATCH 2/2] dyndns_auth_ptr: Use NULL_STRING instead of empty string --- src/providers/ad/ad_opts.c | 2 +- src/providers/be_dyndns.c | 4 ++-- src/providers/ipa/ipa_opts.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 9ebb9ad1a4..b61de2838e 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -309,7 +309,7 @@ struct dp_option ad_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, - { "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING }, + { "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c index f97779e1dc..2de3b11bb7 100644 --- a/src/providers/be_dyndns.c +++ b/src/providers/be_dyndns.c 
@@ -1217,7 +1217,7 @@ static struct dp_option default_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, - { "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING }, + { "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR @@ -1256,7 +1256,7 @@ be_nsupdate_init(TALLOC_CTX *mem_ctx, struct be_ctx *be_ctx, } strauth = dp_opt_get_string(ctx->opts, DP_OPT_DYNDNS_AUTH_PTR); - if (strcasecmp(strauth, "") == 0) { + if (strauth == NULL) { ctx->auth_ptr_type = ctx->auth_type; } else if (strcasecmp(strauth, "gss-tsig") == 0) { ctx->auth_ptr_type = BE_NSUPDATE_AUTH_GSS_TSIG; diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c index dadf1f7a13..9ebcc85297 100644 --- a/src/providers/ipa/ipa_opts.c +++ b/src/providers/ipa/ipa_opts.c @@ -63,7 +63,7 @@ struct dp_option ipa_dyndns_opts[] = { { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, - { "dyndns_auth_ptr", DP_OPT_STRING, { "" }, NULL_STRING }, + { "dyndns_auth_ptr", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, DP_OPTION_TERMINATOR };
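Review bot: The effective PTR authentication mode is never logged once the `if`/`else` chain in `be_nsupdate_init` has resolved it, so an operator reading the debug log cannot see that `dyndns_auth_ptr = none` has switched reverse-zone updates to unauthenticated while forward updates still use GSS-TSIG; the config file remains the only record of that split. After the chain and before `*_ctx = ctx;` I would add `DEBUG(SSSDBG_CONF_SETTINGS, "PTR updates will use auth type %s\n", strauth != NULL ? strauth : "same as dyndns_auth");`. Separately, with the change from `strcasecmp(strauth, "")` to `strauth == NULL`, an explicitly empty `dyndns_auth_ptr =` line now reaches the `Unknown dyndns ptr auth type` branch and fails initialisation instead of falling back to `auth_type`, if the config layer can hand back "" for it; worth confirming that is intended and, if so, saying so in the man page. `be_nsupdate_init` begins before this hunk, and `strauth` appears to be reused from the earlier `dyndns_auth` parse that is not shown.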