Catch up with C8S. #7700

Open
wants to merge 8 commits into
base: sssd-2-9-4
2 changes: 2 additions & 0 deletions src/config/SSSDConfig/sssdoptions.py
Expand Up @@ -186,6 +186,8 @@ def __init__(self):
'dns_resolver_op_timeout': _('How long should keep trying to resolve single DNS query (seconds)'),
'dns_resolver_timeout': _('How long to wait for replies from DNS when resolving servers (seconds)'),
'dns_discovery_domain': _('The domain part of service discovery DNS query'),
'failover_primary_timeout': _('How often SSSD tries to reconnect to the primary server after a successful '
'connection to the backup server.'),
'override_gid': _('Override GID value from the identity provider with this value'),
'case_sensitive': _('Treat usernames as case sensitive'),
'entry_cache_user_timeout': _('Entry cache timeout length (seconds)'),
2 changes: 2 additions & 0 deletions src/config/SSSDConfigTest.py
Expand Up @@ -579,6 +579,7 @@ def testListOptions(self):
'dns_resolver_op_timeout',
'dns_resolver_timeout',
'dns_discovery_domain',
'failover_primary_timeout',
'dyndns_update',
'dyndns_ttl',
'dyndns_iface',
Expand Down Expand Up @@ -939,6 +940,7 @@ def testRemoveProvider(self):
'dns_resolver_op_timeout',
'dns_resolver_timeout',
'dns_discovery_domain',
'failover_primary_timeout',
'dyndns_update',
'dyndns_ttl',
'dyndns_iface',
1 change: 1 addition & 0 deletions src/config/cfg_rules.ini
Expand Up @@ -404,6 +404,7 @@ option = dns_resolver_op_timeout
option = dns_resolver_timeout
option = dns_resolver_use_search_list
option = dns_discovery_domain
option = failover_primary_timeout
option = override_gid
option = case_sensitive
option = override_homedir
1 change: 1 addition & 0 deletions src/config/etc/sssd.api.conf
Expand Up @@ -172,6 +172,7 @@ dns_resolver_server_timeout = int, None, false
dns_resolver_op_timeout = int, None, false
dns_resolver_timeout = int, None, false
dns_discovery_domain = str, None, false
failover_primary_timeout = int, None, false
override_gid = int, None, false
case_sensitive = str, None, false
override_homedir = str, None, false
7 changes: 7 additions & 0 deletions src/db/sysdb_init.c
Expand Up @@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
}
}

if (strcmp(version, SYSDB_VERSION_0_23) == 0) {
ret = sysdb_upgrade_23(sysdb, &version);
if (ret != EOK) {
goto done;
}
}

ret = EOK;
done:
sysdb->ldb = save_ldb;
5 changes: 4 additions & 1 deletion src/db/sysdb_private.h
Expand Up @@ -23,6 +23,7 @@
#ifndef __INT_SYS_DB_H__
#define __INT_SYS_DB_H__

#define SYSDB_VERSION_0_24 "0.24"
#define SYSDB_VERSION_0_23 "0.23"
#define SYSDB_VERSION_0_22 "0.22"
#define SYSDB_VERSION_0_21 "0.21"
Expand All @@ -47,7 +48,7 @@
#define SYSDB_VERSION_0_2 "0.2"
#define SYSDB_VERSION_0_1 "0.1"

#define SYSDB_VERSION SYSDB_VERSION_0_23
#define SYSDB_VERSION SYSDB_VERSION_0_24

#define SYSDB_BASE_LDIF \
"dn: @ATTRIBUTES\n" \
Expand All @@ -60,6 +61,7 @@
"objectclass: CASE_INSENSITIVE\n" \
"ipHostNumber: CASE_INSENSITIVE\n" \
"ipNetworkNumber: CASE_INSENSITIVE\n" \
"mail: CASE_INSENSITIVE\n" \
"\n" \
"dn: @INDEXLIST\n" \
"@IDXATTR: cn\n" \
Expand Down Expand Up @@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);

int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);

56 changes: 56 additions & 0 deletions src/db/sysdb_upgrade.c
Expand Up @@ -2718,6 +2718,62 @@ int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver)
return ret;
}

int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver)
{
TALLOC_CTX *tmp_ctx;
int ret;
struct ldb_message *msg;
struct upgrade_ctx *ctx;

tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
return ENOMEM;
}

ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx);
if (ret) {
return ret;
}

/* Add new indexes */
msg = ldb_msg_new(tmp_ctx);
if (!msg) {
ret = ENOMEM;
goto done;
}
msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES");
if (!msg->dn) {
ret = ENOMEM;
goto done;
}

/* Case insensitive search for mail */
ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL);
if (ret != LDB_SUCCESS) {
ret = ENOMEM;
goto done;
}
ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE");
if (ret != LDB_SUCCESS) {
ret = ENOMEM;
goto done;
}

ret = ldb_modify(sysdb->ldb, msg);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
}

/* conversion done, update version number */
ret = update_version(ctx);

done:
ret = finish_upgrade(ret, &ctx, ver);
talloc_free(tmp_ctx);
return ret;
}

int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
{
struct upgrade_ctx *ctx;
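Review bot: sysdb_upgrade_23 leaks `tmp_ctx` when commence_upgrade fails: the context is allocated at the top of the function, but the `if (ret) { return ret; }` immediately after commence_upgrade returns without releasing it, unlike every other error path which goes through `done`; change it to `if (ret) { talloc_free(tmp_ctx); return ret; }` or allocate tmp_ctx only after commence_upgrade has succeeded. The comment `/* Add new indexes */` is also misleading, since the message modifies the `@ATTRIBUTES` entry to mark `mail` CASE_INSENSITIVE and never touches `@INDEXLIST`; `/* Mark mail as CASE_INSENSITIVE in @ATTRIBUTES */` describes what the code does. Note that ldb_modify with LDB_FLAG_MOD_ADD fails when the attribute value already exists, so a database that somehow already carries `mail: CASE_INSENSITIVE` would be stuck at 0.23 — worth confirming that this cannot happen or is acceptable for this step.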
19 changes: 19 additions & 0 deletions src/man/sssd.conf.5.xml
Expand Up @@ -3773,6 +3773,25 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
</listitem>
</varlistentry>

<varlistentry>
<term>failover_primary_timeout (integer)</term>
<listitem>
<para>
When no primary server is currently available,
SSSD fail overs to a backup server. This option
defines the amount of time (in seconds) to
wait before SSSD tries to reconnect to a primary
server again.
</para>
<para>
Note: The minimum value is 31.
</para>
<para>
Default: 31
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>override_gid (integer)</term>
<listitem>
128 changes: 114 additions & 14 deletions src/providers/ad/ad_gpo.c
Expand Up @@ -1431,13 +1431,41 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
return ret;
}

static errno_t
add_result_to_hash(hash_table_t *hash, const char *key, char *value)
{
int hret;
hash_key_t k;
hash_value_t v;

if (hash == NULL || key == NULL || value == NULL) {
return EINVAL;
}

k.type = HASH_KEY_CONST_STRING;
k.c_str = key;

v.type = HASH_VALUE_PTR;
v.ptr = value;

hret = hash_enter(hash, &k, &v);
if (hret != HASH_SUCCESS) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
key, value, hash_error_string(hret));
return EIO;
}

return EOK;
}

/*
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
* and stores the allow_key and deny_key of all of the gpo_map_types present
* in the file (as part of the GPO Result object in the sysdb cache).
*/
static errno_t
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
hash_table_t *allow_maps, hash_table_t *deny_maps,
const char *filename)
{
struct ini_cfgfile *file_ctx = NULL;
Expand Down Expand Up @@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = allow_value ? allow_value : empty_val;
ret = sysdb_gpo_store_gpo_result_setting(domain,
allow_key,
value);
ret = add_result_to_hash(allow_maps, allow_key,
talloc_strdup(allow_maps, value));
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sysdb_gpo_store_gpo_result_setting failed for key:"
"'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
ret, sss_strerror(ret));
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
"value: [%s] to allow maps "
"[%d][%s].\n",
allow_key, value, ret,
sss_strerror(ret));
goto done;
}
}
Expand All @@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = deny_value ? deny_value : empty_val;
ret = sysdb_gpo_store_gpo_result_setting(domain,
deny_key,
value);
ret = add_result_to_hash(deny_maps, deny_key,
talloc_strdup(deny_maps, value));
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sysdb_gpo_store_gpo_result_setting failed for key:"
"'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
ret, sss_strerror(ret));
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
"value: [%s] to deny maps "
"[%d][%s].\n",
deny_key, value, ret,
sss_strerror(ret));
goto done;
}
}
Expand Down Expand Up @@ -1902,6 +1930,8 @@ struct ad_gpo_access_state {
int num_cse_filtered_gpos;
int cse_gpo_index;
const char *ad_domain;
hash_table_t *allow_maps;
hash_table_t *deny_maps;
};

static void ad_gpo_connect_done(struct tevent_req *subreq);
Expand Down Expand Up @@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
goto immediately;
}

ret = sss_hash_create(state, 0, &state->allow_maps);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
"hash table [%d]: %s\n", ret, sss_strerror(ret));
goto immediately;
}

ret = sss_hash_create(state, 0, &state->deny_maps);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
"hash table [%d]: %s\n", ret, sss_strerror(ret));
goto immediately;
}

subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (subreq == NULL) {
Expand Down Expand Up @@ -2091,6 +2134,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
char *server_uri;
LDAPURLDesc *lud;
struct sdap_domain *sdom;
struct sdap_search_base **search_bases;

req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_gpo_access_state);
Expand Down Expand Up @@ -2184,9 +2228,20 @@ ad_gpo_connect_done(struct tevent_req *subreq)
goto done;
}

ret = common_parse_search_base(state,
sdom->naming_context == NULL ? sdom->basedn
: sdom->naming_context,
state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to create dedicated search base for host lookups, "
"trying with user search base.");
}

subreq = groups_by_user_send(state, state->ev,
state->access_ctx->ad_id_ctx->sdap_id_ctx,
sdom, state->conn,
search_bases,
state->host_fqdn,
BE_FILTER_NAME,
NULL,
Expand Down Expand Up @@ -2701,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req)
return EAGAIN;
}

static errno_t
store_hash_maps_in_cache(struct sss_domain_info *domain,
hash_table_t *allow_maps, hash_table_t *deny_maps)
{
int ret;
struct hash_iter_context_t *iter;
hash_entry_t *entry;
size_t c;
hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};


for (c = 0; hash_list[c] != NULL; c++) {
iter = new_hash_iter_context(hash_list[c]);
if (iter == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
return EINVAL;
}

while ((entry = iter->next(iter)) != NULL) {
ret = sysdb_gpo_store_gpo_result_setting(domain,
entry->key.c_str,
entry->value.ptr);
if (ret != EOK) {
free(iter);
DEBUG(SSSDBG_OP_FAILURE,
"sysdb_gpo_store_gpo_result_setting failed for key:"
"[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
(char *) entry->value.ptr, ret, sss_strerror(ret));
return ret;
}
}
talloc_free(iter);
}

return EOK;
}

/*
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
* cse_gpo_index until the policy settings for all applicable GPOs have been
Expand Down Expand Up @@ -2742,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
* (as part of the GPO Result object in the sysdb cache).
*/
ret = ad_gpo_store_policy_settings(state->host_domain,
state->allow_maps, state->deny_maps,
cse_filtered_gpo->policy_filename);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
Expand All @@ -2755,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)

if (ret == EOK) {
/* ret is EOK only after all GPO policy files have been downloaded */
ret = store_hash_maps_in_cache(state->host_domain,
state->allow_maps, state->deny_maps);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
"[%d][%s].\n", ret, sss_strerror(ret));
goto done;
}
ret = ad_gpo_perform_hbac_processing(state,
state->gpo_mode,
state->gpo_map_type,
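Review bot: `search_bases` in ad_gpo_connect_done is declared as `struct sdap_search_base **search_bases;` without an initialiser, so if common_parse_search_base fails without touching its out-parameter the uninitialised pointer is handed to groups_by_user_send even though the log message promises a fallback to the user search base; declare it as `struct sdap_search_base **search_bases = NULL;` (and reset it to NULL in the failure branch if the helper can leave it partially set) so that the fallback the message describes actually happens. That DEBUG string also lacks the trailing `\n` every other message in these hunks carries. Separately, store_hash_maps_in_cache releases the iterator with `free(iter)` on the error path but `talloc_free(iter)` on the normal path; both cannot be correct for the same pointer, and since the tables come from sss_hash_create, which appears to use talloc-backed allocation, the error path should read `talloc_free(iter);` as well. ad_gpo_connect_done and ad_gpo_cse_done both begin and end outside the hunks shown.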