c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
an allow-any default to a deny-any default when it
can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
commands in man pages since local provider is
deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
168 lines
5.1 KiB
Diff
168 lines
5.1 KiB
Diff
From d9cc38008a51a8a5189904f175e4d10cbde4a974 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Mon, 2 Jul 2018 10:38:54 +0200
|
|
Subject: [PATCH 24/83] confdb: add confdb_certmap_to_sysdb()
|
|
|
|
Add a function to write certificate mapping and matching rules from the
|
|
config database to the cache of a domain.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/confdb/confdb.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
src/confdb/confdb.h | 23 +++++++++++++
|
|
2 files changed, 122 insertions(+)
|
|
|
|
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
index 621647e..26415ca 100644
|
|
--- a/src/confdb/confdb.c
|
|
+++ b/src/confdb/confdb.c
|
|
@@ -2202,3 +2202,102 @@ done:
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
+
|
|
+static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
|
|
+ struct confdb_ctx *cdb,
|
|
+ struct sss_domain_info *dom,
|
|
+ struct certmap_info ***_certmap_list)
|
|
+{
|
|
+ TALLOC_CTX *tmp_ctx = NULL;
|
|
+ struct ldb_dn *dn = NULL;
|
|
+ struct ldb_result *res = NULL;
|
|
+ /* The attributte order is important, because it is used in
|
|
+ * sysdb_ldb_msg_attr_to_certmap_info and must match
|
|
+ * enum certmap_info_member. */
|
|
+ static const char *attrs[] = { CONFDB_CERTMAP_NAME,
|
|
+ CONFDB_CERTMAP_MAPRULE,
|
|
+ CONFDB_CERTMAP_MATCHRULE,
|
|
+ CONFDB_CERTMAP_PRIORITY,
|
|
+ CONFDB_CERTMAP_DOMAINS,
|
|
+ NULL};
|
|
+ struct certmap_info **certmap_list = NULL;
|
|
+ size_t c;
|
|
+ int ret;
|
|
+
|
|
+ tmp_ctx = talloc_new(NULL);
|
|
+ if (tmp_ctx == NULL) {
|
|
+ return ENOMEM;
|
|
+ }
|
|
+
|
|
+ dn = ldb_dn_new_fmt(tmp_ctx, cdb->ldb, "cn=%s,%s", dom->name,
|
|
+ CONFDB_CERTMAP_BASEDN);
|
|
+ if (dn == NULL) {
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
|
|
+ attrs, NULL);
|
|
+ if (ret != LDB_SUCCESS) {
|
|
+ ret = EIO;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ certmap_list = talloc_zero_array(tmp_ctx, struct certmap_info *,
|
|
+ res->count + 1);
|
|
+ if (certmap_list == NULL) {
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ for (c = 0; c < res->count; c++) {
|
|
+ ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
|
|
+ attrs, &certmap_list[c]);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
|
|
+ goto done;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ *_certmap_list = talloc_steal(mem_ctx, certmap_list);
|
|
+
|
|
+ ret = EOK;
|
|
+
|
|
+done:
|
|
+ talloc_free(tmp_ctx);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
|
|
+ struct sss_domain_info *dom)
|
|
+{
|
|
+ int ret;
|
|
+ TALLOC_CTX *tmp_ctx;
|
|
+ struct certmap_info **certmap_list;
|
|
+
|
|
+ tmp_ctx = talloc_new(NULL);
|
|
+ if (tmp_ctx == NULL) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
|
+ return ENOMEM;
|
|
+ }
|
|
+
|
|
+ ret = confdb_get_all_certmaps(tmp_ctx, cdb, dom, &certmap_list);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_all_certmaps failed.\n");
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = sysdb_update_certmap(dom->sysdb, certmap_list, false /* TODO */);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed.\n");
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = EOK;
|
|
+
|
|
+done:
|
|
+ talloc_free(tmp_ctx);
|
|
+
|
|
+ return ret;
|
|
+}
|
|
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
index 2266501..2aae93a 100644
|
|
--- a/src/confdb/confdb.h
|
|
+++ b/src/confdb/confdb.h
|
|
@@ -265,6 +265,15 @@
|
|
#define CONFDB_KCM_SOCKET "socket_path"
|
|
#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
|
|
|
|
+/* Certificate mapping rules */
|
|
+#define CONFDB_CERTMAP_BASEDN "cn=certmap,cn=config"
|
|
+#define CONFDB_CERTMAP_NAME "cn"
|
|
+#define CONFDB_CERTMAP_MAPRULE "maprule"
|
|
+#define CONFDB_CERTMAP_MATCHRULE "matchrule"
|
|
+#define CONFDB_CERTMAP_DOMAINS "domains"
|
|
+#define CONFDB_CERTMAP_PRIORITY "priority"
|
|
+
|
|
+
|
|
struct confdb_ctx;
|
|
struct config_file_ctx;
|
|
|
|
@@ -662,6 +671,20 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
|
|
const char *section,
|
|
char ***sections,
|
|
int *num_sections);
|
|
+
|
|
+/**
|
|
+ * @brief Convenience function to write the certificate mapping and matching
|
|
+ * rules from the configuration database to the cache of a domain
|
|
+ *
|
|
+ * @param[in] cdb The connection object to the confdb
|
|
+ * @param[in] dom Target domain where to rules should be written to
|
|
+ *
|
|
+ * @return 0 - Successfully retrieved the entry (or used the default)
|
|
+ * @return ENOMEM - There was insufficient memory to complete the operation
|
|
+ * @return EINVAL - Typically internal processing error
|
|
+ */
|
|
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
|
|
+ struct sss_domain_info *dom);
|
|
/**
|
|
* @}
|
|
*/
|
|
--
|
|
2.9.5
|
|
|