File 0018-AD_PROVIDER-ad_enabled_domains.patch of Package sssd.11069
From 854d6513ac5d1b2ba666d6b120e702081bbb1633 Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Fri, 13 May 2016 05:21:07 -0400
Subject: [PATCH 1/4] AD_PROVIDER: Add ad_enabled_domains option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit d6342c92c226becbdd254f90a0005b8c00c300dc)
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/man/sssd-ad.5.xml | 27 ++++++++++++++++++++++++++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_opts.c | 1 +
5 files changed, 31 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index d31458017..22bc32ce3 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -186,6 +186,7 @@ option_strings = {
# [provider/ad]
'ad_domain' : _('Active Directory domain'),
+ 'ad_enabled_domains' : _('Enabled Active Directory domains'),
'ad_server' : _('Active Directory server address'),
'ad_backup_server' : _('Active Directory backup server address'),
'ad_hostname' : _('Active Directory client hostname'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 23006d26c..0d16387aa 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -1,5 +1,6 @@
[provider/ad]
ad_domain = str, None, false
+ad_enabled_domains = str, None, false
ad_server = str, None, false
ad_backup_server = str, None, false
ad_hostname = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 54a4b5627..d7d765165 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -113,6 +113,33 @@ ldap_id_mapping = False
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ad_enabled_domains (string)</term>
+ <listitem>
+ <para>
+ A comma-separated list of enabled Active Directory domains.
+ If provided, SSSD will ignore any domains not listed in this
+ option. If left unset, all domains from the AD forest will
+ be available.
+ </para>
+ <para>
+ For proper operation, this option must be specified in all
+ lower-case and as the fully qualified domain name of the
+ Active Directory domain. For example:
+ <programlisting>
+ad_enabled_domains = sales.example.com, eng.example.com
+ </programlisting>
+ </para>
+ <para>
+ The short domain name (also known as the NetBIOS or the flat
+ name) will be autodetected by SSSD.
+ </para>
+ <para>
+ Default: Not set
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>ad_server, ad_backup_server (string)</term>
<listitem>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index c795a41d0..2f5f3a448 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -42,6 +42,7 @@ struct ad_options;
enum ad_basic_opt {
AD_DOMAIN = 0,
+ AD_ENABLED_DOMAINS,
AD_SERVER,
AD_BACKUP_SERVER,
AD_HOSTNAME,
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 15024adb7..aefcaaf8a 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -28,6 +28,7 @@
struct dp_option ad_basic_opts[] = {
{ "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_enabled_domains", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_hostname", DP_OPT_STRING, NULL_STRING, NULL_STRING },
--
2.21.0
From 5c9e24c1558c782d2f1bf89724043769953e202d Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Tue, 21 Jun 2016 08:34:15 +0200
Subject: [PATCH 2/4] AD_PROVIDER: Initializing of ad_enabled_domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We add ad_enabled_domains into ad_subdomains_ctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit a82baf596bac1fdac6addca6419d8992111a8aa2)
---
src/providers/ad/ad_subdomains.c | 81 ++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index f7e7e6200..c74e494f6 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -63,6 +63,7 @@ struct ad_subdomains_ctx {
struct sdap_id_conn_ctx *ldap_ctx;
struct sss_idmap_ctx *idmap_ctx;
char *domain_name;
+ const char **ad_enabled_domains;
time_t last_refreshed;
struct tevent_timer *timer_event;
@@ -91,6 +92,79 @@ struct ad_subdomains_req_ctx {
char *forest;
};
+static errno_t ad_get_enabled_domains(TALLOC_CTX *mem_ctx,
+ struct ad_id_ctx *ad_id_ctx,
+ const char *ad_domain,
+ const char ***_ad_enabled_domains)
+{
+ int ret;
+ const char *str;
+ const char *option_name;
+ const char **domains = NULL;
+ int count;
+ bool is_ad_in_domains;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ str = dp_opt_get_cstring(ad_id_ctx->ad_options->basic, AD_ENABLED_DOMAINS);
+ if (str == NULL) {
+ *_ad_enabled_domains = NULL;
+ ret = EOK;
+ goto done;
+ }
+
+ count = 0;
+ ret = split_on_separator(tmp_ctx, str, ',', true, true,
+ discard_const_p(char **, &domains), &count);
+ if (ret != EOK) {
+ option_name = ad_id_ctx->ad_options->basic[AD_ENABLED_DOMAINS].opt_name;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse option [%s], [%i] [%s]!\n",
+ option_name, ret, sss_strerror(ret));
+ ret = EINVAL;
+ goto done;
+ }
+
+ is_ad_in_domains = false;
+ for (int i = 0; i < count; i++) {
+ is_ad_in_domains += strcmp(ad_domain, domains[i]) == 0 ? true : false;
+ }
+
+ if (is_ad_in_domains == false) {
+ domains = talloc_realloc(tmp_ctx, domains, const char*, count + 2);
+ if (domains == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ domains[count] = talloc_strdup(domains, ad_domain);
+ if (domains[count] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ domains[count + 1] = NULL;
+ } else {
+ domains = talloc_realloc(tmp_ctx, domains, const char*, count + 1);
+ if (domains == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ domains[count] = NULL;
+ }
+
+ *_ad_enabled_domains = talloc_steal(mem_ctx, domains);
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
static errno_t
ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
struct ad_id_ctx *id_ctx,
@@ -1182,6 +1256,7 @@ int ad_subdom_init(struct be_ctx *be_ctx,
void **pvt_data)
{
struct ad_subdomains_ctx *ctx;
+ const char **ad_enabled_domains = NULL;
int ret;
enum idmap_error_code err;
@@ -1191,6 +1266,11 @@ int ad_subdom_init(struct be_ctx *be_ctx,
return ENOMEM;
}
+ ret = ad_get_enabled_domains(ctx, id_ctx, ad_domain, &ad_enabled_domains);
+ if (ret != EOK) {
+ return EINVAL;
+ }
+
ctx->be_ctx = be_ctx;
ctx->sdom = id_ctx->sdap_id_ctx->opts->sdom;
ctx->ldap_ctx = id_ctx->ldap_ctx;
@@ -1200,6 +1280,7 @@ int ad_subdom_init(struct be_ctx *be_ctx,
DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
return ENOMEM;
}
+ ctx->ad_enabled_domains = ad_enabled_domains;
ctx->ad_id_ctx = id_ctx;
*ops = &ad_subdomains_ops;
*pvt_data = ctx;
--
2.21.0
From 7c7781a6632dc46d73567bf90ba1d0bf1c0e4a17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Thu, 3 Nov 2016 08:42:07 +0100
Subject: [PATCH 3/4] AD_PROVIDER: ad_enabled_domains - only master
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We can skip looking up other domains if option ad_enabled_domains
contains only master domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 49f38702e62bbd1728757063ba407444e6270952)
---
src/providers/ad/ad_subdomains.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index c74e494f6..9f60665ed 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -649,6 +649,7 @@ static void ad_subdomains_get_conn_done(struct tevent_req *req)
goto fail;
}
+ /* connect to the DC we are a member of */
req = ad_master_domain_send(ctx, ctx->sd_ctx->be_ctx->ev,
ctx->sd_ctx->ldap_ctx,
ctx->sdap_op,
@@ -699,6 +700,22 @@ static void ad_subdomains_master_dom_done(struct tevent_req *req)
goto done;
}
+ /*
+ * If ad_enabled_domains contains only master domain
+ * we shouldn't lookup other domains.
+ */
+ if (ctx->sd_ctx->ad_enabled_domains != NULL) {
+ if (talloc_array_length(ctx->sd_ctx->ad_enabled_domains) == 2) {
+ if (strcasecmp(ctx->sd_ctx->ad_enabled_domains[0],
+ ctx->sd_ctx->be_ctx->domain->name) == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No other enabled domain than master.\n");
+ ret = EOK;
+ goto done;
+ }
+ }
+ }
+
if (ctx->forest == NULL ||
strcasecmp(ctx->sd_ctx->be_ctx->domain->name, ctx->forest) != 0) {
DEBUG(SSSDBG_TRACE_FUNC,
--
2.21.0
From efba0221c407af832727da26fa45c7aa326c89b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Thu, 3 Nov 2016 08:44:34 +0100
Subject: [PATCH 4/4] AD_PROVIDER: ad_enabled_domains - other then master
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We can skip looking up other domains if
option ad_enabled_domains doesn't contain them.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit ba26252f43409a2e4c3d2396e4e7a21584bd725a)
---
src/providers/ad/ad_subdomains.c | 40 +++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 9f60665ed..11dc4edbf 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -165,6 +165,16 @@ done:
return ret;
}
+static bool is_domain_enabled(const char *domain,
+ const char **enabled_doms)
+{
+ if (enabled_doms == NULL) {
+ return true;
+ }
+
+ return string_in_list(domain, discard_const_p(char *, enabled_doms), false);
+}
+
static errno_t
ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
struct ad_id_ctx *id_ctx,
@@ -1023,6 +1033,7 @@ static errno_t ad_subdomains_get_slave(struct ad_subdomains_req_ctx *ctx)
static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
+ const char **enabled_domains_list,
size_t nsd, struct sysdb_attrs **sd,
struct sysdb_attrs *root,
size_t *_nsd_out,
@@ -1031,9 +1042,10 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,
size_t i, sdi;
struct sysdb_attrs **sd_out;
const char *sd_name;
+ const char *root_name;
errno_t ret;
- if (root == NULL) {
+ if (root == NULL && enabled_domains_list == NULL) {
/* We are connected directly to the root domain. The 'sd'
* list is complete and we can just use it
*/
@@ -1060,6 +1072,13 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,
goto fail;
}
+ if (is_domain_enabled(sd_name, enabled_domains_list) == false) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Disabling subdomain %s\n", sd_name);
+ continue;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Enabling subdomain %s\n", sd_name);
+ }
+
if (strcasecmp(sd_name, domain->name) == 0) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Not including primary domain %s in the subdomain list\n",
@@ -1072,9 +1091,23 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,
}
/* Now include the root */
- sd_out[sdi] = talloc_steal(sd_out, root);
+ if (root != NULL) {
+ ret = sysdb_attrs_get_string(root, AD_AT_TRUST_PARTNER, &root_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+ goto fail;
+ }
+
+ if (is_domain_enabled(root_name, enabled_domains_list) == true) {
+ sd_out[sdi] = talloc_steal(sd_out, root);
+ sdi++;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Disabling forest root domain %s\n",
+ root_name);
+ }
+ }
- *_nsd_out = sdi+1;
+ *_nsd_out = sdi;
*_sd_out = sd_out;
return EOK;
@@ -1142,6 +1175,7 @@ static void ad_subdomains_get_slave_domain_done(struct tevent_req *req)
* subdomains
*/
ret = ad_subdomains_process(ctx, ctx->sd_ctx->be_ctx->domain,
+ ctx->sd_ctx->ad_enabled_domains,
ctx->reply_count, ctx->reply,
ctx->root_domain_attrs, &nsubdoms, &subdoms);
if (ret != EOK) {
--
2.21.0
