
Commit a60320b

IPA: Support ID override templates
Retrieve ID override templates on subdomain initialization. When overrides are checked during IPA lookups, check for fallback template values. :relnote: SSSD now checks for the existence of ID override templates in an IPA provider configuration. ID override templates support overriding the loginShell and homeDirectory values of trusted AD users, or of upcoming IPA-IPA trusted users. This behavior is enabled by default.
1 parent 71151e3 commit a60320b


5 files changed

+365
-9
lines changed


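--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -210,6 +210,8 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+const char *global_template_homedir;
+const char *global_template_shell;
 };
 
 struct ipa_options {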
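Review bot: The two new `global_template_*` members of struct ipa_id_ctx are added without a comment, while the neighbouring `server_mode` field documents when it is valid; from the header alone a reader cannot tell whether NULL means "no template configured" or who owns the strings. The commit message says the templates are retrieved on subdomain initialization and every consumer in this commit passes them straight into sysdb_store_override_template, so the NULL case is presumably handled there, but that contract should be stated at the declaration. Suggest `/* Global ID override templates for homeDirectory and loginShell, fetched on subdomain init; NULL when the server defines none */` above the pair, and a note on whether the strings are talloc children of the ctx once that is confirmed against the retrieval code, which is not on this page.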

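--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -372,13 +372,35 @@ static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq)
 
 if (is_default_view(state->ipa_ctx->view_name)) {
 ret = sysdb_apply_default_override(state->user_dom, override_attrs,
+state->ipa_ctx->global_template_homedir,
+state->ipa_ctx->global_template_shell,
 state->groups[state->group_idx]->dn);
 } else {
 ret = sysdb_store_override(state->user_dom,
 state->ipa_ctx->view_name,
 SYSDB_MEMBER_GROUP,
 override_attrs,
 state->groups[state->group_idx]->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
+tevent_req_error(req, ret);
+return;
+}
+
+/* Individual user ID override should supersede template values,
+* Don't add template values if normal ID override is found */
+if (override_attrs == NULL) {
+ret = sysdb_store_override_template(state->user_dom,
+state->ipa_ctx->global_template_homedir,
+state->ipa_ctx->global_template_shell,
+state->ipa_ctx->view_name,
+state->groups[state->group_idx]->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override_template failed.\n");
+tevent_req_error(req, ret);
+return;
+}
+}
 }
 talloc_free(override_attrs);
 if (ret != EOK) {
@@ -924,13 +946,28 @@ static int ipa_id_get_account_info_post_proc_step(struct tevent_req *req)
 type = SYSDB_MEMBER_GROUP;
 }
 
-ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name,
+ret = sysdb_store_override(state->domain,
+state->ipa_ctx->view_name,
 type,
 state->override_attrs, state->obj_msg->dn);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
 goto done;
 }
+
+/* Individual user ID override should supersede template values,
+* Don't add template values if normal ID override is found */
+if (state->override_attrs == NULL) {
+ret = sysdb_store_override_template(state->domain,
+state->ipa_ctx->global_template_homedir,
+state->ipa_ctx->global_template_shell,
+state->ipa_ctx->view_name,
+state->obj_msg->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override_template failed.\n");
+goto done;
+}
+}
 }
 
 if (state->ghosts != NULL) {
@@ -1009,14 +1046,29 @@ static void ipa_id_get_account_info_done(struct tevent_req *subreq)
 type = SYSDB_MEMBER_GROUP;
 }
 
-ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name,
+ret = sysdb_store_override(state->domain,
+state->ipa_ctx->view_name,
 type,
 state->override_attrs, state->obj_msg->dn);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
 goto fail;
 }
 
+/* Individual user ID override should supersede template values,
+* Don't add template values if normal ID override is found */
+if (state->override_attrs == NULL) {
+ret = sysdb_store_override_template(state->domain,
+state->ipa_ctx->global_template_homedir,
+state->ipa_ctx->global_template_shell,
+state->ipa_ctx->view_name,
+state->obj_msg->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override_template failed.\n");
+goto fail;
+}
+}
+
 if (state->ghosts != NULL) {
 /* Resolve ghost members */
 subreq = ipa_resolve_user_list_send(state, state->ev,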
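Review bot: In the first hunk (ipa_initgr_get_overrides_override_done) the newly added `if (ret != EOK) { ...; tevent_req_error(req, ret); return; }` after sysdb_store_override returns before the `talloc_free(override_attrs)` that follows the if/else, and the pre-existing `if (ret != EOK)` right after that free already handles the same failure; the early return therefore only changes behaviour on the path where override_attrs is non-NULL, which is exactly the path that now skips the free. The second early return, in the template branch, is harmless because override_attrs is NULL there, but it is equally redundant. Both can go if the template store is simply chained on success and left to the existing free and error path: `if (ret == EOK && override_attrs == NULL) { ret = sysdb_store_override_template(state->user_dom, state->ipa_ctx->global_template_homedir, state->ipa_ctx->global_template_shell, state->ipa_ctx->view_name, state->groups[state->group_idx]->dn); }`. The function's remaining error handling continues outside the hunk, so what the pre-existing check does on failure is inferred from the original shape of the code rather than visible here.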

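--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -946,6 +946,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct req_input *req_input,
 struct resp_attrs *attrs,
 struct resp_attrs *simple_attrs,
+struct ipa_id_ctx *ipa_ctx,
 const char *view_name,
 struct sysdb_attrs *override_attrs,
 struct sysdb_attrs *mapped_attrs,
@@ -1611,7 +1612,7 @@ static errno_t ipa_s2n_get_list_save_step(struct tevent_req *req)
 struct ipa_s2n_get_list_state);
 
 ret = ipa_s2n_save_objects(state->dom, &state->req_input, state->attrs,
-NULL, state->ipa_ctx->view_name,
+NULL, state->ipa_ctx, state->ipa_ctx->view_name,
 state->override_attrs, state->mapped_attrs,
 false);
 if (ret != EOK) {
@@ -2322,7 +2323,8 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
 
 if (ret == ENOENT || is_default_view(state->ipa_ctx->view_name)) {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
-state->simple_attrs, NULL, NULL, NULL, true);
+state->simple_attrs, state->ipa_ctx,
+NULL, NULL, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 goto done;
@@ -2475,6 +2477,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct req_input *req_input,
 struct resp_attrs *attrs,
 struct resp_attrs *simple_attrs,
+struct ipa_id_ctx *ipa_ctx,
 const char *view_name,
 struct sysdb_attrs *override_attrs,
 struct sysdb_attrs *mapped_attrs,
@@ -2905,12 +2908,28 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 /* For the default view the data return by the extdom plugin already
 * contains all needed data and it is not expected to have a separate
 * override object. */
-ret = sysdb_store_override(dom, view_name, type, override_attrs,
-res->msgs[0]->dn);
+ret = sysdb_store_override(dom,
+view_name,
+type,
+override_attrs, res->msgs[0]->dn);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
 goto done;
 }
+
+/* Individual user ID override should supersede template values,
+* Don't add template values if normal ID override is found */
+if (override_attrs == NULL) {
+ret = sysdb_store_override_template(dom,
+ipa_ctx->global_template_homedir,
+ipa_ctx->global_template_shell,
+ipa_ctx->view_name,
+res->msgs[0]->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override_template failed.\n");
+goto done;
+}
+}
 }
 
 done:
@@ -2958,7 +2977,8 @@ static void ipa_s2n_get_list_done(struct tevent_req *subreq)
 &sid_str);
 if (ret == ENOENT) {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
-state->simple_attrs, NULL, NULL, NULL, true);
+state->simple_attrs, state->ipa_ctx,
+NULL, NULL, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 goto fail;
@@ -2995,6 +3015,7 @@ static void ipa_s2n_get_list_done(struct tevent_req *subreq)
 } else {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
 state->simple_attrs,
+state->ipa_ctx,
 state->ipa_ctx->view_name,
 state->override_attrs, NULL, true);
 if (ret != EOK) {
@@ -3031,7 +3052,8 @@ static void ipa_s2n_get_user_get_override_done(struct tevent_req *subreq)
 }
 
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
-state->simple_attrs, state->ipa_ctx->view_name,
+state->simple_attrs, state->ipa_ctx,
+state->ipa_ctx->view_name,
 override_attrs, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");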
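Review bot: In the ipa_s2n_save_objects hunk at 2920-2932 the template store passes `ipa_ctx->view_name` while the sysdb_store_override call immediately above it uses the `view_name` parameter, so the override and its template fallback can be recorded under different views whenever a caller supplies something other than ipa_ctx->view_name; three of the callers updated in this commit (ipa_s2n_get_user_done, ipa_s2n_get_list_done on the ENOENT path, and ipa_s2n_get_list_save_step) pass NULL for view_name while still supplying ipa_ctx. Unless the enclosing condition, which starts outside the hunk, guarantees the two are equal, the argument should be `view_name,` to keep both stores keyed the same way. ipa_ctx is also dereferenced unconditionally in that branch; every call site visible on this page passes state->ipa_ctx, but the new parameter's non-NULL requirement is not stated anywhere, so a `/* ipa_ctx must not be NULL: provides view_name and the global ID override templates */` on the prototype at 949 would document the contract for future callers.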
