A bunch of patches to be merged downstream to c8s #7706

Closed
wants to merge 5 commits into from
18 changes: 10 additions & 8 deletions src/db/sysdb_ops.c
Expand Up @@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
goto done;
}

ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
if (ret != ENOENT) {
if (ret == EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Group with GID [%"SPRIgid"] already exists in an "
"MPG domain\n", gid);
ret = EEXIST;
if (uid != 0) { /* uid == 0 means non-POSIX object */
ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
if (ret != ENOENT) {
if (ret == EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Group with GID [%"SPRIgid"] already exists in an "
"MPG domain\n", uid);
ret = EEXIST;
}
goto done;
}
goto done;
}
}

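Review bot: The DEBUG call at the new `"MPG domain\n", uid);` line still formats the value with `SPRIgid` although the argument is now the uid_t `uid`; switching to `SPRIuid` keeps the format macro matched to the argument and makes the message read correctly. The `uid != 0` guard relies on the convention stated in the inline comment that non-POSIX objects carry uid 0, which also means a genuine uid 0 entry would bypass the MPG collision check entirely — if callers are known never to store one, say so, e.g. `/* uid == 0 marks a non-POSIX object; a real uid 0 is never added here */`, otherwise this is worth confirming against the callers. sysdb_add_user starts before this hunk.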
11 changes: 11 additions & 0 deletions src/man/sssd-ldap.5.xml
Expand Up @@ -234,6 +234,17 @@
userPassword (not recommended).
</para>
</listitem>
<listitem>
<para>
exop_force - Try Password Modify
Extended Operation (RFC 3062) even if
there are no grace logins left.
Depending on the type and configuration
of the LDAP server the password change
might fail because an authenticated bind
is not possible.
</para>
</listitem>
</itemizedlist>
</para>
<para>
1 change: 1 addition & 0 deletions src/providers/ad/ad_access.h
Expand Up @@ -49,6 +49,7 @@ struct ad_access_ctx {
} gpo_map_type;
hash_table_t *gpo_map_options_table;
enum gpo_map_type gpo_default_right;
struct sdap_attr_map *host_attr_map;
};

struct tevent_req *
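Review bot: The new `host_attr_map` member is the only field in this hunk without a comment, and its role is not obvious from the name: the ad_gpo.c change in this same PR fills it lazily on first use and keeps it cached in the context for later requests. Suggest `/* attribute map for the host object lookup in GPO processing; allocated lazily by ad_gpo_connect_done() and owned by this ctx */` so readers of the header do not have to find that code path. struct ad_access_ctx starts before this hunk.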
13 changes: 13 additions & 0 deletions src/providers/ad/ad_gpo.c
Expand Up @@ -45,6 +45,7 @@
#include "providers/ad/ad_common.h"
#include "providers/ad/ad_domain_info.h"
#include "providers/ad/ad_gpo.h"
#include "providers/ad/ad_opts.h"
#include "providers/ldap/sdap_access.h"
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap.h"
Expand Down Expand Up @@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
"trying with user search base.");
}

if (state->access_ctx->host_attr_map == NULL) {
ret = sdap_copy_map(state->access_ctx,
ad_2008r2_user_map, SDAP_OPTS_USER,
&state->access_ctx->host_attr_map);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
goto done;
}
}

subreq = groups_by_user_send(state, state->ev,
state->access_ctx->ad_id_ctx->sdap_id_ctx,
sdom, state->conn,
search_bases,
state->host_fqdn,
BE_FILTER_NAME,
NULL,
state->access_ctx->host_attr_map,
SDAP_OPTS_USER,
true,
true);
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
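Review bot: The lazily created host map is copied from the compiled-in `ad_2008r2_user_map` rather than from the user map the id context actually runs with, so any `ldap_user_*` attribute overrides an admin has configured would not apply to the host lookup; if that is deliberate because the host object is always queried with default AD attribute names, a one-line comment above the `sdap_copy_map` call saying so would save the next reader the question. The failure message `"Failed to copy user map.\n"` drops the error code — `DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map [%d]: %s\n", ret, sss_strerror(ret));` costs nothing and helps when this shows up in a log. Performing the copy once when the access context is set up, instead of inside this async callback, would also remove the NULL check from the request path. ad_gpo_connect_done continues outside the hunk.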
3 changes: 2 additions & 1 deletion src/providers/ipa/ipa_auth.c
Expand Up @@ -381,7 +381,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
SDAP_OPT_TIMEOUT);

subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
state->pd->authtok, timeout);
state->pd->authtok, timeout,
state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
if (subreq == NULL) {
goto done;
}
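Review bot: The added argument line `state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);` runs well past the 80-column width the surrounding code keeps to. Hoisting it into a local before the call, `enum pwmodify_mode pwmodify_mode = state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode;`, keeps the sdap_auth_send() arguments aligned like the rest. ipa_pam_auth_handler_connect_done starts before the hunk.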
5 changes: 4 additions & 1 deletion src/providers/ldap/ldap_auth.c
Expand Up @@ -896,7 +896,8 @@ static void auth_do_bind(struct tevent_req *req)
NULL, NULL, state->dn,
state->authtok,
dp_opt_get_int(state->ctx->opts->basic,
SDAP_OPT_TIMEOUT));
SDAP_OPT_TIMEOUT),
state->ctx->opts->pwmodify_mode);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
Expand Down Expand Up @@ -1186,6 +1187,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,

switch (opts->pwmodify_mode) {
case SDAP_PWMODIFY_EXOP:
case SDAP_PWMODIFY_EXOP_FORCE:
subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
password, new_password,
timeout);
Expand Down Expand Up @@ -1229,6 +1231,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)

switch (state->mode) {
case SDAP_PWMODIFY_EXOP:
case SDAP_PWMODIFY_EXOP_FORCE:
ret = sdap_exop_modify_passwd_recv(subreq, state,
&state->user_error_message);
break;
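Review bot: The two new `case SDAP_PWMODIFY_EXOP_FORCE:` labels fall through to the plain EXOP handling without a word on why, and a reader of this file alone cannot tell that the mode only changes how an exhausted-grace bind result is mapped in simple_bind_done(), not how the password is changed. A comment above the first pair, `/* EXOP_FORCE only alters the bind result mapping; the change itself is the same exop */`, would make that explicit, and the same line fits the second switch in sdap_pam_change_password_done. Both enclosing functions begin before their hunks.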
2 changes: 2 additions & 0 deletions src/providers/ldap/ldap_common.h
Expand Up @@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
const char *filter_value,
int filter_type,
const char *extra_value,
struct sdap_attr_map *user_map,
size_t user_map_cnt,
bool noexist_delete,
bool set_non_posix);

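Review bot: The new `user_map`/`user_map_cnt` parameters of groups_by_user_send() are declared without saying whether NULL is accepted; the caller in ldap_id.c passes `NULL, 0`, so it evidently is, and the prototype should state what that selects — presumably the id context's configured user map, which I would confirm against sdap_get_initgr_send(). Suggest `/* user_map may be NULL (with user_map_cnt == 0) to use the default map; a non-NULL map must outlive the request */` on this declaration, and the same on sdap_get_initgr_send in sdap_async.h. The declaration starts before the hunk.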
9 changes: 9 additions & 0 deletions src/providers/ldap/ldap_id.c
Expand Up @@ -1144,6 +1144,8 @@ struct groups_by_user_state {
const char *filter_value;
int filter_type;
const char *extra_value;
struct sdap_attr_map *user_map;
size_t user_map_cnt;
const char **attrs;
bool non_posix;

Expand All @@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
const char *filter_value,
int filter_type,
const char *extra_value,
struct sdap_attr_map *user_map,
size_t user_map_cnt,
bool noexist_delete,
bool set_non_posix)
{
Expand Down Expand Up @@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
state->filter_value = filter_value;
state->filter_type = filter_type;
state->extra_value = extra_value;
state->user_map = user_map;
state->user_map_cnt = user_map_cnt;
state->domain = sdom->dom;
state->sysdb = sdom->dom->sysdb;
state->search_bases = search_bases;
Expand Down Expand Up @@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
state->sdom,
sdap_id_op_handle(state->op),
state->ctx,
state->user_map,
state->user_map_cnt,
state->conn,
state->search_bases,
state->filter_value,
Expand Down Expand Up @@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
ar->filter_value,
ar->filter_type,
ar->extra_value,
NULL, 0,
noexist_delete, false);
break;

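Review bot: `state->user_map = user_map;` stores the caller's pointer without copying it, so the map has to stay alive until the request completes, and nothing in the hunk says so; the `NULL, 0` call in sdap_handle_acct_req_send also shows the pair may legitimately be empty, yet there is no check that a NULL map comes with a zero count. A sanity check at the top of groups_by_user_send that treats `user_map == NULL && user_map_cnt != 0` as EINVAL, plus `/* borrowed, not copied: the caller keeps user_map alive until the request completes */` on the struct field, would pin both down before the pointer reaches sdap_get_initgr_send(). groups_by_user_send continues outside the hunks.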
2 changes: 2 additions & 0 deletions src/providers/ldap/ldap_options.c
Expand Up @@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
} else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
} else if (strcasecmp(pwmodify, "exop_force") == 0) {
opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
} else {
DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
ret = EINVAL;
5 changes: 3 additions & 2 deletions src/providers/ldap/sdap.h
Expand Up @@ -546,8 +546,9 @@ struct sdap_options {

/* password modify mode */
enum pwmodify_mode {
SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */
SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */
SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
} pwmodify_mode;

/* The search bases for the domain or its subdomain */
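Review bot: The comment on `SDAP_PWMODIFY_EXOP_FORCE = 3` says only `forced pwmodify extended operation`, which does not tell the reader what is being forced; the man page text in this PR and the simple_bind_done() change show it means the exop is attempted even when the bind reports that grace logins are exhausted. Suggest `/* exop even when no grace logins are left (bind may fail) */` so the header documents the behaviour on its own. struct sdap_options starts before the hunk.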
5 changes: 4 additions & 1 deletion src/providers/ldap/sdap_async.h
Expand Up @@ -146,7 +146,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
const char *sasl_user,
const char *user_dn,
struct sss_auth_token *authtok,
int simple_bind_timeout);
int simple_bind_timeout,
enum pwmodify_mode pwmodify_mode);

errno_t sdap_auth_recv(struct tevent_req *req,
TALLOC_CTX *memctx,
Expand All @@ -157,6 +158,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_domain *sdom,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
struct sdap_attr_map *user_map,
size_t user_map_cnt,
struct sdap_id_conn_ctx *conn,
struct sdap_search_base **search_bases,
const char *name,
27 changes: 21 additions & 6 deletions src/providers/ldap/sdap_async_connection.c
Expand Up @@ -643,6 +643,7 @@ struct simple_bind_state {
struct tevent_context *ev;
struct sdap_handle *sh;
const char *user_dn;
enum pwmodify_mode pwmodify_mode;

struct sdap_op *op;

Expand All @@ -659,7 +660,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
int timeout,
const char *user_dn,
struct berval *pw)
struct berval *pw,
enum pwmodify_mode pwmodify_mode)
{
struct tevent_req *req;
struct simple_bind_state *state;
Expand All @@ -682,6 +684,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
state->ev = ev;
state->sh = sh;
state->user_dn = user_dn;
state->pwmodify_mode = pwmodify_mode;

ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
0, NULL, 0, &ctrls[0]);
Expand Down Expand Up @@ -866,7 +869,12 @@ static void simple_bind_done(struct sdap_op *op,
* Grace Authentications". */
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, grace logins exhausted.\n");
ret = ERR_AUTH_FAILED;
if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
ret = ERR_PASSWORD_EXPIRED;
} else {
ret = ERR_AUTH_FAILED;
}
}
} else if (strcmp(response_controls[c]->ldctl_oid,
LDAP_CONTROL_PWEXPIRED) == 0) {
Expand All @@ -879,7 +887,12 @@ static void simple_bind_done(struct sdap_op *op,
if (result == LDAP_INVALID_CREDENTIALS) {
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, grace logins exhausted.\n");
ret = ERR_AUTH_FAILED;
if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
ret = ERR_PASSWORD_EXPIRED;
} else {
ret = ERR_AUTH_FAILED;
}
} else {
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, user must set a new password.\n");
Expand Down Expand Up @@ -1358,7 +1371,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
const char *sasl_user,
const char *user_dn,
struct sss_auth_token *authtok,
int simple_bind_timeout)
int simple_bind_timeout,
enum pwmodify_mode pwmodify_mode)
{
struct tevent_req *req, *subreq;
struct sdap_auth_state *state;
Expand Down Expand Up @@ -1397,7 +1411,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
pw.bv_len = pwlen;

state->is_sasl = false;
subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw);
subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, pwmodify_mode);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return tevent_req_post(req, ev);
Expand Down Expand Up @@ -1972,7 +1986,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
SDAP_SASL_AUTHID),
user_dn, authtok,
dp_opt_get_int(state->opts->basic,
SDAP_OPT_TIMEOUT));
SDAP_OPT_TIMEOUT),
state->opts->pwmodify_mode);
talloc_free(authtok);
if (!subreq) {
tevent_req_error(req, ENOMEM);
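Review bot: In both new branches of simple_bind_done(), `ret = ERR_PASSWORD_EXPIRED;` is now returned for a bind that ended in LDAP_INVALID_CREDENTIALS, i.e. the server did not verify the supplied password, whereas the pre-existing expired-password path at `"Password expired, user must set a new password.\n"` is reached only when the result is not LDAP_INVALID_CREDENTIALS; callers that read ERR_PASSWORD_EXPIRED as "authenticated, must change password" therefore see a weaker guarantee in EXOP_FORCE mode, and that contract deserves a comment here — I would also confirm that the exop sent afterwards always carries the old password so the server is the one verifying it. The two six-line blocks are identical, so a small static helper keeps the policy in one place and gives the comment a single home. simple_bind_done starts before the hunk.
```c
/* Map a "password expired, grace logins exhausted" bind result to the
 * return code the configured pwmodify mode calls for. */
static errno_t simple_bind_grace_exhausted(enum pwmodify_mode pwmodify_mode)
{
    if (pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
        /* The bind did NOT authenticate the user; the caller goes on to the
         * password-modify exop, which must carry the old password so the
         * server verifies it. */
        DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
        return ERR_PASSWORD_EXPIRED;
    }
    return ERR_AUTH_FAILED;
}

/* … unchanged: simple_bind_done() up to the grace-exhausted branch … */
            DEBUG(SSSDBG_TRACE_LIBS,
                  "Password expired, grace logins exhausted.\n");
            ret = simple_bind_grace_exhausted(state->pwmodify_mode);
/* … unchanged: remaining control handling; the second branch makes the same call … */
```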