Copyright (C) Simo Sorce <ssorce@redhat.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
#include "providers/dp_backend.h"
#include "util/sss_ldap.h"
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
#define SDAP_DIAGNOSTIC_MESSAGE LDAP_OPT_DIAGNOSTIC_MESSAGE
#ifdef LDAP_OPT_ERROR_STRING
#define SDAP_DIAGNOSTIC_MESSAGE LDAP_OPT_ERROR_STRING
#error No extended diagnostic message available
struct sdap_msg *next;
/* Completion callback for an asynchronous sdap operation.  It is handed the
 * owning sdap_op, the reply message, an integer status and the private data
 * pointer registered with the op.  NOTE(review): the meaning of the status
 * value and whether the message may be NULL are not visible in this excerpt;
 * check the call sites before relying on either. */
typedef void (sdap_op_callback_t)(struct sdap_op *op,
                                  struct sdap_msg *, int, void *);
struct sdap_op *prev, *next;
struct sdap_handle *sh;
sdap_op_callback_t *callback;
struct tevent_context *ev;
struct sdap_msg *list;
struct sdap_msg *last;
struct fd_event_item {
struct fd_event_item *prev;
struct fd_event_item *next;
struct tevent_fd *fde;
struct sdap_handle *sh;
struct tevent_context *ev;
struct fd_event_item *fd_list;
/* Authentication ticket expiration time (if any) */
struct sdap_fd_events *sdap_fd_events;
struct sup_list supported_saslmechs;
struct sup_list supported_controls;
struct sup_list supported_extensions;
/* During release we must lock access to the handle from the destructor,
 * so that the destructor cannot re-enter it recursively. */
bool destructor_lock;
/* Set once it is safe to finally release the handle's memory. */
struct sdap_service {
char *kinit_service_name;
struct sdap_ppolicy_data {
/* sysdb (cache) attribute names for password-ageing and account-status data.
 * NOTE(review): the string values look like the shadowAccount-, 389-DS-,
 * Kerberos- and AD-style LDAP attributes they mirror, and the
 * SDAP_AT_KP_* / SDAP_AT_PWD_ATTRIBUTE / SDAP_AT_AD_* / SDAP_AT_NS_ACCOUNT_LOCK
 * entries of enum sdap_user_attrs below appear to be their remote
 * counterparts.  Account-expiration / lock decisions (see
 * SDAP_ACCOUNT_EXPIRE_POLICY) presumably key on these names, so confirm
 * against the user attribute map and the access code before renaming any
 * of them. */
#define SYSDB_SHADOWPW_LASTCHANGE "shadowLastChange"
#define SYSDB_SHADOWPW_MIN "shadowMin"
#define SYSDB_SHADOWPW_MAX "shadowMax"
#define SYSDB_SHADOWPW_WARNING "shadowWarning"
#define SYSDB_SHADOWPW_INACTIVE "shadowInactive"
#define SYSDB_SHADOWPW_EXPIRE "shadowExpire"
#define SYSDB_SHADOWPW_FLAG "shadowFlag"

#define SYSDB_NS_ACCOUNT_LOCK "nsAccountLock"

#define SYSDB_KRBPW_LASTCHANGE "krbLastPwdChange"
#define SYSDB_KRBPW_EXPIRATION "krbPasswordExpiration"

#define SYSDB_PWD_ATTRIBUTE "pwdAttribute"

#define SYSDB_AD_ACCOUNT_EXPIRES "adAccountExpires"
#define SYSDB_AD_USER_ACCOUNT_CONTROL "adUserAccountControl"

/* rootDSE attribute names; the *_rootdse() functions declared below take the
 * rootDSE entry as input and are the likely consumers. */
#define SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS "namingContexts"
#define SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT "defaultNamingContext"

/* Update-sequence-number attribute names for IPA and AD servers.
 * NOTE(review): presumably paired with SDAP_AT_ENTRY_USN and the
 * max_user_value / max_group_value fields of struct sdap_server_opts for
 * change tracking -- confirm. */
#define SDAP_IPA_USN "entryUSN"
#define SDAP_IPA_LAST_USN "lastUSN"
#define SDAP_AD_USN "uSNChanged"
#define SDAP_AD_LAST_USN "highestCommittedUSN"
SDAP_AUTH_PW_EXPIRED,
enum sdap_basic_opt {
SDAP_DEFAULT_BIND_DN,
SDAP_DEFAULT_AUTHTOK_TYPE,
SDAP_DEFAULT_AUTHTOK,
SDAP_NETWORK_TIMEOUT,
SDAP_USER_SEARCH_BASE,
SDAP_USER_SEARCH_SCOPE,
SDAP_USER_SEARCH_FILTER,
SDAP_GROUP_SEARCH_BASE,
SDAP_GROUP_SEARCH_SCOPE,
SDAP_GROUP_SEARCH_FILTER,
SDAP_OFFLINE_TIMEOUT,
SDAP_FORCE_UPPER_CASE_REALM,
SDAP_ENUM_REFRESH_TIMEOUT,
SDAP_CACHE_PURGE_TIMEOUT,
SDAP_ENTRY_CACHE_TIMEOUT,
SDAP_TLS_CIPHER_SUITE,
SDAP_ACCOUNT_CACHE_EXPIRATION,
SDAP_DNS_SERVICE_NAME,
SDAP_KRB5_TICKET_LIFETIME,
SDAP_NETGROUP_SEARCH_BASE,
SDAP_ACCOUNT_EXPIRE_POLICY,
SDAP_CHPASS_DNS_SERVICE_NAME,
SDAP_ENUM_SEARCH_TIMEOUT,
SDAP_DISABLE_AUTH_TLS,
SDAP_OPTS_BASIC /* opts counter */
enum sdap_gen_attrs {
SDAP_AT_ENTRY_USN = 0,
SDAP_AT_GENERAL /* attrs counter */
/* The objectclass must stay the first entry of this enum (index 0):
 * functions depend on that ordering. */
enum sdap_user_attrs {
SDAP_AT_USER_FULLNAME,
SDAP_AT_USER_MEMBEROF,
SDAP_AT_USER_MODSTAMP,
SDAP_AT_KP_LASTCHANGE,
SDAP_AT_KP_EXPIRATION,
SDAP_AT_PWD_ATTRIBUTE,
SDAP_AT_AD_ACCOUNT_EXPIRES,
SDAP_AT_AD_USER_ACCOUNT_CONTROL,
SDAP_AT_NS_ACCOUNT_LOCK,
SDAP_OPTS_USER /* attrs counter */
/* Marks where the "extra" user attributes start in enum sdap_user_attrs
 * (going by the name).  NOTE(review): SDAP_AT_SP_LSTCHG is not part of this
 * excerpt of the enum; if its entries are reordered this alias must move
 * with them. */
#define SDAP_FIRST_EXTRA_USER_AT SDAP_AT_SP_LSTCHG
/* The objectclass must stay the first entry of this enum (index 0):
 * functions depend on that ordering. */
enum sdap_group_attrs {
SDAP_AT_GROUP_MEMBER,
SDAP_AT_GROUP_MODSTAMP,
SDAP_OPTS_GROUP /* attrs counter */
enum sdap_netgroup_attrs {
SDAP_OC_NETGROUP = 0,
SDAP_AT_NETGROUP_NAME,
SDAP_AT_NETGROUP_MEMBER,
SDAP_AT_NETGROUP_TRIPLE,
SDAP_AT_NETGROUP_UUID,
SDAP_AT_NETGROUP_MODSTAMP,
SDAP_OPTS_NETGROUP /* attrs counter */
struct sdap_attr_map {
const char *opt_name;
const char *def_name;
const char *sys_name;
struct sdap_options {
struct dp_option *basic;
struct sdap_attr_map *gen_map;
struct sdap_attr_map *user_map;
struct sdap_attr_map *group_map;
struct sdap_attr_map *netgroup_map;
/* supported schema types */
SDAP_SCHEMA_RFC2307 = 1, /* memberUid = uid */
SDAP_SCHEMA_RFC2307BIS = 2, /* member = dn */
SDAP_SCHEMA_IPA_V1 = 3, /* member/memberof */
SDAP_SCHEMA_AD = 4 /* AD's member/memberof */
struct ldb_dn *users_base;
struct ldb_dn *groups_base;
struct sdap_server_opts {
char *max_user_value;
char *max_group_value;
int sdap_get_map(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
const char *conf_path,
struct sdap_attr_map *def_map,
struct sdap_attr_map **_map);
/* Convert one LDAP entry into sysdb attributes.
 *
 * @memctx     talloc parent for the results (presumably both @_attrs and
 *             @_dn are allocated on it -- confirm in the implementation)
 * @sh         connection the message arrived on
 * @sm         the LDAP message holding the entry; this is server-supplied
 *             data
 * @map        attribute map selecting which LDAP attributes are copied and
 *             under which sysdb name (see struct sdap_attr_map above)
 * @attrs_num  number of entries in @map
 * @_attrs     out: the parsed attributes
 * @_dn        out: the entry's DN
 * @return     0 on success, an errno-style code otherwise (inferred from
 *             the int return type and the file's errno_t functions --
 *             confirm)
 *
 * NOTE(review): everything that ends up in the cache comes through here
 * from the remote server, so this is where attribute values must be checked
 * before later access decisions trust them.
 */
int sdap_parse_entry(TALLOC_CTX *memctx,
                     struct sdap_handle *sh, struct sdap_msg *sm,
                     struct sdap_attr_map *map, int attrs_num,
                     struct sysdb_attrs **_attrs, char **_dn);

/* Variant of sdap_parse_entry for user entries; the attribute map comes
 * from @opts (presumably opts->user_map). */
int sdap_parse_user(TALLOC_CTX *memctx, struct sdap_options *opts,
                    struct sdap_handle *sh, struct sdap_msg *sm,
                    struct sysdb_attrs **_attrs, char **_dn);

/* Variant of sdap_parse_entry for group entries; the attribute map comes
 * from @opts (presumably opts->group_map). */
int sdap_parse_group(TALLOC_CTX *memctx, struct sdap_options *opts,
                     struct sdap_handle *sh, struct sdap_msg *sm,
                     struct sysdb_attrs **_attrs, char **_dn);

/* Extract only the DN of the entry in @sm into @_dn, allocated on @memctx. */
int sdap_get_msg_dn(TALLOC_CTX *memctx, struct sdap_handle *sh,
                    struct sdap_msg *sm, char **_dn);

/* Apply the TLS-related entries of @basic_opts to the LDAP library (enum
 * sdap_basic_opt carries SDAP_TLS_CIPHER_SUITE and SDAP_DISABLE_AUTH_TLS,
 * which are the likely inputs).  NOTE(review): how SDAP_DISABLE_AUTH_TLS is
 * honoured is not visible here; any path that skips TLS for a bind sends the
 * credential unprotected, so treat that option as a deliberate, logged
 * opt-out rather than a default. */
errno_t setup_tls_config(struct dp_option *basic_opts);

/* Populate the supported_saslmechs / supported_controls /
 * supported_extensions lists of @sh from the @rootdse attributes the server
 * returned.  These lists back the sdap_is_*_supported() macros below. */
int sdap_set_rootdse_supported_lists(struct sysdb_attrs *rootdse,
                                     struct sdap_handle *sh);
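/* Membership test for the sup_list fields of struct sdap_handle.
 *
 * @l    list to search (e.g. &sh->supported_saslmechs)
 * @val  the string to look for (a SASL mechanism name or an OID)
 * @return presumably true when @val is present in @l -- the body lives in
 *         the implementation file.
 *
 * NOTE(review): these lists appear to be filled by
 * sdap_set_rootdse_supported_lists() from the rootDSE, i.e. from data the
 * server sends.  A server, or anyone able to tamper with an unprotected
 * connection, can therefore steer which mechanisms and controls look
 * "supported"; callers should not let this check alone drive a downgrade to
 * a weaker SASL mechanism.
 */
bool sdap_check_sup_list(struct sup_list *l, const char *val);

/* Convenience wrappers over sdap_check_sup_list() for the three capability
 * lists of a struct sdap_handle.  Both macro arguments are parenthesised so
 * that an expression passed as the argument expands as intended. */
#define sdap_is_sasl_mech_supported(sh, sasl_mech) \
    sdap_check_sup_list(&((sh)->supported_saslmechs), (sasl_mech))

#define sdap_is_control_supported(sh, ctrl_oid) \
    sdap_check_sup_list(&((sh)->supported_controls), (ctrl_oid))

#define sdap_is_extension_supported(sh, ext_oid) \
    sdap_check_sup_list(&((sh)->supported_extensions), (ext_oid))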
/* Build an attribute-name array (for an LDAP search, going by the name) from
 * the first @size entries of @map, allocated on @memctx and returned in
 * @_attrs.  NOTE(review): whether the array is NULL-terminated and how @size
 * relates to the map's counter enums is not visible here -- confirm before
 * indexing the result. */
int build_attrs_from_map(TALLOC_CTX *memctx,
                         struct sdap_attr_map *map,
                         size_t size, const char ***_attrs);

/* Append @attr to @attrs.
 * NOTE(review): whether @size is the array's capacity or its current length
 * cannot be told from this prototype; since it bounds the write, check the
 * implementation before passing either, and make sure the buffer was sized
 * for a trailing NULL if the array is NULL-terminated. */
int append_attrs_to_array(const char **attrs, size_t size, const char *attr);

/* Create an LDAP control for use on @sh.  @oid, @iscritical, @value, @dupval
 * and @ctrlp appear to mirror the parameter list of OpenLDAP's
 * ldap_control_create(); why the handle is also needed is not visible here
 * (presumably a version or supported_controls check). */
int sdap_control_create(struct sdap_handle *sh, const char *oid, int iscritical,
                        struct berval *value, int dupval, LDAPControl **ctrlp);

/* Adjust @opts from the @rootdse attributes of the server behind @sh (the
 * SDAP_ROOTDSE_ATTR_* names above are the likely inputs).  NOTE(review):
 * rootDSE content is server-supplied, so any option derived from it is
 * effectively chosen by the server -- fine for a trusted directory, but worth
 * remembering when the connection is neither authenticated nor protected. */
errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
                                             struct sdap_handle *sh,
                                             struct sdap_options *opts);
int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
struct sysdb_attrs *rootdse,
struct sdap_options *opts,
struct sdap_server_opts **srv_opts);
/* Hand *srv_opts over to @id_ctx.  The name suggests talloc_steal semantics
 * (ownership moves to the id context; whether the caller's pointer is
 * cleared afterwards is not visible here) -- confirm in the implementation
 * before freeing anything on either side. */
void sdap_steal_server_opts(struct sdap_id_ctx *id_ctx,
                            struct sdap_server_opts **srv_opts);
#endif /* _SDAP_H_ */