Hi Nalin,

On Tue, 23 Jul 2013, Nalin Dahyabhai wrote:
> On Tue, Jul 23, 2013 at 10:15:47AM +0300, Alexander Bokovoy wrote:
> > On Tue, 23 Jul 2013, Nalin Dahyabhai wrote:
> > > Apologies for the delay.
> > Thanks for the review!
> >
> > One short comment -- PAM code is from PAM pass-through plugin from
> > 389-ds. That's the reason why its code doesn't follow slapi-nis way and
> > why it has that license. I tried to keep it mostly intact to share
> > changes but looking at git log it gets roughly two commits per year so
> > maybe it is better to rework it completely.
>
> That'd be my preference.  Other than knowing how to map specific
> PAM error codes to LDAP-level errors, there doesn't seem to be a lot of
> magic that needs to be preserved in there.
>
> > I'll address other comments and will send updated version for the
> > review today. This was my first sizable SLAPI code so errors are
> > inevitable.
>
> No worries.  I think there's already a lot in there that's right.
I think I'm ready now with my patches. :)

At 
http://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/log/?h=slapi-nis-ad
you can find twelve patches that form support for the trusted domain users
and groups lookups via SSSD and their authentication via PAM stack.

The code no longer is experiencing deadlocks as any potential access
that could cause contention on the slapi-nis map cache lock is
eliminated.

I implemented lookups for all needed functions, including working
getgrouplist()/initgroups(), getgrnam_r(), getpwnam_r(), getgrgid_r(), and
getpwuid_r(). SIDs are also looked up through the libsss_nss_idmap library
provided by SSSD.

Authentication is handled for both IPA and trusted domain users. The
former case requires some specific handling of the SLAPI_BIND_TARGET_SDN
to rewrite it to the original entry's DN. As a result, a successful bind
looks like this in the dirsrv logs:
[31/Jul/2013:15:49:03 +0300] conn=15 fd=79 slot=79 SSL connection from 192.168.111.216 to 192.168.111.216
[31/Jul/2013:15:49:03 +0300] conn=15 SSL 256-bit AES
[31/Jul/2013:15:49:03 +0300] conn=15 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=example,dc=com" method=128 version=3
[31/Jul/2013:15:49:03 +0300] conn=15 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=foobar)" attrs=ALL
[31/Jul/2013:15:49:03 +0300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[31/Jul/2013:15:49:03 +0300] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2013:15:49:03 +0300] conn=15 op=2 UNBIND
[31/Jul/2013:15:49:03 +0300] conn=15 op=2 fd=79 closed - U1


--
/ Alexander Bokovoy
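The bind-DN rewrite described above shows up in the 389-ds access log as a BIND whose RESULT line carries a different dn= than the one requested. The following is an added example, not code from slapi-nis or from the mail, that correlates BIND and RESULT lines by conn/op and flags rewrites that do not land on the expected compat-to-accounts counterpart; the sample log is constructed from the excerpt in the mail, and the cn=compat / cn=accounts layout is assumed.

```python
"""Correlate BIND ops with their RESULT lines in a 389-ds access log."""
import re

# Constructed sample, modelled on the access-log excerpt quoted in the mail.
SAMPLE_LOG = """\
[31/Jul/2013:15:49:03 +0300] conn=15 fd=79 slot=79 SSL connection from 192.168.111.216 to 192.168.111.216
[31/Jul/2013:15:49:03 +0300] conn=15 SSL 256-bit AES
[31/Jul/2013:15:49:03 +0300] conn=15 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=example,dc=com" method=128 version=3
[31/Jul/2013:15:49:03 +0300] conn=15 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=foobar)" attrs=ALL
[31/Jul/2013:15:49:03 +0300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[31/Jul/2013:15:49:03 +0300] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2013:15:49:03 +0300] conn=15 op=2 UNBIND
[31/Jul/2013:15:49:03 +0300] conn=15 op=2 fd=79 closed - U1
"""

BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)(?P<rest>.*)$')


def expected_rewrite(bind_dn):
    """Compat-tree DN -> the accounts-tree DN the bind should resolve to (assumed layout)."""
    return bind_dn.replace(",cn=compat,", ",cn=accounts,", 1)


def correlate_binds(log_text):
    """Return one record per completed BIND: requested DN, effective DN, err code, flags."""
    pending = {}   # (conn, op) -> outstanding BIND record
    records = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            key = (m.group("conn"), m.group("op"))
            pending[key] = {"ts": m.group("ts"), "conn": key[0], "op": key[1],
                            "bind_dn": m.group("dn")}
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        rec = pending.pop((m.group("conn"), m.group("op")), None)
        if rec is None:
            continue   # RESULT of a non-BIND op (SRCH, etc.)
        dn = re.search(r'dn="([^"]*)"', m.group("rest"))
        rec["err"] = int(m.group("err"))
        # A dn= on the RESULT line means the server bound as a different entry.
        rec["effective_dn"] = dn.group(1) if dn else rec["bind_dn"]
        rec["rewritten"] = rec["effective_dn"] != rec["bind_dn"]
        rec["unexpected"] = rec["rewritten"] and rec["effective_dn"] != expected_rewrite(rec["bind_dn"])
        records.append(rec)
    return records
```

Records with `unexpected` set are the ones worth alerting on: a compat-tree bind that resolved to anything other than its accounts-tree counterpart.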

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
