Hi,

this patch addresses https://fedorahosted.org/sssd/ticket/109. It should
now be possible to get users with 'UNIX attributes' set from AD. For me
the following config options worked:

...
provider = ldap
ldapUri = ldap://your.ldap.server
userSearchBase = cn=users,dc=example,dc=com
groupSearchBase = cn=groups,dc=example,dc=com
defaultBindDn = cn=Administrator,cn=Users,dc=example,dc=com
defaultAuthtokType = password
defaultAuthtok = YOUR_PASSWORD
userObjectClass = person
userName = msSFU30Name
userUidNumber = msSFU30UidNumber
userGidNumber = msSFU30GidNumber
userHomeDirectory = msSFU30HomeDirectory
userShell = msSFU30LoginShell
tls_reqcert = never
...

I'm currently trying to get authentication against AD working, too. I
will include a sample configuration and more man page options in a
following patch.

bye,
Sumit
>From 05a5a12d42a0717fb7f2d5bcb7f9341074a4d808 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Tue, 18 Aug 2009 21:38:58 +0200
Subject: [PATCH] enable usage of defaultBindDn

---
 server/man/sssd-ldap.5.xml         |   21 +++++++++++++++++++++
 server/providers/ldap/ldap_auth.c  |    2 +-
 server/providers/ldap/ldap_id.c    |   35 +++++++++++++++++++++++++++--------
 server/providers/ldap/sdap.c       |    1 +
 server/providers/ldap/sdap_async.c |   18 ++++++++++++++++++
 server/providers/ldap/sdap_async.h |    1 +
 6 files changed, 69 insertions(+), 9 deletions(-)

diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml
index 8512209..385a299 100644
--- a/server/man/sssd-ldap.5.xml
+++ b/server/man/sssd-ldap.5.xml
@@ -72,6 +72,27 @@
                 </varlistentry>
 
                 <varlistentry>
+                    <term>defaultAuthtokType (string)</term>
+                    <listitem>
+                        <para>
+                            The type of the authentication token of the
+                            default bind DN. So far "password" is the only
+                            supported value.
+                        </para>
+                    </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                    <term>defaultAuthtok (string)</term>
+                    <listitem>
+                        <para>
+                            The authentication token of the default bind DN.
+                            So far only a clear text password is supported.
+                        </para>
+                    </listitem>
+                </varlistentry>
+
+                <varlistentry>
                     <term>userSearchBase (string)</term>
                     <listitem>
                         <para>
diff --git a/server/providers/ldap/ldap_auth.c 
b/server/providers/ldap/ldap_auth.c
index f0b12a0..47ed0f0 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -256,7 +256,7 @@ static void auth_get_user_dn_done(struct tevent_req *subreq)
     }
 
     subreq = sdap_auth_send(state, state->ev, state->sh,
-                            state->dn, state->password);
+                            state->dn, "password", state->password);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
diff --git a/server/providers/ldap/ldap_id.c b/server/providers/ldap/ldap_id.c
index 3008f9b..bb65cd4 100644
--- a/server/providers/ldap/ldap_id.c
+++ b/server/providers/ldap/ldap_id.c
@@ -115,17 +115,23 @@ struct sdap_id_connect_state {
     struct tevent_context *ev;
     struct sdap_id_ctx *ctx;
     bool use_start_tls;
+    char *defaultBindDn;
+    char *defaultAuthtokType;
+    char *defaultAuthtok;
 
     struct sdap_handle *sh;
 };
 
 static void sdap_id_connect_done(struct tevent_req *subreq);
-static void sdap_id_anon_bind_done(struct tevent_req *subreq);
+static void sdap_id_bind_done(struct tevent_req *subreq);
 
 struct tevent_req *sdap_id_connect_send(TALLOC_CTX *memctx,
                                         struct tevent_context *ev,
                                         struct sdap_id_ctx *ctx,
-                                        bool use_start_tls)
+                                        bool use_start_tls,
+                                        char *defaultBindDn,
+                                        char *defaultAuthtokType,
+                                        char *defaultAuthtok)
 {
     struct tevent_req *req, *subreq;
     struct sdap_id_connect_state *state;
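Review bot: The three new members and parameters of sdap_id_connect_send are declared `char *` although they are only forwarded to sdap_auth_send, whose corresponding parameters are `const char *` (see the sdap_async.h hunk); declaring them `const char *defaultBindDn, const char *defaultAuthtokType, const char *defaultAuthtok` in both the struct and the signature documents that the connect request never modifies the credentials. The pointers are stored in the request state without being copied (next hunk), so the caller's strings must outlive the request; that appears to hold because the call sites in the later hunks pass `ctx->opts->basic[...]` values, but the ownership expectation is worth a one-line comment on the signature. Since defaultAuthtok is a clear-text bind password held in the state struct for the lifetime of the request, it is also worth confirming that no DEBUG path in this file prints the state verbatim.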
@@ -136,6 +142,9 @@ struct tevent_req *sdap_id_connect_send(TALLOC_CTX *memctx,
     state->ev = ev;
     state->ctx = ctx;
     state->use_start_tls = use_start_tls;
+    state->defaultBindDn = defaultBindDn;
+    state->defaultAuthtokType = defaultAuthtokType;
+    state->defaultAuthtok = defaultAuthtok;
 
     subreq = sdap_connect_send(state, ev, ctx->opts, use_start_tls);
     if (!subreq) {
@@ -163,16 +172,17 @@ static void sdap_id_connect_done(struct tevent_req 
*subreq)
     }
 
     /* TODO: use authentication (SASL/GSSAPI) when necessary */
-    subreq = sdap_auth_send(state, state->ev, state->sh, NULL, NULL);
+    subreq = sdap_auth_send(state, state->ev, state->sh, state->defaultBindDn,
+                            state->defaultAuthtokType, state->defaultAuthtok);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
     }
 
-    tevent_req_set_callback(subreq, sdap_id_anon_bind_done, req);
+    tevent_req_set_callback(subreq, sdap_id_bind_done, req);
 }
 
-static void sdap_id_anon_bind_done(struct tevent_req *subreq)
+static void sdap_id_bind_done(struct tevent_req *subreq)
 {
     struct tevent_req *req = tevent_req_callback_data(subreq,
                                                       struct tevent_req);
@@ -282,7 +292,10 @@ static struct tevent_req *users_get_send(TALLOC_CTX 
*memctx,
 
         /* FIXME: add option to decide if tls should be used
          * or SASL/GSSAPI, etc ... */
-        subreq = sdap_id_connect_send(state, ev, ctx, false);
+        subreq = sdap_id_connect_send(state, ev, ctx, false,
+                              ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value,
+                              
ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value,
+                              ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value);
         if (!subreq) {
             ret = ENOMEM;
             goto fail;
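Review bot: The same three option lookups are repeated verbatim at this call site in users_get_send and again in groups_get_send and groups_by_user_send (the next two hunks); since sdap_id_connect_send already receives `ctx`, it could read `ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value` and the two authtok options itself, leaving the three call sites as `subreq = sdap_id_connect_send(state, ev, ctx, false);` and keeping the credential plumbing in one place. Separately, the `+` continuation line before `ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value,` appears to have been wrapped in transit (that text sits on a line with no diff marker), so the patch as posted may not apply cleanly; the same wrap shows up in the two following hunks. users_get_send starts and ends outside this hunk.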
@@ -439,7 +452,10 @@ static struct tevent_req *groups_get_send(TALLOC_CTX 
*memctx,
 
         /* FIXME: add option to decide if tls should be used
          * or SASL/GSSAPI, etc ... */
-        subreq = sdap_id_connect_send(state, ev, ctx, false);
+        subreq = sdap_id_connect_send(state, ev, ctx, false,
+                              ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value,
+                              
ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value,
+                              ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value);
         if (!subreq) {
             ret = ENOMEM;
             goto fail;
@@ -571,7 +587,10 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX 
*memctx,
 
         /* FIXME: add option to decide if tls should be used
          * or SASL/GSSAPI, etc ... */
-        subreq = sdap_id_connect_send(state, ev, ctx, false);
+        subreq = sdap_id_connect_send(state, ev, ctx, false,
+                              ctx->opts->basic[SDAP_DEFAULT_BIND_DN].value,
+                              
ctx->opts->basic[SDAP_DEFAULT_AUTHTOK_TYPE].value,
+                              ctx->opts->basic[SDAP_DEFAULT_AUTHTOK].value);
         if (!subreq) {
             ret = ENOMEM;
             goto fail;
diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c
index 9c957ff..0b16db4 100644
--- a/server/providers/ldap/sdap.c
+++ b/server/providers/ldap/sdap.c
@@ -233,6 +233,7 @@ static int sdap_parse_entry(TALLOC_CTX *memctx,
         goto fail;
     }
 
+    DEBUG(9, ("OriginalDN: [%s].\n", str));
     ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str);
     if (ret) goto fail;
     if (_dn) {
diff --git a/server/providers/ldap/sdap_async.c 
b/server/providers/ldap/sdap_async.c
index b2e0fb2..b71b61f 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -728,11 +728,17 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
                                   struct tevent_context *ev,
                                   struct sdap_handle *sh,
                                   const char *user_dn,
+                                  const char *authtok_type,
                                   const char *password)
 {
     struct tevent_req *req, *subreq;
     struct sdap_auth_state *state;
 
+    if (authtok_type != NULL && strcasecmp(authtok_type,"password") != 0) {
+        DEBUG(1,("Authentication token type [%s] is not supported"));
+        return NULL;
+    }
+
     req = tevent_req_create(memctx, &state, struct sdap_auth_state);
     if (!req) return NULL;
 
@@ -884,6 +890,12 @@ static struct tevent_req *sdap_save_user_send(TALLOC_CTX 
*memctx,
     ret = sysdb_attrs_get_el(state->attrs,
                              opts->user_map[SDAP_AT_USER_UID].sys_name, &el);
     if (ret) goto fail;
+    if (el->num_values == 0) {
+        DEBUG(1, ("no uid provided for user [%s] in domain [%s].\n", name,
+                  dom->name));
+        ret = EINVAL;
+        goto fail;
+    }
     errno = 0;
     l = strtol((const char *)el->values[0].data, NULL, 0);
     if (errno) {
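Review bot: The new `el->num_values == 0` guard stops the unconditional `el->values[0]` read, but the strtol on the following context line is still called with a NULL end pointer and base 0, so a non-numeric or partially numeric uid attribute parses as 0 with errno left clear and is presumably stored as uid 0 (the code that consumes `l` is outside the hunk). Passing an end pointer and rejecting trailing data, e.g. `char *end; l = strtol((const char *)el->values[0].data, &end, 10); if (*end != '\0') { ret = EINVAL; goto fail; }`, would close that gap now that the missing-value case is handled. The same applies to the gid parse in the next hunk. sdap_save_user_send starts and ends outside both hunks.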
@@ -895,6 +907,12 @@ static struct tevent_req *sdap_save_user_send(TALLOC_CTX 
*memctx,
     ret = sysdb_attrs_get_el(state->attrs,
                              opts->user_map[SDAP_AT_USER_GID].sys_name, &el);
     if (ret) goto fail;
+    if (el->num_values == 0) {
+        DEBUG(1, ("no gid provided for user [%s] in domain [%s].\n", name,
+                  dom->name));
+        ret = EINVAL;
+        goto fail;
+    }
     errno = 0;
     l = strtol((const char *)el->values[0].data, NULL, 0);
     if (errno) {
diff --git a/server/providers/ldap/sdap_async.h 
b/server/providers/ldap/sdap_async.h
index 1cf00d4..0cb0b90 100644
--- a/server/providers/ldap/sdap_async.h
+++ b/server/providers/ldap/sdap_async.h
@@ -56,6 +56,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
                                   struct tevent_context *ev,
                                   struct sdap_handle *sh,
                                   const char *user_dn,
+                                  const char *authtok_type,
                                   const char *password);
 int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result);
 
-- 
1.6.2.5
