On Sun, Sep 25, 2011 at 04:44:55PM +0200, Jakub Hrozek wrote: > On Tue, Sep 06, 2011 at 01:48:00PM -0400, Stephen Gallagher wrote: > > On Thu, 2011-08-18 at 18:02 +0200, Jakub Hrozek wrote: > > > On Thu, Aug 18, 2011 at 05:38:11PM +0200, Sumit Bose wrote: > > > > On Thu, Aug 18, 2011 at 04:48:32PM +0200, Jan Zelený wrote: > > > > > The patches look fine, but I didn't manage to set up environment to > > > > > test the > > > > > new behavior. Nothing seems to be broken though > > > > > > > > If you have a running IPA server you can remove the krbPrincipalKey > > > > attribute from a user but keep userPassword. This should trigger sssd to > > > > run the migration code if you try to log in as this user. > > > > > > > > HTH > > > > > > > > bye, > > > > Sumit > > > > > > > > > > If that doesn't work for you, feel free to ping me off list and use my > > > test environment. > > > > I was trying to test this, but instead of quietly creating the kerberos > > password, it's prompting me to change the password. I wonder if this is > > related to LDAP password policy? I cannot ack this until we figure out > > why this is happening. > > Interesting, I haven't hit this issue. I have tested the migration with > IPA server nightlies, today it's freeipa-server-2.99.0GITf323d81-0. My > testing involved creating a bunch of users in 389-ds, migrating them to > IPA with the migrate-ds script and then logging in with the LDAP > password. > > The login went OK and "klist" shows a ticket was granted, also "ipa > user-show --all --raw" tells the Kerberos attributes were generated, > including krblastsuccessfulauth. > > I suggest we discuss the patches on #sssd.
I've retested the patches again with SSSD git head + the patches on review and freeipa-server-2.1.3-2 I've performed about 20 migrations (scripted) and they went OK. Attached are patches that are rebased on current master. Because the migration patch touches most of the ipa-auth.c file I've also fixed the debug levels there.
From b712341fcdbbdb0e508a8a297dd91bec0fc24e04 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Wed, 27 Jul 2011 18:34:04 +0200 Subject: [PATCH 1/2] Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections --- src/providers/ipa/ipa_auth.c | 2 +- src/providers/ldap/ldap_id.c | 3 ++- src/providers/ldap/sdap_async.h | 4 +++- src/providers/ldap/sdap_async_connection.c | 28 +++++++++++++++++++++------- src/providers/ldap/sdap_id_op.c | 4 +++- 5 files changed, 30 insertions(+), 11 deletions(-) diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c index f0bdd429ea9c99cb345057369835d8126a935b07..083508d29f59ce2c7960aa7db57ee342dfda8a9c 100644 --- a/src/providers/ipa/ipa_auth.c +++ b/src/providers/ipa/ipa_auth.c @@ -92,7 +92,7 @@ static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx, subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts, sdap_auth_ctx->be, sdap_auth_ctx->service, - true); + true, NULL, false); if (subreq == NULL) { DEBUG(1, ("sdap_cli_connect_send failed.\n")); goto fail; diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index d300184886244e030fb9fdd629d2596f3c54922b..22e28eeffd81274c5f7151a599d4c9cb5646d710 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -672,7 +672,8 @@ void sdap_check_online(struct be_req *be_req) struct sdap_id_ctx); req = sdap_cli_connect_send(be_req, be_req->be_ctx->ev, ctx->opts, - be_req->be_ctx, ctx->service, false); + be_req->be_ctx, ctx->service, false, + NULL, false); if (req == NULL) { DEBUG(1, ("sdap_cli_connect_send failed.\n")); goto done; diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index 5da2cff4e131ac0a1e11498adf5a5395c943085c..85fa4effad10238abe7d57f752972cbcb3869efd 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -136,7 +136,9 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx, struct sdap_options *opts, struct be_ctx *be, struct sdap_service *service, - bool skip_rootdse); + bool skip_rootdse, + bool *force_tls, + bool skip_auth); int sdap_cli_connect_recv(struct tevent_req *req, TALLOC_CTX *memctx, bool *can_retry, diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 076e7ee3708d97341bd3cd2a0269331557ff19f1..614e2fda81de25c7a03016a74d88aa2117288b87 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -1125,6 +1125,9 @@ struct sdap_cli_connect_state { struct fo_server *srv; struct sdap_server_opts *srv_opts; + + bool *force_tls; + bool do_auth; }; static int sdap_cli_resolve_next(struct tevent_req *req); @@ -1142,7 +1145,9 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx, struct sdap_options *opts, struct be_ctx *be, struct sdap_service *service, - bool skip_rootdse) + bool skip_rootdse, + bool *force_tls, + bool skip_auth) { struct sdap_cli_connect_state *state; struct tevent_req *req; @@ -1159,6 +1164,8 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx, state->srv_opts = NULL; state->be = be; state->use_rootdse = !skip_rootdse; + state->force_tls = force_tls; + state->do_auth = !skip_auth; ret = sdap_cli_resolve_next(req); if (ret) { @@ -1196,8 +1203,9 @@ static void sdap_cli_resolve_done(struct tevent_req *subreq) struct sdap_cli_connect_state *state = tevent_req_data(req, struct sdap_cli_connect_state); int ret; - bool use_tls = dp_opt_get_bool(state->opts->basic, - SDAP_ID_TLS); + bool use_tls = state->force_tls ? *state->force_tls : \ + dp_opt_get_bool(state->opts->basic, + SDAP_ID_TLS); ret = be_resolve_server_recv(subreq, &state->srv); talloc_zfree(subreq); @@ -1260,7 +1268,7 @@ static void sdap_cli_connect_done(struct tevent_req *subreq) sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH); - if (sasl_mech && state->use_rootdse) { + if (state->do_auth && sasl_mech && state->use_rootdse) { /* check if server claims to support GSSAPI */ if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) { tevent_req_error(req, ENOTSUP); @@ -1268,7 +1276,7 @@ static void sdap_cli_connect_done(struct tevent_req *subreq) } } - if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) { + if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) { if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) { sdap_cli_kinit_step(req); return; @@ -1372,7 +1380,7 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq) sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH); - if (sasl_mech && state->use_rootdse) { + if (state->do_auth && sasl_mech && state->use_rootdse) { /* check if server claims to support GSSAPI */ if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) { tevent_req_error(req, ENOTSUP); @@ -1380,7 +1388,7 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq) } } - if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) { + if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) { if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) { sdap_cli_kinit_step(req); return; @@ -1464,6 +1472,12 @@ static void sdap_cli_auth_step(struct tevent_req *req) struct sdap_cli_connect_state); struct tevent_req *subreq; + if (!state->do_auth) { + /* No authentication requested or GSSAPI auth forced off */ + tevent_req_done(req); + return; + } + subreq = sdap_auth_send(state, state->ev, state->sh, diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c index 11a379cc96a77615bd62b1fe58daa2413f38087a..debc2771ff32d97bb6371012e51f6cfc235b00bb 100644 --- a/src/providers/ldap/sdap_id_op.c +++ b/src/providers/ldap/sdap_id_op.c @@ -465,7 +465,9 @@ static int sdap_id_op_connect_step(struct tevent_req *req) subreq = sdap_cli_connect_send(conn_data, state->ev, state->id_ctx->opts, state->id_ctx->be, - state->id_ctx->service, false); + state->id_ctx->service, false, + NULL, false); + if (!subreq) { ret = ENOMEM; goto done; -- 1.7.7
From 21264ce15b731b1388fa6ea26e8bdf7aa193ee06 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Mon, 25 Jul 2011 16:55:34 +0200 Subject: [PATCH 2/2] IPA migration fixes * use the id connection for looking up the migration flag * force TLS on the password based authentication connection https://fedorahosted.org/sssd/ticket/924 --- src/providers/ipa/ipa_auth.c | 234 +++++++++++++++++++++++----------------- src/providers/ipa/ipa_common.h | 1 + src/providers/ipa/ipa_init.c | 8 ++ 3 files changed, 144 insertions(+), 99 deletions(-) diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c index 083508d29f59ce2c7960aa7db57ee342dfda8a9c..9cb8eeda5393dfe0d96b7fb4c478050a9198392f 100644 --- a/src/providers/ipa/ipa_auth.c +++ b/src/providers/ipa/ipa_auth.c @@ -31,7 +31,7 @@ #include "providers/krb5/krb5_auth.h" #include "providers/ipa/ipa_common.h" -#define IPA_CONFIG_MIRATION_ENABLED "ipaMigrationEnabled" +#define IPA_CONFIG_MIGRATION_ENABLED "ipaMigrationEnabled" #define IPA_CONFIG_SEARCH_BASE_TEMPLATE "cn=etc,%s" #define IPA_CONFIG_FILTER "(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" @@ -42,8 +42,8 @@ static void ipa_auth_reply(struct be_req *be_req, int dp_err, int result) struct get_password_migration_flag_state { struct tevent_context *ev; - struct sdap_auth_ctx *sdap_auth_ctx; - struct sdap_handle *sh; + struct sdap_id_op *sdap_op; + struct sdap_id_ctx *sdap_id_ctx; enum sdap_result result; struct fo_server *srv; char *ipa_realm; @@ -55,50 +55,46 @@ static void get_password_migration_flag_done(struct tevent_req *subreq); static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx, struct tevent_context *ev, - struct sdap_auth_ctx *sdap_auth_ctx, + struct sdap_id_ctx *sdap_id_ctx, char *ipa_realm) { int ret; struct tevent_req *req, *subreq; struct get_password_migration_flag_state *state; - if (sdap_auth_ctx == NULL || ipa_realm == NULL) { - DEBUG(1, ("Missing parameter.\n")); + if (sdap_id_ctx == NULL || ipa_realm == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("Missing parameter.\n")); return NULL; } req = tevent_req_create(memctx, &state, struct get_password_migration_flag_state); if (req == NULL) { - DEBUG(1, ("tevent_req_create failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("tevent_req_create failed.\n")); return NULL; } state->ev = ev; - state->sdap_auth_ctx = sdap_auth_ctx; - state->sh = NULL; + state->sdap_id_ctx = sdap_id_ctx; state->result = SDAP_ERROR; state->srv = NULL; state->password_migration = false; state->ipa_realm = ipa_realm; - /* We request to use StartTLS here, because if password migration is - * enabled we will use this connection for authentication, too. */ - ret = dp_opt_set_bool(sdap_auth_ctx->opts->basic, SDAP_ID_TLS, true); - if (ret != EOK) { - DEBUG(1, ("Failed to set SDAP_ID_TLS to true.\n")); + state->sdap_op = sdap_id_op_create(state, state->sdap_id_ctx->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_create failed.\n")); goto fail; } - subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts, - sdap_auth_ctx->be, sdap_auth_ctx->service, - true, NULL, false); - if (subreq == NULL) { - DEBUG(1, ("sdap_cli_connect_send failed.\n")); + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (!subreq) { + DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_connect_send failed: %d(%s).\n", + ret, strerror(ret))); goto fail; } - tevent_req_set_callback(subreq, get_password_migration_flag_auth_done, - req); + + tevent_req_set_callback(subreq, get_password_migration_flag_auth_done, req); return req; @@ -113,22 +109,31 @@ static void get_password_migration_flag_auth_done(struct tevent_req *subreq) struct tevent_req); struct get_password_migration_flag_state *state = tevent_req_data(req, struct get_password_migration_flag_state); - int ret; + int ret, dp_error; char *ldap_basedn; char *search_base; const char **attrs; - ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL); + ret = sdap_id_op_connect_recv(subreq, &dp_error); talloc_zfree(subreq); if (ret) { - DEBUG(1, ("sdap_auth request failed.\n")); + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("No IPA server is available, cannot get the " + "migration flag while offline\n")); + } else { + DEBUG(SSSDBG_OP_FAILURE, + ("Failed to connect to IPA server: [%d](%s)\n", + ret, strerror(ret))); + } + tevent_req_error(req, ret); return; } ret = domain_to_basedn(state, state->ipa_realm, &ldap_basedn); if (ret != EOK) { - DEBUG(1, ("domain_to_basedn failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("domain_to_basedn failed.\n")); tevent_req_error(req, ret); return; } @@ -136,25 +141,27 @@ static void get_password_migration_flag_auth_done(struct tevent_req *subreq) search_base = talloc_asprintf(state, IPA_CONFIG_SEARCH_BASE_TEMPLATE, ldap_basedn); if (search_base == NULL) { - DEBUG(1, ("talloc_asprintf failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("talloc_asprintf failed.\n")); tevent_req_error(req, ENOMEM); return; } attrs = talloc_array(state, const char*, 2); if (attrs == NULL) { - DEBUG(1, ("talloc_array failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n")); tevent_req_error(req, ENOMEM); return; } - attrs[0] = IPA_CONFIG_MIRATION_ENABLED; + attrs[0] = IPA_CONFIG_MIGRATION_ENABLED; attrs[1] = NULL; - subreq = sdap_get_generic_send(state, state->ev, state->sdap_auth_ctx->opts, - state->sh, search_base, LDAP_SCOPE_SUBTREE, + subreq = sdap_get_generic_send(state, state->ev, + state->sdap_id_ctx->opts, + sdap_id_op_handle(state->sdap_op), + search_base, LDAP_SCOPE_SUBTREE, IPA_CONFIG_FILTER, attrs, NULL, 0, - dp_opt_get_int(state->sdap_auth_ctx->opts->basic, + dp_opt_get_int(state->sdap_id_ctx->opts->basic, SDAP_SEARCH_TIMEOUT)); if (!subreq) { tevent_req_error(req, ENOMEM); @@ -183,13 +190,13 @@ static void get_password_migration_flag_done(struct tevent_req *subreq) } if (reply_count != 1) { - DEBUG(1, ("Unexpected number of results, expected 1, got %d.\n", - reply_count)); + DEBUG(SSSDBG_OP_FAILURE, ("Unexpected number of results, expected 1, " + "got %d.\n", reply_count)); tevent_req_error(req, EINVAL); return; } - ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIRATION_ENABLED, &value); + ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIGRATION_ENABLED, &value); if (ret == EOK && strcasecmp(value, "true") == 0) { state->password_migration = true; } @@ -199,8 +206,7 @@ static void get_password_migration_flag_done(struct tevent_req *subreq) static int get_password_migration_flag_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - bool *password_migration, - struct sdap_handle **sh) + bool *password_migration) { struct get_password_migration_flag_state *state = tevent_req_data(req, struct get_password_migration_flag_state); @@ -208,10 +214,6 @@ static int get_password_migration_flag_recv(struct tevent_req *req, TEVENT_REQ_RETURN_ON_ERROR(req); *password_migration = state->password_migration; - if (sh != NULL) { - *sh = talloc_steal(mem_ctx, state->sh); - } - return EOK; } @@ -223,10 +225,12 @@ struct ipa_auth_state { struct pam_data *pd; bool password_migration; struct sdap_handle *sh; + bool force_tls; }; static void ipa_auth_handler_done(struct tevent_req *req); static void ipa_get_migration_flag_done(struct tevent_req *req); +static void ipa_migration_flag_connect_done(struct tevent_req *req); static void ipa_auth_ldap_done(struct tevent_req *req); static void ipa_auth_handler_retry_done(struct tevent_req *req); @@ -238,7 +242,7 @@ void ipa_auth(struct be_req *be_req) state = talloc_zero(be_req, struct ipa_auth_state); if (state == NULL) { - DEBUG(1, ("talloc_zero failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("talloc_zero failed.\n")); goto fail; } @@ -263,14 +267,14 @@ void ipa_auth(struct be_req *be_req) struct ipa_auth_ctx); break; default: - DEBUG(1, ("Unsupported PAM task.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("Unsupported PAM task.\n")); goto fail; } req = krb5_auth_send(state, state->ev, be_req->be_ctx, state->pd, state->ipa_auth_ctx->krb5_auth_ctx); if (req == NULL) { - DEBUG(1, ("krb5_auth_send failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_send failed.\n")); goto fail; } @@ -295,7 +299,7 @@ static void ipa_auth_handler_done(struct tevent_req *req) talloc_zfree(req); state->pd->pam_status = pam_status; if (ret != EOK && pam_status != PAM_CRED_ERR) { - DEBUG(1, ("krb5_auth_recv request failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_recv request failed.\n")); dp_err = DP_ERR_OK; goto done; } @@ -308,12 +312,13 @@ static void ipa_auth_handler_done(struct tevent_req *req) state->pd->pam_status == PAM_CRED_ERR) { req = get_password_migration_flag_send(state, state->ev, - state->ipa_auth_ctx->sdap_auth_ctx, + state->ipa_auth_ctx->sdap_id_ctx, dp_opt_get_string( state->ipa_auth_ctx->ipa_options, IPA_KRB5_REALM)); if (req == NULL) { - DEBUG(1, ("get_password_migration_flag failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, + ("get_password_migration_flag failed.\n")); goto done; } @@ -331,70 +336,101 @@ static void ipa_get_migration_flag_done(struct tevent_req *req) struct ipa_auth_state); int ret; int dp_err = DP_ERR_FATAL; - const char **attrs; - struct ldb_message *user_msg; - const char *dn; - struct dp_opt_blob password; ret = get_password_migration_flag_recv(req, state, - &state->password_migration, - &state->sh); + &state->password_migration); talloc_zfree(req); if (ret != EOK) { - DEBUG(1, ("get_password_migration_flag request failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("get_password_migration_flag " + "request failed.\n")); state->pd->pam_status = PAM_SYSTEM_ERR; dp_err = DP_ERR_OK; goto done; } if (state->password_migration) { - state->pd->pam_status = PAM_SYSTEM_ERR; - DEBUG(1, ("Assuming Kerberos password is missing, " - "starting password migration.\n")); - - attrs = talloc_array(state, const char *, 2); - if (attrs == NULL) { - DEBUG(1, ("talloc_array failed.\n")); - state->pd->pam_status = PAM_SYSTEM_ERR; - dp_err = DP_ERR_OK; - goto done; - } - attrs[0] = SYSDB_ORIG_DN; - attrs[1] = NULL; - - ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb, - state->pd->user, attrs, &user_msg); - if (ret != EOK) { - DEBUG(1, ("sysdb_search_user_by_name failed.\n")); - goto done; - } - - dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL); - if (dn == NULL) { - DEBUG(1, ("Missing original DN for user [%s].\n", state->pd->user)); - state->pd->pam_status = PAM_SYSTEM_ERR; - dp_err = DP_ERR_OK; - goto done; - } - - password.data = state->pd->authtok; - password.length = state->pd->authtok_size; - - req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn, - "password", password); + state->force_tls = true; + req = sdap_cli_connect_send(state, state->ev, + state->ipa_auth_ctx->sdap_auth_ctx->opts, + state->ipa_auth_ctx->sdap_auth_ctx->be, + state->ipa_auth_ctx->sdap_auth_ctx->service, + true, &state->force_tls, true); if (req == NULL) { - DEBUG(1, ("sdap_auth_send failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("sdap_cli_connect_send failed.\n")); goto done; } - tevent_req_set_callback(req, ipa_auth_ldap_done, state); + tevent_req_set_callback(req, ipa_migration_flag_connect_done, state); return; - - } else { - DEBUG(5, ("Password migration is not enabled.\n")); } + DEBUG(SSSDBG_CONF_SETTINGS, ("Password migration is not enabled.\n")); dp_err = DP_ERR_OK; +done: + ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status); +} + +static void ipa_migration_flag_connect_done(struct tevent_req *req) +{ + struct ipa_auth_state *state = tevent_req_callback_data(req, + struct ipa_auth_state); + const char **attrs; + struct ldb_message *user_msg; + const char *dn; + struct dp_opt_blob password; + int dp_err = DP_ERR_FATAL; + int ret; + + ret = sdap_cli_connect_recv(req, state, NULL, &state->sh, NULL); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("Cannot connect to LDAP server to perform migration\n")); + goto done; + } + + state->pd->pam_status = PAM_SYSTEM_ERR; + DEBUG(SSSDBG_TRACE_FUNC, ("Assuming Kerberos password is missing, " + "starting password migration.\n")); + + attrs = talloc_array(state, const char *, 2); + if (attrs == NULL) { + DEBUG(1, ("talloc_array failed.\n")); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; + goto done; + } + attrs[0] = SYSDB_ORIG_DN; + attrs[1] = NULL; + + ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb, + state->pd->user, attrs, &user_msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("sysdb_search_user_by_name failed.\n")); + goto done; + } + + dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL); + if (dn == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, ("Missing original DN for user [%s].\n", + state->pd->user)); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; + goto done; + } + + password.data = state->pd->authtok; + password.length = state->pd->authtok_size; + + req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn, + "password", password); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("sdap_auth_send failed.\n")); + goto done; + } + + tevent_req_set_callback(req, ipa_auth_ldap_done, state); + return; done: ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status); @@ -411,7 +447,7 @@ static void ipa_auth_ldap_done(struct tevent_req *req) ret = sdap_auth_recv(req, state, &result, NULL); talloc_zfree(req); if (ret != EOK) { - DEBUG(1, ("auth_send request failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("auth_send request failed.\n")); state->pd->pam_status = PAM_SYSTEM_ERR; dp_err = DP_ERR_OK; goto done; @@ -419,21 +455,21 @@ static void ipa_auth_ldap_done(struct tevent_req *req) /* TODO: do we need to handle expired passwords? */ if (result != SDAP_AUTH_SUCCESS) { - DEBUG(1, ("LDAP authentication failed, " - "Password migration not possible.\n")); + DEBUG(SSSDBG_MINOR_FAILURE, ("LDAP authentication failed, " + "Password migration not possible.\n")); state->pd->pam_status = PAM_CRED_INSUFFICIENT; dp_err = DP_ERR_OK; goto done; } - DEBUG(1, ("LDAP authentication succeded, " - "trying Kerberos authentication again.\n")); + DEBUG(SSSDBG_TRACE_FUNC, ("LDAP authentication succeded, " + "trying Kerberos authentication again.\n")); req = krb5_auth_send(state, state->ev, state->be_req->be_ctx, state->pd, state->ipa_auth_ctx->krb5_auth_ctx); if (req == NULL) { - DEBUG(1, ("krb5_auth_send failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_send failed.\n")); goto done; } @@ -455,7 +491,7 @@ static void ipa_auth_handler_retry_done(struct tevent_req *req) ret = krb5_auth_recv(req, &pam_status, &dp_err); talloc_zfree(req); if (ret != EOK) { - DEBUG(1, ("krb5_auth_recv request failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_recv request failed.\n")); state->pd->pam_status = PAM_SYSTEM_ERR; dp_err = DP_ERR_OK; goto done; diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 40c5e53205285d761a43f6f0a77764006a5d79ca..4241bf5d719f38fe85c62cf2579c81384dbabca7 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -58,6 +58,7 @@ enum ipa_basic_opt { struct ipa_auth_ctx { struct krb5_ctx *krb5_auth_ctx; + struct sdap_id_ctx *sdap_id_ctx; struct sdap_auth_ctx *sdap_auth_ctx; struct dp_option *ipa_options; }; diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index 5d08b8c18769369470ee2668d683843c1c8d011c..9d5d8d6277563bc34a68996192d2d0a2dc495511 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -201,6 +201,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, struct ipa_auth_ctx *ipa_auth_ctx; struct krb5_ctx *krb5_auth_ctx; struct sdap_auth_ctx *sdap_auth_ctx; + struct bet_ops *id_ops; FILE *debug_filep; unsigned v; int ret; @@ -225,6 +226,13 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, } ipa_options->auth_ctx = ipa_auth_ctx; + ret = sssm_ipa_id_init(bectx, &id_ops, + (void **) &ipa_auth_ctx->sdap_id_ctx); + if (ret != EOK) { + DEBUG(1, ("sssm_ipa_id_init failed.\n")); + goto done; + } + ret = dp_copy_options(ipa_auth_ctx, ipa_options->basic, IPA_OPTS_BASIC, &ipa_auth_ctx->ipa_options); if (ret != EOK) { -- 1.7.7
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel