On Sun, Sep 25, 2011 at 04:44:55PM +0200, Jakub Hrozek wrote:
> On Tue, Sep 06, 2011 at 01:48:00PM -0400, Stephen Gallagher wrote:
> > On Thu, 2011-08-18 at 18:02 +0200, Jakub Hrozek wrote:
> > > On Thu, Aug 18, 2011 at 05:38:11PM +0200, Sumit Bose wrote:
> > > > On Thu, Aug 18, 2011 at 04:48:32PM +0200, Jan Zelený wrote:
> > > > > The patches look fine, but I didn't manage to set up environment to 
> > > > > test the 
> > > > > new behavior. Nothing seems to be broken though
> > > > 
> > > > If you have a running IPA server you can remove the krbPrincipalKey
> > > > attribute from a user but keep userPassword. This should trigger sssd to
> > > > run the migration code if you try to log in as this user.
> > > > 
> > > > HTH
> > > > 
> > > > bye,
> > > > Sumit
> > > > 
> > > 
> > > If that doesn't work for you, feel free to ping me off list and use my
> > > test environment.
> > 
> > I was trying to test this, but instead of quietly creating the kerberos
> > password, it's prompting me to change the password. I wonder if this is
> > related to LDAP password policy? I cannot ack this until we figure out
> > why this is happening.
> 
> Interesting, I haven't hit this issue. I have tested the migration with
> IPA server nightlies, today it's freeipa-server-2.99.0GITf323d81-0. My
> testing involved creating a bunch of users in 389-ds, migrating them to
> IPA with the migrate-ds script and then logging in with the LDAP
> password. 
> 
> The login went OK and "klist" shows a ticket was granted, also "ipa
> user-show --all --raw" tells the Kerberos attributes were generated,
> including krblastsuccessfulauth.
> 
> I suggest we discuss the patches on #sssd.

I've retested the patches again with SSSD git head + the patches on review and
freeipa-server-2.1.3-2 I've performed about 20 migrations (scripted) and
they went OK.

Attached are patches that are rebased on current master. Because the
migration patch touches most of the ipa-auth.c file I've also fixed the
debug levels there.
From b712341fcdbbdb0e508a8a297dd91bec0fc24e04 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 27 Jul 2011 18:34:04 +0200
Subject: [PATCH 1/2] Provide means of forcing TLS and GSSAPI enabled/disabled
 for sdap connections

---
 src/providers/ipa/ipa_auth.c               |    2 +-
 src/providers/ldap/ldap_id.c               |    3 ++-
 src/providers/ldap/sdap_async.h            |    4 +++-
 src/providers/ldap/sdap_async_connection.c |   28 +++++++++++++++++++++-------
 src/providers/ldap/sdap_id_op.c            |    4 +++-
 5 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 
f0bdd429ea9c99cb345057369835d8126a935b07..083508d29f59ce2c7960aa7db57ee342dfda8a9c
 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -92,7 +92,7 @@ static struct tevent_req 
*get_password_migration_flag_send(TALLOC_CTX *memctx,
 
     subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts,
                                    sdap_auth_ctx->be, sdap_auth_ctx->service,
-                                   true);
+                                   true, NULL, false);
     if (subreq == NULL) {
         DEBUG(1, ("sdap_cli_connect_send failed.\n"));
         goto fail;
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 
d300184886244e030fb9fdd629d2596f3c54922b..22e28eeffd81274c5f7151a599d4c9cb5646d710
 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -672,7 +672,8 @@ void sdap_check_online(struct be_req *be_req)
                           struct sdap_id_ctx);
 
     req = sdap_cli_connect_send(be_req, be_req->be_ctx->ev, ctx->opts,
-                                be_req->be_ctx, ctx->service, false);
+                                be_req->be_ctx, ctx->service, false,
+                                NULL, false);
     if (req == NULL) {
         DEBUG(1, ("sdap_cli_connect_send failed.\n"));
         goto done;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 
5da2cff4e131ac0a1e11498adf5a5395c943085c..85fa4effad10238abe7d57f752972cbcb3869efd
 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -136,7 +136,9 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
                                          struct sdap_options *opts,
                                          struct be_ctx *be,
                                          struct sdap_service *service,
-                                         bool skip_rootdse);
+                                         bool skip_rootdse,
+                                         bool *force_tls,
+                                         bool skip_auth);
 int sdap_cli_connect_recv(struct tevent_req *req,
                           TALLOC_CTX *memctx,
                           bool *can_retry,
diff --git a/src/providers/ldap/sdap_async_connection.c 
b/src/providers/ldap/sdap_async_connection.c
index 
076e7ee3708d97341bd3cd2a0269331557ff19f1..614e2fda81de25c7a03016a74d88aa2117288b87
 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1125,6 +1125,9 @@ struct sdap_cli_connect_state {
     struct fo_server *srv;
 
     struct sdap_server_opts *srv_opts;
+
+    bool *force_tls;
+    bool do_auth;
 };
 
 static int sdap_cli_resolve_next(struct tevent_req *req);
@@ -1142,7 +1145,9 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX 
*memctx,
                                          struct sdap_options *opts,
                                          struct be_ctx *be,
                                          struct sdap_service *service,
-                                         bool skip_rootdse)
+                                         bool skip_rootdse,
+                                         bool *force_tls,
+                                         bool skip_auth)
 {
     struct sdap_cli_connect_state *state;
     struct tevent_req *req;
@@ -1159,6 +1164,8 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX 
*memctx,
     state->srv_opts = NULL;
     state->be = be;
     state->use_rootdse = !skip_rootdse;
+    state->force_tls = force_tls;
+    state->do_auth = !skip_auth;
 
     ret = sdap_cli_resolve_next(req);
     if (ret) {
@@ -1196,8 +1203,9 @@ static void sdap_cli_resolve_done(struct tevent_req 
*subreq)
     struct sdap_cli_connect_state *state = tevent_req_data(req,
                                              struct sdap_cli_connect_state);
     int ret;
-    bool use_tls = dp_opt_get_bool(state->opts->basic,
-                                   SDAP_ID_TLS);
+    bool use_tls = state->force_tls ? *state->force_tls : \
+                                       dp_opt_get_bool(state->opts->basic,
+                                                       SDAP_ID_TLS);
 
     ret = be_resolve_server_recv(subreq, &state->srv);
     talloc_zfree(subreq);
@@ -1260,7 +1268,7 @@ static void sdap_cli_connect_done(struct tevent_req 
*subreq)
 
     sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
 
-    if (sasl_mech && state->use_rootdse) {
+    if (state->do_auth && sasl_mech && state->use_rootdse) {
         /* check if server claims to support GSSAPI */
         if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
             tevent_req_error(req, ENOTSUP);
@@ -1268,7 +1276,7 @@ static void sdap_cli_connect_done(struct tevent_req 
*subreq)
         }
     }
 
-    if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+    if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) 
{
         if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
             sdap_cli_kinit_step(req);
             return;
@@ -1372,7 +1380,7 @@ static void sdap_cli_rootdse_done(struct tevent_req 
*subreq)
 
     sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
 
-    if (sasl_mech && state->use_rootdse) {
+    if (state->do_auth && sasl_mech && state->use_rootdse) {
         /* check if server claims to support GSSAPI */
         if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
             tevent_req_error(req, ENOTSUP);
@@ -1380,7 +1388,7 @@ static void sdap_cli_rootdse_done(struct tevent_req 
*subreq)
         }
     }
 
-    if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+    if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) 
{
         if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
             sdap_cli_kinit_step(req);
             return;
@@ -1464,6 +1472,12 @@ static void sdap_cli_auth_step(struct tevent_req *req)
                                              struct sdap_cli_connect_state);
     struct tevent_req *subreq;
 
+    if (!state->do_auth) {
+        /* No authentication requested or GSSAPI auth forced off */
+        tevent_req_done(req);
+        return;
+    }
+
     subreq = sdap_auth_send(state,
                             state->ev,
                             state->sh,
diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
index 
11a379cc96a77615bd62b1fe58daa2413f38087a..debc2771ff32d97bb6371012e51f6cfc235b00bb
 100644
--- a/src/providers/ldap/sdap_id_op.c
+++ b/src/providers/ldap/sdap_id_op.c
@@ -465,7 +465,9 @@ static int sdap_id_op_connect_step(struct tevent_req *req)
     subreq = sdap_cli_connect_send(conn_data, state->ev,
                                    state->id_ctx->opts,
                                    state->id_ctx->be,
-                                   state->id_ctx->service, false);
+                                   state->id_ctx->service, false,
+                                   NULL, false);
+
     if (!subreq) {
         ret = ENOMEM;
         goto done;
-- 
1.7.7

From 21264ce15b731b1388fa6ea26e8bdf7aa193ee06 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 25 Jul 2011 16:55:34 +0200
Subject: [PATCH 2/2] IPA migration fixes

* use the id connection for looking up the migration flag
* force TLS on the password based authentication connection

https://fedorahosted.org/sssd/ticket/924
---
 src/providers/ipa/ipa_auth.c   |  234 +++++++++++++++++++++++-----------------
 src/providers/ipa/ipa_common.h |    1 +
 src/providers/ipa/ipa_init.c   |    8 ++
 3 files changed, 144 insertions(+), 99 deletions(-)

diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 
083508d29f59ce2c7960aa7db57ee342dfda8a9c..9cb8eeda5393dfe0d96b7fb4c478050a9198392f
 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -31,7 +31,7 @@
 #include "providers/krb5/krb5_auth.h"
 #include "providers/ipa/ipa_common.h"
 
-#define IPA_CONFIG_MIRATION_ENABLED "ipaMigrationEnabled"
+#define IPA_CONFIG_MIGRATION_ENABLED "ipaMigrationEnabled"
 #define IPA_CONFIG_SEARCH_BASE_TEMPLATE "cn=etc,%s"
 #define IPA_CONFIG_FILTER "(&(cn=ipaConfig)(objectClass=ipaGuiConfig))"
 
@@ -42,8 +42,8 @@ static void ipa_auth_reply(struct be_req *be_req, int dp_err, 
int result)
 
 struct get_password_migration_flag_state {
     struct tevent_context *ev;
-    struct sdap_auth_ctx *sdap_auth_ctx;
-    struct sdap_handle *sh;
+    struct sdap_id_op *sdap_op;
+    struct sdap_id_ctx *sdap_id_ctx;
     enum sdap_result result;
     struct fo_server *srv;
     char *ipa_realm;
@@ -55,50 +55,46 @@ static void get_password_migration_flag_done(struct 
tevent_req *subreq);
 
 static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx,
                                             struct tevent_context *ev,
-                                            struct sdap_auth_ctx 
*sdap_auth_ctx,
+                                            struct sdap_id_ctx *sdap_id_ctx,
                                             char *ipa_realm)
 {
     int ret;
     struct tevent_req *req, *subreq;
     struct get_password_migration_flag_state *state;
 
-    if (sdap_auth_ctx == NULL || ipa_realm == NULL) {
-        DEBUG(1, ("Missing parameter.\n"));
+    if (sdap_id_ctx == NULL || ipa_realm == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("Missing parameter.\n"));
         return NULL;
     }
 
     req = tevent_req_create(memctx, &state,
                             struct get_password_migration_flag_state);
     if (req == NULL) {
-        DEBUG(1, ("tevent_req_create failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("tevent_req_create failed.\n"));
         return NULL;
     }
 
     state->ev = ev;
-    state->sdap_auth_ctx = sdap_auth_ctx;
-    state->sh = NULL;
+    state->sdap_id_ctx = sdap_id_ctx;
     state->result = SDAP_ERROR;
     state->srv = NULL;
     state->password_migration = false;
     state->ipa_realm = ipa_realm;
 
-    /* We request to use StartTLS here, because if password migration is
-     * enabled we will use this connection for authentication, too. */
-    ret = dp_opt_set_bool(sdap_auth_ctx->opts->basic, SDAP_ID_TLS, true);
-    if (ret != EOK) {
-        DEBUG(1, ("Failed to set SDAP_ID_TLS to true.\n"));
+    state->sdap_op = sdap_id_op_create(state, state->sdap_id_ctx->conn_cache);
+    if (state->sdap_op == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_create failed.\n"));
         goto fail;
     }
 
-    subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts,
-                                   sdap_auth_ctx->be, sdap_auth_ctx->service,
-                                   true, NULL, false);
-    if (subreq == NULL) {
-        DEBUG(1, ("sdap_cli_connect_send failed.\n"));
+    subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+    if (!subreq) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_connect_send failed: %d(%s).\n",
+                                  ret, strerror(ret)));
         goto fail;
     }
-    tevent_req_set_callback(subreq, get_password_migration_flag_auth_done,
-                            req);
+
+    tevent_req_set_callback(subreq, get_password_migration_flag_auth_done, 
req);
 
     return req;
 
@@ -113,22 +109,31 @@ static void get_password_migration_flag_auth_done(struct 
tevent_req *subreq)
                                                       struct tevent_req);
     struct get_password_migration_flag_state *state = tevent_req_data(req,
                                       struct 
get_password_migration_flag_state);
-    int ret;
+    int ret, dp_error;
     char *ldap_basedn;
     char *search_base;
     const char **attrs;
 
-    ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
+    ret = sdap_id_op_connect_recv(subreq, &dp_error);
     talloc_zfree(subreq);
     if (ret) {
-        DEBUG(1, ("sdap_auth request failed.\n"));
+        if (dp_error == DP_ERR_OFFLINE) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  ("No IPA server is available, cannot get the "
+                   "migration flag while offline\n"));
+        } else {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  ("Failed to connect to IPA server: [%d](%s)\n",
+                   ret, strerror(ret)));
+        }
+
         tevent_req_error(req, ret);
         return;
     }
 
     ret = domain_to_basedn(state, state->ipa_realm, &ldap_basedn);
     if (ret != EOK) {
-        DEBUG(1, ("domain_to_basedn failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("domain_to_basedn failed.\n"));
         tevent_req_error(req, ret);
         return;
     }
@@ -136,25 +141,27 @@ static void get_password_migration_flag_auth_done(struct 
tevent_req *subreq)
     search_base = talloc_asprintf(state, IPA_CONFIG_SEARCH_BASE_TEMPLATE,
                                   ldap_basedn);
     if (search_base == NULL) {
-        DEBUG(1, ("talloc_asprintf failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("talloc_asprintf failed.\n"));
         tevent_req_error(req, ENOMEM);
         return;
     }
 
     attrs = talloc_array(state, const char*, 2);
     if (attrs == NULL) {
-        DEBUG(1, ("talloc_array failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n"));
         tevent_req_error(req, ENOMEM);
         return;
     }
 
-    attrs[0] = IPA_CONFIG_MIRATION_ENABLED;
+    attrs[0] = IPA_CONFIG_MIGRATION_ENABLED;
     attrs[1] = NULL;
 
-    subreq = sdap_get_generic_send(state, state->ev, 
state->sdap_auth_ctx->opts,
-                                   state->sh, search_base, LDAP_SCOPE_SUBTREE,
+    subreq = sdap_get_generic_send(state, state->ev,
+                                   state->sdap_id_ctx->opts,
+                                   sdap_id_op_handle(state->sdap_op),
+                                   search_base, LDAP_SCOPE_SUBTREE,
                                    IPA_CONFIG_FILTER, attrs, NULL, 0,
-                                   
dp_opt_get_int(state->sdap_auth_ctx->opts->basic,
+                                   
dp_opt_get_int(state->sdap_id_ctx->opts->basic,
                                                   SDAP_SEARCH_TIMEOUT));
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
@@ -183,13 +190,13 @@ static void get_password_migration_flag_done(struct 
tevent_req *subreq)
     }
 
     if (reply_count != 1) {
-        DEBUG(1, ("Unexpected number of results, expected 1, got %d.\n",
-                  reply_count));
+        DEBUG(SSSDBG_OP_FAILURE, ("Unexpected number of results, expected 1, "
+                                  "got %d.\n", reply_count));
         tevent_req_error(req, EINVAL);
         return;
     }
 
-    ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIRATION_ENABLED, 
&value);
+    ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIGRATION_ENABLED, 
&value);
     if (ret == EOK && strcasecmp(value, "true") == 0) {
         state->password_migration = true;
     }
@@ -199,8 +206,7 @@ static void get_password_migration_flag_done(struct 
tevent_req *subreq)
 
 static int get_password_migration_flag_recv(struct tevent_req *req,
                                             TALLOC_CTX *mem_ctx,
-                                            bool *password_migration,
-                                            struct sdap_handle **sh)
+                                            bool *password_migration)
 {
     struct get_password_migration_flag_state *state = tevent_req_data(req,
                                       struct 
get_password_migration_flag_state);
@@ -208,10 +214,6 @@ static int get_password_migration_flag_recv(struct 
tevent_req *req,
     TEVENT_REQ_RETURN_ON_ERROR(req);
 
     *password_migration = state->password_migration;
-    if (sh != NULL) {
-        *sh = talloc_steal(mem_ctx, state->sh);
-    }
-
     return EOK;
 }
 
@@ -223,10 +225,12 @@ struct ipa_auth_state {
     struct pam_data *pd;
     bool password_migration;
     struct sdap_handle *sh;
+    bool force_tls;
 };
 
 static void ipa_auth_handler_done(struct tevent_req *req);
 static void ipa_get_migration_flag_done(struct tevent_req *req);
+static void ipa_migration_flag_connect_done(struct tevent_req *req);
 static void ipa_auth_ldap_done(struct tevent_req *req);
 static void ipa_auth_handler_retry_done(struct tevent_req *req);
 
@@ -238,7 +242,7 @@ void ipa_auth(struct be_req *be_req)
 
     state = talloc_zero(be_req, struct ipa_auth_state);
     if (state == NULL) {
-        DEBUG(1, ("talloc_zero failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("talloc_zero failed.\n"));
         goto fail;
     }
 
@@ -263,14 +267,14 @@ void ipa_auth(struct be_req *be_req)
                               struct ipa_auth_ctx);
             break;
         default:
-            DEBUG(1, ("Unsupported PAM task.\n"));
+            DEBUG(SSSDBG_OP_FAILURE, ("Unsupported PAM task.\n"));
             goto fail;
     }
 
     req = krb5_auth_send(state, state->ev, be_req->be_ctx, state->pd,
                          state->ipa_auth_ctx->krb5_auth_ctx);
     if (req == NULL) {
-        DEBUG(1, ("krb5_auth_send failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_send failed.\n"));
         goto fail;
     }
 
@@ -295,7 +299,7 @@ static void ipa_auth_handler_done(struct tevent_req *req)
     talloc_zfree(req);
     state->pd->pam_status = pam_status;
     if (ret != EOK && pam_status != PAM_CRED_ERR) {
-        DEBUG(1, ("krb5_auth_recv request failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_recv request failed.\n"));
         dp_err = DP_ERR_OK;
         goto done;
     }
@@ -308,12 +312,13 @@ static void ipa_auth_handler_done(struct tevent_req *req)
         state->pd->pam_status == PAM_CRED_ERR) {
 
         req = get_password_migration_flag_send(state, state->ev,
-                                             
state->ipa_auth_ctx->sdap_auth_ctx,
+                                             state->ipa_auth_ctx->sdap_id_ctx,
                                              dp_opt_get_string(
                                                
state->ipa_auth_ctx->ipa_options,
                                                IPA_KRB5_REALM));
         if (req == NULL) {
-            DEBUG(1, ("get_password_migration_flag failed.\n"));
+            DEBUG(SSSDBG_OP_FAILURE,
+                    ("get_password_migration_flag failed.\n"));
             goto done;
         }
 
@@ -331,70 +336,101 @@ static void ipa_get_migration_flag_done(struct 
tevent_req *req)
                                                          struct 
ipa_auth_state);
     int ret;
     int dp_err = DP_ERR_FATAL;
-    const char **attrs;
-    struct ldb_message *user_msg;
-    const char *dn;
-    struct dp_opt_blob password;
 
     ret = get_password_migration_flag_recv(req, state,
-                                           &state->password_migration,
-                                           &state->sh);
+                                           &state->password_migration);
     talloc_zfree(req);
     if (ret != EOK) {
-        DEBUG(1, ("get_password_migration_flag request failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("get_password_migration_flag "
+                                  "request failed.\n"));
         state->pd->pam_status = PAM_SYSTEM_ERR;
         dp_err = DP_ERR_OK;
         goto done;
     }
 
     if (state->password_migration) {
-        state->pd->pam_status = PAM_SYSTEM_ERR;
-        DEBUG(1, ("Assuming Kerberos password is missing, "
-                  "starting password migration.\n"));
-
-        attrs = talloc_array(state, const char *, 2);
-        if (attrs == NULL) {
-            DEBUG(1, ("talloc_array failed.\n"));
-            state->pd->pam_status = PAM_SYSTEM_ERR;
-            dp_err = DP_ERR_OK;
-            goto done;
-        }
-        attrs[0] = SYSDB_ORIG_DN;
-        attrs[1] = NULL;
-
-        ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb,
-                                        state->pd->user, attrs, &user_msg);
-        if (ret != EOK) {
-            DEBUG(1, ("sysdb_search_user_by_name failed.\n"));
-            goto done;
-        }
-
-        dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL);
-        if (dn == NULL) {
-            DEBUG(1, ("Missing original DN for user [%s].\n", 
state->pd->user));
-            state->pd->pam_status = PAM_SYSTEM_ERR;
-            dp_err = DP_ERR_OK;
-            goto done;
-        }
-
-        password.data = state->pd->authtok;
-        password.length = state->pd->authtok_size;
-
-        req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn,
-                             "password", password);
+        state->force_tls = true;
+        req = sdap_cli_connect_send(state, state->ev,
+                                    state->ipa_auth_ctx->sdap_auth_ctx->opts,
+                                    state->ipa_auth_ctx->sdap_auth_ctx->be,
+                                    
state->ipa_auth_ctx->sdap_auth_ctx->service,
+                                    true, &state->force_tls, true);
         if (req == NULL) {
-            DEBUG(1, ("sdap_auth_send failed.\n"));
+            DEBUG(SSSDBG_OP_FAILURE, ("sdap_cli_connect_send failed.\n"));
             goto done;
         }
 
-        tevent_req_set_callback(req, ipa_auth_ldap_done, state);
+        tevent_req_set_callback(req, ipa_migration_flag_connect_done, state);
         return;
-
-    } else {
-        DEBUG(5, ("Password migration is not enabled.\n"));
     }
 
+    DEBUG(SSSDBG_CONF_SETTINGS, ("Password migration is not enabled.\n"));
     dp_err = DP_ERR_OK;
+done:
+    ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status);
+}
+
+static void ipa_migration_flag_connect_done(struct tevent_req *req)
+{
+    struct ipa_auth_state *state = tevent_req_callback_data(req,
+                                                         struct 
ipa_auth_state);
+    const char **attrs;
+    struct ldb_message *user_msg;
+    const char *dn;
+    struct dp_opt_blob password;
+    int dp_err = DP_ERR_FATAL;
+    int ret;
+
+    ret = sdap_cli_connect_recv(req, state, NULL, &state->sh, NULL);
+    talloc_zfree(req);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              ("Cannot connect to LDAP server to perform migration\n"));
+        goto done;
+    }
+
+    state->pd->pam_status = PAM_SYSTEM_ERR;
+    DEBUG(SSSDBG_TRACE_FUNC, ("Assuming Kerberos password is missing, "
+                              "starting password migration.\n"));
+
+    attrs = talloc_array(state, const char *, 2);
+    if (attrs == NULL) {
+        DEBUG(1, ("talloc_array failed.\n"));
+        state->pd->pam_status = PAM_SYSTEM_ERR;
+        dp_err = DP_ERR_OK;
+        goto done;
+    }
+    attrs[0] = SYSDB_ORIG_DN;
+    attrs[1] = NULL;
+
+    ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb,
+                                    state->pd->user, attrs, &user_msg);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_search_user_by_name failed.\n"));
+        goto done;
+    }
+
+    dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL);
+    if (dn == NULL) {
+        DEBUG(SSSDBG_MINOR_FAILURE, ("Missing original DN for user [%s].\n",
+                                     state->pd->user));
+        state->pd->pam_status = PAM_SYSTEM_ERR;
+        dp_err = DP_ERR_OK;
+        goto done;
+    }
+
+    password.data = state->pd->authtok;
+    password.length = state->pd->authtok_size;
+
+    req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn,
+                         "password", password);
+    if (req == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sdap_auth_send failed.\n"));
+        goto done;
+    }
+
+    tevent_req_set_callback(req, ipa_auth_ldap_done, state);
+    return;
 
 done:
     ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status);
@@ -411,7 +447,7 @@ static void ipa_auth_ldap_done(struct tevent_req *req)
     ret = sdap_auth_recv(req, state, &result, NULL);
     talloc_zfree(req);
     if (ret != EOK) {
-        DEBUG(1, ("auth_send request failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("auth_send request failed.\n"));
         state->pd->pam_status = PAM_SYSTEM_ERR;
         dp_err = DP_ERR_OK;
         goto done;
@@ -419,21 +455,21 @@ static void ipa_auth_ldap_done(struct tevent_req *req)
 
 /* TODO: do we need to handle expired passwords? */
     if (result != SDAP_AUTH_SUCCESS) {
-        DEBUG(1, ("LDAP authentication failed, "
-                  "Password migration not possible.\n"));
+        DEBUG(SSSDBG_MINOR_FAILURE, ("LDAP authentication failed, "
+                                     "Password migration not possible.\n"));
         state->pd->pam_status = PAM_CRED_INSUFFICIENT;
         dp_err = DP_ERR_OK;
         goto done;
     }
 
-    DEBUG(1, ("LDAP authentication succeded, "
-              "trying Kerberos authentication again.\n"));
+    DEBUG(SSSDBG_TRACE_FUNC, ("LDAP authentication succeded, "
+                              "trying Kerberos authentication again.\n"));
 
     req = krb5_auth_send(state, state->ev,
                          state->be_req->be_ctx, state->pd,
                          state->ipa_auth_ctx->krb5_auth_ctx);
     if (req == NULL) {
-        DEBUG(1, ("krb5_auth_send failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_send failed.\n"));
         goto done;
     }
 
@@ -455,7 +491,7 @@ static void ipa_auth_handler_retry_done(struct tevent_req 
*req)
     ret = krb5_auth_recv(req, &pam_status, &dp_err);
     talloc_zfree(req);
     if (ret != EOK) {
-        DEBUG(1, ("krb5_auth_recv request failed.\n"));
+        DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_recv request failed.\n"));
         state->pd->pam_status = PAM_SYSTEM_ERR;
         dp_err = DP_ERR_OK;
         goto done;
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 
40c5e53205285d761a43f6f0a77764006a5d79ca..4241bf5d719f38fe85c62cf2579c81384dbabca7
 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -58,6 +58,7 @@ enum ipa_basic_opt {
 
 struct ipa_auth_ctx {
     struct krb5_ctx *krb5_auth_ctx;
+    struct sdap_id_ctx *sdap_id_ctx;
     struct sdap_auth_ctx *sdap_auth_ctx;
     struct dp_option *ipa_options;
 };
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 
5d08b8c18769369470ee2668d683843c1c8d011c..9d5d8d6277563bc34a68996192d2d0a2dc495511
 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -201,6 +201,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
     struct ipa_auth_ctx *ipa_auth_ctx;
     struct krb5_ctx *krb5_auth_ctx;
     struct sdap_auth_ctx *sdap_auth_ctx;
+    struct bet_ops *id_ops;
     FILE *debug_filep;
     unsigned v;
     int ret;
@@ -225,6 +226,13 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
     }
     ipa_options->auth_ctx = ipa_auth_ctx;
 
+    ret = sssm_ipa_id_init(bectx, &id_ops,
+                           (void **) &ipa_auth_ctx->sdap_id_ctx);
+    if (ret != EOK) {
+        DEBUG(1, ("sssm_ipa_id_init failed.\n"));
+        goto done;
+    }
+
     ret = dp_copy_options(ipa_auth_ctx, ipa_options->basic,
                           IPA_OPTS_BASIC, &ipa_auth_ctx->ipa_options);
     if (ret != EOK) {
-- 
1.7.7

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to