On Tue, Nov 22, 2011 at 10:23:33AM -0500, Stephen Gallagher wrote:
> On Mon, 2011-11-07 at 14:34 +0100, Jakub Hrozek wrote:
> > On Sun, Sep 25, 2011 at 04:44:55PM +0200, Jakub Hrozek wrote:
> > > On Tue, Sep 06, 2011 at 01:48:00PM -0400, Stephen Gallagher wrote:
> > > > On Thu, 2011-08-18 at 18:02 +0200, Jakub Hrozek wrote:
> > > > > On Thu, Aug 18, 2011 at 05:38:11PM +0200, Sumit Bose wrote:
> > > > > > On Thu, Aug 18, 2011 at 04:48:32PM +0200, Jan Zelený wrote:
> > > > > > > The patches look fine, but I didn't manage to set up environment
> > > > > > > to test the
> > > > > > > new behavior. Nothing seems to be broken though
> > > > > >
> > > > > > If you have a running IPA server you can remove the krbPrincipalKey
> > > > > > attribute from a user but keep userPassword. This should trigger
> > > > > > sssd to
> > > > > > run the migration code if you try to log in as this user.
> > > > > >
> > > > > > HTH
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > > >
> > > > >
> > > > > If that doesn't work for you, feel free to ping me off list and use my
> > > > > test environment.
> > > >
> > > > I was trying to test this, but instead of quietly creating the kerberos
> > > > password, it's prompting me to change the password. I wonder if this is
> > > > related to LDAP password policy? I cannot ack this until we figure out
> > > > why this is happening.
> > >
> > > Interesting, I haven't hit this issue. I have tested the migration with
> > > IPA server nightlies, today it's freeipa-server-2.99.0GITf323d81-0. My
> > > testing involved creating a bunch of users in 389-ds, migrating them to
> > > IPA with the migrate-ds script and then logging in with the LDAP
> > > password.
> > >
> > > The login went OK and "klist" shows a ticket was granted, also "ipa
> > > user-show --all --raw" tells the Kerberos attributes were generated,
> > > including krblastsuccessfulauth.
> > >
> > > I suggest we discuss the patches on #sssd.
> >
> > I've retested the patches again with SSSD git head + the patches on review
> > and
> > freeipa-server-2.1.3-2 I've performed about 20 migrations (scripted) and
> > they went OK.
> >
> > Attached are patches that are rebased on current master. Because the
> > migration patch touches most of the ipa-auth.c file I've also fixed the
> > debug levels there.
>
> Nack.
>
> Looks good for the most part, but I'm not a huge fan of the "three-way
> boolean" you're using for force_tls. I'd much prefer it if you just used
> an enum instead of a reference to a boolean.
Done.
From 966ead1dff1c6f12099e258d5b6b794cdd5b924d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 27 Jul 2011 18:34:04 +0200
Subject: [PATCH 1/2] Provide means of forcing TLS and GSSAPI enabled/disabled
for sdap connections
---
src/providers/ipa/ipa_auth.c | 2 +-
src/providers/ldap/ldap_id.c | 3 +-
src/providers/ldap/sdap_async.h | 10 +++++++-
src/providers/ldap/sdap_async_connection.c | 35 ++++++++++++++++++++++-----
src/providers/ldap/sdap_id_op.c | 4 ++-
5 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index
f0bdd429ea9c99cb345057369835d8126a935b07..713bf3e767b3037245a35cd6bad930943a974984
100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -92,7 +92,7 @@ static struct tevent_req
*get_password_migration_flag_send(TALLOC_CTX *memctx,
subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts,
sdap_auth_ctx->be, sdap_auth_ctx->service,
- true);
+ true, CON_TLS_DFL, false);
if (subreq == NULL) {
DEBUG(1, ("sdap_cli_connect_send failed.\n"));
goto fail;
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index
bd46dc9d88bbba0073f1a234a95781452a3cd8cc..a1984cefd457f91a84d59879f17c0fe41448817b
100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -672,7 +672,8 @@ void sdap_check_online(struct be_req *be_req)
struct sdap_id_ctx);
req = sdap_cli_connect_send(be_req, be_req->be_ctx->ev, ctx->opts,
- be_req->be_ctx, ctx->service, false);
+ be_req->be_ctx, ctx->service, false,
+ CON_TLS_DFL, false);
if (req == NULL) {
DEBUG(1, ("sdap_cli_connect_send failed.\n"));
goto done;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index
5da2cff4e131ac0a1e11498adf5a5395c943085c..4ba2770c989968e5398feeca0dbeb8a99206a009
100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -131,12 +131,20 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
enum sdap_result *result,
char **user_error_msg);
+enum connect_tls {
+ CON_TLS_DFL,
+ CON_TLS_ON,
+ CON_TLS_OFF
+};
+
struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_options *opts,
struct be_ctx *be,
struct sdap_service *service,
- bool skip_rootdse);
+ bool skip_rootdse,
+ enum connect_tls force_tls,
+ bool skip_auth);
int sdap_cli_connect_recv(struct tevent_req *req,
TALLOC_CTX *memctx,
bool *can_retry,
diff --git a/src/providers/ldap/sdap_async_connection.c
b/src/providers/ldap/sdap_async_connection.c
index
dfec3548ab5bc19ab2255d3eeb748bc325b9528d..63dad5f923f87ed207498c94aafdbfa1f7f523e1
100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1125,6 +1125,9 @@ struct sdap_cli_connect_state {
struct fo_server *srv;
struct sdap_server_opts *srv_opts;
+
+ enum connect_tls force_tls;
+ bool do_auth;
};
static int sdap_cli_resolve_next(struct tevent_req *req);
@@ -1142,7 +1145,9 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX
*memctx,
struct sdap_options *opts,
struct be_ctx *be,
struct sdap_service *service,
- bool skip_rootdse)
+ bool skip_rootdse,
+ enum connect_tls force_tls,
+ bool skip_auth)
{
struct sdap_cli_connect_state *state;
struct tevent_req *req;
@@ -1159,6 +1164,8 @@ struct tevent_req *sdap_cli_connect_send(TALLOC_CTX
*memctx,
state->srv_opts = NULL;
state->be = be;
state->use_rootdse = !skip_rootdse;
+ state->force_tls = force_tls;
+ state->do_auth = !skip_auth;
ret = sdap_cli_resolve_next(req);
if (ret) {
@@ -1196,8 +1203,16 @@ static void sdap_cli_resolve_done(struct tevent_req
*subreq)
struct sdap_cli_connect_state *state = tevent_req_data(req,
struct sdap_cli_connect_state);
int ret;
- bool use_tls = dp_opt_get_bool(state->opts->basic,
- SDAP_ID_TLS);
+ bool use_tls;
+
+ switch (state->force_tls) {
+ case CON_TLS_DFL:
+ use_tls = dp_opt_get_bool(state->opts->basic, SDAP_ID_TLS);
+ case CON_TLS_ON:
+ use_tls = true;
+ case CON_TLS_OFF:
+ use_tls = false;
+ }
ret = be_resolve_server_recv(subreq, &state->srv);
talloc_zfree(subreq);
@@ -1260,7 +1275,7 @@ static void sdap_cli_connect_done(struct tevent_req
*subreq)
sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
- if (sasl_mech && state->use_rootdse) {
+ if (state->do_auth && sasl_mech && state->use_rootdse) {
/* check if server claims to support GSSAPI */
if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
tevent_req_error(req, ENOTSUP);
@@ -1268,7 +1283,7 @@ static void sdap_cli_connect_done(struct tevent_req
*subreq)
}
}
- if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0))
{
if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
sdap_cli_kinit_step(req);
return;
@@ -1371,7 +1386,7 @@ static void sdap_cli_rootdse_done(struct tevent_req
*subreq)
sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
- if (sasl_mech && state->use_rootdse) {
+ if (state->do_auth && sasl_mech && state->use_rootdse) {
/* check if server claims to support GSSAPI */
if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
tevent_req_error(req, ENOTSUP);
@@ -1379,7 +1394,7 @@ static void sdap_cli_rootdse_done(struct tevent_req
*subreq)
}
}
- if (sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0))
{
if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
sdap_cli_kinit_step(req);
return;
@@ -1463,6 +1478,12 @@ static void sdap_cli_auth_step(struct tevent_req *req)
struct sdap_cli_connect_state);
struct tevent_req *subreq;
+ if (!state->do_auth) {
+ /* No authentication requested or GSSAPI auth forced off */
+ tevent_req_done(req);
+ return;
+ }
+
subreq = sdap_auth_send(state,
state->ev,
state->sh,
diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
index
11a379cc96a77615bd62b1fe58daa2413f38087a..5087cddc683ad813c4f6065aaafb1afb2b544787
100644
--- a/src/providers/ldap/sdap_id_op.c
+++ b/src/providers/ldap/sdap_id_op.c
@@ -465,7 +465,9 @@ static int sdap_id_op_connect_step(struct tevent_req *req)
subreq = sdap_cli_connect_send(conn_data, state->ev,
state->id_ctx->opts,
state->id_ctx->be,
- state->id_ctx->service, false);
+ state->id_ctx->service, false,
+ CON_TLS_DFL, false);
+
if (!subreq) {
ret = ENOMEM;
goto done;
--
1.7.7.3
From 8e9d2e021748d14fbc848581f4c0b96c6e44eb25 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 25 Jul 2011 16:55:34 +0200
Subject: [PATCH 2/2] IPA migration fixes
* use the id connection for looking up the migration flag
* force TLS on the password based authentication connection
https://fedorahosted.org/sssd/ticket/924
---
src/providers/ipa/ipa_auth.c | 232 +++++++++++++++++++++++-----------------
src/providers/ipa/ipa_common.h | 1 +
src/providers/ipa/ipa_init.c | 9 ++
3 files changed, 143 insertions(+), 99 deletions(-)
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index
713bf3e767b3037245a35cd6bad930943a974984..70accd6979e97f54768abc0a90d2bcb9483ca1ce
100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -31,7 +31,7 @@
#include "providers/krb5/krb5_auth.h"
#include "providers/ipa/ipa_common.h"
-#define IPA_CONFIG_MIRATION_ENABLED "ipaMigrationEnabled"
+#define IPA_CONFIG_MIGRATION_ENABLED "ipaMigrationEnabled"
#define IPA_CONFIG_SEARCH_BASE_TEMPLATE "cn=etc,%s"
#define IPA_CONFIG_FILTER "(&(cn=ipaConfig)(objectClass=ipaGuiConfig))"
@@ -42,8 +42,8 @@ static void ipa_auth_reply(struct be_req *be_req, int dp_err,
int result)
struct get_password_migration_flag_state {
struct tevent_context *ev;
- struct sdap_auth_ctx *sdap_auth_ctx;
- struct sdap_handle *sh;
+ struct sdap_id_op *sdap_op;
+ struct sdap_id_ctx *sdap_id_ctx;
enum sdap_result result;
struct fo_server *srv;
char *ipa_realm;
@@ -55,50 +55,46 @@ static void get_password_migration_flag_done(struct
tevent_req *subreq);
static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
- struct sdap_auth_ctx
*sdap_auth_ctx,
+ struct sdap_id_ctx *sdap_id_ctx,
char *ipa_realm)
{
int ret;
struct tevent_req *req, *subreq;
struct get_password_migration_flag_state *state;
- if (sdap_auth_ctx == NULL || ipa_realm == NULL) {
- DEBUG(1, ("Missing parameter.\n"));
+ if (sdap_id_ctx == NULL || ipa_realm == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Missing parameter.\n"));
return NULL;
}
req = tevent_req_create(memctx, &state,
struct get_password_migration_flag_state);
if (req == NULL) {
- DEBUG(1, ("tevent_req_create failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("tevent_req_create failed.\n"));
return NULL;
}
state->ev = ev;
- state->sdap_auth_ctx = sdap_auth_ctx;
- state->sh = NULL;
+ state->sdap_id_ctx = sdap_id_ctx;
state->result = SDAP_ERROR;
state->srv = NULL;
state->password_migration = false;
state->ipa_realm = ipa_realm;
- /* We request to use StartTLS here, because if password migration is
- * enabled we will use this connection for authentication, too. */
- ret = dp_opt_set_bool(sdap_auth_ctx->opts->basic, SDAP_ID_TLS, true);
- if (ret != EOK) {
- DEBUG(1, ("Failed to set SDAP_ID_TLS to true.\n"));
+ state->sdap_op = sdap_id_op_create(state, state->sdap_id_ctx->conn_cache);
+ if (state->sdap_op == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_create failed.\n"));
goto fail;
}
- subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts,
- sdap_auth_ctx->be, sdap_auth_ctx->service,
- true, CON_TLS_DFL, false);
- if (subreq == NULL) {
- DEBUG(1, ("sdap_cli_connect_send failed.\n"));
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+ if (!subreq) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_connect_send failed: %d(%s).\n",
+ ret, strerror(ret)));
goto fail;
}
- tevent_req_set_callback(subreq, get_password_migration_flag_auth_done,
- req);
+
+ tevent_req_set_callback(subreq, get_password_migration_flag_auth_done,
req);
return req;
@@ -113,22 +109,31 @@ static void get_password_migration_flag_auth_done(struct
tevent_req *subreq)
struct tevent_req);
struct get_password_migration_flag_state *state = tevent_req_data(req,
struct
get_password_migration_flag_state);
- int ret;
+ int ret, dp_error;
char *ldap_basedn;
char *search_base;
const char **attrs;
- ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
talloc_zfree(subreq);
if (ret) {
- DEBUG(1, ("sdap_auth request failed.\n"));
+ if (dp_error == DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("No IPA server is available, cannot get the "
+ "migration flag while offline\n"));
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Failed to connect to IPA server: [%d](%s)\n",
+ ret, strerror(ret)));
+ }
+
tevent_req_error(req, ret);
return;
}
ret = domain_to_basedn(state, state->ipa_realm, &ldap_basedn);
if (ret != EOK) {
- DEBUG(1, ("domain_to_basedn failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("domain_to_basedn failed.\n"));
tevent_req_error(req, ret);
return;
}
@@ -136,25 +141,27 @@ static void get_password_migration_flag_auth_done(struct
tevent_req *subreq)
search_base = talloc_asprintf(state, IPA_CONFIG_SEARCH_BASE_TEMPLATE,
ldap_basedn);
if (search_base == NULL) {
- DEBUG(1, ("talloc_asprintf failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_asprintf failed.\n"));
tevent_req_error(req, ENOMEM);
return;
}
attrs = talloc_array(state, const char*, 2);
if (attrs == NULL) {
- DEBUG(1, ("talloc_array failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n"));
tevent_req_error(req, ENOMEM);
return;
}
- attrs[0] = IPA_CONFIG_MIRATION_ENABLED;
+ attrs[0] = IPA_CONFIG_MIGRATION_ENABLED;
attrs[1] = NULL;
- subreq = sdap_get_generic_send(state, state->ev,
state->sdap_auth_ctx->opts,
- state->sh, search_base, LDAP_SCOPE_SUBTREE,
+ subreq = sdap_get_generic_send(state, state->ev,
+ state->sdap_id_ctx->opts,
+ sdap_id_op_handle(state->sdap_op),
+ search_base, LDAP_SCOPE_SUBTREE,
IPA_CONFIG_FILTER, attrs, NULL, 0,
-
dp_opt_get_int(state->sdap_auth_ctx->opts->basic,
+
dp_opt_get_int(state->sdap_id_ctx->opts->basic,
SDAP_SEARCH_TIMEOUT));
if (!subreq) {
tevent_req_error(req, ENOMEM);
@@ -183,13 +190,13 @@ static void get_password_migration_flag_done(struct
tevent_req *subreq)
}
if (reply_count != 1) {
- DEBUG(1, ("Unexpected number of results, expected 1, got %d.\n",
- reply_count));
+ DEBUG(SSSDBG_OP_FAILURE, ("Unexpected number of results, expected 1, "
+ "got %d.\n", reply_count));
tevent_req_error(req, EINVAL);
return;
}
- ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIRATION_ENABLED,
&value);
+ ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIGRATION_ENABLED,
&value);
if (ret == EOK && strcasecmp(value, "true") == 0) {
state->password_migration = true;
}
@@ -199,8 +206,7 @@ static void get_password_migration_flag_done(struct
tevent_req *subreq)
static int get_password_migration_flag_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
- bool *password_migration,
- struct sdap_handle **sh)
+ bool *password_migration)
{
struct get_password_migration_flag_state *state = tevent_req_data(req,
struct
get_password_migration_flag_state);
@@ -208,10 +214,6 @@ static int get_password_migration_flag_recv(struct
tevent_req *req,
TEVENT_REQ_RETURN_ON_ERROR(req);
*password_migration = state->password_migration;
- if (sh != NULL) {
- *sh = talloc_steal(mem_ctx, state->sh);
- }
-
return EOK;
}
@@ -227,6 +229,7 @@ struct ipa_auth_state {
static void ipa_auth_handler_done(struct tevent_req *req);
static void ipa_get_migration_flag_done(struct tevent_req *req);
+static void ipa_migration_flag_connect_done(struct tevent_req *req);
static void ipa_auth_ldap_done(struct tevent_req *req);
static void ipa_auth_handler_retry_done(struct tevent_req *req);
@@ -238,7 +241,7 @@ void ipa_auth(struct be_req *be_req)
state = talloc_zero(be_req, struct ipa_auth_state);
if (state == NULL) {
- DEBUG(1, ("talloc_zero failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_zero failed.\n"));
goto fail;
}
@@ -263,14 +266,14 @@ void ipa_auth(struct be_req *be_req)
struct ipa_auth_ctx);
break;
default:
- DEBUG(1, ("Unsupported PAM task.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("Unsupported PAM task.\n"));
goto fail;
}
req = krb5_auth_send(state, state->ev, be_req->be_ctx, state->pd,
state->ipa_auth_ctx->krb5_auth_ctx);
if (req == NULL) {
- DEBUG(1, ("krb5_auth_send failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_send failed.\n"));
goto fail;
}
@@ -295,7 +298,7 @@ static void ipa_auth_handler_done(struct tevent_req *req)
talloc_zfree(req);
state->pd->pam_status = pam_status;
if (ret != EOK && pam_status != PAM_CRED_ERR) {
- DEBUG(1, ("krb5_auth_recv request failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_recv request failed.\n"));
dp_err = DP_ERR_OK;
goto done;
}
@@ -308,12 +311,13 @@ static void ipa_auth_handler_done(struct tevent_req *req)
state->pd->pam_status == PAM_CRED_ERR) {
req = get_password_migration_flag_send(state, state->ev,
-
state->ipa_auth_ctx->sdap_auth_ctx,
+ state->ipa_auth_ctx->sdap_id_ctx,
dp_opt_get_string(
state->ipa_auth_ctx->ipa_options,
IPA_KRB5_REALM));
if (req == NULL) {
- DEBUG(1, ("get_password_migration_flag failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("get_password_migration_flag failed.\n"));
goto done;
}
@@ -331,70 +335,100 @@ static void ipa_get_migration_flag_done(struct
tevent_req *req)
struct
ipa_auth_state);
int ret;
int dp_err = DP_ERR_FATAL;
- const char **attrs;
- struct ldb_message *user_msg;
- const char *dn;
- struct dp_opt_blob password;
ret = get_password_migration_flag_recv(req, state,
- &state->password_migration,
- &state->sh);
+ &state->password_migration);
talloc_zfree(req);
if (ret != EOK) {
- DEBUG(1, ("get_password_migration_flag request failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("get_password_migration_flag "
+ "request failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
dp_err = DP_ERR_OK;
goto done;
}
if (state->password_migration) {
- state->pd->pam_status = PAM_SYSTEM_ERR;
- DEBUG(1, ("Assuming Kerberos password is missing, "
- "starting password migration.\n"));
-
- attrs = talloc_array(state, const char *, 2);
- if (attrs == NULL) {
- DEBUG(1, ("talloc_array failed.\n"));
- state->pd->pam_status = PAM_SYSTEM_ERR;
- dp_err = DP_ERR_OK;
- goto done;
- }
- attrs[0] = SYSDB_ORIG_DN;
- attrs[1] = NULL;
-
- ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb,
- state->pd->user, attrs, &user_msg);
- if (ret != EOK) {
- DEBUG(1, ("sysdb_search_user_by_name failed.\n"));
- goto done;
- }
-
- dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL);
- if (dn == NULL) {
- DEBUG(1, ("Missing original DN for user [%s].\n",
state->pd->user));
- state->pd->pam_status = PAM_SYSTEM_ERR;
- dp_err = DP_ERR_OK;
- goto done;
- }
-
- password.data = state->pd->authtok;
- password.length = state->pd->authtok_size;
-
- req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn,
- "password", password);
+ req = sdap_cli_connect_send(state, state->ev,
+ state->ipa_auth_ctx->sdap_auth_ctx->opts,
+ state->ipa_auth_ctx->sdap_auth_ctx->be,
+
state->ipa_auth_ctx->sdap_auth_ctx->service,
+ true, CON_TLS_ON, true);
if (req == NULL) {
- DEBUG(1, ("sdap_auth_send failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("sdap_cli_connect_send failed.\n"));
goto done;
}
- tevent_req_set_callback(req, ipa_auth_ldap_done, state);
+ tevent_req_set_callback(req, ipa_migration_flag_connect_done, state);
return;
-
- } else {
- DEBUG(5, ("Password migration is not enabled.\n"));
}
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Password migration is not enabled.\n"));
dp_err = DP_ERR_OK;
+done:
+ ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status);
+}
+
+static void ipa_migration_flag_connect_done(struct tevent_req *req)
+{
+ struct ipa_auth_state *state = tevent_req_callback_data(req,
+ struct
ipa_auth_state);
+ const char **attrs;
+ struct ldb_message *user_msg;
+ const char *dn;
+ struct dp_opt_blob password;
+ int dp_err = DP_ERR_FATAL;
+ int ret;
+
+ ret = sdap_cli_connect_recv(req, state, NULL, &state->sh, NULL);
+ talloc_zfree(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Cannot connect to LDAP server to perform migration\n"));
+ goto done;
+ }
+
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ DEBUG(SSSDBG_TRACE_FUNC, ("Assuming Kerberos password is missing, "
+ "starting password migration.\n"));
+
+ attrs = talloc_array(state, const char *, 2);
+ if (attrs == NULL) {
+ DEBUG(1, ("talloc_array failed.\n"));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ dp_err = DP_ERR_OK;
+ goto done;
+ }
+ attrs[0] = SYSDB_ORIG_DN;
+ attrs[1] = NULL;
+
+ ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb,
+ state->pd->user, attrs, &user_msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_search_user_by_name failed.\n"));
+ goto done;
+ }
+
+ dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL);
+ if (dn == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Missing original DN for user [%s].\n",
+ state->pd->user));
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ dp_err = DP_ERR_OK;
+ goto done;
+ }
+
+ password.data = state->pd->authtok;
+ password.length = state->pd->authtok_size;
+
+ req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn,
+ "password", password);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sdap_auth_send failed.\n"));
+ goto done;
+ }
+
+ tevent_req_set_callback(req, ipa_auth_ldap_done, state);
+ return;
done:
ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status);
@@ -411,7 +445,7 @@ static void ipa_auth_ldap_done(struct tevent_req *req)
ret = sdap_auth_recv(req, state, &result, NULL);
talloc_zfree(req);
if (ret != EOK) {
- DEBUG(1, ("auth_send request failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("auth_send request failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
dp_err = DP_ERR_OK;
goto done;
@@ -419,21 +453,21 @@ static void ipa_auth_ldap_done(struct tevent_req *req)
/* TODO: do we need to handle expired passwords? */
if (result != SDAP_AUTH_SUCCESS) {
- DEBUG(1, ("LDAP authentication failed, "
- "Password migration not possible.\n"));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("LDAP authentication failed, "
+ "Password migration not possible.\n"));
state->pd->pam_status = PAM_CRED_INSUFFICIENT;
dp_err = DP_ERR_OK;
goto done;
}
- DEBUG(1, ("LDAP authentication succeded, "
- "trying Kerberos authentication again.\n"));
+ DEBUG(SSSDBG_TRACE_FUNC, ("LDAP authentication succeded, "
+ "trying Kerberos authentication again.\n"));
req = krb5_auth_send(state, state->ev,
state->be_req->be_ctx, state->pd,
state->ipa_auth_ctx->krb5_auth_ctx);
if (req == NULL) {
- DEBUG(1, ("krb5_auth_send failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_send failed.\n"));
goto done;
}
@@ -455,7 +489,7 @@ static void ipa_auth_handler_retry_done(struct tevent_req
*req)
ret = krb5_auth_recv(req, &pam_status, &dp_err);
talloc_zfree(req);
if (ret != EOK) {
- DEBUG(1, ("krb5_auth_recv request failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, ("krb5_auth_recv request failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
dp_err = DP_ERR_OK;
goto done;
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index
6c33e870f1511dcfd166419213bbe5d86cb41e53..165f8fda0a98ab477a92eb0f7f4a7978c4985d41
100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -80,6 +80,7 @@ enum ipa_host_attrs {
struct ipa_auth_ctx {
struct krb5_ctx *krb5_auth_ctx;
+ struct sdap_id_ctx *sdap_id_ctx;
struct sdap_auth_ctx *sdap_auth_ctx;
struct dp_option *ipa_options;
};
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index
9fbca3ae4a0a2796a1dad63afb5efb4bb01e57f7..57b4180cc25ad044b3c7dd2c61afc8c34f0eb4b8
100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -208,8 +208,10 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
void **pvt_data)
{
struct ipa_auth_ctx *ipa_auth_ctx;
+ struct ipa_id_ctx *id_ctx;
struct krb5_ctx *krb5_auth_ctx;
struct sdap_auth_ctx *sdap_auth_ctx;
+ struct bet_ops *id_ops;
FILE *debug_filep;
unsigned v;
int ret;
@@ -234,6 +236,13 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
}
ipa_options->auth_ctx = ipa_auth_ctx;
+ ret = sssm_ipa_id_init(bectx, &id_ops, (void **) &id_ctx);
+ if (ret != EOK) {
+ DEBUG(1, ("sssm_ipa_id_init failed.\n"));
+ goto done;
+ }
+ ipa_auth_ctx->sdap_id_ctx = id_ctx->sdap_id_ctx;
+
ret = dp_copy_options(ipa_auth_ctx, ipa_options->basic,
IPA_OPTS_BASIC, &ipa_auth_ctx->ipa_options);
if (ret != EOK) {
--
1.7.7.3
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
