>From 066dbd5ead75b5fa145013d9eb20e4cd76cf84c2 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 25 Jul 2011 16:55:34 +0200 Subject: [PATCH 2/2] IPA migration fixes * use the id connection for looking up the migration flag * force TLS on the password based authentication connection https://fedorahosted.org/sssd/ticket/924 --- src/providers/ipa/ipa_auth.c | 184 +++++++++++++++++++++++----------------- src/providers/ipa/ipa_common.h | 1 + src/providers/ipa/ipa_init.c | 8 ++ 3 files changed, 116 insertions(+), 77 deletions(-) diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c index 083508d..ed42a0f 100644 --- a/src/providers/ipa/ipa_auth.c +++ b/src/providers/ipa/ipa_auth.c @@ -31,7 +31,7 @@ #include "providers/krb5/krb5_auth.h" #include "providers/ipa/ipa_common.h" -#define IPA_CONFIG_MIRATION_ENABLED "ipaMigrationEnabled" +#define IPA_CONFIG_MIGRATION_ENABLED "ipaMigrationEnabled" #define IPA_CONFIG_SEARCH_BASE_TEMPLATE "cn=etc,%s" #define IPA_CONFIG_FILTER "(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" @@ -42,8 +42,8 @@ static void ipa_auth_reply(struct be_req *be_req, int dp_err, int result) struct get_password_migration_flag_state { struct tevent_context *ev; - struct sdap_auth_ctx *sdap_auth_ctx; - struct sdap_handle *sh; + struct sdap_id_op *sdap_op; + struct sdap_id_ctx *sdap_id_ctx; enum sdap_result result; struct fo_server *srv; char *ipa_realm; @@ -55,14 +55,14 @@ static void get_password_migration_flag_done(struct tevent_req *subreq); static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx, struct tevent_context *ev, - struct sdap_auth_ctx *sdap_auth_ctx, + struct sdap_id_ctx *sdap_id_ctx, char *ipa_realm) { int ret; struct tevent_req *req, *subreq; struct get_password_migration_flag_state *state; - if (sdap_auth_ctx == NULL || ipa_realm == NULL) { + if (sdap_id_ctx == NULL || ipa_realm == NULL) { DEBUG(1, ("Missing parameter.\n")); return NULL; } @@ -75,30 +75,26 @@ static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx, } state->ev = ev; - state->sdap_auth_ctx = sdap_auth_ctx; - state->sh = NULL; + state->sdap_id_ctx = sdap_id_ctx; state->result = SDAP_ERROR; state->srv = NULL; state->password_migration = false; state->ipa_realm = ipa_realm; - /* We request to use StartTLS here, because if password migration is - * enabled we will use this connection for authentication, too. */ - ret = dp_opt_set_bool(sdap_auth_ctx->opts->basic, SDAP_ID_TLS, true); - if (ret != EOK) { - DEBUG(1, ("Failed to set SDAP_ID_TLS to true.\n")); + state->sdap_op = sdap_id_op_create(state, state->sdap_id_ctx->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(1, ("sdap_id_op_create failed.\n")); goto fail; } - subreq = sdap_cli_connect_send(state, ev, sdap_auth_ctx->opts, - sdap_auth_ctx->be, sdap_auth_ctx->service, - true, NULL, false); - if (subreq == NULL) { - DEBUG(1, ("sdap_cli_connect_send failed.\n")); + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (!subreq) { + DEBUG(1, ("sdap_id_op_connect_send failed: %d(%s).\n", + ret, strerror(ret))); goto fail; } - tevent_req_set_callback(subreq, get_password_migration_flag_auth_done, - req); + + tevent_req_set_callback(subreq, get_password_migration_flag_auth_done, req); return req; @@ -113,15 +109,22 @@ static void get_password_migration_flag_auth_done(struct tevent_req *subreq) struct tevent_req); struct get_password_migration_flag_state *state = tevent_req_data(req, struct get_password_migration_flag_state); - int ret; + int ret, dp_error; char *ldap_basedn; char *search_base; const char **attrs; - ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL); + ret = sdap_id_op_connect_recv(subreq, &dp_error); talloc_zfree(subreq); if (ret) { - DEBUG(1, ("sdap_auth request failed.\n")); + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(6, ("No IPA server is available, cannot get the " + "migration flag while offline\n")); + } else { + DEBUG(9, ("Failed to connect to IPA server: [%d](%s)\n", + ret, strerror(ret))); + } + tevent_req_error(req, ret); return; } @@ -148,13 +151,15 @@ static void get_password_migration_flag_auth_done(struct tevent_req *subreq) return; } - attrs[0] = IPA_CONFIG_MIRATION_ENABLED; + attrs[0] = IPA_CONFIG_MIGRATION_ENABLED; attrs[1] = NULL; - subreq = sdap_get_generic_send(state, state->ev, state->sdap_auth_ctx->opts, - state->sh, search_base, LDAP_SCOPE_SUBTREE, + subreq = sdap_get_generic_send(state, state->ev, + state->sdap_id_ctx->opts, + sdap_id_op_handle(state->sdap_op), + search_base, LDAP_SCOPE_SUBTREE, IPA_CONFIG_FILTER, attrs, NULL, 0, - dp_opt_get_int(state->sdap_auth_ctx->opts->basic, + dp_opt_get_int(state->sdap_id_ctx->opts->basic, SDAP_SEARCH_TIMEOUT)); if (!subreq) { tevent_req_error(req, ENOMEM); @@ -189,7 +194,7 @@ static void get_password_migration_flag_done(struct tevent_req *subreq) return; } - ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIRATION_ENABLED, &value); + ret = sysdb_attrs_get_string(reply[0], IPA_CONFIG_MIGRATION_ENABLED, &value); if (ret == EOK && strcasecmp(value, "true") == 0) { state->password_migration = true; } @@ -199,8 +204,7 @@ static void get_password_migration_flag_done(struct tevent_req *subreq) static int get_password_migration_flag_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - bool *password_migration, - struct sdap_handle **sh) + bool *password_migration) { struct get_password_migration_flag_state *state = tevent_req_data(req, struct get_password_migration_flag_state); @@ -208,10 +212,6 @@ static int get_password_migration_flag_recv(struct tevent_req *req, TEVENT_REQ_RETURN_ON_ERROR(req); *password_migration = state->password_migration; - if (sh != NULL) { - *sh = talloc_steal(mem_ctx, state->sh); - } - return EOK; } @@ -223,10 +223,12 @@ struct ipa_auth_state { struct pam_data *pd; bool password_migration; struct sdap_handle *sh; + bool force_tls; }; static void ipa_auth_handler_done(struct tevent_req *req); static void ipa_get_migration_flag_done(struct tevent_req *req); +static void ipa_migration_flag_connect_done(struct tevent_req *req); static void ipa_auth_ldap_done(struct tevent_req *req); static void ipa_auth_handler_retry_done(struct tevent_req *req); @@ -308,7 +310,7 @@ static void ipa_auth_handler_done(struct tevent_req *req) state->pd->pam_status == PAM_CRED_ERR) { req = get_password_migration_flag_send(state, state->ev, - state->ipa_auth_ctx->sdap_auth_ctx, + state->ipa_auth_ctx->sdap_id_ctx, dp_opt_get_string( state->ipa_auth_ctx->ipa_options, IPA_KRB5_REALM)); @@ -331,14 +333,9 @@ static void ipa_get_migration_flag_done(struct tevent_req *req) struct ipa_auth_state); int ret; int dp_err = DP_ERR_FATAL; - const char **attrs; - struct ldb_message *user_msg; - const char *dn; - struct dp_opt_blob password; ret = get_password_migration_flag_recv(req, state, - &state->password_migration, - &state->sh); + &state->password_migration); talloc_zfree(req); if (ret != EOK) { DEBUG(1, ("get_password_migration_flag request failed.\n")); @@ -348,53 +345,86 @@ static void ipa_get_migration_flag_done(struct tevent_req *req) } if (state->password_migration) { - state->pd->pam_status = PAM_SYSTEM_ERR; - DEBUG(1, ("Assuming Kerberos password is missing, " - "starting password migration.\n")); - - attrs = talloc_array(state, const char *, 2); - if (attrs == NULL) { - DEBUG(1, ("talloc_array failed.\n")); - state->pd->pam_status = PAM_SYSTEM_ERR; - dp_err = DP_ERR_OK; + state->force_tls = true; + req = sdap_cli_connect_send(state, state->ev, + state->ipa_auth_ctx->sdap_auth_ctx->opts, + state->ipa_auth_ctx->sdap_auth_ctx->be, + state->ipa_auth_ctx->sdap_auth_ctx->service, + true, &state->force_tls, true); + if (req == NULL) { + DEBUG(1, ("sdap_cli_connect_send failed.\n")); goto done; } - attrs[0] = SYSDB_ORIG_DN; - attrs[1] = NULL; - ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb, - state->pd->user, attrs, &user_msg); - if (ret != EOK) { - DEBUG(1, ("sysdb_search_user_by_name failed.\n")); - goto done; - } + tevent_req_set_callback(req, ipa_migration_flag_connect_done, state); + return; + } - dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL); - if (dn == NULL) { - DEBUG(1, ("Missing original DN for user [%s].\n", state->pd->user)); - state->pd->pam_status = PAM_SYSTEM_ERR; - dp_err = DP_ERR_OK; - goto done; - } + DEBUG(5, ("Password migration is not enabled.\n")); + dp_err = DP_ERR_OK; +done: + ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status); +} - password.data = state->pd->authtok; - password.length = state->pd->authtok_size; +static void ipa_migration_flag_connect_done(struct tevent_req *req) +{ + struct ipa_auth_state *state = tevent_req_callback_data(req, + struct ipa_auth_state); + const char **attrs; + struct ldb_message *user_msg; + const char *dn; + struct dp_opt_blob password; + int dp_err = DP_ERR_FATAL; + int ret; - req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn, - "password", password); - if (req == NULL) { - DEBUG(1, ("sdap_auth_send failed.\n")); - goto done; - } + ret = sdap_cli_connect_recv(req, state, NULL, &state->sh, NULL); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(3, ("Cannot connect to LDAP server to perform migration\n")); + goto done; + } - tevent_req_set_callback(req, ipa_auth_ldap_done, state); - return; + state->pd->pam_status = PAM_SYSTEM_ERR; + DEBUG(1, ("Assuming Kerberos password is missing, " + "starting password migration.\n")); + + attrs = talloc_array(state, const char *, 2); + if (attrs == NULL) { + DEBUG(1, ("talloc_array failed.\n")); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; + goto done; + } + attrs[0] = SYSDB_ORIG_DN; + attrs[1] = NULL; - } else { - DEBUG(5, ("Password migration is not enabled.\n")); + ret = sysdb_search_user_by_name(state, state->be_req->be_ctx->sysdb, + state->pd->user, attrs, &user_msg); + if (ret != EOK) { + DEBUG(1, ("sysdb_search_user_by_name failed.\n")); + goto done; } - dp_err = DP_ERR_OK; + dn = ldb_msg_find_attr_as_string(user_msg, SYSDB_ORIG_DN, NULL); + if (dn == NULL) { + DEBUG(1, ("Missing original DN for user [%s].\n", state->pd->user)); + state->pd->pam_status = PAM_SYSTEM_ERR; + dp_err = DP_ERR_OK; + goto done; + } + + password.data = state->pd->authtok; + password.length = state->pd->authtok_size; + + req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn, + "password", password); + if (req == NULL) { + DEBUG(1, ("sdap_auth_send failed.\n")); + goto done; + } + + tevent_req_set_callback(req, ipa_auth_ldap_done, state); + return; done: ipa_auth_reply(state->be_req, dp_err, state->pd->pam_status); diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 76336f3..142a749 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -58,6 +58,7 @@ enum ipa_basic_opt { struct ipa_auth_ctx { struct krb5_ctx *krb5_auth_ctx; + struct sdap_id_ctx *sdap_id_ctx; struct sdap_auth_ctx *sdap_auth_ctx; struct dp_option *ipa_options; }; diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index 5d08b8c..9d5d8d6 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -201,6 +201,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, struct ipa_auth_ctx *ipa_auth_ctx; struct krb5_ctx *krb5_auth_ctx; struct sdap_auth_ctx *sdap_auth_ctx; + struct bet_ops *id_ops; FILE *debug_filep; unsigned v; int ret; @@ -225,6 +226,13 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, } ipa_options->auth_ctx = ipa_auth_ctx; + ret = sssm_ipa_id_init(bectx, &id_ops, + (void **) &ipa_auth_ctx->sdap_id_ctx); + if (ret != EOK) { + DEBUG(1, ("sssm_ipa_id_init failed.\n")); + goto done; + } + ret = dp_copy_options(ipa_auth_ctx, ipa_options->basic, IPA_OPTS_BASIC, &ipa_auth_ctx->ipa_options); if (ret != EOK) { -- 1.7.6