[Freeipa-devel] [PATCH] slapi-nis support for trusted domains

Jakub Hrozek jhrozek at redhat.com
Tue Jul 16 10:08:30 UTC 2013


On Mon, Jul 15, 2013 at 08:30:03PM +0300, Alexander Bokovoy wrote:
> Hi!
> 
> Attached please find two patches against slapi-nis 0.47 to serve trusted
> domain users and groups to old clients. FreeIPA master needs to be
> enabled with this, see my patch 0108 (on freeipa-devel@).
> 
> The patches add both lookup and PAM-based authentication bind for the
> users returned by SSSD lookup.
> 
> Here is the logic:
> 
> 0. Configuration is performed by setting
> 
>    schema-compat-lookup-sssd: <user|group>
>    schema-compat-sssd-min-id: <value>
> 
> in corresponding schema-compat plugin tree (cn=users and cn=groups).
> 
> If schema-compat-sssd-min-id is not set, it will default to 1000. It is
> used to filter out attempts to fetch system users (<1000 on Fedora by
> default).
> 
> 1. On query, we parse the query filter to identify what type of request
> this is: user or group lookup, and then issue getpwnam_r()/getgrnam_r() and
> getsidbyid() for libsss_nss_idmap to fetch all needed information.
> 
> SSSD caches these requests, so they should be relatively fast.
> 
> 2. Once we have served the request, it is cached in the schema-compat cache map.
> The entry in the cache is currently not expired explicitly but I'm
> working on expiring it on wrong authentication -- if PAM stack returns a
> response telling there is no such user.
> 
> 3. Authentication bind for cached entries is done via PAM service
> 'system-auth'. If HBAC rule 'allow_all' is disabled in FreeIPA, one
> needs to create a rule with service 'system-auth' and allow all users to
> access it on IPA masters. Since system-auth is never used explicitly by
> any application (it is always included through PAM stack and only
> top-level PAM service is used to drive the HBAC ruleset), there is no
> problem.
> 
> PAM authentication code is taken from the pam_passthru DS plugin. We cannot
> use it unchanged because pam_passthru expects that the LDAP entry will exist
> in DS, which is not true for these synthetic entries representing
> trusted domain users.
> 
> On Fedora one needs pam-devel and libsss_nss_idmap-devel to build the
> plugin with new functionality.
> 
> -- 
> / Alexander Bokovoy

Hi,

so far I've only built the code, testing is next. So far I have some
comments about the first patch, see inline:

> From d3433f2033015724fc6580c00d89627afbc06c1d Mon Sep 17 00:00:00 2001
> From: Alexander Bokovoy <abokovoy at redhat.com>
> Date: Mon, 15 Jul 2013 14:18:52 +0300
> Subject: [PATCH 1/2] configure: add configure checks for sss_idmap and define
>  attribute to lookup sssd
> 
> If schema compat plugin configuration has 'schema-compat-lookup-sssd: user|group'
> then schema compat plugin will perform lookups of users/groups that were not found
> in the main store using getpwnam_r()/getgrnam_r() and libsss_idmap library.
> 
> This is a special case to support legacy clients. The schema compat plugin in this
> case is assumed to be running on a FreeIPA master configured with trusts against
> Active Directory and SSSD configured as ipa_server_mode = True.
> 
> Additionally, such entries are added to schema compat plugin's map cache and can
> be used for authentication purposes. They will use PAM authentication pass-through
> to system-auth service.
> ---
>  configure.ac    | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
>  src/Makefile.am |  6 ++++++
>  2 files changed, 54 insertions(+)
> 
> diff --git a/configure.ac b/configure.ac
> index 8d7cbe1..4a47d36 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -309,6 +309,47 @@ AC_SUBST(ASYNCNS_CFLAGS)
>  AC_SUBST(ASYNCNS_LIBS)
>  fi
>  
> +AC_ARG_WITH(sss_nss_idmap,
> +	    AS_HELP_STRING([--with-sss-nss-idmap], [use libsss_nss_idmap]),
> +	    use_sss_nss_idmap=$withval,use_sss_nss_idmap=AUTO)
> +if pkg-config sss_nss_idmap 2> /dev/null ; then
> +	    if test x$use_sss_nss_idmap != xno ; then
> +		AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have libsss_nss_idmap.])
> +		PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
> +	    else
> +		SSS_NSS_IDMAP_CFLAGS=
> +		SSS_NSS_IDMAP_LIBS=
> +	    fi
> +else
> +	if test $use_sss_idmap = yes ; then
> +		PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
> +	else
> +		SSS_NSS_IDMAP_CFLAGS=
> +		SSS_NSS_IDMAP_LIBS=
> +	fi
> +fi
> +AM_CONDITIONAL([SSS_NSS_IDMAP], [test x$SSS_NSS_IDMAP_LIBS != x])
> +AC_SUBST(SSS_NSS_IDMAP_CFLAGS)
> +AC_SUBST(SSS_NSS_IDMAP_LIBS)
> +
> +if x$SSS_NSS_IDMAP_LIBS != x ; then

I think you should use test or square brackets here, otherwise I'm
seeing:

checking for SSS_NSS_IDMAP... yes
./configure: line 12952: x-lsss_nss_idmap: command not found

> +	AC_CHECK_HEADERS(pam.h)

I don't see any pam.h in pam-devel RPM. In SSSD we look for
security/pam_appl.h

> +	if test x$ac_cv_header_pam_h = xno ; then
> +		use_pam=yes
> +	else
> +		use_pam=no
> +	fi
> +
> +	if test $use_pam = yes ; then
> +		PAM_CFLAGS=
> +		PAM_LIBS=-lpam
> +	else
> +		AC_ERROR([<pam.h> not found and it is required for SSSD mode])
> +	fi
> +	AC_SUBST(PAM_CFLAGS)
> +	AC_SUBST(PAM_LIBS)
> +fi
> +
>  mylibdir=`eval echo "$libdir" | sed "s,NONE,${ac_default_prefix},g"`
>  mylibdir=`eval echo "$mylibdir" | sed "s,NONE,${ac_prefix},g"`
>  case "$server" in
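Review bot: the PAM header check `if test x$ac_cv_header_pam_h = xno ; then use_pam=yes` is inverted: a missing header sets use_pam=yes (and PAM_LIBS=-lpam) while a present header trips the AC_ERROR, so the two branches need to be swapped. In the outer else branch, `if test $use_sss_idmap = yes` reads a variable that is never assigned (the option value is stored in `use_sss_nss_idmap`), so when pkg-config cannot find sss_nss_idmap the test runs with an empty left operand and the explicit --with-sss-nss-idmap request is never honoured. AC_ERROR is also an obsolete autoconf macro; AC_MSG_ERROR is the current spelling.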
> @@ -401,6 +442,13 @@ AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_RDN_ATTR,"$rdnattr",
>  attrattr=schema-compat-entry-attribute
>  AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_ATTR_ATTR,"$attrattr",
>  		   [Define to name of the attribute which is used to specify attributes to be used when constructing entries.])
> +sssdattr=schema-compat-lookup-sssd
> +AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_SSSD_ATTR,"$sssdattr",
> +		   [Define to name of the attribute which dictates whether or not SSSD on FreeIPA master is consulted about trusted domains' users.])
> +sssdminidattr=schema-compat-sssd-min-id
> +AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_SSSD_MIN_ID_ATTR,"$sssdminidattr",
> +		   [Define to name of the attribute which is used to define lower bound of IDs (uid or gid) looked up through sssd. Everything below is not considered belonging to trusted domains.])
> +
>  
>  maxvalue_attr=nis-max-value-size
>  AC_DEFINE_UNQUOTED(NIS_PLUGIN_CONFIGURATION_MAXVALUE_ATTR,"$maxvalue_attr",
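Review bot: the help text for SCH_CONTAINER_CONFIGURATION_SSSD_MIN_ID_ATTR does not state the default applied when schema-compat-sssd-min-id is absent (1000 according to the cover letter); recording it in the AC_DEFINE_UNQUOTED description keeps the configuration-attribute documentation self-contained. Minor: the added empty line after that AC_DEFINE_UNQUOTED leaves two blank lines before `maxvalue_attr=nis-max-value-size`.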
> diff --git a/src/Makefile.am b/src/Makefile.am
> index 6c8666b..59b6948 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -51,6 +51,7 @@ nisserver_plugin_la_LIBADD = $(LDAP_LIBS) $(RUNTIME_LIBS) $(TIRPC_LIBS) $(LIBWRA
>  
>  schemacompat_plugin_la_SOURCES = \
>  	back-sch.c \
> +	back-sch.h \

This file is only added in the second patch, so maybe the whole
Makefile.am hunk should be moved there.

>  	backend.h \
>  	back-shr.c \
>  	back-shr.h \
> @@ -64,6 +65,11 @@ schemacompat_plugin_la_SOURCES = \
>  	wrap.h
>  schemacompat_plugin_la_LIBADD = $(LDAP_LIBS) $(RUNTIME_LIBS) $(LIBPTHREAD) $(CONFIGURED_LINK_FLAGS)
>  
> +if SSS_NSS_IDMAP
> +schemacompat_plugin_la_SOURCES += back-sch-sssd.c back-sch-pam.c
> +schemacompat_plugin_la_LIBADD += $(SSS_NSS_IDMAP_LIBS) $(PAM_LIBS)
> +endif
> +
>  noinst_LTLIBRARIES = dummy-nis-plugin.la
>  dummy_nis_plugin_la_SOURCES = \
>  	disp-nis.c \
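Review bot: the `if SSS_NSS_IDMAP` block adds `$(SSS_NSS_IDMAP_LIBS) $(PAM_LIBS)` to LIBADD, but nothing consumes the SSS_NSS_IDMAP_CFLAGS and PAM_CFLAGS that configure.ac substitutes, so any include path pkg-config reports for sss_nss_idmap never reaches the compiler; add both to the plugin's compile flags inside the same conditional.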
> -- 
> 1.8.3.1
> 



