[Freeipa-devel] [PATCH] slapi-nis support for trusted domains

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 31 12:53:21 UTC 2013


Hi Nalin,

On Tue, 23 Jul 2013, Nalin Dahyabhai wrote:
>On Tue, Jul 23, 2013 at 10:15:47AM +0300, Alexander Bokovoy wrote:
>> On Tue, 23 Jul 2013, Nalin Dahyabhai wrote:
>> >Apologies for the delay.
>> Thanks for the review!
>>
>> One short comment -- PAM code is from PAM pass-through plugin from
>> 389-ds. That's the reason why its code doesn't follow slapi-nis way and
>> why it has that license. I tried to keep it mostly intact to share
>> changes but looking at git log it gets roughly two commits per year so
>> maybe it is better to rework it completely.
>
>That'd be my preference.  Other than knowing how to map specific
>PAM error codes to LDAP-level errors, there doesn't seem to be a lot of
>magic that needs to be preserved in there.
>
>> I'll address other comments and will send updated version for the
>> review today. This was my first sizable SLAPI code so errors are
>> inevitable.
>
>No worries.  I think there's already a lot in there that's right.
I think I'm ready now with my patches. :)

At http://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/log/?h=slapi-nis-ad
you can find twelve patches that together form support for trusted domain user
and group lookups via SSSD and their authentication via the PAM stack.

The code no longer experiences deadlocks, as any potential access
that could cause contention on the slapi-nis map cache lock has been
eliminated.

I implemented lookups to all needed functions, including working
getgrouplist()/initgroups(), getgrnam_r(), getpwnam_r(), getgrgid_r(),
getpwuid_r(). SIDs are also looked up through libsss_nss_idmap library
provided by SSSD.

Authentication is handled for both IPA and trusted domain users. The
former case requires some specific handling of the SLAPI_BIND_TARGET_SDN
to rewrite it to the original entry's DN. As a result, a successful bind
looks like this in the dirsrv logs:
[31/Jul/2013:15:49:03 +0300] conn=15 fd=79 slot=79 SSL connection from 192.168.111.216 to 192.168.111.216
[31/Jul/2013:15:49:03 +0300] conn=15 SSL 256-bit AES
[31/Jul/2013:15:49:03 +0300] conn=15 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=example,dc=com" method=128 version=3
[31/Jul/2013:15:49:03 +0300] conn=15 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=foobar)" attrs=ALL
[31/Jul/2013:15:49:03 +0300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[31/Jul/2013:15:49:03 +0300] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2013:15:49:03 +0300] conn=15 op=2 UNBIND
[31/Jul/2013:15:49:03 +0300] conn=15 op=2 fd=79 closed - U1


-- 
/ Alexander Bokovoy
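The log excerpt above shows the observable effect of the SLAPI_BIND_TARGET_SDN rewrite: the BIND is requested against the compat tree (`cn=compat`), while the matching RESULT line reports the DN the bind was actually resolved to (`cn=accounts`). Note that the RESULT for op=0 is logged after the SRCH for op=1, so pairing must be keyed by (conn, op) rather than by line order. The following parser is an added example and not part of the mail or of slapi-nis; it pairs BIND and RESULT lines from a 389-ds access log and flags binds whose effective DN differs from the requested one, which is what an auditor would want to see when checking that compat-tree binds land on the expected account entries. The sample log text is the excerpt from the mail plus a constructed second connection (a direct bind and a failed bind) to show the non-rewritten and error cases.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the access-log excerpt from the mail (conn=15) followed by a
# constructed conn=16 with a direct bind against cn=accounts and a failed bind.
SAMPLE_LOG = """\
[31/Jul/2013:15:49:03 +0300] conn=15 fd=79 slot=79 SSL connection from 192.168.111.216 to 192.168.111.216
[31/Jul/2013:15:49:03 +0300] conn=15 SSL 256-bit AES
[31/Jul/2013:15:49:03 +0300] conn=15 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=example,dc=com" method=128 version=3
[31/Jul/2013:15:49:03 +0300] conn=15 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=foobar)" attrs=ALL
[31/Jul/2013:15:49:03 +0300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[31/Jul/2013:15:49:03 +0300] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2013:15:49:03 +0300] conn=15 op=2 UNBIND
[31/Jul/2013:15:49:03 +0300] conn=15 op=2 fd=79 closed - U1
[31/Jul/2013:15:50:10 +0300] conn=16 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[31/Jul/2013:15:50:10 +0300] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[31/Jul/2013:15:50:11 +0300] conn=16 op=1 BIND dn="uid=nobody,cn=users,cn=compat,dc=example,dc=com" method=128 version=3
[31/Jul/2013:15:50:11 +0300] conn=16 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""

# "[timestamp] conn=N [op=M] <rest>"; lines without op= (connection open,
# cipher negotiation) are skipped by the caller.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
KV_RE = re.compile(r'(\w+)=(\S+)')


@dataclass
class BindRecord:
    conn: int
    op: int
    requested_dn: str            # DN on the BIND line
    effective_dn: Optional[str] = None  # DN on the RESULT line, if the server reported one
    err: Optional[int] = None    # LDAP result code from the RESULT line

    @property
    def rewritten(self) -> bool:
        """True when the server bound the connection to a different entry than requested."""
        return (self.effective_dn is not None
                and self.effective_dn.lower() != self.requested_dn.lower())


def parse_binds(log_text: str) -> List[BindRecord]:
    """Pair BIND and RESULT lines by (conn, op), tolerating interleaved operations."""
    pending: Dict[Tuple[int, int], BindRecord] = {}
    records: List[BindRecord] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('op') is None:
            continue
        key = (int(m.group('conn')), int(m.group('op')))
        rest = m.group('rest')
        if rest.startswith('BIND '):
            dn = DN_RE.search(rest)
            rec = BindRecord(key[0], key[1], dn.group('dn') if dn else '')
            pending[key] = rec
            records.append(rec)
        elif rest.startswith('RESULT ') and key in pending:
            rec = pending.pop(key)
            fields = dict(KV_RE.findall(rest))
            rec.err = int(fields.get('err', '-1'))
            dn = DN_RE.search(rest)
            # No dn= on the RESULT line means the bind DN was used unchanged.
            rec.effective_dn = dn.group('dn') if dn else rec.requested_dn
    return records


def rewritten_binds(log_text: str) -> List[Tuple[str, str]]:
    """Successful binds whose effective DN differs from the requested DN."""
    return [(r.requested_dn, r.effective_dn)
            for r in parse_binds(log_text) if r.err == 0 and r.rewritten]


if __name__ == '__main__':
    for rec in parse_binds(SAMPLE_LOG):
        status = 'REWRITTEN' if rec.rewritten else 'direct'
        print(f"conn={rec.conn} op={rec.op} err={rec.err} {status}: "
              f"{rec.requested_dn} -> {rec.effective_dn}")
```

Keying on (conn, op) is the important part: a naive "RESULT follows BIND" reading of the excerpt would pair the BIND with the SRCH's RESULT and miss the rewrite entirely. A failed bind (err=49) carries no dn= on its RESULT line, so it is reported as direct rather than rewritten.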