Compare commits


2 Commits

Timo Aaltonen
8bc559c5a1 Imported Debian patch 4.7.2-3 2021-10-03 12:04:33 +02:00
Mario Fetka
27edeba051 Ipa for bullseye 2021-10-03 12:04:10 +02:00
917 changed files with 1068993 additions and 1184676 deletions


@ -1,15 +1,7 @@
Ana Krivokapić <akrivoka@redhat.com> Ana Krivokapic <akrivoka@redhat.com>
Adam Misnyovszki <amisnyov@redhat.com> <amisnyov@redhat.com>
Alexander Bokovoy <abokovoy@redhat.com> <ab@vda.li>
Amit Kumar <amitkuma@redhat.com> <amitkuma@redhat.com> <amitkuma@redhat.com>
Endi Sukma Dewata <edewata@redhat.com> System Administrator <root@dhcp-100-3-211.bos.redhat.com>
Endi Sukma Dewata <edewata@redhat.com>
Felipe Volpone <felipevolpone@gmail.com> Felipe Barreto <fbarreto@redhat.com>
Felipe Volpone <felipevolpone@gmail.com> felipe <fbarreto@localhost.localdomain>
Felipe Volpone <felipevolpone@gmail.com> Felipe Volpone <fbarreto@redhat.com>
Felipe Volpone <fbarreto@redhat.com>
François Cami <fcami@redhat.com>
François Cami <fcami@redhat.com> <fcami@fedoraproject.org>
Gabe Alford <redhatrises@gmail.com>
Ganna Kaihorodova <gkaihoro@redhat.com> <gkaihoro@example.com>
Jan Zelený <jzeleny@redhat.com>
@ -18,7 +10,6 @@ John Dennis <jdennis@redhat.com> <jdennis@VAIO>
Jr Aquino <jr.aquino@citrix.com>
Jr Aquino <jr.aquino@citrix.com> <Jr.Aquino@citrix.com>
Jr Aquino <jr.aquino@citrix.com> <jr.aquino@citrixonline.com>
Jayesh Garg <jgarg@redhat.com>
Karl MacMillan <kmacmill@redhat.com> <kmacmillan@mentalrootkit.com>
Karl MacMillan <kmacmill@redhat.com> <kmacmillan@redhat.com>
Karl MacMillan <kmacmill@redhat.com> <kmcmillan@redhat.com>
@ -58,8 +49,6 @@ Rob Crittenden <rcritten@redhat.com> <rcrit@rhel1.greyoak.com>
Rob Crittenden <rcritten@redhat.com> rcritten <devnull@localhost>
Rob Crittenden <rcritten@redhat.com> <rcrit@thor.greyoak.com>
Rob Crittenden <rcritten@redhat.com> <rcrit@tove.greyoak.com>
Serhii Tsymbaliuk <stsymbal@redhat.com> <stsymbal@localhost.localdomain>
Sudhir Menon <sumenon@redhat.com>
Simo Sorce <ssorce@redhat.com> <simo@redhat.com>
Sumit Bose <sbose@redhat.com> <sbose@ipa17-devel.ipa17.devel>
Sumit Bose <sbose@redhat.com> <sbose@ipa18-devel.ipa18.devel>

36
ACI.txt

@ -61,7 +61,7 @@ aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilte
dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxhostnamelength || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
@ -99,7 +99,7 @@ aci: (targetattr = "ipaexternalmember")(targetfilter = "(objectclass=ipaexternal
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipausergroup))")(version 3.0;acl "permission:System: Modify Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || description || gidnumber || ipauniqueid || membermanager || mepmanagedby || objectclass")(targetfilter = "(&(!(cn=admins))(|(objectclass=ipausergroup)(objectclass=posixgroup)))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "ipaexternalmember")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read External Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: dc=ipa,dc=example
@ -109,9 +109,9 @@ aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser"
dn: dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || membermanager || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(&(!(|(cn=admins)(cn=trust admins)(cn=default smb group)))(|(objectclass=ipausergroup)(objectclass=posixgroup)))")(version 3.0;acl "permission:System: Remove Groups";allow (delete) groupdn = "ldap:///cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Remove Groups";allow (delete) groupdn = "ldap:///cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Add HBAC Rule";allow (add) groupdn = "ldap:///cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hbac,dc=ipa,dc=example
@ -141,7 +141,7 @@ aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbprincipalname")(targetfilter = "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl "permission:System: Add krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "enrolledby || nshardwareplatform || nsosversion || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "enrolledby || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Certificates";allow (write) groupdn = "ldap:///cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
@ -169,25 +169,25 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(&(!(cn=ipaservers))(objectclass=ipahostgroup))")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || description || membermanager")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || membermanager || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || memberof || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=ranges,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=views,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipadomainresolutionorder || modifytimestamp || objectclass")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Read ID Views";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbauthindmaxrenewableage || krbauthindmaxticketlife || krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=locations,cn=etc,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=locations,cn=etc,dc=ipa,dc=example
@ -273,8 +273,6 @@ aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(obje
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbprincipalauthind || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || ipantsecurityidentifier || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read POSIX details of SMB services";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalauthind || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
@ -355,19 +353,17 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example)")(version 3.0;acl "permission:System: Change Admin User password";allow (write) groupdn = "ldap:///cn=System: Change Admin User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "usercertificate")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Manage User Certificates";allow (write) groupdn = "ldap:///cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificates";allow (write) groupdn = "ldap:///cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Manage User Principals";allow (write) groupdn = "ldap:///cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Principals";allow (write) groupdn = "ldap:///cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "ipasshpubkey")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homedirectory || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homedirectory || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
@ -389,9 +385,9 @@ aci: (targetattr = "cn || createtimestamp || description || displayname || entry
dn: dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Add Vaults";allow (add) groupdn = "ldap:///cn=System: Add Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
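Review bot: On the new side of the cn=users,cn=accounts hunk the targetfilter of "System: Manage User Certificates", "Manage User Principals", "Manage User SSH Public Keys", "Modify Users", "Remove Users" and "Unlock User" is reduced to `(objectclass=posixaccount)`, and the separate "System: Change Admin User password" ACI disappears, so any holder of those delegated permissions can again write the SSH keys, certificates and principal names of members of cn=admins and delete or unlock them — a path from a user-administration role to full admin. The surviving "System: Change User password" ACI on the same side still carries `(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")`, which is the guard these six should keep. This file appears to be a snapshot of generated ACIs, so the effective change lives in the server plugin definitions it mirrors; if stepping back to the 4.7.2-3 source is intentional, the loss of the admins-group guard deserves an explicit changelog entry rather than a silent import.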

216
API.txt

@ -1075,7 +1075,7 @@ args: 0,1,1
option: Str('version?')
output: Output('result')
command: config_mod/1
args: 0,28,3
args: 0,27,3
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('ca_renewal_master_server?', autofill=False)
@ -1089,7 +1089,6 @@ option: Str('ipagroupobjectclasses*', autofill=False, cli_name='groupobjectclass
option: IA5Str('ipagroupsearchfields?', autofill=False, cli_name='groupsearch')
option: IA5Str('ipahomesrootdir?', autofill=False, cli_name='homedirectory')
option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'nfs:NONE'])
option: Int('ipamaxhostnamelength?', autofill=False, cli_name='maxhostname')
option: Int('ipamaxusernamelength?', autofill=False, cli_name='maxusername')
option: Bool('ipamigrationenabled?', autofill=False, cli_name='enable_migration')
option: Int('ipapwdexpadvnotify?', autofill=False, cli_name='pwdexpnotify')
@ -1097,7 +1096,7 @@ option: Int('ipasearchrecordslimit?', autofill=False, cli_name='searchrecordslim
option: Int('ipasearchtimelimit?', autofill=False, cli_name='searchtimelimit')
option: Str('ipaselinuxusermapdefault?', autofill=False)
option: Str('ipaselinuxusermaporder?', autofill=False)
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened', u'disabled'])
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'disabled'])
option: Str('ipauserobjectclasses*', autofill=False, cli_name='userobjectclasses')
option: IA5Str('ipausersearchfields?', autofill=False, cli_name='usersearch')
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@ -1959,11 +1958,10 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: group_add_member/1
args: 1,9,3
args: 1,8,3
arg: Str('cn', cli_name='group_name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Str('idoverrideuser*', alwaysask=True, cli_name='idoverrideusers')
option: Str('ipaexternalmember*', cli_name='external')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@ -1973,18 +1971,6 @@ option: Str('version?')
output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: group_add_member_manager/1
args: 1,6,3
arg: Str('cn', cli_name='group_name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('user*', alwaysask=True, cli_name='users')
option: Str('version?')
output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: group_del/1
args: 1,2,3
arg: Str('cn+', cli_name='group_name')
@ -2001,7 +1987,7 @@ output: Output('result', type=[<type 'bool'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: group_find/1
args: 1,36,4
args: 1,30,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('cn?', autofill=False, cli_name='group_name')
@ -2009,16 +1995,12 @@ option: Str('description?', autofill=False, cli_name='desc')
option: Flag('external', autofill=True, cli_name='external', default=False)
option: Int('gidnumber?', autofill=False, cli_name='gid')
option: Str('group*', cli_name='groups')
option: Str('idoverrideuser*', cli_name='idoverrideusers')
option: Str('in_group*', cli_name='in_groups')
option: Str('in_hbacrule*', cli_name='in_hbacrules')
option: Str('in_netgroup*', cli_name='in_netgroups')
option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('membermanager_group*', cli_name='membermanager_groups')
option: Str('membermanager_user*', cli_name='membermanager_users')
option: Str('no_group*', cli_name='no_groups')
option: Str('no_idoverrideuser*', cli_name='no_idoverrideusers')
option: Flag('no_members', autofill=True, default=True)
option: Principal('no_service*', cli_name='no_services')
option: Str('no_user*', cli_name='no_users')
@ -2028,8 +2010,6 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
option: Str('not_in_role*', cli_name='not_in_roles')
option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
option: Str('not_membermanager_group*', cli_name='not_membermanager_groups')
option: Str('not_membermanager_user*', cli_name='not_membermanager_users')
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('posix', autofill=True, cli_name='posix', default=False)
option: Flag('private', autofill=True, cli_name='private', default=False)
@ -2063,11 +2043,10 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: group_remove_member/1
args: 1,9,3
args: 1,8,3
arg: Str('cn', cli_name='group_name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Str('idoverrideuser*', alwaysask=True, cli_name='idoverrideusers')
option: Str('ipaexternalmember*', cli_name='external')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@ -2077,18 +2056,6 @@ option: Str('version?')
output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: group_remove_member_manager/1
args: 1,6,3
arg: Str('cn', cli_name='group_name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('user*', alwaysask=True, cli_name='users')
option: Str('version?')
output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: group_show/1
args: 1,5,3
arg: Str('cn', cli_name='group_name')
@ -2474,7 +2441,7 @@ option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
option: Str('ipasshpubkey*', cli_name='sshpubkey')
option: StrEnum('krbprincipalauthind*', cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
option: Str('krbprincipalauthind*', cli_name='auth_ind')
option: Str('l?', cli_name='locality')
option: Str('macaddress*')
option: Flag('no_members', autofill=True, default=False)
@ -2487,7 +2454,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Certificate('usercertificate*', cli_name='certificate')
option: Str('userclass*', cli_name='class')
option: HostPassword('userpassword?', cli_name='password')
option: Str('userpassword?', cli_name='password')
option: Str('version?')
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
@ -2598,7 +2565,7 @@ output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: host_find/1
args: 1,34,4
args: 1,35,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('description?', autofill=False, cli_name='desc')
@ -2610,7 +2577,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups')
option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('ipaassignedidview?', autofill=False)
option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
option: Str('l?', autofill=False, cli_name='locality')
option: Str('macaddress*', autofill=False)
option: Str('man_by_host*', cli_name='man_by_hosts')
@ -2633,6 +2600,7 @@ option: Int('sizelimit?', autofill=False)
option: Int('timelimit?', autofill=False)
option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
option: Str('userclass*', autofill=False, cli_name='class')
option: Str('userpassword?', autofill=False, cli_name='password')
option: Str('version?')
output: Output('count', type=[<type 'int'>])
output: ListOfEntries('result')
@ -2650,7 +2618,7 @@ option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
option: Principal('krbprincipalname*', autofill=False)
option: Str('l?', autofill=False, cli_name='locality')
option: Str('macaddress*', autofill=False)
@ -2665,7 +2633,7 @@ option: Str('setattr*', cli_name='setattr')
option: Flag('updatedns?', autofill=True, default=False)
option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
option: Str('userclass*', autofill=False, cli_name='class')
option: HostPassword('userpassword?', autofill=False, cli_name='password')
option: Str('userpassword?', autofill=False, cli_name='password')
option: Str('version?')
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
@ -2740,18 +2708,6 @@ option: Str('version?')
output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: hostgroup_add_member_manager/1
args: 1,6,3
arg: Str('cn', cli_name='hostgroup_name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('user*', alwaysask=True, cli_name='users')
option: Str('version?')
output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: hostgroup_del/1
args: 1,2,3
arg: Str('cn+', cli_name='hostgroup_name')
@ -2761,7 +2717,7 @@ output: Output('result', type=[<type 'dict'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: ListOfPrimaryKeys('value')
command: hostgroup_find/1
args: 1,25,4
args: 1,21,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('cn?', autofill=False, cli_name='hostgroup_name')
@ -2772,8 +2728,6 @@ option: Str('in_hbacrule*', cli_name='in_hbacrules')
option: Str('in_hostgroup*', cli_name='in_hostgroups')
option: Str('in_netgroup*', cli_name='in_netgroups')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('membermanager_group*', cli_name='membermanager_groups')
option: Str('membermanager_user*', cli_name='membermanager_users')
option: Str('no_host*', cli_name='no_hosts')
option: Str('no_hostgroup*', cli_name='no_hostgroups')
option: Flag('no_members', autofill=True, default=True)
@ -2781,8 +2735,6 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules')
option: Str('not_in_hostgroup*', cli_name='not_in_hostgroups')
option: Str('not_in_netgroup*', cli_name='not_in_netgroups')
option: Str('not_in_sudorule*', cli_name='not_in_sudorules')
option: Str('not_membermanager_group*', cli_name='not_membermanager_groups')
option: Str('not_membermanager_user*', cli_name='not_membermanager_users')
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Int('sizelimit?', autofill=False)
@ -2793,7 +2745,7 @@ output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: hostgroup_mod/1
args: 1,10,3
args: 1,9,3
arg: Str('cn', cli_name='hostgroup_name')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@ -2801,7 +2753,6 @@ option: Str('delattr*', cli_name='delattr')
option: Str('description?', autofill=False, cli_name='desc')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('rename?', cli_name='rename')
option: Flag('rights', autofill=True, default=False)
option: Str('setattr*', cli_name='setattr')
option: Str('version?')
@ -2820,18 +2771,6 @@ option: Str('version?')
output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: hostgroup_remove_member_manager/1
args: 1,6,3
arg: Str('cn', cli_name='hostgroup_name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('user*', alwaysask=True, cli_name='users')
option: Str('version?')
output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: hostgroup_show/1
args: 1,5,3
arg: Str('cn', cli_name='hostgroup_name')
@ -2924,7 +2863,7 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: idoverrideuser_add/1
args: 2,17,3
args: 2,16,3
arg: Str('idviewcn', cli_name='idview')
arg: Str('ipaanchoruuid', cli_name='anchor')
option: Str('addattr*', cli_name='addattr')
@ -2937,7 +2876,6 @@ option: Str('homedirectory?', cli_name='homedir')
option: Str('ipaoriginaluid?')
option: Str('ipasshpubkey*', cli_name='sshpubkey')
option: Str('loginshell?', cli_name='shell')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Str('uid?', cli_name='login')
@ -2948,12 +2886,11 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: idoverrideuser_add_cert/1
args: 2,6,3
args: 2,5,3
arg: Str('idviewcn', cli_name='idview')
arg: Str('ipaanchoruuid', cli_name='anchor')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Flag('fallback_to_ldap?', autofill=True, default=False)
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Certificate('usercertificate+', alwaysask=True, cli_name='certificate')
option: Str('version?')
@ -2971,7 +2908,7 @@ output: Output('result', type=[<type 'dict'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: ListOfPrimaryKeys('value')
command: idoverrideuser_find/1
args: 2,17,4
args: 2,16,4
arg: Str('idviewcn', cli_name='idview')
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
@ -2983,7 +2920,6 @@ option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('ipaanchoruuid?', autofill=False, cli_name='anchor')
option: Str('ipaoriginaluid?', autofill=False)
option: Str('loginshell?', autofill=False, cli_name='shell')
option: Flag('no_members', autofill=True, default=True)
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Int('sizelimit?', autofill=False)
@ -2996,7 +2932,7 @@ output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: idoverrideuser_mod/1
args: 2,20,3
args: 2,19,3
arg: Str('idviewcn', cli_name='idview')
arg: Str('ipaanchoruuid', cli_name='anchor')
option: Str('addattr*', cli_name='addattr')
@ -3010,7 +2946,6 @@ option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('ipaoriginaluid?', autofill=False)
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
option: Str('loginshell?', autofill=False, cli_name='shell')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('rename?', cli_name='rename')
option: Flag('rights', autofill=True, default=False)
@ -3023,12 +2958,11 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: idoverrideuser_remove_cert/1
args: 2,6,3
args: 2,5,3
arg: Str('idviewcn', cli_name='idview')
arg: Str('ipaanchoruuid', cli_name='anchor')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Flag('fallback_to_ldap?', autofill=True, default=False)
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Certificate('usercertificate+', alwaysask=True, cli_name='certificate')
option: Str('version?')
@ -3036,12 +2970,11 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: idoverrideuser_show/1
args: 2,6,3
args: 2,5,3
arg: Str('idviewcn', cli_name='idview')
arg: Str('ipaanchoruuid', cli_name='anchor')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Flag('fallback_to_ldap?', autofill=True, default=False)
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Flag('rights', autofill=True, default=False)
option: Str('version?')
@ -3230,19 +3163,11 @@ output: Output('result', type=[<type 'bool'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: krbtpolicy_mod/1
args: 1,17,3
args: 1,9,3
arg: Str('uid?', cli_name='user')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('delattr*', cli_name='delattr')
option: Int('krbauthindmaxrenewableage_hardened?', autofill=False, cli_name='hardened_maxrenew')
option: Int('krbauthindmaxrenewableage_otp?', autofill=False, cli_name='otp_maxrenew')
option: Int('krbauthindmaxrenewableage_pkinit?', autofill=False, cli_name='pkinit_maxrenew')
option: Int('krbauthindmaxrenewableage_radius?', autofill=False, cli_name='radius_maxrenew')
option: Int('krbauthindmaxticketlife_hardened?', autofill=False, cli_name='hardened_maxlife')
option: Int('krbauthindmaxticketlife_otp?', autofill=False, cli_name='otp_maxlife')
option: Int('krbauthindmaxticketlife_pkinit?', autofill=False, cli_name='pkinit_maxlife')
option: Int('krbauthindmaxticketlife_radius?', autofill=False, cli_name='radius_maxlife')
option: Int('krbmaxrenewableage?', autofill=False, cli_name='maxrenew')
option: Int('krbmaxticketlife?', autofill=False, cli_name='maxlife')
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@ -3688,7 +3613,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('attrs*')
option: Str('extratargetfilter*', cli_name='filter')
option: Str('filter*')
option: StrEnum('ipapermbindruletype', autofill=True, cli_name='bindtype', default=u'permission', values=[u'permission', u'all', u'anonymous', u'self'])
option: StrEnum('ipapermbindruletype', autofill=True, cli_name='bindtype', default=u'permission', values=[u'permission', u'all', u'anonymous'])
option: DNOrURL('ipapermlocation?', alwaysask=True, autofill=False, cli_name='subtree')
option: StrEnum('ipapermright*', alwaysask=True, autofill=False, cli_name='right', values=[u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'])
option: DNParam('ipapermtarget?', cli_name='target')
@ -3746,7 +3671,7 @@ option: Str('attrs*', autofill=False)
option: Str('cn?', autofill=False, cli_name='name')
option: Str('extratargetfilter*', autofill=False, cli_name='filter')
option: Str('filter*', autofill=False)
option: StrEnum('ipapermbindruletype?', autofill=False, cli_name='bindtype', default=u'permission', values=[u'permission', u'all', u'anonymous', u'self'])
option: StrEnum('ipapermbindruletype?', autofill=False, cli_name='bindtype', default=u'permission', values=[u'permission', u'all', u'anonymous'])
option: Str('ipapermdefaultattr*', autofill=False, cli_name='defaultattrs')
option: Str('ipapermexcludedattr*', autofill=False, cli_name='excludedattrs')
option: Str('ipapermincludedattr*', autofill=False, cli_name='includedattrs')
@ -3780,7 +3705,7 @@ option: Str('attrs*', autofill=False)
option: Str('delattr*', cli_name='delattr')
option: Str('extratargetfilter*', autofill=False, cli_name='filter')
option: Str('filter*', autofill=False)
option: StrEnum('ipapermbindruletype?', autofill=False, cli_name='bindtype', default=u'permission', values=[u'permission', u'all', u'anonymous', u'self'])
option: StrEnum('ipapermbindruletype?', autofill=False, cli_name='bindtype', default=u'permission', values=[u'permission', u'all', u'anonymous'])
option: Str('ipapermexcludedattr*', autofill=False, cli_name='excludedattrs')
option: Str('ipapermincludedattr*', autofill=False, cli_name='includedattrs')
option: DNOrURL('ipapermlocation?', autofill=False, cli_name='subtree')
@ -4157,13 +4082,12 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: role_add_member/1
args: 1,10,3
args: 1,9,3
arg: Str('cn', cli_name='name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Str('host*', alwaysask=True, cli_name='hosts')
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups')
option: Str('idoverrideuser*', alwaysask=True, cli_name='idoverrideusers')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('service*', alwaysask=True, cli_name='services')
@ -4224,13 +4148,12 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: role_remove_member/1
args: 1,10,3
args: 1,9,3
arg: Str('cn', cli_name='name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('group*', alwaysask=True, cli_name='groups')
option: Str('host*', alwaysask=True, cli_name='hosts')
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups')
option: Str('idoverrideuser*', alwaysask=True, cli_name='idoverrideusers')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('service*', alwaysask=True, cli_name='services')
@ -4524,7 +4447,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('role_servrole?', autofill=False, cli_name='role')
option: Str('server_server?', autofill=False, cli_name='server')
option: Int('sizelimit?', autofill=False)
option: StrEnum('status?', autofill=False, cli_name='status', default=u'enabled', values=[u'enabled', u'configured', u'hidden', u'absent'])
option: StrEnum('status?', autofill=False, cli_name='status', default=u'enabled', values=[u'enabled', u'configured', u'absent'])
option: Int('timelimit?', autofill=False)
option: Str('version?')
output: Output('count', type=[<type 'int'>])
@ -4552,14 +4475,6 @@ option: Str('version?')
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: server_state/1
args: 1,2,3
arg: Str('cn', cli_name='name')
option: StrEnum('state', values=[u'enabled', u'hidden'])
option: Str('version?')
output: Output('result', type=[<type 'bool'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: service_add/1
args: 1,14,3
arg: Principal('krbcanonicalname', cli_name='canonical_principal')
@ -4570,7 +4485,7 @@ option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', u'PA
option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
option: StrEnum('krbprincipalauthind*', cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
option: Str('krbprincipalauthind*', cli_name='auth_ind')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
@ -4613,22 +4528,6 @@ option: Str('version?')
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: service_add_smb/1
args: 2,9,3
arg: Str('fqdn', cli_name='hostname')
arg: Str('ipantflatname?', cli_name='netbiosname')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Certificate('usercertificate*', cli_name='certificate')
option: Str('version?')
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: service_allow_create_keytab/1
args: 1,8,3
arg: Principal('krbcanonicalname', cli_name='canonical_principal')
@ -4706,7 +4605,7 @@ arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
option: Principal('krbcanonicalname?', autofill=False, cli_name='canonical_principal')
option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
option: Str('man_by_host*', cli_name='man_by_hosts')
option: Flag('no_members', autofill=True, default=True)
@ -4730,7 +4629,7 @@ option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=
option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
option: Flag('no_members', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@ -4978,7 +4877,7 @@ option: Str('initials?', autofill=True)
option: Str('ipasshpubkey*', cli_name='sshpubkey')
option: Str('ipatokenradiusconfiglink?', cli_name='radius')
option: Str('ipatokenradiususername?', cli_name='radius_username')
option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
@ -5064,7 +4963,7 @@ output: Output('result', type=[<type 'dict'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: ListOfPrimaryKeys('value')
command: stageuser_find/1
args: 1,58,4
args: 1,54,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('carlicense*', autofill=False)
@ -5084,13 +4983,9 @@ option: Str('in_netgroup*', cli_name='in_netgroups')
option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@ -5129,7 +5024,7 @@ output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: stageuser_mod/1
args: 1,51,3
args: 1,47,3
arg: Str('uid', cli_name='login')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@ -5146,14 +5041,10 @@ option: Int('gidnumber?', autofill=False)
option: Str('givenname?', autofill=False, cli_name='first')
option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@ -5870,21 +5761,11 @@ option: Str('version?')
output: Output('result', type=[<type 'dict'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: ListOfPrimaryKeys('value')
command: trust_enable_agent/1
args: 1,2,3
arg: Str('remote_cn', cli_name='remote_name')
option: Flag('enable_compat', autofill=True, default=False)
option: Str('version?')
output: Output('result', type=[<type 'bool'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: trust_fetch_domains/1
args: 1,7,4
args: 1,5,4
arg: Str('cn', cli_name='realm')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('realm_admin?', cli_name='admin')
option: Password('realm_passwd?', cli_name='password', confirm=False)
option: Str('realm_server?', cli_name='server')
option: Flag('rights', autofill=True, default=False)
option: Str('version?')
@ -6061,7 +5942,7 @@ option: Str('initials?', autofill=True)
option: Str('ipasshpubkey*', cli_name='sshpubkey')
option: Str('ipatokenradiusconfiglink?', cli_name='radius')
option: Str('ipatokenradiususername?', cli_name='radius_username')
option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
@ -6164,7 +6045,7 @@ output: Output('result', type=[<type 'bool'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: user_find/1
args: 1,61,4
args: 1,57,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('carlicense*', autofill=False)
@ -6184,13 +6065,9 @@ option: Str('in_netgroup*', cli_name='in_netgroups')
option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@ -6232,7 +6109,7 @@ output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: user_mod/1
args: 1,52,3
args: 1,48,3
arg: Str('uid', cli_name='login')
option: Str('addattr*', cli_name='addattr')
option: Flag('all', autofill=True, cli_name='all', default=False)
@ -6249,14 +6126,10 @@ option: Int('gidnumber?', autofill=False)
option: Str('givenname?', autofill=False, cli_name='first')
option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@ -6824,13 +6697,11 @@ default: env/1
default: group/1
default: group_add/1
default: group_add_member/1
default: group_add_member_manager/1
default: group_del/1
default: group_detach/1
default: group_find/1
default: group_mod/1
default: group_remove_member/1
default: group_remove_member_manager/1
default: group_show/1
default: hbacrule/1
default: hbacrule_add/1
@ -6883,12 +6754,10 @@ default: host_show/1
default: hostgroup/1
default: hostgroup_add/1
default: hostgroup_add_member/1
default: hostgroup_add_member_manager/1
default: hostgroup_del/1
default: hostgroup_find/1
default: hostgroup_mod/1
default: hostgroup_remove_member/1
default: hostgroup_remove_member_manager/1
default: hostgroup_show/1
default: i18n_messages/1
default: idoverridegroup/1
@ -7036,13 +6905,11 @@ default: server_role/1
default: server_role_find/1
default: server_role_show/1
default: server_show/1
default: server_state/1
default: service/1
default: service_add/1
default: service_add_cert/1
default: service_add_host/1
default: service_add_principal/1
default: service_add_smb/1
default: service_allow_create_keytab/1
default: service_allow_retrieve_keytab/1
default: service_del/1
@ -7145,7 +7012,6 @@ default: topologysuffix_verify/1
default: trust/1
default: trust_add/1
default: trust_del/1
default: trust_enable_agent/1
default: trust_fetch_domains/1
default: trust_find/1
default: trust_mod/1


@ -4,176 +4,140 @@ The following people have contributed to the FreeIPA project.
(Listed in alphabetical order within category)
Developers:
Abhijeet Kasurde
Adam Misnyovszki
Adam Williamson
Adam Young
Ade Lee
Aleksei Slaikovskii
Ales 'alich' Marecek
Alex Zeleznikov
Alexander Bokovoy
Alexander Koksharov
Alexander Scheel
Alexandre Mulatinho
Alexey Slaykovsky
Amit Kumar
Ana Krivokapić
Andrew Wnuk
Anuja More
Armando Neto
Ben Lipton
Benjamin Drung
Brian Cook
Brian J. Murrell
Cédric Jeanneret
Changmin Teng
Christian Heimes
Christian Hermann
David Kreitschmann
David Kupka
David O'Brien
David Spångberg
Diane Trout
Dinesh Prasanth M K
Diogo Nunes
Dmitri Pal
Don Davis
Drew Erny
Endi Sukma Dewata
Fabiano Fidêncio
Felipe Volpone
Filip Skola
Florence Blanc-Renaud
Francesco Marella
Francisco Trivino
François Cami
Frank Cusack
Fraser Tweedale
Timo Aaltonen
Gabe Alford
Ganna Kaihorodova
Gaurav Talreja
German Parente
Gowrishankar Rajaiyan
Günther Deschner
Ian Kumlien
Ian Pilcher
Isaac Boukris
Jakub Hrozek
James Groffen
Jan Barta
Jan Cholasta
Jan Pazdziora
Jan Zelený
Jason Gerard DeRose
Jason Woods
Jayesh Garg
Jeremy Frasier
Jérôme Fenal
Jim Meyering
John Dennis
John L
John Morris
Jr Aquino
Justin Stephenson
Kaleemullah Siddiqui
Karl MacMillan
Kevin McCarthy
Krzysztof Klimonda
Kyle Baker
Lars Sjostrom
Lenka Doudova
Lenka Ryznarova
Lewis Eason
Lubomír Rintel
Ludwig Krispenz
Lukáš Slebodník
Lynn Root
Mark McLoughlin
Mark Reynolds
Marko Myllynen
Tomáš Babej
Martin Babinsky
Kyle Baker
Felipe Barreto
Jan Barta
Martin Bašti
Martin Košek
Martin Nagy
Matt Rogers
Michael Simacek
Michal Polovka
Michal Reznik
Michal Židek
Milan Kubík
Miro Hrončok
MIZUTA Takeshi
Mohammad Rizwan
Mohammad Rizwan Yusuf
Sylvain Baubeau
Florence Blanc-Renaud
Alexander Bokovoy
Thierry Bordaz
Sumit Bose
François Cami
Petr Čech
Xiao-Long Chen
Jan Cholasta
Yuri Chornoivan
Brian Cook
Rob Crittenden
Frank Cusack
Nalin Dahyabhai
Nathan Kinder
Nathaniel McCallum
ndehadra
Nick Hatch
Rishabh Dave
Don Davis
Nikhil Dehadrai
Nikolai Kondrashov
Niranjan Mallapadi
Niranjan MR
John Dennis
Jason Gerard DeRose
Günther Deschner
Endi Sukma Dewata
Lenka Doudova
Benjamin Drung
Patrice Duc-Jacquet
Tibor Dudlák
Lewis Eason
Drew Erny
Oleg Fayans
Oleg Kozlov
Jérôme Fenal
Fabiano Fidêncio
Stephen Gallagher
René Genz
James Groffen
Oliver Gutierrez
Ondřej Hamada
Orion Poplawski
Patrice Duc-Jacquet
Pavel Picka
Pavel Vomáčka
Pavel Zůna
Pete Rowley
Peter Keresztes Schmidt
Robbie Harwood
Nick Hatch
Christian Heimes
Jakub Hrozek
Ganna Kaihorodova
Abhijeet Kasurde
Nathan Kinder
Krzysztof Klimonda
Alexander Koksharov
Nikolai Kondrashov
Martin Košek
David Kreitschmann
Ludwig Krispenz
Ana Krivokapić
Tomáš Křížek
Milan Kubík
Amit Kumar
Ian Kumlien
David Kupka
Robert Kuska
John L
Peter Lacko
Petr Čech
Stanislav Laznicka
Ade Lee
Stanislav Levin
Ben Lipton
Karl MacMillan
Niranjan Mallapadi
Ales 'alich' Marecek
Francesco Marella
Nathaniel McCallum
William Jon McCann
Kevin McCarthy
Mark McLoughlin
Rich Megginson
Sudhir Menon
Jim Meyering
Adam Misnyovszki
Takeshi MIZUTA
Anuja More
John Morris
Niranjan MR
Brian J. Murrell
Varun Mylaraiah
Marko Myllynen
Martin Nagy
Armando Neto
David O'Brien
Dmitri Pal
Jan Pazdziora
W. Michael Petullo
Pavel Picka
Orion Poplawski
Gowrishankar Rajaiyan
realsobek
Michal Reznik
Lubomír Rintel
Matt Rogers
Lynn Root
Pete Rowley
Lenka Ryznarova
Alexander Scheel
Thorsten Scherf
shanyin
Kaleemullah Siddiqui
Michael Simacek
Lars Sjostrom
Filip Skola
Aleksei Slaikovskii
Lukáš Slebodník
Simo Sorce
Petr Špaček
David Spångberg
Justin Stephenson
Diane Trout
Serhii Tsymbaliuk
Fraser Tweedale
Petr Viktorin
Petr Voborník
Rafael Guterres Jeffman
realsobek
René Genz
Rich Megginson
Rishabh Dave
Rob Crittenden
Robbie Harwood
Robert Kuska
Sam Morris
Sergey Orlov
Sergio Oliveira Campos
Serhii Tsymbaliuk
shanyin
Simo Sorce
Spencer E. Olson
Stanislav Laznicka
Stanislav Levin
Stasiek Michalski
Stephen Gallagher
sudharsanomprakash
Sudhir Menon
Sumedh Sidhaye
Sumit Bose
Sylvain Baubeau
Takeshi MIZUTA
Theodor van Nahl
Thierry Bordaz
Felipe Volpone
Pavel Vomáčka
Andrew Wnuk
Thomas Woerner
Thorsten Scherf
Tibor Dudlák
Timo Aaltonen
Tomáš Babej
Tomas Halman
Tomáš Křížek
Varun Mylaraiah
Viktor Ashirov
Vit Mojzis
W. Michael Petullo
William Brown
William Jon McCann
Xiao-Long Chen
Yuri Chornoivan
Zdenek Pytela
Jason Woods
Adam Young
Mohammad Rizwan Yusuf
Jan Zelený
Alex Zeleznikov
Michal Židek
Pavel Zůna
Documentation:
Gabe Alford
@ -197,39 +161,26 @@ Testing:
Yi Zhang
Translators:
A S Alam
Abhijeet Kasurde
Alex
Alexander Bokovoy
Andi Chandler
Andrew Martynov
Brian Curtich
David Kreitschmann
dominique
A S Alam
Emilio Herrera
Gundachandru
Héctor Daniel Cabrera
Jake Li
Jérôme Fenal
Josef Hruška
Manuela Silva
Marco Aurélio Krause
Martin Bašti
Martin Kosek
Martin Liu
Olesya Gerasimenko
Omar Berroterán S.
Paul Ritter
Pavel Borecki
Pavel Vomacka
Piotr Drąg
Robert Antoni Buj Gelonch
Sankarshan Mukhopadhyay
Teguh DC
Tomas Babej
Yuri Chornoivan
Zdenek
zhenglei
Wiki, Solution and Idea Contributors:
James Hogarth


@ -13,30 +13,8 @@ endif
IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython
PYTHON_SUBDIRS = $(IPACLIENT_SUBDIRS) $(IPATESTS_SUBDIRS) $(IPASERVER_SUBDIRS)
PYTHON_SCRIPT_SUBDIRS = \
$(top_builddir) \
$(top_builddir)/client \
$(top_builddir)/daemons/dnssec \
$(top_builddir)/install/certmonger \
$(top_builddir)/install/oddjob \
$(top_builddir)/install/restart_scripts \
$(top_builddir)/install/tools \
$(NULL)
AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure
IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
SUBDIRS = \
asn1 \
util \
client \
contrib \
po \
pypi \
selinux \
$(PYTHON_SUBDIRS) \
$(SERVER_SUBDIRS) \
$(NULL)
SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
GENERATED_PYTHON_FILES = \
$(top_builddir)/ipaplatform/override.py \
@ -101,8 +79,6 @@ clean-local:
rm -rf "$(top_builddir)/.tox"
rm -rf "$(top_srcdir)/__pycache__"
rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
rm -rf "$(top_srcdir)/cov-int"
rm -f "$(top_srcdir)/freeipa.tgz"
# convenience targets for RPM build
.PHONY: rpmroot rpmdistdir version-update _dist-version-bakein _rpms-prep \
@ -193,7 +169,7 @@ endif WITH_PYLINT
if WITH_JSLINT
JSLINT_TARGET = jslint
endif WITH_JSLINT
lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET) rpmlint yamllint
lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
.PHONY: devcheck
devcheck: all
@ -206,21 +182,39 @@ endif
if ! WITH_JSLINT
@echo "ERROR: jslint not available"; exit 1
endif
if ! WITH_PYTHON2
@echo "ERROR: python2 not available"; exit 1
endif
@ # run all linters, tests, and check with Python 2
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON2) ipatests/ipa-run-tests \
--ipaclient-unittests
$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
if WITH_PYTHON3
@ # just tests, aci, api and pylint on Python 3
PATH=$(abspath ipatests):$$PATH PYTHONPATH=$(abspath $(top_srcdir)) \
$(PYTHON) ipatests/ipa-run-tests --ipaclient-unittests
$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint pylint jslint rpmlint yamllint check
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
--ipaclient-unittests
$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) acilint apilint polint pylint jslint check
else
@echo "WARNING: python3 not available"
endif
@echo "All tests passed."
.PHONY: fastcheck fasttest fastlint
fastcheck:
@$(MAKE) -j1 $(AM_MAKEFLAGS) fastlint rpmlint yamllint fasttest apilint acilint
if WITH_PYTHON2
@$(MAKE) -j1 $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) \
fastlint fasttest apilint acilint
endif
if WITH_PYTHON3
@$(MAKE) -j1 $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) \
fastlint fasttest apilint acilint
endif
fasttest: $(GENERATED_PYTHON_FILES) ipasetup.py
@ # --ignore doubles speed of total test run compared to pytest.skip()
@ # on module.
PATH=$(abspath ipatests):$$PATH PYTHONPATH=$(abspath $(top_srcdir)) \
$(PYTHON) ipatests/ipa-run-tests \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
--skip-ipaapi \
--ignore $(abspath $(top_srcdir))/ipatests/test_integration \
--ignore $(abspath $(top_srcdir))/ipatests/test_xmlrpc
@ -232,19 +226,8 @@ endif
@echo "Fast linting with $(PYTHON) from branch '$(GIT_BRANCH)'"
@MERGEBASE=$$(git merge-base --fork-point $(GIT_BRANCH)); \
PYFILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
| grep -E '\.py$$' ); \
INFILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
| grep -E '\.in$$' \
| xargs -n1 file 2>/dev/null | grep Python \
| cut -d':' -f1; ); \
if [ -n "$${PYFILES}" ] && [ -n "$${INFILES}" ]; then \
FILES="$$( printf $${PYFILES}\\n$${INFILES} )" ; \
elif [ -n "$${PYFILES}" ]; then \
FILES="$${PYFILES}" ; \
else \
FILES="$${INFILES}" ; \
fi ; \
FILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
| grep -E '\.py$$'); \
if [ -n "$${FILES}" ]; then \
echo -e "Fast linting files:\n$${FILES}\n"; \
echo "pycodestyle"; \
@ -272,61 +255,17 @@ $(top_builddir)/ipapython/version.py:
.PHONY: acilint
acilint: $(GENERATED_PYTHON_FILES)
cd $(srcdir); \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ./makeaci --validate
.PHONY: aci
aci: $(GENERATED_PYTHON_FILES)
cd $(srcdir); \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ./makeaci
cd $(srcdir); $(PYTHON) ./makeaci --validate
.PHONY: apilint
apilint: $(GENERATED_PYTHON_FILES)
cd $(srcdir); \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ./makeapi --validate
.PHONY: api
api: $(GENERATED_PYTHON_FILES)
cd $(srcdir); \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ./makeapi
cd $(srcdir); $(PYTHON) ./makeapi --validate
.PHONY: polint
polint:
$(MAKE) -C $(srcdir)/po PYTHON=$(PYTHON) \
validate-src-strings validate-po test-gettext
.PHONY: rpmlint
rpmlint: freeipa.spec
rpmlint ./$<
# Try to load yml/yaml files via safe_load, which recognizes only standard
# YAML tags and cannot construct an arbitrary Python object.
# There are Jinja yaml templates, which differ from reqular ones. These
# files should be placed on skip list (YAML_TEMPLATE_FILES), otherwise
# safe_load fails.
.PHONY: yamllint
yamllint:
YAML_TEMPLATE_FILES="\
$(top_srcdir)/ipatests/azure/templates/ipa-test-config-template.yaml \
"; \
echo "jinja template files:"; \
for YAML in $${YAML_TEMPLATE_FILES}; do \
echo $${YAML}; \
$(PYTHON) -c "import yaml; f = open('$${YAML}'); yaml.safe_load(f); f.close()" >/dev/null 2>&1 \
&& { echo Unexpected PASS of parsing yaml: $${YAML}. This file is a regular yaml.; exit 1; }; \
done; \
YAML_FILES=`find $(top_srcdir) \
\( -name '*.yaml' -o \
-name '*.yml' \) \
$$(printf '! -path %s ' $${YAML_TEMPLATE_FILES})`; \
echo -e "\nlint yaml files"; \
echo "-----------"; \
for YAML in $${YAML_FILES}; do \
echo $${YAML}; \
$(PYTHON) -c "import yaml; f = open('$${YAML}'); yaml.safe_load(f); f.close()" || { echo Your YAML file: $${YAML} has a wrong syntax or this is a Jinja template. In the latter clause, consider to add your YAML file to the YAML_TEMPLATE_FILES list in Makefile.am.; exit 1; } \
done; \
echo "-----------"
# Run pylint for all python files. Finds all python files/packages, skips
# folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
# *.in, *~. Finally print all python files, including scripts that do not
@ -335,7 +274,9 @@ yamllint:
.PHONY: pylint
if WITH_PYLINT
pylint: $(GENERATED_PYTHON_FILES) ipasetup.py python_scripts
pylint: $(GENERATED_PYTHON_FILES) ipasetup.py
@# build CLI scripts
$(MAKE) -C $(top_builddir)/install/tools
FILES=`find $(top_srcdir) \
-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
-path './rpmbuild' -prune -o \
@ -348,8 +289,7 @@ pylint: $(GENERATED_PYTHON_FILES) ipasetup.py python_scripts
-name '*~' -o \
-name '*.py' -print -o \
-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
FILES=`echo -e "$${FILES}\n$(AZURE_PYTHON_SCRIPT_SUBDIR)"`; \
echo -e "Pylint on $(PYTHON) is running over files:\n$${FILES}\nPlease wait ...\n"; \
echo "Pylint on $(PYTHON) is running, please wait ..."; \
PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
--rcfile=$(top_srcdir)/pylintrc \
--load-plugins pylint_plugins \
@ -443,41 +383,10 @@ python_install:
$(MAKE) $(AM_MAKEFLAGS) -C $${dir} install || exit 1; \
done
.PHONY: python_scripts
python_scripts:
for dir in $(PYTHON_SCRIPT_SUBDIRS); do \
$(MAKE) $(AM_MAKEFLAGS) -C $${dir} python_scripts_sub || exit 1; \
done
.PHONY:
strip-po:
$(MAKE) -C po strip-po
.PHONY: cov-scan
cov-scan:
$(MAKE) clean
@# analyse C code with workaround for missing _Float types
@# https://stackoverflow.com/questions/50434236/coverity-scan-fails-to-build-stdlib-h-with-gnu-source-defined
cov-build --dir cov-int $(MAKE) all \
CFLAGS="-D_Float32=float -D_Float32x=double -D_Float64=double -D_Float64x='long double' -D_Float128='long double'"
@# remove build directories and analyse Python
rm -rf ipa*/build
cov-build --dir cov-int --no-command \
$(foreach d,$(PYTHON_SUBDIRS),--fs-capture-search $(d))
@# analyze JS files
cov-build --dir cov-int --no-command --fs-capture-search install/ui
@# compress and upload
tar czvf freeipa.tgz cov-int
if [ -n "$${COVERITY_SCAN_TOKEN}" ]; then \
curl --progress-bar --output /dev/null \
--form token=$${COVERITY_SCAN_TOKEN} \
--form email=scan@mg.freeipa.org \
--form file=@freeipa.tgz \
--form version="$(VERSION)" \
--form description="FreeIPA" \
"https://scan.coverity.com/builds?project=freeipa%2Ffreeipa"; \
fi
PYTHON_SHEBANG = \
ipa \
makeaci \
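Review bot: The `fasttest` recipe hard-codes the interpreter (`PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \`) while `fastcheck` drives it once with `PYTHON=$(PYTHON2)` and once with `PYTHON=$(PYTHON3)`, so the Python 2 pass silently re-runs the unit tests under Python 3 and only `fastlint`, `apilint` and `acilint` actually honour the override. This assumes the `$(PYTHON3)` line is the new side, which the VERSION.m4 drop to 4.7.2 elsewhere in this compare suggests. Using the overridable variable, `PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ipatests/ipa-run-tests \`, makes the two-interpreter `fastcheck` do what its `Fast linting with $(PYTHON)` banner claims. Separately, the `acilint`/`apilint` recipes in the form `cd $(srcdir); $(PYTHON) ./makeaci --validate` no longer export `PYTHONPATH`; that only works because `makeaci`/`makeapi` sit in the source root so their own directory lands first on `sys.path`, and it is worth confirming for out-of-tree builds where the generated `$(top_builddir)/ipaplatform/override.py` listed in `GENERATED_PYTHON_FILES` is not under `$(srcdir)`.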


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -177,8 +177,8 @@ am__recursive_targets = \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir distdir-am dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) \
config.h.in
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \
$(LISP)config.h.in
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
@ -198,9 +198,8 @@ am__define_uniq_tagged_files = \
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = asn1 util client contrib po pypi selinux ipaclient \
ipalib ipaplatform ipapython ipatests ipaserver daemons init \
install
DIST_SUBDIRS = asn1 util client contrib po pypi ipaclient ipalib \
ipaplatform ipapython ipatests ipaserver daemons init install
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
$(top_srcdir)/Makefile.pythonscripts.am ABOUT-NLS COPYING \
compile config.guess config.rpath config.sub install-sh \
@ -304,8 +303,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -348,10 +345,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -372,6 +370,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -459,9 +459,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@ -479,30 +477,8 @@ ACLOCAL_AMFLAGS = -I m4
@WITH_IPATESTS_TRUE@IPATESTS_SUBDIRS = ipatests
IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython
PYTHON_SUBDIRS = $(IPACLIENT_SUBDIRS) $(IPATESTS_SUBDIRS) $(IPASERVER_SUBDIRS)
PYTHON_SCRIPT_SUBDIRS = \
$(top_builddir) \
$(top_builddir)/client \
$(top_builddir)/daemons/dnssec \
$(top_builddir)/install/certmonger \
$(top_builddir)/install/oddjob \
$(top_builddir)/install/restart_scripts \
$(top_builddir)/install/tools \
$(NULL)
AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure
IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
SUBDIRS = \
asn1 \
util \
client \
contrib \
po \
pypi \
selinux \
$(PYTHON_SUBDIRS) \
$(SERVER_SUBDIRS) \
$(NULL)
SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
GENERATED_PYTHON_FILES = \
$(top_builddir)/ipaplatform/override.py \
$(top_builddir)/ipapython/version.py \
@ -861,10 +837,6 @@ dist-xz: distdir
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
dist-zstd: distdir
tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst
$(am__post_remove_distdir)
dist-tarZ: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@ -907,8 +879,6 @@ distcheck: dist
eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
*.zip*) \
unzip $(distdir).zip ;;\
*.tar.zst*) \
zstd -dc $(distdir).tar.zst | $(am__untar) ;;\
esac
chmod -R a-w $(distdir)
chmod u+w $(distdir)
@ -1091,8 +1061,8 @@ uninstall-am: uninstall-nodist_binSCRIPTS
am--refresh check check-am clean clean-cscope clean-generic \
clean-libtool clean-local cscope cscopelist-am ctags ctags-am \
dist dist-all dist-bzip2 dist-gzip dist-hook dist-lzip \
dist-shar dist-tarZ dist-xz dist-zip dist-zstd distcheck \
distclean distclean-generic distclean-hdr distclean-libtool \
dist-shar dist-tarZ dist-xz dist-zip distcheck distclean \
distclean-generic distclean-hdr distclean-libtool \
distclean-tags distcleancheck distdir distuninstallcheck dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-dvi install-dvi-am \
@ -1124,8 +1094,6 @@ clean-local:
rm -rf "$(top_builddir)/.tox"
rm -rf "$(top_srcdir)/__pycache__"
rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
rm -rf "$(top_srcdir)/cov-int"
rm -f "$(top_srcdir)/freeipa.tgz"
# convenience targets for RPM build
.PHONY: rpmroot rpmdistdir version-update _dist-version-bakein _rpms-prep \
@ -1199,28 +1167,37 @@ lite-server: $(GENERATED_PYTHON_FILES)
contrib/lite-server.py $(LITESERVER_ARGS)
.PHONY: lint
lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET) rpmlint yamllint
lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
.PHONY: devcheck
devcheck: all
@WITH_POLINT_FALSE@ @echo "ERROR: polint not available"; exit 1
@WITH_PYLINT_FALSE@ @echo "ERROR: pylint not available"; exit 1
@WITH_JSLINT_FALSE@ @echo "ERROR: jslint not available"; exit 1
@ # just tests, aci, api and pylint on Python 3
PATH=$(abspath ipatests):$$PATH PYTHONPATH=$(abspath $(top_srcdir)) \
$(PYTHON) ipatests/ipa-run-tests --ipaclient-unittests
$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint pylint jslint rpmlint yamllint check
@WITH_PYTHON2_FALSE@ @echo "ERROR: python2 not available"; exit 1
@ # run all linters, tests, and check with Python 2
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON2) ipatests/ipa-run-tests \
--ipaclient-unittests
$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
@WITH_PYTHON3_TRUE@ @ # just tests, aci, api and pylint on Python 3
@WITH_PYTHON3_TRUE@ PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
@WITH_PYTHON3_TRUE@ --ipaclient-unittests
@WITH_PYTHON3_TRUE@ $(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) acilint apilint polint pylint jslint check
@WITH_PYTHON3_FALSE@ @echo "WARNING: python3 not available"
@echo "All tests passed."
.PHONY: fastcheck fasttest fastlint
fastcheck:
@$(MAKE) -j1 $(AM_MAKEFLAGS) fastlint rpmlint yamllint fasttest apilint acilint
@WITH_PYTHON2_TRUE@ @$(MAKE) -j1 $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) \
@WITH_PYTHON2_TRUE@ fastlint fasttest apilint acilint
@WITH_PYTHON3_TRUE@ @$(MAKE) -j1 $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) \
@WITH_PYTHON3_TRUE@ fastlint fasttest apilint acilint
fasttest: $(GENERATED_PYTHON_FILES) ipasetup.py
@ # --ignore doubles speed of total test run compared to pytest.skip()
@ # on module.
PATH=$(abspath ipatests):$$PATH PYTHONPATH=$(abspath $(top_srcdir)) \
$(PYTHON) ipatests/ipa-run-tests \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
--skip-ipaapi \
--ignore $(abspath $(top_srcdir))/ipatests/test_integration \
--ignore $(abspath $(top_srcdir))/ipatests/test_xmlrpc
@ -1230,19 +1207,8 @@ fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py
@echo "Fast linting with $(PYTHON) from branch '$(GIT_BRANCH)'"
@MERGEBASE=$$(git merge-base --fork-point $(GIT_BRANCH)); \
PYFILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
| grep -E '\.py$$' ); \
INFILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
| grep -E '\.in$$' \
| xargs -n1 file 2>/dev/null | grep Python \
| cut -d':' -f1; ); \
if [ -n "$${PYFILES}" ] && [ -n "$${INFILES}" ]; then \
FILES="$$( printf $${PYFILES}\\n$${INFILES} )" ; \
elif [ -n "$${PYFILES}" ]; then \
FILES="$${PYFILES}" ; \
else \
FILES="$${INFILES}" ; \
fi ; \
FILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
| grep -E '\.py$$'); \
if [ -n "$${FILES}" ]; then \
echo -e "Fast linting files:\n$${FILES}\n"; \
echo "pycodestyle"; \
@ -1269,61 +1235,17 @@ $(top_builddir)/ipapython/version.py:
.PHONY: acilint
acilint: $(GENERATED_PYTHON_FILES)
cd $(srcdir); \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ./makeaci --validate
.PHONY: aci
aci: $(GENERATED_PYTHON_FILES)
cd $(srcdir); \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ./makeaci
cd $(srcdir); $(PYTHON) ./makeaci --validate
.PHONY: apilint
apilint: $(GENERATED_PYTHON_FILES)
cd $(srcdir); \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ./makeapi --validate
.PHONY: api
api: $(GENERATED_PYTHON_FILES)
cd $(srcdir); \
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) ./makeapi
cd $(srcdir); $(PYTHON) ./makeapi --validate
.PHONY: polint
polint:
$(MAKE) -C $(srcdir)/po PYTHON=$(PYTHON) \
validate-src-strings validate-po test-gettext
.PHONY: rpmlint
rpmlint: freeipa.spec
rpmlint ./$<
# Try to load yml/yaml files via safe_load, which recognizes only standard
# YAML tags and cannot construct an arbitrary Python object.
# There are Jinja yaml templates, which differ from reqular ones. These
# files should be placed on skip list (YAML_TEMPLATE_FILES), otherwise
# safe_load fails.
.PHONY: yamllint
yamllint:
YAML_TEMPLATE_FILES="\
$(top_srcdir)/ipatests/azure/templates/ipa-test-config-template.yaml \
"; \
echo "jinja template files:"; \
for YAML in $${YAML_TEMPLATE_FILES}; do \
echo $${YAML}; \
$(PYTHON) -c "import yaml; f = open('$${YAML}'); yaml.safe_load(f); f.close()" >/dev/null 2>&1 \
&& { echo Unexpected PASS of parsing yaml: $${YAML}. This file is a regular yaml.; exit 1; }; \
done; \
YAML_FILES=`find $(top_srcdir) \
\( -name '*.yaml' -o \
-name '*.yml' \) \
$$(printf '! -path %s ' $${YAML_TEMPLATE_FILES})`; \
echo -e "\nlint yaml files"; \
echo "-----------"; \
for YAML in $${YAML_FILES}; do \
echo $${YAML}; \
$(PYTHON) -c "import yaml; f = open('$${YAML}'); yaml.safe_load(f); f.close()" || { echo Your YAML file: $${YAML} has a wrong syntax or this is a Jinja template. In the latter clause, consider to add your YAML file to the YAML_TEMPLATE_FILES list in Makefile.am.; exit 1; } \
done; \
echo "-----------"
# Run pylint for all python files. Finds all python files/packages, skips
# folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
# *.in, *~. Finally print all python files, including scripts that do not
@ -1331,7 +1253,9 @@ yamllint:
.PHONY: pylint
@WITH_PYLINT_TRUE@pylint: $(GENERATED_PYTHON_FILES) ipasetup.py python_scripts
@WITH_PYLINT_TRUE@pylint: $(GENERATED_PYTHON_FILES) ipasetup.py
@WITH_PYLINT_TRUE@ @# build CLI scripts
@WITH_PYLINT_TRUE@ $(MAKE) -C $(top_builddir)/install/tools
@WITH_PYLINT_TRUE@ FILES=`find $(top_srcdir) \
@WITH_PYLINT_TRUE@ -type d -exec test -e '{}/__init__.py' \; -print -prune -o \
@WITH_PYLINT_TRUE@ -path './rpmbuild' -prune -o \
@ -1344,8 +1268,7 @@ yamllint:
@WITH_PYLINT_TRUE@ -name '*~' -o \
@WITH_PYLINT_TRUE@ -name '*.py' -print -o \
@WITH_PYLINT_TRUE@ -type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
@WITH_PYLINT_TRUE@ FILES=`echo -e "$${FILES}\n$(AZURE_PYTHON_SCRIPT_SUBDIR)"`; \
@WITH_PYLINT_TRUE@ echo -e "Pylint on $(PYTHON) is running over files:\n$${FILES}\nPlease wait ...\n"; \
@WITH_PYLINT_TRUE@ echo "Pylint on $(PYTHON) is running, please wait ..."; \
@WITH_PYLINT_TRUE@ PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
@WITH_PYLINT_TRUE@ --rcfile=$(top_srcdir)/pylintrc \
@WITH_PYLINT_TRUE@ --load-plugins pylint_plugins \
@ -1430,49 +1353,15 @@ python_install:
$(MAKE) $(AM_MAKEFLAGS) -C $${dir} install || exit 1; \
done
.PHONY: python_scripts
python_scripts:
for dir in $(PYTHON_SCRIPT_SUBDIRS); do \
$(MAKE) $(AM_MAKEFLAGS) -C $${dir} python_scripts_sub || exit 1; \
done
.PHONY:
strip-po:
$(MAKE) -C po strip-po
.PHONY: cov-scan
cov-scan:
$(MAKE) clean
@# analyse C code with workaround for missing _Float types
@# https://stackoverflow.com/questions/50434236/coverity-scan-fails-to-build-stdlib-h-with-gnu-source-defined
cov-build --dir cov-int $(MAKE) all \
CFLAGS="-D_Float32=float -D_Float32x=double -D_Float64=double -D_Float64x='long double' -D_Float128='long double'"
@# remove build directories and analyse Python
rm -rf ipa*/build
cov-build --dir cov-int --no-command \
$(foreach d,$(PYTHON_SUBDIRS),--fs-capture-search $(d))
@# analyze JS files
cov-build --dir cov-int --no-command --fs-capture-search install/ui
@# compress and upload
tar czvf freeipa.tgz cov-int
if [ -n "$${COVERITY_SCAN_TOKEN}" ]; then \
curl --progress-bar --output /dev/null \
--form token=$${COVERITY_SCAN_TOKEN} \
--form email=scan@mg.freeipa.org \
--form file=@freeipa.tgz \
--form version="$(VERSION)" \
--form description="FreeIPA" \
"https://scan.coverity.com/builds?project=freeipa%2Ffreeipa"; \
fi
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@ -1,7 +1,4 @@
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
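Review bot: The shebang substitution `$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@` weakens the interpreter hardening of the `#!$(PYTHON) -I` line it replaces, assuming (as the VERSION.m4 drop to 4.7.2 in this compare suggests) the `-E` form is the new side. `-E` only makes Python ignore `PYTHON*` environment variables, whereas `-I` additionally implies `-s` (no user site-packages) and keeps the script's own directory off `sys.path`, which is what stops a generated CLI script that is typically run as root from importing a module planted in `~/.local/lib/python*/site-packages` or beside the script. Since the new side also reinstates Python 2 builds (`WITH_PYTHON2` in the Makefile.am `devcheck` target) and `-I` is Python 3.4+ only, the portable choice accepted by both interpreters is `#!$(PYTHON) -Es`, i.e. `sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -Es|g'`. The `$(PYTHON_SHEBANG)` list this rule expands is defined outside this file (its tail is visible at the end of the Makefile.am section).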


@ -75,5 +75,5 @@ Please see the file called COPYING.
https://pagure.io/freeipa/issues
* If you want to participate in actively developing IPA please
subscribe to the freeipa-devel mailing list at
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/ or join
https://www.redhat.com/mailman/listinfo/freeipa-devel/ or join
us in IRC at <irc://irc.freenode.net/freeipa>


@ -20,17 +20,14 @@
# -> "1.0.0" #
########################################################
define(IPA_VERSION_MAJOR, 4)
define(IPA_VERSION_MINOR, 8)
define(IPA_VERSION_RELEASE, 10)
define(IPA_VERSION_MINOR, 7)
define(IPA_VERSION_RELEASE, 2)
########################################################
# For 'pre' releases the version will be #
# #
# <MAJOR>.<MINOR>.<RELEASE><PRE_RELEASE> #
# #
# pre releases start with RELEASE 90. After pre1 has #
# been released, RELEASE is bumpled to 91, and so on #
# #
# e.g. define(IPA_VERSION_PRE_RELEASE, rc1) #
# -> "1.0.0rc1" #
########################################################
@ -86,8 +83,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
define(IPA_API_VERSION_MINOR, 239)
# Last change: allow ID overrides for users to be members of groups and roles
define(IPA_API_VERSION_MINOR, 230)
# Last change: Added `automember-find-orphans' command
########################################################

52
aclocal.m4 vendored

@ -1,6 +1,6 @@
# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -364,7 +364,7 @@ AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
[AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])])
])dnl PKG_HAVE_DEFINE_WITH_MODULES
# Copyright (C) 2002-2020 Free Software Foundation, Inc.
# Copyright (C) 2002-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -379,7 +379,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.16'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
m4_if([$1], [1.16.2], [],
m4_if([$1], [1.16.1], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])
@ -395,14 +395,14 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.16.2])dnl
[AM_AUTOMAKE_VERSION([1.16.1])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# AM_AUX_DIR_EXPAND -*- Autoconf -*-
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -454,7 +454,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd`
# AM_COND_IF -*- Autoconf -*-
# Copyright (C) 2008-2020 Free Software Foundation, Inc.
# Copyright (C) 2008-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -491,7 +491,7 @@ fi[]dnl
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2020 Free Software Foundation, Inc.
# Copyright (C) 1997-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -522,7 +522,7 @@ AC_CONFIG_COMMANDS_PRE(
Usually this means the macro was only invoked conditionally.]])
fi])])
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -713,7 +713,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl
# Generate code to set up dependency tracking. -*- Autoconf -*-
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -752,9 +752,7 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
done
if test $am_rc -ne 0; then
AC_MSG_FAILURE([Something went wrong bootstrapping makefile fragments
for automatic dependency tracking. If GNU make was not used, consider
re-running the configure script with MAKE="gmake" (or whatever is
necessary). You can also try re-running configure with the
for automatic dependency tracking. Try re-running configure with the
'--disable-dependency-tracking' option to at least be able to build
the package (albeit without support for automatic dependency tracking).])
fi
@ -781,7 +779,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
# Do all the work for Automake. -*- Autoconf -*-
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -978,7 +976,7 @@ for _am_header in $config_headers :; do
done
echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -999,7 +997,7 @@ if test x"${install_sh+set}" != xset; then
fi
AC_SUBST([install_sh])])
# Copyright (C) 2003-2020 Free Software Foundation, Inc.
# Copyright (C) 2003-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1020,7 +1018,7 @@ AC_SUBST([am__leading_dot])])
# Check to see how 'make' treats includes. -*- Autoconf -*-
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1063,7 +1061,7 @@ AC_SUBST([am__quote])])
# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-
# Copyright (C) 1997-2020 Free Software Foundation, Inc.
# Copyright (C) 1997-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1102,7 +1100,7 @@ fi
# Helper functions for option handling. -*- Autoconf -*-
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1131,7 +1129,7 @@ AC_DEFUN([_AM_SET_OPTIONS],
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1178,7 +1176,7 @@ AC_LANG_POP([C])])
# For backward compatibility.
AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1416,7 +1414,7 @@ for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[[i]]
sys.exit(sys.hexversion < minverhex)"
AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])])
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1435,7 +1433,7 @@ AC_DEFUN([AM_RUN_LOG],
# Check to make sure that the build environment is sane. -*- Autoconf -*-
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1516,7 +1514,7 @@ AC_CONFIG_COMMANDS_PRE(
rm -f conftest.file
])
# Copyright (C) 2009-2020 Free Software Foundation, Inc.
# Copyright (C) 2009-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1576,7 +1574,7 @@ AC_SUBST([AM_BACKSLASH])dnl
_AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
])
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1604,7 +1602,7 @@ fi
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])])
# Copyright (C) 2006-2020 Free Software Foundation, Inc.
# Copyright (C) 2006-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1623,7 +1621,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
# Check how to create a tarball. -*- Autoconf -*-
# Copyright (C) 2004-2020 Free Software Foundation, Inc.
# Copyright (C) 2004-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -279,8 +279,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -323,10 +321,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -347,6 +346,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -434,9 +435,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -259,8 +259,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -303,10 +301,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -327,6 +326,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -414,9 +415,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -43,8 +43,6 @@ sbin_SCRIPTS = \
ipa-certupdate \
ipa-client-automount \
ipa-client-install \
ipa-client-samba \
ipa-epn \
$(NULL)
ipa_getkeytab_SOURCES = \
@ -92,13 +90,9 @@ ipa_join_LDADD = \
$(NULL)
SUBDIRS = \
share \
share \
man \
sysconfig \
systemd \
$(NULL)
# init
noinst_HEADERS = \
ipa-client-common.h
@ -107,8 +101,6 @@ EXTRA_DIST = \
ipa-certupdate.in \
ipa-client-automount.in \
ipa-client-install.in \
ipa-client-samba.in \
ipa-epn.in \
$(NULL)
install-data-hook:


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -344,8 +344,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -388,10 +386,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -412,6 +411,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -499,9 +500,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@ -539,8 +538,6 @@ sbin_SCRIPTS = \
ipa-certupdate \
ipa-client-automount \
ipa-client-install \
ipa-client-samba \
ipa-epn \
$(NULL)
ipa_getkeytab_SOURCES = \
@ -588,13 +585,10 @@ ipa_join_LDADD = \
$(NULL)
SUBDIRS = \
share \
share \
man \
sysconfig \
systemd \
$(NULL)
# init
noinst_HEADERS = \
ipa-client-common.h
@ -602,8 +596,6 @@ EXTRA_DIST = \
ipa-certupdate.in \
ipa-client-automount.in \
ipa-client-install.in \
ipa-client-samba.in \
ipa-epn.in \
$(NULL)
PYTHON_SHEBANG = $(sbin_SCRIPTS)
@ -1092,12 +1084,9 @@ install-data-hook:
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
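Review bot: The shebang substitution on the new side, `sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g'`, starts the installed client tools with only `-E`, whereas the rule it replaces used `#!$(PYTHON) -I`. `-E` ignores `PYTHON*` environment variables but still honours the invoking user's site-packages directory and keeps the script's own directory at the front of `sys.path`, so a module importable from either location would be loaded by a tool that runs as root; `-I` (which implies `-E -s`) closes both. If this was done because `$(PYTHON)` may still resolve to Python 2 (the new side also introduces `PYTHON2`/`PYTHON3` variables), that constraint should be stated in a comment next to the rule, and `-I` kept whenever a 3.4+ interpreter is selected. This is a generated Makefile.in, so the change belongs in the corresponding Makefile.am rule, which is outside this view.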


@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat


@ -1,9 +1,9 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2012, 2019 Red Hat
# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@ -21,7 +21,523 @@
#
# Configure the automount client for ldap.
from ipaclient.install.ipa_client_automount import main
from __future__ import print_function
if __name__ == '__main__':
main()
import logging
import sys
import os
import time
import tempfile
import gssapi
try:
from xml.etree import cElementTree as etree
except ImportError:
from xml.etree import ElementTree as etree
import SSSDConfig
# pylint: disable=import-error
from six.moves.urllib.parse import urlsplit
# pylint: enable=import-error
from optparse import OptionParser # pylint: disable=deprecated-module
from ipaclient.install import ipachangeconf, ipadiscovery
from ipaclient.install.client import (CLIENT_NOT_CONFIGURED,
CLIENT_ALREADY_CONFIGURED)
from ipalib import api, errors
from ipalib.install import sysrestore
from ipalib.install.kinit import kinit_keytab
from ipalib.util import check_client_configuration
from ipapython import ipautil
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython.admintool import ScriptError
logger = logging.getLogger(os.path.basename(__file__))
def parse_options():
usage = "%prog [options]\n"
parser = OptionParser(usage=usage)
parser.add_option("--server", dest="server", help="FQDN of IPA server")
parser.add_option("--location", dest="location", help="Automount location",
default="default")
parser.add_option("-S", "--no-sssd", dest="sssd",
action="store_false", default=True,
help="Do not configure the client to use SSSD for automount")
parser.add_option("--debug", dest="debug", action="store_true",
default=False, help="enable debugging")
parser.add_option("-U", "--unattended", dest="unattended",
action="store_true", default=False,
help="unattended installation never prompts the user")
parser.add_option("--uninstall", dest="uninstall", action="store_true",
default=False, help="Unconfigure automount")
options, args = parser.parse_args()
return options, args
def wait_for_sssd():
"""
It takes a bit for sssd to get going, lets loop until it is
serving data.
This function returns nothing.
"""
n = 0
found = False
time.sleep(1)
while n < 10 and not found:
try:
ipautil.run([paths.GETENT, "passwd", "admin@%s" % api.env.realm])
found = True
except Exception:
time.sleep(1)
n = n + 1
# This should never happen but if it does, may as well warn the user
if not found:
err_msg = ("Unable to find 'admin' user with "
"'getent passwd admin@%s'!" % api.env.realm)
logger.debug('%s', err_msg)
print(err_msg)
print("This may mean that sssd didn't re-start properly after the configuration changes.")
def configure_xml(fstore):
authconf = paths.AUTOFS_LDAP_AUTH_CONF
fstore.backup_file(authconf)
try:
tree = etree.parse(authconf)
except IOError as e:
logger.debug('Unable to open file %s', e)
logger.debug('Creating new from template')
tree = etree.ElementTree(
element=etree.Element('autofs_ldap_sasl_conf')
)
element = tree.getroot()
if element.tag != 'autofs_ldap_sasl_conf':
raise RuntimeError('Invalid XML root in file %s' % authconf)
element.set('usetls', 'no')
element.set('tlsrequired', 'no')
element.set('authrequired', 'yes')
element.set('authtype', 'GSSAPI')
element.set('clientprinc', 'host/%s@%s' % (api.env.host, api.env.realm))
try:
tree.write(authconf, xml_declaration=True, encoding='UTF-8')
except IOError as e:
print("Unable to write %s: %s" % (authconf, e))
else:
print("Configured %s" % authconf)
def configure_nsswitch(fstore, options):
"""
Point automount to ldap in nsswitch.conf. This function is for non-SSSD
setups only
"""
fstore.backup_file(paths.NSSWITCH_CONF)
conf = ipachangeconf.IPAChangeConf("IPA Installer")
conf.setOptionAssignment(':')
nss_value = ' files ldap'
opts = [{'name':'automount', 'type':'option', 'action':'set', 'value':nss_value},
{'name':'empty', 'type':'empty'}]
conf.changeConf(paths.NSSWITCH_CONF, opts)
print("Configured %s" % paths.NSSWITCH_CONF)
def configure_autofs_sssd(fstore, statestore, autodiscover, options):
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
domains = sssdconfig.list_active_domains()
except Exception as e:
sys.exit(e)
try:
sssdconfig.new_service('autofs')
except SSSDConfig.ServiceAlreadyExists:
pass
except SSSDConfig.ServiceNotRecognizedError:
logger.error("Unable to activate the Autofs service in SSSD config.")
logger.info(
"Please make sure you have SSSD built with autofs support "
"installed.")
logger.info(
"Configure autofs support manually in /etc/sssd/sssd.conf.")
sys.exit("Cannot create the autofs service in sssd.conf")
sssdconfig.activate_service('autofs')
domain = None
for name in domains:
domain = sssdconfig.get_domain(name)
try:
provider = domain.get_option('id_provider')
except SSSDConfig.NoOptionError:
continue
if provider == "ipa":
domain.add_provider('ipa', 'autofs')
try:
domain.get_option('ipa_automount_location')
print('An automount location is already configured')
sys.exit(CLIENT_ALREADY_CONFIGURED)
except SSSDConfig.NoOptionError:
domain.set_option('ipa_automount_location', options.location)
break
if domain is None:
sys.exit('SSSD is not configured.')
sssdconfig.save_domain(domain)
sssdconfig.write(paths.SSSD_CONF)
statestore.backup_state('autofs', 'sssd', True)
sssd = services.service('sssd', api)
sssd.restart()
print("Restarting sssd, waiting for it to become available.")
wait_for_sssd()
def configure_autofs(fstore, statestore, autodiscover, server, options):
"""
fstore: the FileStore to back up files in
options.server: the IPA server to use
options.location: the Automount location to use
"""
if not autodiscover:
ldap_uri = "ldap://%s" % server
else:
ldap_uri = "ldap:///%s" % api.env.basedn
search_base = str(DN(('cn', options.location), api.env.container_automount, api.env.basedn))
replacevars = {
'MAP_OBJECT_CLASS': 'automountMap',
'ENTRY_OBJECT_CLASS': 'automount',
'MAP_ATTRIBUTE': 'automountMapName',
'ENTRY_ATTRIBUTE': 'automountKey',
'VALUE_ATTRIBUTE': 'automountInformation',
'SEARCH_BASE': search_base,
'LDAP_URI': ldap_uri,
}
ipautil.backup_config_and_replace_variables(fstore,
paths.SYSCONFIG_AUTOFS, replacevars=replacevars)
tasks.restore_context(paths.SYSCONFIG_AUTOFS)
statestore.backup_state('autofs', 'sssd', False)
print("Configured %s" % paths.SYSCONFIG_AUTOFS)
def configure_autofs_common(fstore, statestore, options):
autofs = services.knownservices.autofs
statestore.backup_state('autofs', 'enabled', autofs.is_enabled())
statestore.backup_state('autofs', 'running', autofs.is_running())
try:
autofs.restart()
print("Started %s" % autofs.service_name)
except Exception as e:
logger.error("%s failed to restart: %s", autofs.service_name, e)
try:
autofs.enable()
except Exception as e:
print("Failed to configure automatic startup of the %s daemon" % (autofs.service_name))
logger.error("Failed to enable automatic startup of the %s daemon: %s",
autofs.service_name, str(e))
def uninstall(fstore, statestore):
RESTORE_FILES=[
paths.SYSCONFIG_AUTOFS,
paths.NSSWITCH_CONF,
paths.AUTOFS_LDAP_AUTH_CONF,
paths.SYSCONFIG_NFS,
paths.IDMAPD_CONF,
]
STATES=['autofs', 'rpcidmapd', 'rpcgssd']
# automount only touches /etc/nsswitch.conf if LDAP is
# used. Don't restore it otherwise.
if (statestore.get_state('authconfig', 'sssd') or
(statestore.get_state('authselect', 'profile') == 'sssd')):
RESTORE_FILES.remove(paths.NSSWITCH_CONF)
if (not any(fstore.has_file(f) for f in RESTORE_FILES) or
not any(statestore.has_state(s) for s in STATES)):
print("IPA automount is not configured on this system")
return CLIENT_NOT_CONFIGURED
print("Restoring configuration")
for filepath in RESTORE_FILES:
if fstore.has_file(filepath):
fstore.restore_file(filepath)
if statestore.has_state('autofs'):
enabled = statestore.restore_state('autofs', 'enabled')
running = statestore.restore_state('autofs', 'running')
sssd = statestore.restore_state('autofs', 'sssd')
autofs = services.knownservices.autofs
if not enabled:
autofs.disable()
if not running:
autofs.stop()
if sssd:
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
sssdconfig.deactivate_service('autofs')
domains = sssdconfig.list_active_domains()
for name in domains:
domain = sssdconfig.get_domain(name)
try:
provider = domain.get_option('id_provider')
except SSSDConfig.NoOptionError:
continue
if provider == "ipa":
domain.remove_option('ipa_automount_location')
domain.remove_provider('autofs')
break
sssdconfig.save_domain(domain)
sssdconfig.write(paths.SSSD_CONF)
sssd = services.service('sssd', api)
sssd.restart()
wait_for_sssd()
except Exception as e:
print('Unable to restore SSSD configuration: %s' % str(e))
logger.debug('Unable to restore SSSD configuration: %s',
str(e))
if statestore.has_state('rpcidmapd'):
enabled = statestore.restore_state('rpcidmapd', 'enabled')
running = statestore.restore_state('rpcidmapd', 'running')
rpcidmapd = services.knownservices.rpcidmapd
if not enabled:
rpcidmapd.disable()
if not running:
rpcidmapd.stop()
if statestore.has_state('rpcgssd'):
enabled = statestore.restore_state('rpcgssd', 'enabled')
running = statestore.restore_state('rpcgssd', 'running')
rpcgssd = services.knownservices.rpcgssd
if not enabled:
rpcgssd.disable()
if not running:
rpcgssd.stop()
return 0
def configure_nfs(fstore, statestore):
"""
Configure secure NFS
"""
replacevars = {
constants.SECURE_NFS_VAR: 'yes',
}
ipautil.backup_config_and_replace_variables(fstore,
paths.SYSCONFIG_NFS, replacevars=replacevars)
tasks.restore_context(paths.SYSCONFIG_NFS)
print("Configured %s" % paths.SYSCONFIG_NFS)
# Prepare the changes
# We need to use IPAChangeConf as simple regexp substitution
# does not cut it here
conf = ipachangeconf.IPAChangeConf("IPA automount installer")
conf.case_insensitive_sections = False
conf.setOptionAssignment(" = ")
conf.setSectionNameDelimiters(("[", "]"))
changes = [conf.setOption('Domain', api.env.domain)]
section_with_changes = [conf.setSection('General', changes)]
# Backup the file and apply the changes
fstore.backup_file(paths.IDMAPD_CONF)
conf.changeConf(paths.IDMAPD_CONF, section_with_changes)
tasks.restore_context(paths.IDMAPD_CONF)
print("Configured %s" % paths.IDMAPD_CONF)
rpcidmapd = services.knownservices.rpcidmapd
statestore.backup_state('rpcidmapd', 'enabled', rpcidmapd.is_enabled())
statestore.backup_state('rpcidmapd', 'running', rpcidmapd.is_running())
try:
rpcidmapd.restart()
print("Started %s" % rpcidmapd.service_name)
except Exception as e:
logger.error("%s failed to restart: %s", rpcidmapd.service_name, e)
try:
rpcidmapd.enable()
except Exception as e:
print("Failed to configure automatic startup of the %s daemon" % (rpcidmapd.service_name))
logger.error("Failed to enable automatic startup of the %s daemon: %s",
rpcidmapd.service_name, str(e))
rpcgssd = services.knownservices.rpcgssd
statestore.backup_state('rpcgssd', 'enabled', rpcgssd.is_enabled())
statestore.backup_state('rpcgssd', 'running', rpcgssd.is_running())
try:
rpcgssd.restart()
print("Started %s" % rpcgssd.service_name)
except Exception as e:
logger.error("%s failed to restart: %s", rpcgssd.service_name, e)
try:
rpcgssd.enable()
except Exception as e:
print("Failed to configure automatic startup of the %s daemon" % (rpcgssd.service_name))
logger.error("Failed to enable automatic startup of the %s daemon: %s",
rpcgssd.service_name, str(e))
def main():
try:
check_client_configuration()
except ScriptError as e:
print(e.msg)
sys.exit(e.rval)
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
options, _args = parse_options()
standard_logging_setup(
paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
filemode='a', console_format='%(message)s')
cfg = dict(
context='cli_installer',
confdir=paths.ETC_IPA,
in_server=False,
debug=options.debug,
verbose=0,
)
# Bootstrap API early so that env object is available
api.bootstrap(**cfg)
if options.uninstall:
return uninstall(fstore, statestore)
ca_cert_path = None
if os.path.exists(paths.IPA_CA_CRT):
ca_cert_path = paths.IPA_CA_CRT
if statestore.has_state('autofs'):
print('An automount location is already configured')
sys.exit(CLIENT_ALREADY_CONFIGURED)
autodiscover = False
ds = ipadiscovery.IPADiscovery()
if not options.server:
print("Searching for IPA server...")
ret = ds.search(ca_cert_path=ca_cert_path)
logger.debug('Executing DNS discovery')
if ret == ipadiscovery.NO_LDAP_SERVER:
logger.debug('Autodiscovery did not find LDAP server')
s = urlsplit(api.env.xmlrpc_uri)
server = [s.netloc]
logger.debug('Setting server to %s', s.netloc)
else:
autodiscover = True
if not ds.servers:
sys.exit('Autodiscovery was successful but didn\'t return a server')
logger.debug('Autodiscovery success, possible servers %s',
','.join(ds.servers))
server = ds.servers[0]
else:
server = options.server
logger.debug("Verifying that %s is an IPA server", server)
ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
print("Anonymous access to the LDAP server is disabled.")
print("Proceeding without strict verification.")
print("Note: This is not an error if anonymous access has been explicitly restricted.")
elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
logger.warning("Unencrypted access to LDAP is not supported.")
elif ldapret[0] != 0:
sys.exit('Unable to confirm that %s is an IPA server' % server)
if not autodiscover:
print("IPA server: %s" % server)
logger.debug('Using fixed server %s', server)
else:
print("IPA server: DNS discovery")
logger.debug('Configuring to use DNS discovery')
print("Location: %s" % options.location)
logger.debug('Using automount location %s', options.location)
ccache_dir = tempfile.mkdtemp()
ccache_name = os.path.join(ccache_dir, 'ccache')
try:
try:
host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
os.environ['KRB5CCNAME'] = ccache_name
except gssapi.exceptions.GSSError as e:
sys.exit("Failed to obtain host TGT: %s" % e)
# Finalize API when TGT obtained using host keytab exists
api.finalize()
# Now we have a TGT, connect to IPA
try:
api.Backend.rpcclient.connect()
except errors.KerberosError as e:
sys.exit('Cannot connect to the server due to ' + str(e))
try:
# Use the RPC directly so older servers are supported
api.Backend.rpcclient.forward(
'automountlocation_show',
ipautil.fsdecode(options.location),
version=u'2.0',
)
except errors.VersionError as e:
sys.exit('This client is incompatible: ' + str(e))
except errors.NotFound:
sys.exit("Automount location '%s' does not exist" % options.location)
except errors.PublicError as e:
sys.exit("Cannot connect to the server due to generic error: %s" % str(e))
finally:
os.remove(ccache_name)
os.rmdir(ccache_dir)
if not options.unattended and not ipautil.user_input("Continue to configure the system with these values?", False):
sys.exit("Installation aborted")
try:
if not options.sssd:
configure_nsswitch(fstore, options)
configure_nfs(fstore, statestore)
if options.sssd:
configure_autofs_sssd(fstore, statestore, autodiscover, options)
else:
configure_xml(fstore)
configure_autofs(fstore, statestore, autodiscover, server, options)
configure_autofs_common(fstore, statestore, options)
except Exception as e:
logger.debug('Raised exception %s', e)
print("Installation failed. Rolling back changes.")
uninstall(fstore, statestore)
return 1
return 0
try:
if not os.geteuid()==0:
sys.exit("\nMust be run as root\n")
sys.exit(main())
except SystemExit as e:
sys.exit(e)
except RuntimeError as e:
sys.exit(e)
except (KeyboardInterrupt, EOFError):
sys.exit(1)
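Review bot: The `finally:` block that ends the host-TGT section of `main()` calls `os.remove(ccache_name)` unconditionally, but when `kinit_keytab()` raises `GSSError` before a credential cache has been written the file does not exist, so the intended `sys.exit("Failed to obtain host TGT: ...")` is replaced by an unhandled `OSError` traceback and the `mkdtemp()` directory is left behind. The same cleanup also leaves `KRB5CCNAME` in the environment pointing at the removed file for the rest of the run, including the service restarts in `configure_autofs_sssd()`. A tolerant cleanup covers both cases: `finally:` / `os.environ.pop('KRB5CCNAME', None)` / `shutil.rmtree(ccache_dir, ignore_errors=True)` (adding `import shutil` to the module imports). Whether the cache file is created before the exception propagates depends on `kinit_keytab`, which lives outside this hunk, so the first point should be confirmed against it.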


@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
# Authors: Simo Sorce <ssorce@redhat.com>
# Karl MacMillan <kmacmillan@mentalrootkit.com>
#


@ -1,21 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
# Configure the Samba suite to operate as domain member in IPA domain
import os
import sys
from ipaclient.install import ipa_client_samba
try:
if not os.geteuid() == 0:
sys.exit("\nMust be run as root\n")
sys.exit(ipa_client_samba.run())
except SystemExit as e:
sys.exit(e)
except RuntimeError as e:
sys.exit(e)
except (KeyboardInterrupt, EOFError):
sys.exit(1)


@ -1,25 +0,0 @@
#!/usr/bin/python3
#
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""This tool prepares then sends email notifications to users
whose passwords are expiring in the near future.
"""
from ipaclient.install.ipa_epn import EPN
EPN.run_cli()


@ -177,6 +177,7 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
const char *mech, const char *ca_cert_file,
LDAP **_ld)
{
char *msg = NULL;
struct berval bv;
LDAP *ld;
int ret;
@ -204,7 +205,7 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
ret = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE,
&bv, NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
ipa_ldap_error(ld, ret, _("Simple bind failed\n"));
fprintf(stderr, _("Simple bind failed\n"));
goto done;
}
} else {
@ -218,7 +219,11 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
}
if (ret != LDAP_SUCCESS) {
ipa_ldap_error(ld, ret, _("SASL Bind failed\n"));
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
#endif
fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
ldap_err2string(ret), ret, msg ? msg : "");
goto done;
}
}
@ -507,7 +512,6 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
if (enctypes) {
ret = ipa_string_to_enctypes(enctypes, &es, &num_es, err_msg);
if (ret || num_es == 0) {
free(es);
return LDAP_OPERATIONS_ERROR;
}
}
@ -555,57 +559,33 @@ done:
return ret;
}
/* Prompt for either a password.
* This can be either asking for a new or existing password.
*
* To set a new password provide values for both prompt1 and prompt2 and
* set match=true to enforce that the two entered passwords match.
*
* To prompt for an existing password provide prompt1 and set match=false.
*
* Implementation details:
* krb5_prompter_posix() does not differentiate between too long entry or
* an entry exactly the size of a buffer. Thus, allocate a bigger buffer
* and do the check for a too long password afterwards.
*/
static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
bool match)
static char *ask_password(krb5_context krbctx)
{
krb5_prompt ap_prompts[2];
krb5_data k5d_pw0;
krb5_data k5d_pw1;
#define MAX(a,b) (((a)>(b))?(a):(b))
#define PWD_BUFFER_SIZE MAX((IPAPWD_PASSWORD_MAX_LEN + 2), 1024)
char pw0[PWD_BUFFER_SIZE];
char pw1[PWD_BUFFER_SIZE];
char pw0[256];
char pw1[256];
char *password;
int num_prompts = match ? 2:1;
k5d_pw0.length = sizeof(pw0);
k5d_pw0.data = pw0;
ap_prompts[0].prompt = prompt1;
ap_prompts[0].prompt = _("New Principal Password");
ap_prompts[0].hidden = 1;
ap_prompts[0].reply = &k5d_pw0;
if (match) {
k5d_pw1.length = sizeof(pw1);
k5d_pw1.data = pw1;
ap_prompts[1].prompt = prompt2;
ap_prompts[1].hidden = 1;
ap_prompts[1].reply = &k5d_pw1;
}
k5d_pw1.length = sizeof(pw1);
k5d_pw1.data = pw1;
ap_prompts[1].prompt = _("Verify Principal Password");
ap_prompts[1].hidden = 1;
ap_prompts[1].reply = &k5d_pw1;
krb5_prompter_posix(krbctx, NULL,
NULL, NULL,
num_prompts, ap_prompts);
2, ap_prompts);
if (match && (strcmp(pw0, pw1))) {
fprintf(stderr, _("Passwords do not match!\n"));
return NULL;
}
if (k5d_pw0.length > IPAPWD_PASSWORD_MAX_LEN) {
fprintf(stderr, "%s\n", ipapwd_password_max_len_errmsg);
if (strcmp(pw0, pw1)) {
fprintf(stderr, _("Passwords do not match!"));
return NULL;
}
@ -692,56 +672,6 @@ int read_ipa_config(struct ipa_config **ipacfg)
return 0;
}
static int resolve_ktname(const char *keytab, char **ktname, char **err_msg)
{
char keytab_resolved[PATH_MAX + 1];
struct stat st;
struct stat lst;
int ret;
*err_msg = NULL;
/* Resolve keytab symlink to support dangling symlinks, see
* https://pagure.io/freeipa/issue/4607. To prevent symlink attacks,
* the symlink is only resolved owned by the current user or by
* root. For simplicity, only one level if indirection is resolved.
*/
if ((stat(keytab, &st) == -1) &&
(errno == ENOENT) &&
(lstat(keytab, &lst) == 0) &&
(S_ISLNK(lst.st_mode))) {
/* keytab is a dangling symlink. */
if (((lst.st_uid == 0) && (lst.st_gid == 0)) ||
((lst.st_uid == geteuid()) && (lst.st_gid == getegid()))) {
/* Either root or current user owns symlink, resolve symlink and
* return the resolved symlink. */
ret = readlink(keytab, keytab_resolved, PATH_MAX + 1);
if ((ret == -1) || (ret > PATH_MAX)) {
*err_msg = _("Failed to resolve symlink to keytab.\n");
return ENOENT;
}
keytab_resolved[ret] = '\0';
ret = asprintf(ktname, "WRFILE:%s", keytab_resolved);
if (ret == -1) {
*err_msg = strerror(errno);
return ENOMEM;
}
return 0;
} else {
*err_msg = _("keytab is a dangling symlink and owned by another "
"user.\n");
return EINVAL;
}
} else {
ret = asprintf(ktname, "WRFILE:%s", keytab);
if (ret == -1) {
*err_msg = strerror(errno);
return ENOMEM;
}
return 0;
}
}
int main(int argc, const char *argv[])
{
static const char *server = NULL;
@ -755,7 +685,6 @@ int main(int argc, const char *argv[])
static const char *ca_cert_file = NULL;
int quiet = 0;
int askpass = 0;
int askbindpw = 0;
int permitted_enctypes = 0;
int retrieve = 0;
struct poptOption options[] = {
@ -783,8 +712,6 @@ int main(int argc, const char *argv[])
_("LDAP DN"), _("DN to bind as if not using kerberos") },
{ "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
_("LDAP password"), _("password to use if not using kerberos") },
{ NULL, 'W', POPT_ARG_NONE, &askbindpw, 0,
_("Prompt for LDAP password"), NULL },
{ "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0,
_("Path to the IPA CA certificate"), _("IPA CA certificate")},
{ "ldapuri", 'H', POPT_ARG_STRING, &ldap_uri, 0,
@ -856,24 +783,9 @@ int main(int argc, const char *argv[])
exit(2);
}
if (askbindpw && bindpw != NULL) {
fprintf(stderr, _("Bind password already provided (-w).\n"));
if (!quiet) {
poptPrintUsage(pc, stderr, 0);
}
exit(2);
}
if (askbindpw) {
bindpw = ask_password(krbctx, _("Enter LDAP password"), NULL, false);
if (!bindpw) {
exit(2);
}
}
if (NULL!=binddn && NULL==bindpw) {
fprintf(stderr,
_("Bind password required when using a bind DN (-w or -W).\n"));
_("Bind password required when using a bind DN.\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
exit(10);
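Review bot: With the `-W` prompt removed, the only way left to satisfy the new check `Bind password required when using a bind DN.` is `-w`/`--bindpw`, a `POPT_ARG_STRING` read from argv, so the host's one-time enrollment password now has to be placed on the command line where it is visible to every local user through the process list and is kept in shell history. If interactive entry is not going to be restored, the option help should at least say so, e.g. `_("password to use if not using kerberos (visible in the process list; prefer Kerberos where possible)")`, and the matching ipa-getkeytab(1) text that presents `-D`/`-w` as the method for this authentication should carry the same caveat. The enclosing main() starts and ends outside this hunk.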
@ -937,8 +849,7 @@ int main(int argc, const char *argv[])
}
if (askpass) {
password = ask_password(krbctx, _("New Principal Password"),
_("Verify Principal Password"), true);
password = ask_password(krbctx);
if (!password) {
exit(2);
}
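Review bot: The one-argument `ask_password(krbctx)` called here can hand back a silently truncated password: the new definition in the earlier hunk reads into fixed `char pw0[256]` / `char pw1[256]` buffers, ignores the return value of `krb5_prompter_posix()`, and its only visible validation is `strcmp(pw0, pw1)`, so an entry longer than the buffer is cut without any message and the keys derived from it will not match what the operator typed (the same typed twice matches after truncation, so the verify prompt does not catch it). The check at this call site only handles NULL; ask_password should refuse an entry that fills its buffer, e.g. `if (k5d_pw0.length >= sizeof(pw0) - 1) { fprintf(stderr, _("Password too long\n")); return NULL; }` — as the comment being removed in the earlier hunk notes, the prompter cannot distinguish an exact fit from an overlong entry, so the bound has to be conservative. main() continues outside this hunk.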
@ -949,6 +860,11 @@ int main(int argc, const char *argv[])
}
}
ret = asprintf(&ktname, "WRFILE:%s", keytab);
if (ret == -1) {
exit(3);
}
krberr = krb5_parse_name(krbctx, principal, &sprinc);
if (krberr) {
fprintf(stderr, _("Invalid Service Principal Name\n"));
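Review bot: `ktname` is now built directly from the user-supplied `keytab` path and handed to the keytab resolver with no check on what that path is; the `resolve_ktname()` helper removed in the earlier hunk existed, per its own comment, to refuse a dangling symlink owned by another user before the keytab is written, and nothing in the new code replaces that, so a root invocation with `-k` pointing into a directory writable by other users will presumably follow whatever symlink is planted there. If the helper is not coming back, this should at least be documented at the `asprintf` line, e.g. `/* NOTE: path is used as-is; a dangling symlink owned by another user is followed. */`. The `exit(3)` on allocation failure is also silent; `fprintf(stderr, "%s\n", strerror(errno)); exit(3);` would name the failure. Whether ktname is freed later is outside this hunk.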
@ -973,12 +889,6 @@ int main(int argc, const char *argv[])
}
}
ret = resolve_ktname(keytab, &ktname, &err_msg);
if (krberr) {
fprintf(stderr, "%s", err_msg);
exit(ret);
}
krberr = krb5_kt_resolve(krbctx, ktname, &kt);
if (krberr) {
fprintf(stderr, _("Failed to open Keytab\n"));
@ -1010,7 +920,6 @@ int main(int argc, const char *argv[])
}
fprintf(stderr, _("Failed to create key material\n"));
free_keys_contents(krbctx, &keys);
exit(8);
}


@ -240,7 +240,7 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw,
NULL, NULL, NULL);
if (*ret != LDAP_SUCCESS) {
ipa_ldap_error(ld, *ret, _("SASL Bind failed\n"));
fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(*ret));
goto fail;
}


@ -7,12 +7,9 @@ dist_man1_MANS = \
ipa-rmkeytab.1 \
ipa-client-install.1 \
ipa-client-automount.1 \
ipa-client-samba.1 \
ipa-certupdate.1 \
ipa-join.1 \
ipa-epn.1 \
ipa.1
dist_man5_MANS = \
default.conf.5 \
epn.conf.5
default.conf.5


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -219,8 +219,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -263,10 +261,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -287,6 +286,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -374,9 +375,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@ -393,15 +392,12 @@ dist_man1_MANS = \
ipa-rmkeytab.1 \
ipa-client-install.1 \
ipa-client-automount.1 \
ipa-client-samba.1 \
ipa-certupdate.1 \
ipa-join.1 \
ipa-epn.1 \
ipa.1
dist_man5_MANS = \
default.conf.5 \
epn.conf.5
default.conf.5
all: all-am


@ -47,14 +47,14 @@ Valid lines consist of an option name, an equals sign and a value. Spaces surrou
Values should not be quoted, the quotes will not be stripped.
.RS L
.DS L
# Wrong \- don't include quotes
verbose = "True"
# Right \- Properly formatted options
verbose = True
verbose=True
.RE
.DE
Options must appear in the section named [global]. There are no other sections defined or used currently.
@ -77,9 +77,6 @@ Specifies the hostname of the dogtag CA server. The default is the hostname of t
.B ca_port <port>
Specifies the insecure CA end user port. The default is 8080.
.TP
.B certmonger_wait_timeout <seconds>
The time to wait for a certmonger request to complete during installation. The default value is 300 seconds.
.TP
.B context <context>
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
.TP
@ -101,9 +98,6 @@ Specifies whether an IPA client should attempt to fall back and try other servic
.B host <hostname>
Specifies the local system hostname.
.TP
.B http_timeout <seconds>
Timeout for HTTP blocking requests (e.g. connection). The default value is 30 seconds.
.TP
.B in_server <boolean>
Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
.TP
@ -152,7 +146,7 @@ will usually need to escape the dot in the logger names by
preceding it with a backslash.
.TP
.B mode <mode>
Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdeveloper\fR. When running in production mode some self\-tests are skipped to improve performance.
Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.
.TP
.B mount_ipa <URI>
Specifies the mount point that the development server will register. The default is /ipa/
@ -166,9 +160,6 @@ Specifies the name of the CA back end to use. The current options are \fBdogtag\
.B realm <realm>
Specifies the Kerberos realm.
.TP
.B replication_wait_timeout <seconds>
The time to wait for a new entry to be replicated during replica installation. The default value is 300 seconds.
.TP
.B server <hostname>
Specifies the IPA Server hostname.
.TP


@ -1,93 +0,0 @@
.\" A man page for epn.conf
.\" Copyright (C) 2020 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@@redhat.com>
.\"
.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
epn.conf \- Expiring Password Notification configuration file
.SH "SYNOPSIS"
/etc/ipa/epn.conf
.SH "DESCRIPTION"
The \fIepn.conf \fRconfiguration file is used to set the options for the ipa-epn tool to notify users of upcoming password expiration.
.SH "SYNTAX"
The configuration options are not case sensitive. The values may be case sensitive, depending on the option.
Blank lines are ignored.
Lines beginning with # are comments and are ignored.
Valid lines consist of an option name, an equals sign and a value. Spaces surrounding equals sign are ignored. An option terminates at the end of a line.
Values should not be quoted, the quotes will not be stripped.
.RS L
# Wrong \- don't include quotes
verbose = "True"
# Right \- Properly formatted options
verbose = True
verbose=True
.RE
Options must appear in the section named [global]. There are no other sections defined or used currently.
Options may be defined that are not used by IPA. Be careful of misspellings, they will not be rejected.
.SH "OPTIONS"
.TP
.B smtp_server\fR <fqdn>
Specifies the SMTP server to use. The default is localhost.
.TP
.B smtp_port <port>
Specifies the SMTP port. The default is 25.
.TP
.B smtp_user <user>
Specifies the id of the user to authenticate with the SMTP server. Default None.
.TP
.B smtp_password <password>
Specifies the password for the authorized user. Default None.
.TP
.B smtp_timeout <seconds>
Specifies the number of seconds to wait for SMTP to respond. Default 60.
.TP
.B smtp_security <security>
Specifies the type of secure connection to make. Options are: none, starttls and ssl. The default is none.
.TP
.B smtp_admin <address>
Specifies the From e-mail address value in the e-mails sent. The default is
root@localhost. Bounces will be sent here.
.TP
.B smtp_delay <milliseconds>
Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. The default is 0.
.TP
.B mail_from <address>
Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
.I ipa config-show
.TP
.B notify_ttls <list of days>
This is the list of days before a password expiration when ipa-epn should notify a user that their password will soon require a reset. If this value is not specified then the default list will be used: 28, 14, 7, 3, 1.
.TP
.B msg_charset <type>
Set the character set of the message. The default is utf8. This will result in he body of the message being base64-encoded.
.TP
.B msg_subtype <type>
Set the message's MIME sub-content type. The default is plain.
.SH "FILES"
.TP
.I /etc/ipa/epn.conf
Configuration file
.SH "SEE ALSO"
.BR ipa-epn (1)


@ -49,25 +49,22 @@ The nsswitch automount service is configured to use either sss or ldap and files
NFSv4 is also configured. The rpc.gssd and rpc.idmapd are started on clients to support Kerberos\-secured mounts.
.SH "OPTIONS"
\fB\-\-server\fR=\fISERVER\fR
Set the FQDN of the IPA server to connect to.
Set the FQDN of the IPA server to connect to
.TP
\fB\-\-location\fR=\fILOCATION\fR
Automount location.
Automount location
.TP
\fB\-S\fR, \fB\-\-no\-sssd\fR
Do not configure the client to use SSSD for automount.
.TP
\fB\-S\fR, \fB\-\-idmap\-domain\fR=\fIIDMAP_DOMAIN\fR
NFS domain for idmapd.conf. If unset, defaults to the IPA domain. If set to DNS, let idmapd or nfsidmap determine the domain from DNS (see idmapd(8) or nfsidmap(5) for details). If set to anything else, set idmapd.conf's Domain entry to that value.
Do not configure the client to use SSSD for automount
.TP
\fB\-d\fR, \fB\-\-debug\fR
Print debugging information to stdout.
Print debugging information to stdout
.TP
\fB\-U\fR, \fB\-\-unattended\fR
Unattended installation. The user will not be prompted.
Unattended installation. The user will not be prompted
.TP
\fB\-\-uninstall\fR
Restore the automount configuration files.
Restore the automount configuration files
.SH "FILES"
.TP


@ -168,8 +168,6 @@ authoritative and will be installed without checking to see if it's
valid for the IPA domain.
.TP
\fB\-\-request\-cert\fR
\fBDEPRECATED:\fR The option is deprecated and will be removed in a future release.
Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
Using this option requires that D-Bus is properly configured or not configured
@ -271,20 +269,6 @@ Files updated, existing content is maintained:
/etc/krb5.keytab
.br
/etc/sysconfig/network
.TP
File updated, existing content is maintained if ssh is configured (default):
/etc/ssh/ssh_config
.TP
File updated, existing content is maintained if sshd is configured (default):
/etc/ssh/sshd_config
.SH "DEPRECATED OPTIONS"
.TP
\fB\-\-request\-cert\fR
.SH "EXIT STATUS"
0 if the installation was successful


@ -1,88 +0,0 @@
.\" A man page for ipa-client-samba
.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-client-samba" "1" "Jun 10 2019" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-client\-samba \- Configure Samba file server on an IPA client
.SH "SYNOPSIS"
ipa\-client\-samba [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures a Samba file server on the client machine to use IPA domain controller for authentication and identity services.
The tool configures Samba file server to be a domain member of IPA domain. Samba file server will use SSSD to resolve information about users and groups, and will use IPA master it is enrolled against as its domain controller.
It is not possible to reconciliate original Samba environment if that was pre-existing on the client with new configuration. Samba databases will be updated to follow IPA domain details and \fBsmb.conf\fR configuration will will be overwritten. It is recommended to enable Samba suite on a freshly deployed IPA client.
.TP
During the configuration process, the tool will perform following steps:
1. Discover details of IPA domain: realm, domain SID, domain ID range
2. Discover details of trusted Actvide Directory domains: domain name, domain SID, domain ID range
3. Create Samba configuration file using the details discovered above.
4. Create Samba Kerberos service using host credentials and fetch its keytab into /etc/samba/samba.keytab. The Kerberos service key is pre-set to a randomly generated value that is shared with Samba.
5. Populate Samba databases by setting the domain details and the randomly generated machine account password from the previous step.
6. Create a default [homes] share to allow users to log in to their home directories unless \-\-no\-homes option was specified.
.TP
The tool does not start nor does it enable Samba file services after the configuration. In order to enable and start Samba file services, one needs to enable both \fBsmb.service\fR and \fBwinbind.service\fR system services. Please check that \fB/etc/samba/smb.conf\fR contains all settings for your use case as starting Samba service will make identity mapping details written into the Samba databases. To enable and start Samba file services at the same time one can use \fBsystemctl enable \-\-now\fR command:
systemctl enable --now smb winbind
.SS "Assumptions"
The ipa\-client\-samba script assumes that the machine has alreaby been enrolled into IPA.
.SS "IPA Master Requirements"
At least one IPA master must hold a \fBTrust Controller\fR role. This can be achieved by running ipa\-adtrust\-install on the IPA master. The utility will configure IPA master to be a domain controller for IPA domain.
IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with FreeIPA 4.8.0 or later release.
.SH "OPTIONS"
.SS "BASIC OPTIONS"
.TP
\fB\-\-server\fR=\fISERVER\fR
Set the FQDN of the IPA server to connect to. Under normal circumstances, this option is not needed as the server to use is discovered automatically.
.TP
\fB\-\-no\-homes\fR
Do not configure a \fB[homes]\fR share by default to allow users to access their home directories.
.TP
\fB\-\-no\-nfs\fR
Do not enable SELinux booleans to allow Samba to re-share NFS shares.
.TP
\fB\-\-netbios-name\fR=\fINETBIOS_NAME\fR
NetBIOS name of this machine. If not provided then this is determined based on the leading component of the hostname.
.TP
\fB\-d\fR, \fB\-\-debug\fR
Print debugging information to stdout
.TP
\fB\-U\fR, \fB\-\-unattended\fR
Unattended installation. The user will not be prompted.
.TP
\fB\-\-uninstall\fR
Revert Samba suite configuration changes and remove SMB service principal. It is not possible to preserve original Samba configuration: while \fBsmb.conf\fR configuration file will be restored, various Samba databases would not be restored. In general, it is not possible to restore full original Samba environment.
.TP
\fB\-\-force\fR
Force through the installation steps even if they were done before
.SH "FILES"
.TP
Files that will be replaced if Samba is configured:
/etc/samba/smb.conf
.br
/etc/samba/samba.keytab
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred
.SH "SEE ALSO"
.BR smb.conf(5),
.BR krb5.conf(5),
.BR sssd.conf(5),
.BR systemctl(1)


@ -1,137 +0,0 @@
.\" A man page for ipa-epn
.\" Copyright (C) 2020 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\"
.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-epn \- Send expiring password nofications
.SH "SYNOPSIS"
ipa\-epn \fR[options\fR]
.SH "DESCRIPTION"
ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case.
It can also be launched daily by its systemd timer.
In this case it will parse its configuration file epn.conf(5) and send an email to users whose passwords are expiring within the defined future date ranges.
See the OPTIONS section below and the epn.conf(5) man page on how to configure the tool.
.SH "OPTIONS"
.TP
\fB\-\-to-nbdays\fR \fI<number of days>\fR
The \-\-to\-nbdays CLI option can be used to determine the number of notifications that would be sent in a given timeframe.
If \fB\-\-from\-nbdays\fR is not specified, ipa\-epn will look within a 24\-hour long time range in <number of days> days.
if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
Together, these two CLI options can be used to determine how many emails would be sent in a specific time in the future.
The \fB\-\-to\-nbdays\fR CLI option implies \fB\-\-dry\-run\fR.
.TP
\fB\-\-from\-nbdays\fR \fI<number of days>\fR
See \fB\-\-to\-nbdays\fR for an explanation. This option must be used in conjonction with \fB\-\-to\-nbdays\fR.
.TP
\fB\-\-dry\-run\fR
The \fB\-\-dry\-run\fR CLI option is intented to test ipa\-epn's configuration.
For instance, if notify_ttls is set to 21, 14, 3, \fB\-\-dry-run\fR would display the list of users whose passwords would expire in 21, 14, and 3 days in the future.
.TP
\fB\-\-mail\-test\fR
The \fB\-\-mail\-test\fR CLI option will send an e-mail to the configured
smtp_admin value in /etc/ipa/epn.conf. Generic values for the substitution
variables are set so this is also useful for testing and configuring the
mail template.
.SH "TEMPLATE"
The template for the e\-mail message is contained in /etc/ipa/epn/expire_msg.template. The following template variables are available.
.TP
User ID: uid
.TP
Full name: fullname
.TP
First name: first
.TP
Last name: Last
.TP
Password expiration date: expiration
.SH "EXAMPLES"
.nf
# date
Sun 12 Apr 2020 06:23:08 AM CEST
# ipa\-epn \-\-dry\-run
[
{
"uid": "user5",
"cn": "user 5",
"krbpasswordexpiration": "2020\-04\-17 15:51:53",
"mail": "['user5@ipa.test']"
}
]
The IPA\-EPN command was successful
# ipa\-epn \-\-to\-nbdays 6 \-\-dry-run
[
{
"uid": "user5",
"cn": "user 5",
"krbpasswordexpiration": "2020\-04\-17 15:51:53",
"mail": "['user5@ipa.test']"
}
]
The IPA\-EPN command was successful
# ipa\-epn \-\-from-nbdays 2 \-\-to-nbdays 6 \-\-dry\-run
[
{
"uid": "user5",
"cn": "user 5",
"krbpasswordexpiration": "2020\-04\-17 15:51:53",
"mail": "['user5@ipa.test']"
}
]
The IPA\-EPN command was successful
# ipa\-epn \-\-from\-nbdays 8 \-\-to\-nbdays 12 \-\-dry\-run
[
{
"uid": "user3",
"cn": "user 5",
"krbpasswordexpiration": "2020\-04\-21 00:00:08",
"mail": "['user3@ipa.test']"
}
]
The IPA\-EPN command was successful
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
.SH "SEE ALSO"
RFE: https://pagure.io/freeipa/issue/3687
Design document: https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md
.SH "KNOWN BUGS"
None yet.
.SH "REPORTING BUGS AND ENHANCEMENT IDEAS"
.nf
Please make sure first the issue is not already reported by searching at https://pagure.io/freeipa/issues. If it is not, file a new issue at https://pagure.io/freeipa/new_issue.


@ -21,7 +21,7 @@
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a Kerberos principal
.SH "SYNOPSIS"
ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB-W\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ]
ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ]
.SH "DESCRIPTION"
Retrieves a Kerberos \fIkeytab\fR.
@ -44,7 +44,7 @@ provided, so the principal name is just the service
name and hostname (ldap/foo.example.com from the
example above).
ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR \fB\-w|\-\-bindpw\fR options are used for this authentication. \fB-W\fR can be used instead of \fB\-w|\-\-bindpw\fR to interactively prompt for the bind password.
ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
This renders all other keytabs for that principal invalid.
@ -69,11 +69,11 @@ Valid values depend on the Kerberos library version and configuration.
Common values are:
aes256\-cts
aes128\-cts
aes256\-sha2
aes128\-sha2
camellia256\-cts\-cmac
camellia128\-cts\-cmac
des3\-hmac\-sha1
arcfour\-hmac
des\-hmac\-sha1
des\-cbc\-md5
des\-cbc\-crc
.TP
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN). If this option is not
@ -88,22 +88,21 @@ This options returns a description of the permitted encryption types, like this:
Supported encryption types:
AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
AES\-128 CTS mode with 128\-bit SHA\-256 HMAC
AES\-256 CTS mode with 192\-bit SHA\-384 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
DES cbc mode with CRC\-32
DES cbc mode with RSA\-MD5
DES cbc mode with RSA\-MD4
.TP
\fB\-P, \-\-password\fR
Use this password for the key instead of one randomly generated. The length of the password is limited by 1024 characters. Note that MIT Kerberos also limits passwords entered through kpasswd and kadmin commands to the same length.
Use this password for the key instead of one randomly generated.
.TP
\fB\-D, \-\-binddn\fR
The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR or \fB\-W\fR options.
The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
.TP
\fB\-w, \-\-bindpw\fR
The LDAP password to use when not binding with Kerberos. \fB\-D\fR and \fB\-w\fR can not be used together with \fB\-Y\fR.
.TP
\fB\-W\fR
Interactive prompt for the bind password. \fB\-D\fR and \fB\-W\fR can not be used together with \fB\-Y\fR
.TP
\fB\-\-cacert\fR
The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections.
Defaults to /etc/ipa/ca.crt
@ -122,10 +121,10 @@ against a FreeIPA server more recent than version 3.3. The user requesting the
keytab must have access to the keys for this operation to succeed.
.SH "EXAMPLES"
Add and retrieve a keytab for the NFS service principal on
the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the aes256\-sha2 key.
the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
.nf
# ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e aes\-sha2
# ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
.fi
Add and retrieve a keytab for the ldap service principal on


@ -3,15 +3,4 @@ NULL =
appdir = $(IPA_DATA_DIR)/client
dist_app_DATA = \
freeipa.template \
sshd_ipa.conf.template \
$(NULL)
epnconfdir = $(IPA_SYSCONF_DIR)
dist_epnconf_DATA = \
epn.conf \
$(NULL)
epntemplatedir = $(IPA_SYSCONF_DIR)/epn
dist_epntemplate_DATA = \
expire_msg.template \
$(NULL)


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -102,7 +102,6 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_app_DATA) \
$(dist_epnconf_DATA) $(dist_epntemplate_DATA) \
$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
@ -154,9 +153,8 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(epnconfdir)" \
"$(DESTDIR)$(epntemplatedir)"
DATA = $(dist_app_DATA) $(dist_epnconf_DATA) $(dist_epntemplate_DATA)
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(dist_app_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@ -217,8 +215,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -261,10 +257,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -285,6 +282,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -372,9 +371,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@ -389,17 +386,6 @@ NULL =
appdir = $(IPA_DATA_DIR)/client
dist_app_DATA = \
freeipa.template \
sshd_ipa.conf.template \
$(NULL)
epnconfdir = $(IPA_SYSCONF_DIR)
dist_epnconf_DATA = \
epn.conf \
$(NULL)
epntemplatedir = $(IPA_SYSCONF_DIR)/epn
dist_epntemplate_DATA = \
expire_msg.template \
$(NULL)
all: all-am
@ -461,48 +447,6 @@ uninstall-dist_appDATA:
@list='$(dist_app_DATA)'; test -n "$(appdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(appdir)'; $(am__uninstall_files_from_dir)
install-dist_epnconfDATA: $(dist_epnconf_DATA)
@$(NORMAL_INSTALL)
@list='$(dist_epnconf_DATA)'; test -n "$(epnconfdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(epnconfdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(epnconfdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(epnconfdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(epnconfdir)" || exit $$?; \
done
uninstall-dist_epnconfDATA:
@$(NORMAL_UNINSTALL)
@list='$(dist_epnconf_DATA)'; test -n "$(epnconfdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(epnconfdir)'; $(am__uninstall_files_from_dir)
install-dist_epntemplateDATA: $(dist_epntemplate_DATA)
@$(NORMAL_INSTALL)
@list='$(dist_epntemplate_DATA)'; test -n "$(epntemplatedir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(epntemplatedir)'"; \
$(MKDIR_P) "$(DESTDIR)$(epntemplatedir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(epntemplatedir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(epntemplatedir)" || exit $$?; \
done
uninstall-dist_epntemplateDATA:
@$(NORMAL_UNINSTALL)
@list='$(dist_epntemplate_DATA)'; test -n "$(epntemplatedir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(epntemplatedir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
@ -547,7 +491,7 @@ check-am: all-am
check: check-am
all-am: Makefile $(DATA)
installdirs:
for dir in "$(DESTDIR)$(appdir)" "$(DESTDIR)$(epnconfdir)" "$(DESTDIR)$(epntemplatedir)"; do \
for dir in "$(DESTDIR)$(appdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@ -600,8 +544,7 @@ info: info-am
info-am:
install-data-am: install-dist_appDATA install-dist_epnconfDATA \
install-dist_epntemplateDATA
install-data-am: install-dist_appDATA
install-dvi: install-dvi-am
@ -645,8 +588,7 @@ ps: ps-am
ps-am:
uninstall-am: uninstall-dist_appDATA uninstall-dist_epnconfDATA \
uninstall-dist_epntemplateDATA
uninstall-am: uninstall-dist_appDATA
.MAKE: install-am install-strip
@ -654,16 +596,14 @@ uninstall-am: uninstall-dist_appDATA uninstall-dist_epnconfDATA \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-dist_appDATA install-dist_epnconfDATA \
install-dist_epntemplateDATA install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs maintainer-clean \
install-dist_appDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-dist_appDATA uninstall-dist_epnconfDATA \
uninstall-dist_epntemplateDATA
uninstall-am uninstall-dist_appDATA
.PRECIOUS: Makefile

@ -1,54 +0,0 @@
# Global IPA-EPN [0] configuration file.
# For a complete explanation of each parameter, see the epn.conf(5)
# manual page.
# For best results, change no more than a single parameter at a time,
# and test if ipa-epn(1) still works as intended, using --dry-run when
# it makes sense.
#
# [0] https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md
[global]
# Specifies the SMTP server to use.
smtp_server = localhost
# Specifies the SMTP port.
smtp_port = 25
# Specifies the id of the user to authenticate with the SMTP server.
# Default None (empty value).
# smtp_user =
# Specifies the password for the authorized user.
# Default None (empty value).
# smtp_password =
# Specifies the number of seconds to wait for SMTP to respond.
smtp_timeout = 60
# Specifies the type of secure connection to make. Options are: none,
# starttls and ssl.
smtp_security = none
# Specifies the From e-mail address value in the e-mails sent. Bounces will
# be sent here.
smtp_admin = root@localhost
# Time to wait, in milliseconds, between each e-mail sent to try to avoid
# overloading the mail queue.
smtp_delay = 0
# Specifies the From: e-mail address value in the e-mails sent.
# The default when unset is noreply@ipadefaultemaildomain.
# This value can be found by running ipa config-show.
# mail_from =
# The list of days before a password expiration when ipa-epn should notify
# a user that their password will soon require a reset.
notify_ttls = 28, 14, 7, 3, 1
# Set the character set of the message.
msg_charset = utf8
# Set the message's MIME sub-content type.
msg_subtype = plain

@ -1,5 +0,0 @@
Hi {{ fullname }},
Your password will expire on {{ expiration }}.
Please change it as soon as possible.

@ -1,8 +0,0 @@
# IPA-related configuration changes to sshd_config
PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
$SSSD_SSHD_OPTIONS

@ -1,8 +0,0 @@
# This file will be processed with automake-1.7 to create Makefile.in
#
AUTOMAKE_OPTIONS = 1.7
dist_sysconfenv_DATA = \
certmonger
CLEANFILES = $(nodist_sysconfenv_DATA)

@ -1,617 +0,0 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = client/sysconfig
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_sysconfenv_DATA) \
$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(sysconfenvdir)"
DATA = $(dist_sysconfenv_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
DIRSRV_LIBS = @DIRSRV_LIBS@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
NDRPAC_LIBS = @NDRPAC_LIBS@
NDR_CFLAGS = @NDR_CFLAGS@
NDR_LIBS = @NDR_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
STRIP = @STRIP@
TALLOC_CFLAGS = @TALLOC_CFLAGS@
TALLOC_LIBS = @TALLOC_LIBS@
TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
krb5rundir = @krb5rundir@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
# This file will be processed with automake-1.7 to create Makefile.in
#
AUTOMAKE_OPTIONS = 1.7
dist_sysconfenv_DATA = \
certmonger
CLEANFILES = $(nodist_sysconfenv_DATA)
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign client/sysconfig/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign client/sysconfig/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-dist_sysconfenvDATA: $(dist_sysconfenv_DATA)
@$(NORMAL_INSTALL)
@list='$(dist_sysconfenv_DATA)'; test -n "$(sysconfenvdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(sysconfenvdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(sysconfenvdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sysconfenvdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(sysconfenvdir)" || exit $$?; \
done
uninstall-dist_sysconfenvDATA:
@$(NORMAL_UNINSTALL)
@list='$(dist_sysconfenv_DATA)'; test -n "$(sysconfenvdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(sysconfenvdir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(DATA)
installdirs:
for dir in "$(DESTDIR)$(sysconfenvdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-dist_sysconfenvDATA
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-dist_sysconfenvDATA
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-dist_sysconfenvDATA install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-dist_sysconfenvDATA
.PRECIOUS: Makefile
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

@ -1 +0,0 @@
OPTS=-d2

@ -1,27 +0,0 @@
# This file will be processed with automake-1.7 to create Makefile.in
#
AUTOMAKE_OPTIONS = 1.7
NULL =
dist_noinst_DATA = \
ipa-epn.service.in \
ipa-epn.timer.in \
$(NULL)
systemdsystemunit_DATA = \
ipa-epn.service \
ipa-epn.timer \
$(NULL)
CLEANFILES = $(systemdsystemunit_DATA)
%: %.in Makefile
sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sbindir[@]|$(sbindir)|g' \
-e 's|@libexecdir[@]|$(libexecdir)|g' \
-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
'$(srcdir)/$@.in' >$@

@ -1,635 +0,0 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = client/systemd
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_DATA) \
$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(systemdsystemunitdir)"
DATA = $(dist_noinst_DATA) $(systemdsystemunit_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
DIRSRV_LIBS = @DIRSRV_LIBS@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
NDRPAC_LIBS = @NDRPAC_LIBS@
NDR_CFLAGS = @NDR_CFLAGS@
NDR_LIBS = @NDR_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
STRIP = @STRIP@
TALLOC_CFLAGS = @TALLOC_CFLAGS@
TALLOC_LIBS = @TALLOC_LIBS@
TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
krb5rundir = @krb5rundir@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
# This file will be processed with automake-1.7 to create Makefile.in
#
AUTOMAKE_OPTIONS = 1.7
NULL =
dist_noinst_DATA = \
ipa-epn.service.in \
ipa-epn.timer.in \
$(NULL)
systemdsystemunit_DATA = \
ipa-epn.service \
ipa-epn.timer \
$(NULL)
CLEANFILES = $(systemdsystemunit_DATA)
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign client/systemd/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign client/systemd/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-systemdsystemunitDATA: $(systemdsystemunit_DATA)
@$(NORMAL_INSTALL)
@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(systemdsystemunitdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemdsystemunitdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(systemdsystemunitdir)" || exit $$?; \
done
uninstall-systemdsystemunitDATA:
@$(NORMAL_UNINSTALL)
@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(systemdsystemunitdir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(DATA)
installdirs:
for dir in "$(DESTDIR)$(systemdsystemunitdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-systemdsystemunitDATA
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-systemdsystemunitDATA
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip install-systemdsystemunitDATA installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-systemdsystemunitDATA
.PRECIOUS: Makefile
%: %.in Makefile
sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sbindir[@]|$(sbindir)|g' \
-e 's|@libexecdir[@]|$(libexecdir)|g' \
-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
'$(srcdir)/$@.in' >$@
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@ -1,9 +0,0 @@
[Unit]
Description=Execute IPA Expiring Password Notification (EPN)
[Service]
Type=simple
ExecStart=@sbindir@/ipa-epn
[Install]
WantedBy=multi-user.target


@ -1,9 +0,0 @@
[Unit]
Description=Execute IPA Expiring Password Notification (EPN) every day at 1AM
[Timer]
OnCalendar=*-*-* 01:00:00
Unit=ipa-epn.service
[Install]
WantedBy=multi-user.target


@ -3,7 +3,7 @@
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
@ -53,7 +53,7 @@ func_file_conv ()
MINGW*)
file_conv=mingw
;;
CYGWIN* | MSYS*)
CYGWIN*)
file_conv=cygwin
;;
*)
@ -67,7 +67,7 @@ func_file_conv ()
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin/* | msys/*)
cygwin/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)

120
config.guess vendored

@ -2,7 +2,7 @@
# Attempt to guess a canonical system name.
# Copyright 1992-2018 Free Software Foundation, Inc.
timestamp='2018-08-29'
timestamp='2018-03-08'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@ -84,6 +84,8 @@ if test $# != 0; then
exit 1
fi
trap 'exit 1' 1 2 15
# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
# compiler to aid in system detection is discouraged as it requires
# temporary files to be created and, as you can see below, it is a
@ -94,39 +96,34 @@ fi
# Portable tmp directory creation inspired by the Autoconf team.
tmp=
# shellcheck disable=SC2172
trap 'test -z "$tmp" || rm -fr "$tmp"' 1 2 13 15
trap 'exitcode=$?; test -z "$tmp" || rm -fr "$tmp"; exit $exitcode' 0
set_cc_for_build() {
: "${TMPDIR=/tmp}"
# shellcheck disable=SC2039
{ tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
{ test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } ||
{ tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } ||
{ echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; }
dummy=$tmp/dummy
case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in
,,) echo "int x;" > "$dummy.c"
for driver in cc gcc c89 c99 ; do
if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then
CC_FOR_BUILD="$driver"
break
fi
done
if test x"$CC_FOR_BUILD" = x ; then
CC_FOR_BUILD=no_compiler_found
fi
;;
,,*) CC_FOR_BUILD=$CC ;;
,*,*) CC_FOR_BUILD=$HOST_CC ;;
esac
}
set_cc_for_build='
trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
: ${TMPDIR=/tmp} ;
{ tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
{ test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
{ tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
{ echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
dummy=$tmp/dummy ;
tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
case $CC_FOR_BUILD,$HOST_CC,$CC in
,,) echo "int x;" > "$dummy.c" ;
for c in cc gcc c89 c99 ; do
if ($c -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then
CC_FOR_BUILD="$c"; break ;
fi ;
done ;
if test x"$CC_FOR_BUILD" = x ; then
CC_FOR_BUILD=no_compiler_found ;
fi
;;
,,*) CC_FOR_BUILD=$CC ;;
,*,*) CC_FOR_BUILD=$HOST_CC ;;
esac ; set_cc_for_build= ;'
# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
# (ghazi@noc.rutgers.edu 1994-08-24)
if test -f /.attbin/uname ; then
if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
PATH=$PATH:/.attbin ; export PATH
fi
@ -141,7 +138,7 @@ Linux|GNU|GNU/*)
# We could probably try harder.
LIBC=gnu
set_cc_for_build
eval "$set_cc_for_build"
cat <<-EOF > "$dummy.c"
#include <features.h>
#if defined(__UCLIBC__)
@ -202,7 +199,7 @@ case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in
os=netbsdelf
;;
arm*|i386|m68k|ns32k|sh3*|sparc|vax)
set_cc_for_build
eval "$set_cc_for_build"
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ELF__
then
@ -240,7 +237,7 @@ case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in
# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
# contains redundant information, the shorter form:
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
echo "$machine-${os}${release}${abi-}"
echo "$machine-${os}${release}${abi}"
exit ;;
*:Bitrig:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
@ -392,15 +389,20 @@ case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in
echo i386-pc-auroraux"$UNAME_RELEASE"
exit ;;
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
UNAME_REL="`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`"
case `isainfo -b` in
32)
echo i386-pc-solaris2"$UNAME_REL"
;;
64)
echo x86_64-pc-solaris2"$UNAME_REL"
;;
esac
eval "$set_cc_for_build"
SUN_ARCH=i386
# If there is a compiler, see if it is configured for 64-bit objects.
# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
# This test works for both compilers.
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
SUN_ARCH=x86_64
fi
fi
echo "$SUN_ARCH"-pc-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`"
exit ;;
sun4*:SunOS:6*:*)
# According to config.sub, this is the proper way to canonicalize
@ -480,7 +482,7 @@ case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in
echo clipper-intergraph-clix"$UNAME_RELEASE"
exit ;;
mips:*:*:UMIPS | mips:*:*:RISCos)
set_cc_for_build
eval "$set_cc_for_build"
sed 's/^ //' << EOF > "$dummy.c"
#ifdef __cplusplus
#include <stdio.h> /* for printf() prototype */
@ -577,7 +579,7 @@ EOF
exit ;;
*:AIX:2:3)
if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
set_cc_for_build
eval "$set_cc_for_build"
sed 's/^ //' << EOF > "$dummy.c"
#include <sys/systemcfg.h>
@ -658,7 +660,7 @@ EOF
esac
fi
if [ "$HP_ARCH" = "" ]; then
set_cc_for_build
eval "$set_cc_for_build"
sed 's/^ //' << EOF > "$dummy.c"
#define _HPUX_SOURCE
@ -698,7 +700,7 @@ EOF
esac
if [ "$HP_ARCH" = hppa2.0w ]
then
set_cc_for_build
eval "$set_cc_for_build"
# hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
# 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler
@ -724,7 +726,7 @@ EOF
echo ia64-hp-hpux"$HPUX_REV"
exit ;;
3050*:HI-UX:*:*)
set_cc_for_build
eval "$set_cc_for_build"
sed 's/^ //' << EOF > "$dummy.c"
#include <unistd.h>
int
@ -838,17 +840,6 @@ EOF
*:BSD/OS:*:*)
echo "$UNAME_MACHINE"-unknown-bsdi"$UNAME_RELEASE"
exit ;;
arm:FreeBSD:*:*)
UNAME_PROCESSOR=`uname -p`
set_cc_for_build
if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_PCS_VFP
then
echo "${UNAME_PROCESSOR}"-unknown-freebsd"`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`"-gnueabi
else
echo "${UNAME_PROCESSOR}"-unknown-freebsd"`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`"-gnueabihf
fi
exit ;;
*:FreeBSD:*:*)
UNAME_PROCESSOR=`/usr/bin/uname -p`
case "$UNAME_PROCESSOR" in
@ -903,8 +894,8 @@ EOF
# other systems with GNU libc and userland
echo "$UNAME_MACHINE-unknown-`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`-$LIBC"
exit ;;
*:Minix:*:*)
echo "$UNAME_MACHINE"-unknown-minix
i*86:Minix:*:*)
echo "$UNAME_MACHINE"-pc-minix
exit ;;
aarch64:Linux:*:*)
echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
@ -931,7 +922,7 @@ EOF
echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
exit ;;
arm*:Linux:*:*)
set_cc_for_build
eval "$set_cc_for_build"
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_EABI__
then
@ -980,7 +971,7 @@ EOF
echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
exit ;;
mips:Linux:*:* | mips64:Linux:*:*)
set_cc_for_build
eval "$set_cc_for_build"
sed 's/^ //' << EOF > "$dummy.c"
#undef CPU
#undef ${UNAME_MACHINE}
@ -1294,7 +1285,7 @@ EOF
exit ;;
*:Darwin:*:*)
UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
set_cc_for_build
eval "$set_cc_for_build"
if test "$UNAME_PROCESSOR" = unknown ; then
UNAME_PROCESSOR=powerpc
fi
@ -1367,7 +1358,6 @@ EOF
# "uname -m" is not consistent, so use $cputype instead. 386
# is converted to i386 for consistency with other x86
# operating systems.
# shellcheck disable=SC2154
if test "$cputype" = 386; then
UNAME_MACHINE=i386
else

2597
config.sub vendored

File diff suppressed because it is too large Load Diff

984
configure vendored

File diff suppressed because it is too large Load Diff


@ -18,21 +18,15 @@ AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE([foreign 1.9 tar-pax])
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
dnl enable C11 extensions for features like memset_s()
CFLAGS="$CFLAGS -D__STDC_WANT_LIB_EXT1__=1"
dnl enable features like htole16()
CFLAGS="$CFLAGS -D_DEFAULT_SOURCE=1"
dnl Enable features like strndup()
CFLAGS="$CFLAGS -D_POSIX_C_SOURCE=200809L"
dnl fail hard when includes statements are missing
CFLAGS="$CFLAGS -Werror=implicit-function-declaration"
AC_PROG_CC_C99
AC_DISABLE_STATIC
LT_INIT
AC_HEADER_STDC
dnl fail hard when includes statements are missing
CFLAGS+=" -Werror=implicit-function-declaration"
PKG_PROG_PKG_CONFIG
AC_ARG_ENABLE([server],
@ -54,17 +48,16 @@ AM_CONDITIONAL([WITH_IPATESTS], [test x"$with_ipatests" = xyes])
AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
dnl ---------------------------------------------------------------------------
dnl - Check for POPT
dnl - Check for NSPR/NSS
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([POPT], [popt])
PKG_CHECK_MODULES([NSPR], [nspr])
PKG_CHECK_MODULES([NSS], [nss])
dnl ---------------------------------------------------------------------------
dnl - Check for KRB5
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([KRB5], [krb5])
PKG_CHECK_MODULES([KRB5_GSSAPI], [krb5-gssapi])
AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
AC_CHECK_MEMBER(
@ -106,8 +99,9 @@ dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([CRYPTO], [libcrypto])
dnl ---------------------------------------------------------------------------
dnl - Check for Python 3
dnl - Check for Python
dnl - Check for platform Python interpreter
dnl - Check for Python 2/3 for devcheck
dnl ---------------------------------------------------------------------------
AS_IF([test "x${PYTHON}" != "x"], [
@ -116,15 +110,34 @@ AS_IF([test "x${PYTHON}" != "x"], [
AC_MSG_NOTICE([Checking for platform Python])
AC_PATH_PROG(PLATFORM_PYTHON, platform-python, [], [/usr/libexec$PATH_SEPARATOR$PATH])
AC_MSG_NOTICE([Checking for Python 3])
AC_PATH_PROGS(PYTHON3, python3)
dnl Only use platform-python when there is no override
if test \( "x${PLATFORM_PYTHON}" != "x" -a "x${PYTHON}" = "x" \); then
dnl platform-python executable detected (it's always Python 3)
AC_MSG_NOTICE([Using platform Python as default Python 3 interpreter])
PYTHON3=${PLATFORM_PYTHON}
PYTHON=${PLATFORM_PYTHON}
fi
AM_PATH_PYTHON(3.6)
AC_SUBST([PYTHON3])
AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
AC_MSG_NOTICE([Checking for Python 2])
AC_PATH_PROG(PYTHON2, python2)
AC_SUBST([PYTHON2])
AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
if test \( "x${PYTHON3}" = "x" -o "x${PYTHON}" != "x" \); then
dnl Python 3 is not available *or* user has set PYTHON variable.
dnl Accept Python >= 2.7 as default Python. We also accept any Python 3
dnl version from PYTHON environment variable.
AM_PATH_PYTHON(2.7)
elif test "x${PYTHON3}" != "x"; then
dnl Found Python 3, but no user override. Use Python >= 3.6 as default.
AM_PATH_PYTHON(3.6)
fi
dnl ---------------------------------------------------------------------------
@ -209,36 +222,6 @@ AC_ARG_WITH([sysconfenvdir],
[sysconfenvdir="${sysconfdir}/sysconfig"])
AC_SUBST([sysconfenvdir])
dnl ---------------------------------------------------------------------------
dnl - Get /run directory path
dnl - available in autoconf 2.70+
dnl ---------------------------------------------------------------------------
AC_ARG_WITH([runstatedir],
AS_HELP_STRING([--with-runstatedir=DIR],
[Runtime data directory]),
[runstatedir=$with_runstatedir],
[runstatedir="/run"])
AC_SUBST([runstatedir])
dnl ---------------------------------------------------------------------------
dnl - Check for systemd directories
dnl ---------------------------------------------------------------------------
PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
AC_ARG_WITH([systemdsystemunitdir],
AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
[Directory for systemd service files]),
[systemdsystemunitdir=$with_systemdsystemunitdir],
[systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
AC_SUBST([systemdsystemunitdir])
AC_ARG_WITH([systemdtmpfilesdir],
AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
[Directory for systemd-tmpfiles configuration files]),
[systemdtmpfilesdir=$with_systemdtmpfilesdir],
[systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
AC_SUBST([systemdtmpfilesdir])
dnl ---------------------------------------------------------------------------
dnl - Server-only configuration
dnl ---------------------------------------------------------------------------
@ -262,9 +245,6 @@ AM_COND_IF([BUILD_IPA_CERTAUTH_PLUGIN], [
[AC_MSG_WARN([Cannot build IPA KDB certauth plugin])])
])
AM_CONDITIONAL([BUILD_IPA_KDCPOLICY_PLUGIN],
[test x$have_kdcpolicy_plugin = xyes])
dnl ---------------------------------------------------------------------------
dnl - Check for program paths
dnl ---------------------------------------------------------------------------
@ -349,14 +329,12 @@ if test "x${IPAPLATFORM}" == "xdebian"; then
KRB5KDC_SERVICE="krb5-kdc.service"
NAMED_GROUP="bind"
ODS_USER="opendnssec"
ODS_GROUP="opendnssec"
# see https://www.debian.org/doc/packaging-manuals/python-policy/ap-packaging_tools.html
PYTHON_INSTALL_EXTRA_OPTIONS="--install-layout=deb"
else
KRB5KDC_SERVICE="krb5kdc.service"
NAMED_GROUP="named"
ODS_USER="ods"
ODS_GROUP="ods"
PYTHON_INSTALL_EXTRA_OPTIONS=""
fi
@ -370,10 +348,6 @@ AC_MSG_CHECKING([ODS_USER])
AC_SUBST([ODS_USER])
AC_MSG_RESULT([${ODS_USER}])
AC_MSG_CHECKING([ODS_GROUP])
AC_SUBST([ODS_GROUP])
AC_MSG_RESULT([${ODS_GROUP}])
AC_MSG_CHECKING([python setup.py install extra options])
AC_SUBST([PYTHON_INSTALL_EXTRA_OPTIONS])
if test "x${PYTHON_INSTALL_EXTRA_OPTIONS}" == "x"; then
@ -418,19 +392,6 @@ AC_SUBST([MK_ELSE], [else])
AC_SUBST([MK_ENDIF], [endif])
AC_SUBST([MK_ASSIGN], [=])
dnl ---------------------------------------------------------------------------
dnl - Check for SELinux policy devel
dnl ---------------------------------------------------------------------------
selinux_makefile=/usr/share/selinux/devel/Makefile
AC_SUBST([selinux_makefile])
AC_CHECK_FILE([$selinux_makefile],
[build_selinux=yes],
[build_selinux=no])
AM_CONDITIONAL(BUILD_SELINUX_POLICY, test x$build_selinux = xyes)
dnl ---------------------------------------------------------------------------
dnl Finish
dnl ---------------------------------------------------------------------------
@ -546,8 +507,6 @@ AS_CASE([$JSLINT],
AC_SUBST([JSLINT])
AM_CONDITIONAL([WITH_JSLINT], [test "x${JSLINT}" != "xno"])
AM_CONDITIONAL([HAVE_UNSHARE],
[test "x${ac_cv_func_unshare}" = "xyes" -a "x${ac_cv_func_chroot}" = "xyes"])
# Flags
@ -564,8 +523,6 @@ AC_CONFIG_FILES([
client/Makefile
client/share/Makefile
client/man/Makefile
client/sysconfig/Makefile
client/systemd/Makefile
contrib/completion/Makefile
contrib/Makefile
daemons/dnssec/Makefile
@ -595,7 +552,6 @@ AC_CONFIG_FILES([
init/Makefile
install/Makefile
install/certmonger/Makefile
install/custodia/Makefile
install/html/Makefile
install/migration/Makefile
install/share/Makefile
@ -631,7 +587,6 @@ AC_CONFIG_FILES([
pypi/ipatests/Makefile
po/Makefile.in
po/Makefile.hack
selinux/Makefile
util/Makefile
])
@ -654,18 +609,20 @@ echo "
source code location: ${srcdir}
compiler: ${CC}
cflags: ${CFLAGS}
Python: ${PYTHON} (${PYTHON_VERSION})
Default Python: ${PYTHON} (${PYTHON_VERSION})
Python 2: ${PYTHON2}
Python 3: ${PYTHON3}
pylint: ${PYLINT}
jslint: ${JSLINT}
LDAP libs: ${LDAP_LIBS}
OpenSSL crypto libs: ${CRYPTO_LIBS}
KRB5 libs: ${KRB5_LIBS}
systemdsystemunitdir: ${systemdsystemunitdir}"
KRB5 libs: ${KRB5_LIBS}"
AM_COND_IF([ENABLE_SERVER], [
echo "\
KRAD libs: ${KRAD_LIBS}
krb5rundir: ${krb5rundir}
systemdsystemunitdir: ${systemdsystemunitdir}
systemdtmpfilesdir: ${systemdtmpfilesdir}
build mode: server & client"
], [
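Review bot: The first hunk of configure.ac reintroduces `CFLAGS+=" -Werror=implicit-function-declaration"` in place of `CFLAGS="$CFLAGS -Werror=implicit-function-declaration"`, and `+=` on a shell variable is a bash extension: when the generated configure runs under a POSIX sh such as dash (Debian's default /bin/sh, which this Debian import targets), the word is not parsed as an assignment, so the flag is most likely dropped without any error that stops configure. Keeping the `CFLAGS="$CFLAGS ..."` form from the removed side avoids that. The same hunk also drops `-D__STDC_WANT_LIB_EXT1__=1`, `-D_DEFAULT_SOURCE=1` and `-D_POSIX_C_SOURCE=200809L`; if any C source in the imported tree relies on the prototypes those macros expose (the removed comments name `memset_s()`, `htole16()` and `strndup()`), it will now trip exactly the implicit-declaration error the remaining line is meant to enforce, which is worth confirming with a build under a strict compiler.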


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# contrib/Makefile. Generated from Makefile.in by configure.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -187,23 +187,23 @@ am__relativize = \
dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
done; \
reldir="$$dir2"
ACLOCAL = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing aclocal-1.16
ACLOCAL = ${SHELL} /home/abokovoy/src/freeipa/missing aclocal-1.16
AMTAR = $${TAR-tar}
AM_DEFAULT_VERBOSITY = 1
API_VERSION = 2.239
API_VERSION = 2.230
AR = ar
AUTOCONF = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing autoconf
AUTOHEADER = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing autoheader
AUTOMAKE = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing automake-1.16
AUTOCONF = ${SHELL} /home/abokovoy/src/freeipa/missing autoconf
AUTOHEADER = ${SHELL} /home/abokovoy/src/freeipa/missing autoheader
AUTOMAKE = ${SHELL} /home/abokovoy/src/freeipa/missing automake-1.16
AWK = gawk
CC = gcc
CCDEPMODE = depmode=gcc3
CFLAGS = -D__STDC_WANT_LIB_EXT1__=1 -D_DEFAULT_SOURCE=1 -D_POSIX_C_SOURCE=200809L -Werror=implicit-function-declaration
CFLAGS = -g -O2 -Werror=implicit-function-declaration
CMOCKA_CFLAGS =
CMOCKA_LIBS = -lcmocka
CONFIG_STATUS = ./config.status
CPP = gcc -E
CPPFLAGS =
CPPFLAGS = -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4
CRYPTO_CFLAGS =
CRYPTO_LIBS = -lcrypto
CYGPATH_W = echo
@ -223,7 +223,7 @@ EXEEXT =
FGREP = /usr/bin/grep -F
GETTEXT_DOMAIN = ipa
GETTEXT_MACRO_VERSION = 0.18
GIT_BRANCH = ipa-4-8
GIT_BRANCH = ipa-4-7
GIT_VERSION =
GMSGFMT = /usr/bin/msgfmt
GMSGFMT_015 = /usr/bin/msgfmt
@ -244,8 +244,6 @@ JSLINT = /usr/bin/jsl
KRAD_LIBS = -lkrad
KRB5KDC_SERVICE = krb5kdc.service
KRB5_CFLAGS =
KRB5_GSSAPI_CFLAGS =
KRB5_GSSAPI_LIBS = -lgssapi_krb5
KRB5_LIBS = -lkrb5 -lk5crypto -lcom_err
LD = /usr/bin/ld -m elf_x86_64
LDAP_CFLAGS =
@ -266,7 +264,7 @@ LTLIBICONV = -liconv
LTLIBINTL =
LTLIBOBJS =
LT_SYS_LIBRARY_PATH =
MAKEINFO = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing makeinfo
MAKEINFO = ${SHELL} /home/abokovoy/src/freeipa/missing makeinfo
MANIFEST_TOOL = :
MKDIR_P = /usr/bin/mkdir -p
MK_ASSIGN = =
@ -288,20 +286,21 @@ NM = /usr/bin/nm -B
NMEDIT =
NSPR_CFLAGS = -I/usr/include/nspr4
NSPR_LIBS = -lplds4 -lplc4 -lnspr4 -lpthread -ldl
NUM_VERSION = 40810
NSS_CFLAGS = -I/usr/include/nss3 -I/usr/include/nspr4
NSS_LIBS = -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
NUM_VERSION = 40702
OBJDUMP = objdump
OBJEXT = o
ODS_GROUP = ods
ODS_USER = ods
OTOOL =
OTOOL64 =
PACKAGE = freeipa
PACKAGE_BUGREPORT = https://hosted.fedoraproject.org/projects/freeipa/newticket
PACKAGE_NAME = freeipa
PACKAGE_STRING = freeipa 4.8.10
PACKAGE_STRING = freeipa 4.7.2
PACKAGE_TARNAME = freeipa
PACKAGE_URL =
PACKAGE_VERSION = 4.8.10
PACKAGE_VERSION = 4.7.2
PATH_SEPARATOR = :
PKG_CONFIG = /usr/bin/pkg-config
PKG_CONFIG_LIBDIR =
@ -311,12 +310,14 @@ POPT_CFLAGS =
POPT_LIBS = -lpopt
POSUB = po
PYLINT = yes
PYTHON = /usr/bin/python
PYTHON = /usr/bin/python3
PYTHON2 = /usr/bin/python2
PYTHON3 = /usr/bin/python3
PYTHON_EXEC_PREFIX = ${exec_prefix}
PYTHON_INSTALL_EXTRA_OPTIONS =
PYTHON_PLATFORM = linux
PYTHON_PREFIX = ${prefix}
PYTHON_VERSION = 3.9
PYTHON_VERSION = 3.7
RANLIB = ranlib
SAMBA40EXTRA_LIBPATH = -L/usr/lib64/samba -Wl,-rpath=/usr/lib64/samba
SAMBAUTIL_CFLAGS = -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1
@ -343,16 +344,16 @@ USE_NLS = yes
UUID_CFLAGS = -I/usr/include/uuid
UUID_LIBS = -luuid
VENDOR_SUFFIX =
VERSION = 4.8.10
VERSION = 4.7.2
XGETTEXT = /usr/bin/xgettext
XGETTEXT_015 = /usr/bin/xgettext
XGETTEXT_EXTRA_OPTIONS =
XMLRPC_CFLAGS =
XMLRPC_LIBS = -lxmlrpc -lxmlrpc_client -lxmlrpc_util
abs_builddir = /home/abokovoy/src/freeipa-build/freeipa-4-8-10/contrib
abs_srcdir = /home/abokovoy/src/freeipa-build/freeipa-4-8-10/contrib
abs_top_builddir = /home/abokovoy/src/freeipa-build/freeipa-4-8-10
abs_top_srcdir = /home/abokovoy/src/freeipa-build/freeipa-4-8-10
abs_builddir = /home/abokovoy/src/freeipa/contrib
abs_srcdir = /home/abokovoy/src/freeipa/contrib
abs_top_builddir = /home/abokovoy/src/freeipa
abs_top_srcdir = /home/abokovoy/src/freeipa
ac_ct_AR = ar
ac_ct_CC = gcc
ac_ct_DUMPBIN =
@ -382,8 +383,8 @@ htmldir = ${docdir}
i18ntests =
includedir = ${prefix}/include
infodir = ${datarootdir}/info
install_sh = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/install-sh
krb5rundir = /run/krb5kdc
install_sh = ${SHELL} /home/abokovoy/src/freeipa/install-sh
krb5rundir = ${prefix}/var/run/krb5kdc
libdir = ${exec_prefix}/lib
libexecdir = ${exec_prefix}/libexec
localedir = ${datarootdir}/locale
@ -397,17 +398,15 @@ pkgpythondir = ${pythondir}/freeipa
prefix = /usr/local
program_transform_name = s,x,x,
psdir = ${docdir}
pyexecdir = ${exec_prefix}/lib64/python3.9/site-packages
pythondir = ${prefix}/lib/python3.9/site-packages
runstatedir = /run
pyexecdir = ${exec_prefix}/lib64/python3.7/site-packages
pythondir = ${prefix}/lib/python3.7/site-packages
sbindir = ${exec_prefix}/sbin
selinux_makefile = /usr/share/selinux/devel/Makefile
sharedstatedir = ${prefix}/com
srcdir = .
sysconfdir = ${prefix}/etc
sysconfenvdir = ${prefix}/etc/sysconfig
systemdsystemunitdir = /usr/lib/systemd/system
systemdtmpfilesdir = ${prefix}/lib/tmpfiles.d
systemdtmpfilesdir = /usr/lib/tmpfiles.d
target_alias =
top_build_prefix = ../
top_builddir = ..


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -244,8 +244,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -288,10 +286,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -312,6 +311,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -399,9 +400,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# contrib/completion/Makefile. Generated from Makefile.in by configure.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -157,23 +157,23 @@ am__can_run_installinfo = \
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing aclocal-1.16
ACLOCAL = ${SHELL} /home/abokovoy/src/freeipa/missing aclocal-1.16
AMTAR = $${TAR-tar}
AM_DEFAULT_VERBOSITY = 1
API_VERSION = 2.239
API_VERSION = 2.230
AR = ar
AUTOCONF = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing autoconf
AUTOHEADER = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing autoheader
AUTOMAKE = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing automake-1.16
AUTOCONF = ${SHELL} /home/abokovoy/src/freeipa/missing autoconf
AUTOHEADER = ${SHELL} /home/abokovoy/src/freeipa/missing autoheader
AUTOMAKE = ${SHELL} /home/abokovoy/src/freeipa/missing automake-1.16
AWK = gawk
CC = gcc
CCDEPMODE = depmode=gcc3
CFLAGS = -D__STDC_WANT_LIB_EXT1__=1 -D_DEFAULT_SOURCE=1 -D_POSIX_C_SOURCE=200809L -Werror=implicit-function-declaration
CFLAGS = -g -O2 -Werror=implicit-function-declaration
CMOCKA_CFLAGS =
CMOCKA_LIBS = -lcmocka
CONFIG_STATUS = ./config.status
CPP = gcc -E
CPPFLAGS =
CPPFLAGS = -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4
CRYPTO_CFLAGS =
CRYPTO_LIBS = -lcrypto
CYGPATH_W = echo
@ -193,7 +193,7 @@ EXEEXT =
FGREP = /usr/bin/grep -F
GETTEXT_DOMAIN = ipa
GETTEXT_MACRO_VERSION = 0.18
GIT_BRANCH = ipa-4-8
GIT_BRANCH = ipa-4-7
GIT_VERSION =
GMSGFMT = /usr/bin/msgfmt
GMSGFMT_015 = /usr/bin/msgfmt
@ -214,8 +214,6 @@ JSLINT = /usr/bin/jsl
KRAD_LIBS = -lkrad
KRB5KDC_SERVICE = krb5kdc.service
KRB5_CFLAGS =
KRB5_GSSAPI_CFLAGS =
KRB5_GSSAPI_LIBS = -lgssapi_krb5
KRB5_LIBS = -lkrb5 -lk5crypto -lcom_err
LD = /usr/bin/ld -m elf_x86_64
LDAP_CFLAGS =
@ -236,7 +234,7 @@ LTLIBICONV = -liconv
LTLIBINTL =
LTLIBOBJS =
LT_SYS_LIBRARY_PATH =
MAKEINFO = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/missing makeinfo
MAKEINFO = ${SHELL} /home/abokovoy/src/freeipa/missing makeinfo
MANIFEST_TOOL = :
MKDIR_P = /usr/bin/mkdir -p
MK_ASSIGN = =
@ -258,20 +256,21 @@ NM = /usr/bin/nm -B
NMEDIT =
NSPR_CFLAGS = -I/usr/include/nspr4
NSPR_LIBS = -lplds4 -lplc4 -lnspr4 -lpthread -ldl
NUM_VERSION = 40810
NSS_CFLAGS = -I/usr/include/nss3 -I/usr/include/nspr4
NSS_LIBS = -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
NUM_VERSION = 40702
OBJDUMP = objdump
OBJEXT = o
ODS_GROUP = ods
ODS_USER = ods
OTOOL =
OTOOL64 =
PACKAGE = freeipa
PACKAGE_BUGREPORT = https://hosted.fedoraproject.org/projects/freeipa/newticket
PACKAGE_NAME = freeipa
PACKAGE_STRING = freeipa 4.8.10
PACKAGE_STRING = freeipa 4.7.2
PACKAGE_TARNAME = freeipa
PACKAGE_URL =
PACKAGE_VERSION = 4.8.10
PACKAGE_VERSION = 4.7.2
PATH_SEPARATOR = :
PKG_CONFIG = /usr/bin/pkg-config
PKG_CONFIG_LIBDIR =
@ -281,12 +280,14 @@ POPT_CFLAGS =
POPT_LIBS = -lpopt
POSUB = po
PYLINT = yes
PYTHON = /usr/bin/python
PYTHON = /usr/bin/python3
PYTHON2 = /usr/bin/python2
PYTHON3 = /usr/bin/python3
PYTHON_EXEC_PREFIX = ${exec_prefix}
PYTHON_INSTALL_EXTRA_OPTIONS =
PYTHON_PLATFORM = linux
PYTHON_PREFIX = ${prefix}
PYTHON_VERSION = 3.9
PYTHON_VERSION = 3.7
RANLIB = ranlib
SAMBA40EXTRA_LIBPATH = -L/usr/lib64/samba -Wl,-rpath=/usr/lib64/samba
SAMBAUTIL_CFLAGS = -I/usr/include/samba-4.0 -DHAVE_IMMEDIATE_STRUCTURES=1
@ -313,16 +314,16 @@ USE_NLS = yes
UUID_CFLAGS = -I/usr/include/uuid
UUID_LIBS = -luuid
VENDOR_SUFFIX =
VERSION = 4.8.10
VERSION = 4.7.2
XGETTEXT = /usr/bin/xgettext
XGETTEXT_015 = /usr/bin/xgettext
XGETTEXT_EXTRA_OPTIONS =
XMLRPC_CFLAGS =
XMLRPC_LIBS = -lxmlrpc -lxmlrpc_client -lxmlrpc_util
abs_builddir = /home/abokovoy/src/freeipa-build/freeipa-4-8-10/contrib/completion
abs_srcdir = /home/abokovoy/src/freeipa-build/freeipa-4-8-10/contrib/completion
abs_top_builddir = /home/abokovoy/src/freeipa-build/freeipa-4-8-10
abs_top_srcdir = /home/abokovoy/src/freeipa-build/freeipa-4-8-10
abs_builddir = /home/abokovoy/src/freeipa/contrib/completion
abs_srcdir = /home/abokovoy/src/freeipa/contrib/completion
abs_top_builddir = /home/abokovoy/src/freeipa
abs_top_srcdir = /home/abokovoy/src/freeipa
ac_ct_AR = ar
ac_ct_CC = gcc
ac_ct_DUMPBIN =
@ -352,8 +353,8 @@ htmldir = ${docdir}
i18ntests =
includedir = ${prefix}/include
infodir = ${datarootdir}/info
install_sh = ${SHELL} /home/abokovoy/src/freeipa-build/freeipa-4-8-10/install-sh
krb5rundir = /run/krb5kdc
install_sh = ${SHELL} /home/abokovoy/src/freeipa/install-sh
krb5rundir = ${prefix}/var/run/krb5kdc
libdir = ${exec_prefix}/lib
libexecdir = ${exec_prefix}/libexec
localedir = ${datarootdir}/locale
@ -367,17 +368,15 @@ pkgpythondir = ${pythondir}/freeipa
prefix = /usr/local
program_transform_name = s,x,x,
psdir = ${docdir}
pyexecdir = ${exec_prefix}/lib64/python3.9/site-packages
pythondir = ${prefix}/lib/python3.9/site-packages
runstatedir = /run
pyexecdir = ${exec_prefix}/lib64/python3.7/site-packages
pythondir = ${prefix}/lib/python3.7/site-packages
sbindir = ${exec_prefix}/sbin
selinux_makefile = /usr/share/selinux/devel/Makefile
sharedstatedir = ${prefix}/com
srcdir = .
sysconfdir = ${prefix}/etc
sysconfenvdir = ${prefix}/etc/sysconfig
systemdsystemunitdir = /usr/lib/systemd/system
systemdtmpfilesdir = ${prefix}/lib/tmpfiles.d
systemdtmpfilesdir = /usr/lib/tmpfiles.d
target_alias =
top_build_prefix = ../../
top_builddir = ../..


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -214,8 +214,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -258,10 +256,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -282,6 +281,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -369,9 +370,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -31,12 +31,6 @@ from ipaserver.install.dsinstance import DS_USER
from ipaserver.install.cainstance import PKI_USER
from ipapython import services
# for mod_nss
from ipaserver.install.httpinstance import NSS_CONF
from ipaserver.install.httpinstance import HTTPInstance
from ipaserver.install import installutils
from ipapython import sysrestore
SERVERID = "PKI-IPA"
SCHEMA_FILENAMES = (
"60kerberos.ldif",
@ -106,77 +100,6 @@ def restart_pki_ds():
services.service('dirsrv').restart(SERVERID)
# The ipa-3-0 set_directive() has very loose comparision of directive
# which would cause multiple NSSCipherSuite to be added so provide
# a custom function for it.
def set_directive(filename, directive, value, quotes=True, separator=' '):
"""Set a name/value pair directive in a configuration file.
A value of None means to drop the directive.
This has only been tested with nss.conf
"""
valueset = False
st = os.stat(filename)
fd = open(filename)
newfile = []
for line in fd:
if line.lstrip().startswith(directive):
valueset = True
if value is not None:
if quotes:
newfile.append('%s%s"%s"\n' %
(directive, separator, value))
else:
newfile.append('%s%s%s\n' % (directive, separator, value))
else:
newfile.append(line)
fd.close()
if not valueset:
if value is not None:
if quotes:
newfile.append('%s%s"%s"\n' % (directive, separator, value))
else:
newfile.append('%s%s%s\n' % (directive, separator, value))
fd = open(filename, "w")
fd.write("".join(newfile))
fd.close()
os.chown(filename, st.st_uid, st.st_gid) # reset perms
def update_mod_nss_cipher_suite():
add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')
# Run through once to see if any of the new ciphers are there but
# disabled. If they are then enable them.
lciphers = ciphers.split(',')
new_ciphers = []
for cipher in lciphers:
for add in add_ciphers:
if cipher.endswith(add):
if cipher.startswith('-'):
cipher = '+%s' % add
new_ciphers.append(cipher)
# Run through again and add remaining ciphers as enabled.
for add in add_ciphers:
if add not in ciphers:
new_ciphers.append('+%s' % add)
ciphers = ','.join(new_ciphers)
set_directive(NSS_CONF, 'NSSCipherSuite', ciphers, False)
root_logger.info('Updated Apache cipher list')
def restart_http():
root_logger.info('Restarting HTTP')
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
http = HTTPInstance(fstore)
http.restart()
def main():
if os.getegid() != 0:
sys.exit("Must be root to run this script")
@ -187,8 +110,6 @@ def main():
add_ca_schema()
restart_pki_ds()
update_mod_nss_cipher_suite()
restart_http()
root_logger.info('Schema updated successfully')


@ -1,36 +0,0 @@
#!/usr/bin/python3
"""Helper script to test LGTM config
$ contrib/lgtm_container.py > Dockerfile
$ docker build -t lgtm .
"""
import os
import yaml
LGTM_YML = os.path.join(os.path.dirname(__file__), '..', '.lgtm.yml')
def main():
with open(LGTM_YML) as f:
cfg = yaml.safe_load(f)
python = cfg['extraction']['python']
print("""\
FROM ubuntu:bionic
RUN apt-get update && \
apt-get install -y {dpkg} python3-venv && \
apt-get clean
RUN python3 -m venv /venv
RUN /venv/bin/pip install wheel
RUN /venv/bin/pip install {pypkg}
ADD . /freeipa
RUN cd /freeipa && ./autogen.sh --with-ipaplatform=debian
""".format(
dpkg=' '.join(python['prepare']['packages']),
pypkg=' '.join(python['python_setup']['requirements'])
))
if __name__ == '__main__':
main()


@ -1,4 +1,4 @@
#!/usr/bin/env python3
#!/usr/bin/env python
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
@ -35,7 +35,8 @@ You may also have to enable a development COPR.
$ sudo dnf install -y dnf-plugins-core
$ sudo dnf builddep --spec freeipa.spec.in
$ sudo dnf install -y python3-werkzeug python3-watchdog
$ sudo dnf install -y python-werkzeug python2-watchdog \
python3-werkzeug python3-watchdog
$ ./autogen.sh
For more information see
@ -60,7 +61,6 @@ from ipalib.errors import NetworkError
from ipalib.krb_utils import krb5_parse_ccache
from ipalib.krb_utils import krb5_unparse_ccache
import gssapi
# pylint: disable=import-error
from werkzeug.contrib.profiler import ProfilerMiddleware
from werkzeug.exceptions import NotFound
@ -106,20 +106,15 @@ def get_ccname():
return krb5_unparse_ccache(scheme, location)
class KRBCheater:
"""Add KRB5CCNAME and GSS_NAME to WSGI environ
class KRBCheater(object):
"""Add KRB5CCNAME to WSGI environ
"""
def __init__(self, app, ccname):
self.app = app
self.ccname = ccname
self.creds = gssapi.Credentials(
usage='initiate',
store={'ccache': ccname}
)
def __call__(self, environ, start_response):
environ['KRB5CCNAME'] = self.ccname
environ['GSS_NAME'] = self.creds.name
return self.app(environ, start_response)
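Review bot: `KRBCheater.__init__` and `__call__` on the new side document neither the `ccname` argument nor the effect of the middleware, and the class docstring is the only place a reader of the WSGI stack can learn it. From the `get_ccname()` hunk above, `ccname` is the string produced by `krb5_unparse_ccache(scheme, location)`, and `__call__` writes it into `environ['KRB5CCNAME']` for every request, so whatever ticket cache the dev server started with is applied to all requests it serves. A docstring such as `"""Middleware that sets environ['KRB5CCNAME'] to the ccache name from get_ccname() on every request (dev server only)."""` makes that explicit.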


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -251,8 +251,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -295,10 +293,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -319,6 +318,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -406,9 +407,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -29,9 +29,7 @@ CLEANFILES = $(systemdsystemunit_DATA) $(nodist_app_SCRIPTS)
-e 's|@libexecdir[@]|$(libexecdir)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
-e 's|@runstatedir[@]|$(runstatedir)|g' \
-e 's|@ODS_USER[@]|$(ODS_USER)|g' \
-e 's|@ODS_GROUP[@]|$(ODS_GROUP)|g' \
-e 's|@NAMED_GROUP[@]|$(NAMED_GROUP)|g' \
'$(srcdir)/$@.in' >$@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -219,8 +219,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -263,10 +261,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -287,6 +286,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -374,9 +375,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@ -683,9 +682,7 @@ uninstall-am: uninstall-nodist_appSCRIPTS \
-e 's|@libexecdir[@]|$(libexecdir)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
-e 's|@runstatedir[@]|$(runstatedir)|g' \
-e 's|@ODS_USER[@]|$(ODS_USER)|g' \
-e 's|@ODS_GROUP[@]|$(ODS_GROUP)|g' \
-e 's|@NAMED_GROUP[@]|$(NAMED_GROUP)|g' \
'$(srcdir)/$@.in' >$@
install-data-hook:
@ -693,12 +690,9 @@ install-data-hook:
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
#
@ -14,7 +14,6 @@ import os
import sys
import ipalib
from ipalib import errors
from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
from ipalib.install.kinit import kinit_keytab
from ipapython.dn import DN
@ -58,7 +57,6 @@ def find_unwrapping_key(localhsm, wrapping_key_uri):
unwrap_keys = localhsm.find_keys(id=key_id, cka_unwrap=True)
if len(unwrap_keys) > 0:
return unwrap_keys.popitem()[1]
return None
def ldap2replica_master_keys_sync(ldapkeydb, localhsm):
## LDAP -> replica master key synchronization
@ -164,33 +162,23 @@ except GSSError as e:
os.environ['KRB5CCNAME'] = ccache_filename
logger.debug('Got TGT')
keys_dn = DN(
('cn', 'keys'), ('cn', 'sec'),
ipalib.api.env.container_dns,
ipalib.api.env.basedn
)
# LDAP initialization
ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
logger.debug('Connecting to LDAP')
ldap.gssapi_bind()
logger.debug('Connected')
with open(paths.DNSSEC_SOFTHSM_PIN) as f:
localhsm = LocalHSM(
paths.LIBSOFTHSM2_SO,
SOFTHSM_DNSSEC_TOKEN_LABEL,
f.read()
)
try:
# LDAP initialization
ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
logger.debug('Connecting to LDAP')
ldap.gssapi_bind()
logger.debug('Connected')
### DNSSEC master: key synchronization
ldapkeydb = LdapKeyDB(ldap, DN(('cn', 'keys'),
('cn', 'sec'),
ipalib.api.env.container_dns,
ipalib.api.env.basedn))
### DNSSEC master: key synchronization
ldapkeydb = LdapKeyDB(ldap, keys_dn)
ldap2replica_master_keys_sync(ldapkeydb, localhsm)
ldap2replica_zone_keys_sync(ldapkeydb, localhsm)
except (errors.NetworkError, errors.DatabaseError) as e:
# SERVER_DOWN, CONNECT_ERROR
logger.error("LDAP server is down: %s", e)
sys.exit(1)
else:
sys.exit(0)
localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
open(paths.DNSSEC_SOFTHSM_PIN).read())
ldap2replica_master_keys_sync(ldapkeydb, localhsm)
ldap2replica_zone_keys_sync(ldapkeydb, localhsm)
sys.exit(0)
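Review bot: The SoftHSM PIN on the new side is read with `open(paths.DNSSEC_SOFTHSM_PIN).read()` inline in the `LocalHSM(...)` call, so the file object holding the PIN is never explicitly closed and its release depends on garbage collection; `with open(paths.DNSSEC_SOFTHSM_PIN) as f:` followed by `localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, f.read())` avoids that. The `@ -14,7 +14,6 @@` hunk also drops `from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL` while the new code still passes `SOFTHSM_DNSSEC_TOKEN_LABEL` to `LocalHSM`, which is a NameError at runtime unless the name is defined elsewhere in the file outside this view. Finally, the LDAP bind and the two `ldap2replica_*_sync` calls no longer run under a handler for `errors.NetworkError`/`errors.DatabaseError`, so an unreachable LDAP server now surfaces as a traceback and a generic exit status rather than the logged "LDAP server is down" failure; if that is intended, a comment saying so at the bind would help. These statements are top-level script code whose surrounding lines run outside the hunk.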


@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
#
@ -97,7 +97,7 @@ while watcher_running:
except ldap.INVALID_CREDENTIALS as e:
logger.exception('Login to LDAP server failed: %s', e)
sys.exit(1)
except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
except ldap.SERVER_DOWN as e:
logger.exception('LDAP server is down, going to retry: %s', e)
time.sleep(5)
continue
@ -116,5 +116,5 @@ while watcher_running:
while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
pass
except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
logger.error('syncrepl_poll: LDAP error (%s)', e)
logger.exception('syncrepl_poll: LDAP error (%s)', e)
sys.exit(1)
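Review bot: The bind handler in the `@ -97,7 +97,7 @@` hunk now catches only `ldap.SERVER_DOWN`, while the `syncrepl_poll` handler in the next hunk still catches `(ldap.SERVER_DOWN, ldap.CONNECT_ERROR)`; a `CONNECT_ERROR` raised while establishing the initial connection therefore bypasses the `time.sleep(5); continue` retry path and, unless an outer handler exists outside the hunk, ends the daemon with a traceback instead of a retry. Either use the same tuple in both places, `except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:`, or add a comment explaining why a connection error is fatal at bind time but retried during polling. Both hunks sit inside the `while watcher_running:` loop that begins outside the hunk.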


@ -1,4 +1,4 @@
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
#
@ -22,6 +22,7 @@ import os
import socket
import select
import sys
import sqlite3
import traceback
import dateutil.tz
@ -41,8 +42,6 @@ from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify
from ipaserver.dnssec.localhsm import LocalHSM
from ipaserver.dnssec import opendnssec
logger = logging.getLogger(os.path.basename(__file__))
DAEMONNAME = 'ipa-ods-exporter'
@ -234,19 +233,26 @@ def get_ldap_keys(ldap, zone_dn):
def get_ods_keys(zone_name):
# get zone ID
rows = db.get_zone_id(zone_name)
cur = db.execute("SELECT id FROM zones WHERE LOWER(name)=LOWER(?)",
(zone_name,))
rows = cur.fetchall()
if len(rows) != 1:
raise ValueError("exactly one DNS zone should exist in ODS DB")
zone_id = rows[0]
zone_id = rows[0][0]
# get relevant keys for given zone ID:
# ignore keys which were generated but not used yet
# key state check is using constants from
# OpenDNSSEC's enforcer/ksm/include/ksm/ksm.h
# WARNING! OpenDNSSEC version 1 and 2 are using different constants!
rows = db.get_keys_for_zone(zone_id)
cur = db.execute("SELECT kp.HSMkey_id, kp.generate, kp.algorithm, "
"dnsk.publish, dnsk.active, dnsk.retire, dnsk.dead, "
"dnsk.keytype, dnsk.state "
"FROM keypairs AS kp "
"JOIN dnsseckeys AS dnsk ON kp.id = dnsk.keypair_id "
"WHERE dnsk.zone_id = ?", (zone_id,))
keys = {}
for row in rows:
for row in cur:
key_data = sql2ldap_flags(row['keytype'])
if key_data.get('idnsSecKeyZONE') != 'TRUE':
raise ValueError("unexpected key type 0x%x" % row['keytype'])
@ -477,13 +483,11 @@ def receive_systemd_command():
sys.exit(1)
logger.debug('accepting new connection')
conn_tmp, _addr = sck.accept()
conn = opendnssec.ODSSignerConn(conn_tmp)
conn, _addr = sck.accept()
logger.debug('accepted new connection %s', repr(conn))
# this implements cmdhandler_handle_cmd() logic
cmd = conn.read_cmd()
cmd = conn.recv(ODS_SE_MAXLINE).strip()
# ODS uses an ASCII protocol, the rest of the code expects str
if six.PY3:
cmd = cmd.decode('ascii')
@ -544,7 +548,9 @@ def send_systemd_reply(conn, reply):
# This is necessary to let Enforcer to unlock the ODS DB.
if six.PY3:
reply = reply.encode('ascii')
conn.send_reply_and_close(reply)
conn.send(reply + b'\n')
conn.shutdown(socket.SHUT_RDWR)
conn.close()
def cmd2ods_zone_name(cmd):
# ODS stores zone name without trailing period
@ -560,11 +566,7 @@ def sync_zone(ldap, dns_dn, zone_name):
Key material has to be synchronized elsewhere.
Keep in mind that keys could be shared among multiple zones!"""
logger.debug('%s: synchronizing zone "%s"', zone_name, zone_name)
try:
ods_keys = get_ods_keys(zone_name)
except ValueError as e:
logger.error(str(e))
return
ods_keys = get_ods_keys(zone_name)
ods_keys_id = set(ods_keys.keys())
ldap_zone = get_ldap_zone(ldap, dns_dn, zone_name)
@ -722,14 +724,6 @@ except KeyError as e:
cmd = sys.argv[1]
exitcode, msg, zone_name, cmd = parse_command(cmd)
if exitcode:
logger.debug("parse_command returned exitcode: %d", exitcode)
if msg:
logger.debug("parse_command returned msg: %s", msg)
if zone_name:
logger.debug("parse_command returned zone_name: %s", zone_name)
if cmd:
logger.debug("parse_command returned cmd: %s", cmd)
if exitcode is not None:
if conn:
@ -753,7 +747,9 @@ try:
# Beware: Reply can be sent back only after DB is unlocked and closed
# otherwise ods-enforcerd will fail.
db = opendnssec.ODSDBConnection()
db = sqlite3.connect(paths.OPENDNSSEC_KASP_DB)
db.row_factory = sqlite3.Row
db.execute('BEGIN')
if zone_name is not None:
# only one zone should be processed
@ -763,8 +759,8 @@ try:
cleanup_ldap_zone(ldap, dns_dn, zone_name)
else:
# process all zones
for zone_name in db.get_zones():
sync_zone(ldap, dns_dn, zone_name)
for zone_row in db.execute("SELECT name FROM zones"):
sync_zone(ldap, dns_dn, zone_row['name'])
### DNSSEC master: DNSSEC key material purging
# references to old key material were removed above in sync_zone()
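Review bot: `send_systemd_reply` on the new side uses `conn.send(reply + b'\n')`, which on a stream socket may transmit only part of the buffer; given the comment just above that the enforcer unlocks the ODS DB only after receiving the reply, a short write would leave it waiting, so `conn.sendall(reply + b'\n')` is the safer call. In `sync_zone`, `get_ods_keys(zone_name)` is now called without handling the `ValueError` it raises for "exactly one DNS zone should exist in ODS DB" and "unexpected key type", so one inconsistent zone aborts the whole `for zone_row in db.execute("SELECT name FROM zones")` loop instead of being skipped; if failing hard is intended, a comment at the call site should say so. In `receive_systemd_command`, the single `conn.recv(ODS_SE_MAXLINE).strip()` assumes the entire command arrives in one read, which is probably acceptable for this small line-oriented protocol but deserves a comment. The zone-name queries use `?` placeholders, which is the right way to pass the name taken from the command into SQL.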


@ -7,7 +7,6 @@ After=ipa-ods-exporter.socket
EnvironmentFile=@sysconfenvdir@/ipa-ods-exporter
ExecStart=@libexecdir@/ipa/ipa-ods-exporter
User=@ODS_USER@
Group=@ODS_GROUP@
PrivateTmp=yes
Restart=on-failure
RestartSec=60s


@ -1,7 +1,5 @@
[Socket]
ListenStream=@runstatedir@/opendnssec/engine.sock
SocketUser=@ODS_USER@
SocketGroup=@ODS_GROUP@
ListenStream=@localstatedir@/run/opendnssec/engine.sock
[Install]
WantedBy=sockets.target
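Review bot: The socket unit on the new side declares only `ListenStream=`, so systemd creates `@localstatedir@/run/opendnssec/engine.sock` owned by root with the default `SocketMode=0666`, meaning any local account can connect and issue commands to ipa-ods-exporter, which the service unit runs as `@ODS_USER@`. If the only intended client is the OpenDNSSEC enforcer running as that user, `SocketUser=@ODS_USER@` together with `SocketMode=0660` keeps other local users off the control channel; if wider access is actually required, a comment in the unit naming the expected clients would let reviewers confirm that.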


@ -11,12 +11,13 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
$(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NSS_CFLAGS) \
$(SSSCERTMAP_CFLAGS) \
$(NULL)
@ -45,10 +46,6 @@ if BUILD_IPA_CERTAUTH_PLUGIN
ipadb_la_SOURCES += ipa_kdb_certauth.c
endif
if BUILD_IPA_KDCPOLICY_PLUGIN
ipadb_la_SOURCES += ipa_kdb_kdcpolicy.c
endif
ipadb_la_LDFLAGS = \
-avoid-version \
-module \
@ -59,6 +56,7 @@ ipadb_la_LIBADD = \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
$(NULL)
@ -87,10 +85,6 @@ if BUILD_IPA_CERTAUTH_PLUGIN
ipa_kdb_tests_SOURCES += ipa_kdb_certauth.c
endif
if BUILD_IPA_KDCPOLICY_PLUGIN
ipa_kdb_tests_SOURCES += ipa_kdb_kdcpolicy.c
endif
ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
ipa_kdb_tests_LDADD = \
$(CMOCKA_LIBS) \
@ -98,41 +92,13 @@ ipa_kdb_tests_LDADD = \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
-lkdb5 \
-lsss_idmap \
$(NULL)
appdir = $(libexecdir)/ipa
app_PROGRAMS = ipa-print-pac
ipa_print_pac_SOURCES = ipa-print-pac.c \
$(NULL)
ipa_print_pac_CFLAGS = \
-I$(srcdir) \
-I$(top_srcdir)/util \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\"\
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
$(AM_CFLAGS) \
$(POPT_CFLAGS) \
$(KRB5_CFLAGS) \
$(KRB5_GSSAPI_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NULL)
ipa_print_pac_LDADD = \
$(KRB5_GSSAPI_LIBS) \
$(KRB5_LIBS) \
$(NDRPAC_LIBS) \
$(POPT_LIBS) \
$(NULL)
clean-local:
rm -f tests/.dirstamp


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -15,7 +15,6 @@
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
@ -91,12 +90,9 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__append_1 = ipa_kdb_certauth.c
@BUILD_IPA_KDCPOLICY_PLUGIN_TRUE@am__append_2 = ipa_kdb_kdcpolicy.c
@HAVE_CMOCKA_TRUE@TESTS = ipa_kdb_tests$(EXEEXT)
@HAVE_CMOCKA_TRUE@check_PROGRAMS = ipa_kdb_tests$(EXEEXT)
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__append_3 = ipa_kdb_certauth.c
@BUILD_IPA_KDCPOLICY_PLUGIN_TRUE@am__append_4 = ipa_kdb_kdcpolicy.c
app_PROGRAMS = ipa-print-pac$(EXEEXT)
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__append_2 = ipa_kdb_certauth.c
subdir = daemons/ipa-kdb
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
@ -116,8 +112,6 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(plugindir)"
PROGRAMS = $(app_PROGRAMS)
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -145,25 +139,23 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
ipadb_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(top_builddir)/util/libutil.la \
$(am__DEPENDENCIES_1)
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/util/libutil.la $(am__DEPENDENCIES_1)
am__ipadb_la_SOURCES_DIST = ipa_kdb.c ipa_kdb.h ipa_kdb_common.c \
ipa_kdb_mkey.c ipa_kdb_passwords.c ipa_kdb_principals.c \
ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c ipa_kdb_mspac_private.h \
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c \
ipa_kdb_kdcpolicy.c
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c
am__objects_1 =
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__objects_2 = ipa_kdb_certauth.lo
@BUILD_IPA_KDCPOLICY_PLUGIN_TRUE@am__objects_3 = ipa_kdb_kdcpolicy.lo
am_ipadb_la_OBJECTS = ipa_kdb.lo ipa_kdb_common.lo ipa_kdb_mkey.lo \
ipa_kdb_passwords.lo ipa_kdb_principals.lo \
ipa_kdb_pwdpolicy.lo ipa_kdb_mspac.lo ipa_kdb_delegation.lo \
ipa_kdb_audit_as.lo $(am__objects_1) $(am__objects_2) \
$(am__objects_3)
ipa_kdb_audit_as.lo $(am__objects_1) $(am__objects_2)
ipadb_la_OBJECTS = $(am_ipadb_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@ -172,23 +164,12 @@ am__v_lt_1 =
ipadb_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(ipadb_la_LDFLAGS) $(LDFLAGS) -o $@
am_ipa_print_pac_OBJECTS = ipa_print_pac-ipa-print-pac.$(OBJEXT) \
$(am__objects_1)
ipa_print_pac_OBJECTS = $(am_ipa_print_pac_OBJECTS)
ipa_print_pac_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
ipa_print_pac_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(ipa_print_pac_CFLAGS) \
$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
am__ipa_kdb_tests_SOURCES_DIST = tests/ipa_kdb_tests.c ipa_kdb.c \
ipa_kdb_common.c ipa_kdb_mkey.c ipa_kdb_passwords.c \
ipa_kdb_principals.c ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c \
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c \
ipa_kdb_kdcpolicy.c
ipa_kdb_delegation.c ipa_kdb_audit_as.c ipa_kdb_certauth.c
am__dirstamp = $(am__leading_dot)dirstamp
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__objects_4 = ipa_kdb_tests-ipa_kdb_certauth.$(OBJEXT)
@BUILD_IPA_KDCPOLICY_PLUGIN_TRUE@am__objects_5 = ipa_kdb_tests-ipa_kdb_kdcpolicy.$(OBJEXT)
@BUILD_IPA_CERTAUTH_PLUGIN_TRUE@am__objects_3 = ipa_kdb_tests-ipa_kdb_certauth.$(OBJEXT)
am_ipa_kdb_tests_OBJECTS = \
tests/ipa_kdb_tests-ipa_kdb_tests.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb.$(OBJEXT) \
@ -200,7 +181,7 @@ am_ipa_kdb_tests_OBJECTS = \
ipa_kdb_tests-ipa_kdb_mspac.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_delegation.$(OBJEXT) \
ipa_kdb_tests-ipa_kdb_audit_as.$(OBJEXT) $(am__objects_1) \
$(am__objects_4) $(am__objects_5)
$(am__objects_3)
am__dist_ipa_kdb_tests_SOURCES_DIST = tests/test_setup.sh
dist_ipa_kdb_tests_OBJECTS =
ipa_kdb_tests_OBJECTS = $(am_ipa_kdb_tests_OBJECTS) \
@ -208,8 +189,8 @@ ipa_kdb_tests_OBJECTS = $(am_ipa_kdb_tests_OBJECTS) \
ipa_kdb_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(top_builddir)/util/libutil.la \
$(am__DEPENDENCIES_1)
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/util/libutil.la $(am__DEPENDENCIES_1)
ipa_kdb_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(ipa_kdb_tests_CFLAGS) \
$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
@ -233,8 +214,7 @@ am__depfiles_remade = ./$(DEPDIR)/ipa_kdb.Plo \
./$(DEPDIR)/ipa_kdb_certauth.Plo \
./$(DEPDIR)/ipa_kdb_common.Plo \
./$(DEPDIR)/ipa_kdb_delegation.Plo \
./$(DEPDIR)/ipa_kdb_kdcpolicy.Plo ./$(DEPDIR)/ipa_kdb_mkey.Plo \
./$(DEPDIR)/ipa_kdb_mspac.Plo \
./$(DEPDIR)/ipa_kdb_mkey.Plo ./$(DEPDIR)/ipa_kdb_mspac.Plo \
./$(DEPDIR)/ipa_kdb_passwords.Plo \
./$(DEPDIR)/ipa_kdb_principals.Plo \
./$(DEPDIR)/ipa_kdb_pwdpolicy.Plo \
@ -243,13 +223,11 @@ am__depfiles_remade = ./$(DEPDIR)/ipa_kdb.Plo \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po \
./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po \
./$(DEPDIR)/ipa_print_pac-ipa-print-pac.Po \
tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
@ -270,9 +248,9 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
SOURCES = $(ipadb_la_SOURCES) $(ipa_print_pac_SOURCES) \
$(ipa_kdb_tests_SOURCES) $(dist_ipa_kdb_tests_SOURCES)
DIST_SOURCES = $(am__ipadb_la_SOURCES_DIST) $(ipa_print_pac_SOURCES) \
SOURCES = $(ipadb_la_SOURCES) $(ipa_kdb_tests_SOURCES) \
$(dist_ipa_kdb_tests_SOURCES)
DIST_SOURCES = $(am__ipadb_la_SOURCES_DIST) \
$(am__ipa_kdb_tests_SOURCES_DIST) \
$(am__dist_ipa_kdb_tests_SOURCES_DIST)
am__can_run_installinfo = \
@ -537,8 +515,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -581,10 +557,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -605,6 +582,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -692,9 +671,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@ -715,12 +692,13 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
$(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NSS_CFLAGS) \
$(SSSCERTMAP_CFLAGS) \
$(NULL)
@ -732,7 +710,7 @@ plugin_LTLIBRARIES = \
ipadb_la_SOURCES = ipa_kdb.c ipa_kdb.h ipa_kdb_common.c ipa_kdb_mkey.c \
ipa_kdb_passwords.c ipa_kdb_principals.c ipa_kdb_pwdpolicy.c \
ipa_kdb_mspac.c ipa_kdb_mspac_private.h ipa_kdb_delegation.c \
ipa_kdb_audit_as.c $(NULL) $(am__append_1) $(am__append_2)
ipa_kdb_audit_as.c $(NULL) $(am__append_1)
dist_noinst_DATA = ipa_kdb.exports
ipadb_la_LDFLAGS = \
-avoid-version \
@ -744,6 +722,7 @@ ipadb_la_LIBADD = \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
$(NULL)
@ -754,7 +733,7 @@ ipa_kdb_tests_SOURCES = tests/ipa_kdb_tests.c ipa_kdb.c \
ipa_kdb_common.c ipa_kdb_mkey.c ipa_kdb_passwords.c \
ipa_kdb_principals.c ipa_kdb_pwdpolicy.c ipa_kdb_mspac.c \
ipa_kdb_delegation.c ipa_kdb_audit_as.c $(NULL) \
$(am__append_3) $(am__append_4)
$(am__append_2)
ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
ipa_kdb_tests_LDADD = \
$(CMOCKA_LIBS) \
@ -762,40 +741,13 @@ ipa_kdb_tests_LDADD = \
$(LDAP_LIBS) \
$(NDRPAC_LIBS) \
$(UNISTRING_LIBS) \
$(NSS_LIBS) \
$(SSSCERTMAP_LIBS) \
$(top_builddir)/util/libutil.la \
-lkdb5 \
-lsss_idmap \
$(NULL)
appdir = $(libexecdir)/ipa
ipa_print_pac_SOURCES = ipa-print-pac.c \
$(NULL)
ipa_print_pac_CFLAGS = \
-I$(srcdir) \
-I$(top_srcdir)/util \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\"\
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
$(AM_CFLAGS) \
$(POPT_CFLAGS) \
$(KRB5_CFLAGS) \
$(KRB5_GSSAPI_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRPAC_CFLAGS) \
$(NULL)
ipa_print_pac_LDADD = \
$(KRB5_GSSAPI_LIBS) \
$(KRB5_LIBS) \
$(NDRPAC_LIBS) \
$(POPT_LIBS) \
$(NULL)
EXTRA_DIST = \
README \
README.s4u2proxy.txt \
@ -834,55 +786,6 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-appPROGRAMS: $(app_PROGRAMS)
@$(NORMAL_INSTALL)
@list='$(app_PROGRAMS)'; test -n "$(appdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(appdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(appdir)" || exit 1; \
fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p \
|| test -f $$p1 \
; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' \
-e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(appdir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(appdir)$$dir" || exit $$?; \
} \
; done
uninstall-appPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(app_PROGRAMS)'; test -n "$(appdir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' \
`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(appdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(appdir)" && rm -f $$files
clean-appPROGRAMS:
@list='$(app_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
clean-checkPROGRAMS:
@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
@ -930,10 +833,6 @@ clean-pluginLTLIBRARIES:
ipadb.la: $(ipadb_la_OBJECTS) $(ipadb_la_DEPENDENCIES) $(EXTRA_ipadb_la_DEPENDENCIES)
$(AM_V_CCLD)$(ipadb_la_LINK) -rpath $(plugindir) $(ipadb_la_OBJECTS) $(ipadb_la_LIBADD) $(LIBS)
ipa-print-pac$(EXEEXT): $(ipa_print_pac_OBJECTS) $(ipa_print_pac_DEPENDENCIES) $(EXTRA_ipa_print_pac_DEPENDENCIES)
@rm -f ipa-print-pac$(EXEEXT)
$(AM_V_CCLD)$(ipa_print_pac_LINK) $(ipa_print_pac_OBJECTS) $(ipa_print_pac_LDADD) $(LIBS)
tests/$(am__dirstamp):
@$(MKDIR_P) tests
@: > tests/$(am__dirstamp)
@ -959,7 +858,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_certauth.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_common.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_delegation.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_kdcpolicy.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_mkey.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_mspac.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_passwords.Plo@am__quote@ # am--include-marker
@ -970,13 +868,11 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_print_pac-ipa-print-pac.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@ -1009,20 +905,6 @@ am--depfiles: $(am__depfiles_remade)
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
ipa_print_pac-ipa-print-pac.o: ipa-print-pac.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_print_pac_CFLAGS) $(CFLAGS) -MT ipa_print_pac-ipa-print-pac.o -MD -MP -MF $(DEPDIR)/ipa_print_pac-ipa-print-pac.Tpo -c -o ipa_print_pac-ipa-print-pac.o `test -f 'ipa-print-pac.c' || echo '$(srcdir)/'`ipa-print-pac.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_print_pac-ipa-print-pac.Tpo $(DEPDIR)/ipa_print_pac-ipa-print-pac.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa-print-pac.c' object='ipa_print_pac-ipa-print-pac.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_print_pac_CFLAGS) $(CFLAGS) -c -o ipa_print_pac-ipa-print-pac.o `test -f 'ipa-print-pac.c' || echo '$(srcdir)/'`ipa-print-pac.c
ipa_print_pac-ipa-print-pac.obj: ipa-print-pac.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_print_pac_CFLAGS) $(CFLAGS) -MT ipa_print_pac-ipa-print-pac.obj -MD -MP -MF $(DEPDIR)/ipa_print_pac-ipa-print-pac.Tpo -c -o ipa_print_pac-ipa-print-pac.obj `if test -f 'ipa-print-pac.c'; then $(CYGPATH_W) 'ipa-print-pac.c'; else $(CYGPATH_W) '$(srcdir)/ipa-print-pac.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_print_pac-ipa-print-pac.Tpo $(DEPDIR)/ipa_print_pac-ipa-print-pac.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa-print-pac.c' object='ipa_print_pac-ipa-print-pac.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_print_pac_CFLAGS) $(CFLAGS) -c -o ipa_print_pac-ipa-print-pac.obj `if test -f 'ipa-print-pac.c'; then $(CYGPATH_W) 'ipa-print-pac.c'; else $(CYGPATH_W) '$(srcdir)/ipa-print-pac.c'; fi`
tests/ipa_kdb_tests-ipa_kdb_tests.o: tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT tests/ipa_kdb_tests-ipa_kdb_tests.o -MD -MP -MF tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo -c -o tests/ipa_kdb_tests-ipa_kdb_tests.o `test -f 'tests/ipa_kdb_tests.c' || echo '$(srcdir)/'`tests/ipa_kdb_tests.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Tpo tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
@ -1177,20 +1059,6 @@ ipa_kdb_tests-ipa_kdb_certauth.obj: ipa_kdb_certauth.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_certauth.obj `if test -f 'ipa_kdb_certauth.c'; then $(CYGPATH_W) 'ipa_kdb_certauth.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_certauth.c'; fi`
ipa_kdb_tests-ipa_kdb_kdcpolicy.o: ipa_kdb_kdcpolicy.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb_kdcpolicy.o -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Tpo -c -o ipa_kdb_tests-ipa_kdb_kdcpolicy.o `test -f 'ipa_kdb_kdcpolicy.c' || echo '$(srcdir)/'`ipa_kdb_kdcpolicy.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa_kdb_kdcpolicy.c' object='ipa_kdb_tests-ipa_kdb_kdcpolicy.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_kdcpolicy.o `test -f 'ipa_kdb_kdcpolicy.c' || echo '$(srcdir)/'`ipa_kdb_kdcpolicy.c
ipa_kdb_tests-ipa_kdb_kdcpolicy.obj: ipa_kdb_kdcpolicy.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -MT ipa_kdb_tests-ipa_kdb_kdcpolicy.obj -MD -MP -MF $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Tpo -c -o ipa_kdb_tests-ipa_kdb_kdcpolicy.obj `if test -f 'ipa_kdb_kdcpolicy.c'; then $(CYGPATH_W) 'ipa_kdb_kdcpolicy.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_kdcpolicy.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Tpo $(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipa_kdb_kdcpolicy.c' object='ipa_kdb_tests-ipa_kdb_kdcpolicy.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_kdb_tests_CFLAGS) $(CFLAGS) -c -o ipa_kdb_tests-ipa_kdb_kdcpolicy.obj `if test -f 'ipa_kdb_kdcpolicy.c'; then $(CYGPATH_W) 'ipa_kdb_kdcpolicy.c'; else $(CYGPATH_W) '$(srcdir)/ipa_kdb_kdcpolicy.c'; fi`
mostlyclean-libtool:
-rm -f *.lo
@ -1449,9 +1317,9 @@ check-am: all-am
$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
$(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(DATA)
all-am: Makefile $(LTLIBRARIES) $(DATA)
installdirs:
for dir in "$(DESTDIR)$(appdir)" "$(DESTDIR)$(plugindir)"; do \
for dir in "$(DESTDIR)$(plugindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@ -1491,9 +1359,8 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-appPROGRAMS clean-checkPROGRAMS clean-generic \
clean-libtool clean-local clean-pluginLTLIBRARIES \
mostlyclean-am
clean-am: clean-checkPROGRAMS clean-generic clean-libtool clean-local \
clean-pluginLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -f ./$(DEPDIR)/ipa_kdb.Plo
@ -1501,7 +1368,6 @@ distclean: distclean-am
-rm -f ./$(DEPDIR)/ipa_kdb_certauth.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_common.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_delegation.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_kdcpolicy.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mkey.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mspac.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_passwords.Plo
@ -1512,13 +1378,11 @@ distclean: distclean-am
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po
-rm -f ./$(DEPDIR)/ipa_print_pac-ipa-print-pac.Po
-rm -f tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
@ -1536,7 +1400,7 @@ info: info-am
info-am:
install-data-am: install-appPROGRAMS install-pluginLTLIBRARIES
install-data-am: install-pluginLTLIBRARIES
install-dvi: install-dvi-am
@ -1570,7 +1434,6 @@ maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/ipa_kdb_certauth.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_common.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_delegation.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_kdcpolicy.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mkey.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_mspac.Plo
-rm -f ./$(DEPDIR)/ipa_kdb_passwords.Plo
@ -1581,13 +1444,11 @@ maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_certauth.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_common.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_delegation.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_kdcpolicy.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mkey.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_mspac.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_passwords.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_principals.Po
-rm -f ./$(DEPDIR)/ipa_kdb_tests-ipa_kdb_pwdpolicy.Po
-rm -f ./$(DEPDIR)/ipa_print_pac-ipa-print-pac.Po
-rm -f tests/$(DEPDIR)/ipa_kdb_tests-ipa_kdb_tests.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@ -1605,17 +1466,16 @@ ps: ps-am
ps-am:
uninstall-am: uninstall-appPROGRAMS uninstall-pluginLTLIBRARIES
uninstall-am: uninstall-pluginLTLIBRARIES
.MAKE: check-am install-am install-strip
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
check-am clean clean-appPROGRAMS clean-checkPROGRAMS \
clean-generic clean-libtool clean-local \
clean-pluginLTLIBRARIES cscopelist-am ctags ctags-am distclean \
distclean-compile distclean-generic distclean-libtool \
distclean-tags distdir dvi dvi-am html html-am info info-am \
install install-am install-appPROGRAMS install-data \
check-am clean clean-checkPROGRAMS clean-generic clean-libtool \
clean-local clean-pluginLTLIBRARIES cscopelist-am ctags \
ctags-am distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
@ -1624,7 +1484,7 @@ uninstall-am: uninstall-appPROGRAMS uninstall-pluginLTLIBRARIES
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
pdf pdf-am ps ps-am recheck tags tags-am uninstall \
uninstall-am uninstall-appPROGRAMS uninstall-pluginLTLIBRARIES
uninstall-am uninstall-pluginLTLIBRARIES
.PRECIOUS: Makefile


@ -1,19 +1 @@
This is the ipa krb5kdc database backend.
As the KDB interfaces heavily with krb5, we inherit its code style as well.
However, note the following changes:
- no modelines (and different file preamble)
- return types don't require their own line
- single-statement blocks may optionally be braced
- /* and */ do not ever get their own line
- C99 for-loops are permitted (and encouraged)
- a restricted set of other C99 features are permitted
In particular, variable-length arrays, flexible array members, compound
literals, universal character names, and //-style comments are not permitted.
Use of regular malloc/free is preferred over talloc for new code.
By and large, existing code mostly conforms to these requirements. New code
must conform to them.


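--- a/ipa-print-pac.c
+++ b/ipa-print-pac.c
@@ -1,723 +0,0 @@
-/*
-* Copyright (C) 2020 FreeIPA Contributors see COPYING for license
-*/
-#include <gen_ndr/ndr_krb5pac.h>
-#include <gssapi/gssapi_ext.h>
-#include <gssapi/gssapi_krb5.h>
-#include <ndr.h>
-#include <popt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-#include <strings.h>
-#define IPAPWD_PASSWORD_MAX_LEN 1024
-typedef enum {
-OP_SERVICE_TICKET,
-OP_IMPERSONATE
-} pac_operation_t;
-pac_operation_t operation = OP_SERVICE_TICKET;
-char *keytab_path = NULL;
-char *ccache_path = NULL;
-bool init_tgt = true;
-const gss_OID *import_name_oid = &GSS_C_NT_USER_NAME;
-TALLOC_CTX *frame = NULL;
-gss_OID_desc mech_krb5 = {9, "\052\206\110\206\367\022\001\002\002"};
-/* NDR printing interface passes flags but the actual public print function
-* does not accept flags. Generated ndr helpers actually have a small wrapper
-* but since it is a static to the generated C code unit, we have to reimplement
-* it here.
-*/
-static void
-print_flags_PAC_DATA(struct ndr_print *ndr,
-const char *name,
-int unused,
-const struct PAC_DATA *r)
-{
-ndr_print_PAC_DATA(ndr, name, r);
-}
-/*
-* Print content of a PAC buffer, annotated by the libndr helpers
-*/
-static void
-print_pac(gss_buffer_desc *pac, gss_buffer_desc *display)
-{
-struct ndr_print *ndr = NULL;
-DATA_BLOB blob;
-struct ndr_pull *ndr_pull = NULL;
-void *st = NULL;
-int flags = NDR_SCALARS | NDR_BUFFERS;
-enum ndr_err_code ndr_err;
-struct ndr_interface_call ndr_call = {
-.name = "PAC_DATA",
-.struct_size = sizeof(struct PAC_DATA),
-.ndr_push = (ndr_push_flags_fn_t)ndr_push_PAC_DATA,
-.ndr_pull = (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA,
-.ndr_print = (ndr_print_function_t)print_flags_PAC_DATA,
-};
-ndr = talloc_zero(frame, struct ndr_print);
-ndr->print = ndr_print_string_helper;
-ndr->depth = 0;
-blob = data_blob_const(pac->value, pac->length);
-ndr_pull = ndr_pull_init_blob(&blob, ndr);
-ndr_pull->flags = LIBNDR_FLAG_REF_ALLOC;
-st = talloc_zero_size(ndr, ndr_call.struct_size);
-ndr_err = ndr_call.ndr_pull(ndr_pull, flags, st);
-if (ndr_err) {
-fprintf(stderr,
-"Error parsing buffer '%.*s': %s\n",
-(int)display->length,
-(char *)display->value,
-ndr_map_error2string(ndr_err));
-return;
-}
-ndr_call.ndr_print(ndr, ndr_call.name, flags, st);
-printf("%s\n", (char *)ndr->private_data);
-talloc_free(ndr);
-}
-static void
-display_error(int type, OM_uint32 code)
-{
-OM_uint32 min, ctx = 0;
-gss_buffer_desc status;
-do {
-(void)gss_display_status(&min, code, type, GSS_C_NO_OID, &ctx, &status);
-fprintf(stderr, "%.*s\n", (int)status.length, (char *)status.value);
-gss_release_buffer(&min, &status);
-} while (ctx != 0);
-}
-static void
-log_error(const char *fn, uint32_t maj, uint32_t min)
-{
-fprintf(stderr, "%s: ", fn);
-display_error(GSS_C_GSS_CODE, maj);
-display_error(GSS_C_MECH_CODE, min);
-}
-static gss_name_t
-import_name(const char *name)
-{
-OM_uint32 maj, min;
-gss_name_t gss_name;
-gss_name = GSS_C_NO_NAME;
-gss_buffer_desc buff = GSS_C_EMPTY_BUFFER;
-buff.value = (void *)name;
-buff.length = strlen(name);
-maj = gss_import_name(&min, &buff, *import_name_oid, &gss_name);
-if (GSS_ERROR(maj)) {
-log_error("gss_import_name()", maj, min);
-return GSS_C_NO_NAME;
-}
-return gss_name;
-}
-static bool
-store_creds_into_cache(gss_cred_id_t creds, const char *cache)
-{
-OM_uint32 maj, min;
-gss_key_value_element_desc store_elm = {"ccache", cache};
-gss_key_value_set_desc store = {1, &store_elm};
-maj = gss_store_cred_into(
-&min, creds, GSS_C_INITIATE, GSS_C_NO_OID, 1, 1, &store, NULL, NULL);
-if (maj != GSS_S_COMPLETE) {
-log_error("gss_store_cred_into()", maj, min);
-return false;
-}
-return true;
-}
-static void
-dump_attribute(gss_name_t name, gss_buffer_t attribute)
-{
-OM_uint32 major, minor;
-gss_buffer_desc value;
-gss_buffer_desc display_value;
-int authenticated = 0;
-int complete = 0;
-int more = -1;
-int whole_pac = 0;
-whole_pac = attribute->length == strlen("urn:mspac:");
-while (more != 0) {
-value.value = NULL;
-display_value.value = NULL;
-major = gss_get_name_attribute(&minor,
-name,
-attribute,
-&authenticated,
-&complete,
-&value,
-&display_value,
-&more);
-if (GSS_ERROR(major)) {
-log_error("gss_get_name_attribute()", major, minor);
-return;
-}
-if (whole_pac) {
-print_pac(&value, attribute);
-}
-(void)gss_release_buffer(&minor, &value);
-(void)gss_release_buffer(&minor, &display_value);
-}
-}
-static void
-enumerate_attributes(gss_name_t name)
-{
-OM_uint32 major, minor;
-int is_mechname;
-gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
-size_t i;
-major = gss_inquire_name(&minor, name, &is_mechname, NULL, &attrs);
-if (GSS_ERROR(major)) {
-log_error("gss_inquire_name()", major, minor);
-return;
-}
-if (GSS_ERROR(major)) {
-printf("gss_inquire_name: (%d, %d)\n", major, minor);
-return;
-}
-if (attrs != GSS_C_NO_BUFFER_SET) {
-for (i = 0; i < attrs->count; i++)
-dump_attribute(name, &attrs->elements[i]);
-}
-(void)gss_release_buffer_set(&minor, &attrs);
-}
-static bool
-establish_contexts(gss_OID imech,
-gss_cred_id_t icred,
-gss_cred_id_t acred,
-gss_name_t tname,
-OM_uint32 flags,
-gss_ctx_id_t *ictx,
-gss_ctx_id_t *actx,
-gss_name_t *src_name,
-gss_OID *amech,
-gss_cred_id_t *deleg_cred)
-{
-OM_uint32 minor, imaj, amaj;
-gss_buffer_desc itok, atok;
-*ictx = *actx = GSS_C_NO_CONTEXT;
-imaj = amaj = GSS_S_CONTINUE_NEEDED;
-itok.value = atok.value = NULL;
-itok.length = atok.length = 0;
-for (;;) {
-(void)gss_release_buffer(&minor, &itok);
-imaj = gss_init_sec_context(&minor,
-icred,
-ictx,
-tname,
-imech,
-flags,
-GSS_C_INDEFINITE,
-GSS_C_NO_CHANNEL_BINDINGS,
-&atok,
-NULL,
-&itok,
-NULL,
-NULL);
-if (GSS_ERROR(imaj)) {
-log_error("gss_init_sec_context()", imaj, minor);
-return false;
-}
-if (amaj == GSS_S_COMPLETE)
-break;
-(void)gss_release_buffer(&minor, &atok);
-amaj = gss_accept_sec_context(&minor,
-actx,
-acred,
-&itok,
-GSS_C_NO_CHANNEL_BINDINGS,
-src_name,
-amech,
-&atok,
-NULL,
-NULL,
-deleg_cred);
-if (GSS_ERROR(amaj)) {
-log_error("gss_accept_sec_context()", amaj, minor);
-return false;
-}
-(void)gss_release_buffer(&minor, &itok);
-if (imaj == GSS_S_COMPLETE) {
-break;
-}
-}
-if (imaj != GSS_S_COMPLETE || amaj != GSS_S_COMPLETE) {
-printf("One side wants to continue after the other is done");
-return false;
-}
-(void)gss_release_buffer(&minor, &itok);
-(void)gss_release_buffer(&minor, &atok);
-return true;
-}
-static bool
-init_accept_sec_context(gss_cred_id_t claimant_cred_handle,
-gss_cred_id_t verifier_cred_handle,
-gss_cred_id_t *deleg_cred_handle)
-{
-OM_uint32 maj, min, flags;
-gss_name_t source_name = GSS_C_NO_NAME, target_name = GSS_C_NO_NAME;
-gss_ctx_id_t initiator_context, acceptor_context;
-gss_OID mech = &mech_krb5;
-bool success = false;
-maj = gss_inquire_cred(
-&min, verifier_cred_handle, &target_name, NULL, NULL, NULL);
-if (GSS_ERROR(maj)) {
-log_error("gss_inquire_cred()", maj, min);
-goto done;
-}
-flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
-flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
-success = establish_contexts(mech,
-claimant_cred_handle,
-verifier_cred_handle,
-target_name,
-flags,
-&initiator_context,
-&acceptor_context,
-&source_name,
-&mech,
-deleg_cred_handle);
-if (success)
-enumerate_attributes(source_name);
-done:
-if (source_name != GSS_C_NO_NAME)
-(void)gss_release_name(&min, &source_name);
-if (target_name != GSS_C_NO_NAME)
-(void)gss_release_name(&min, &target_name);
-if (initiator_context != NULL)
-(void)gss_delete_sec_context(&min, &initiator_context, NULL);
-if (acceptor_context != NULL)
-(void)gss_delete_sec_context(&min, &acceptor_context, NULL);
-return success;
-}
-static bool
-init_creds(gss_cred_id_t *service_creds, gss_cred_usage_t intent)
-{
-OM_uint32 maj, min;
-gss_key_value_element_desc keytab_elm = {"keytab", keytab_path};
-gss_key_value_set_desc store = {1, &keytab_elm};
-maj = gss_acquire_cred_from(&min,
-GSS_C_NO_NAME,
-GSS_C_INDEFINITE,
-GSS_C_NO_OID_SET,
-intent,
-(keytab_path != NULL) ? &store : NULL,
-service_creds,
-NULL,
-NULL);
-if (GSS_ERROR(maj)) {
-log_error("gss_acquire_cred", maj, min);
-return false;
-}
-return true;
-}
-static bool
-impersonate(const char *name)
-{
-OM_uint32 maj, min;
-gss_name_t desired_principal = GSS_C_NO_NAME;
-gss_cred_id_t client_creds = GSS_C_NO_CREDENTIAL;
-gss_cred_id_t service_creds = GSS_C_NO_CREDENTIAL;
-gss_cred_id_t delegated_creds = GSS_C_NO_CREDENTIAL;
-bool success = false;
-if (!init_creds(&service_creds, GSS_C_BOTH)) {
-goto done;
-}
-desired_principal = import_name(name);
-if (desired_principal == GSS_C_NO_NAME) {
-goto done;
-}
-maj = gss_acquire_cred_impersonate_name(&min,
-service_creds,
-desired_principal,
-GSS_C_INDEFINITE,
-GSS_C_NO_OID_SET,
-GSS_C_INITIATE,
-&client_creds,
-NULL,
-NULL);
-if (GSS_ERROR(maj)) {
-log_error("gss_acquire_cred_impersonate_name()", maj, min);
-goto done;
-}
-if (ccache_path != NULL) {
-if (!store_creds_into_cache(client_creds, ccache_path)) {
-fprintf(stderr, "Failed to store credentials in cache\n");
-goto done;
-}
-}
-fprintf(stderr, "Acquired credentials for %s\n", name);
-init_accept_sec_context(client_creds, service_creds, &delegated_creds);
-if (delegated_creds != GSS_C_NO_CREDENTIAL) {
-gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
-/* Inquire impersonator status. */
-maj = gss_inquire_cred_by_oid(
-&min, client_creds, GSS_KRB5_GET_CRED_IMPERSONATOR, &bufset);
-if (GSS_ERROR(maj)) {
-log_error("gss_inquire_cred_by_oid()", maj, min);
-goto done;
-}
-if (bufset->count == 0) {
-log_error("gss_inquire_cred_by_oid(user) returned NO impersonator", 0, 0);
-goto done;
-}
-(void)gss_release_buffer_set(&min, &bufset);
-maj = gss_inquire_cred_by_oid(
-&min, service_creds, GSS_KRB5_GET_CRED_IMPERSONATOR, &bufset);
-if (GSS_ERROR(maj)) {
-log_error("gss_inquire_cred_by_oid()", maj, min);
-goto done;
-}
-if (bufset->count != 0) {
-log_error("gss_inquire_cred_by_oid(svc) returned an impersonator", 0, 0);
-goto done;
-}
-(void)gss_release_buffer_set(&min, &bufset);
-success = true;
-}
-done:
-if (desired_principal != GSS_C_NO_NAME)
-gss_release_name(&min, &desired_principal);
-if (client_creds != GSS_C_NO_CREDENTIAL)
-gss_release_cred(&min, &client_creds);
-if (service_creds != GSS_C_NO_CREDENTIAL)
-gss_release_cred(&min, &service_creds);
-if (delegated_creds != GSS_C_NO_CREDENTIAL)
-gss_release_cred(&min, &delegated_creds);
-return success;
-}
-static bool
-init_with_password(const char *name, const char *password)
-{
-OM_uint32 maj, min;
-gss_name_t desired_principal = GSS_C_NO_NAME;
-gss_cred_id_t client_creds = GSS_C_NO_CREDENTIAL;
-gss_cred_id_t service_creds = GSS_C_NO_CREDENTIAL;
-gss_buffer_desc pwd_buf;
-bool success = false;
-if (!init_creds(&service_creds, GSS_C_ACCEPT)) {
-goto done;
-}
-desired_principal = import_name(name);
-if (desired_principal == GSS_C_NO_NAME) {
-goto done;
-}
-if (init_tgt && password != NULL) {
-pwd_buf.value = (void *)password;
-pwd_buf.length = strlen(password);
-maj = gss_acquire_cred_with_password(&min,
-desired_principal,
-&pwd_buf,
-GSS_C_INDEFINITE,
-GSS_C_NO_OID_SET,
-GSS_C_INITIATE,
-&client_creds,
-NULL,
-NULL);
-if (GSS_ERROR(maj)) {
-log_error("gss_acquire_cred_with_password()", maj, min);
-goto done;
-}
-}
-if ((ccache_path != NULL) && (client_creds != GSS_C_NO_CREDENTIAL)) {
-if (!store_creds_into_cache(client_creds, ccache_path)) {
-fprintf(stderr, "Failed to store credentials in cache\n");
-goto done;
-}
-}
-if (client_creds != GSS_C_NO_CREDENTIAL)
-fprintf(stderr, "Acquired credentials for %s\n", name);
-success = init_accept_sec_context(client_creds, service_creds, NULL);
-done:
-if (service_creds != GSS_C_NO_CREDENTIAL)
-gss_release_cred(&min, &client_creds);
-if (client_creds != GSS_C_NO_CREDENTIAL)
-gss_release_cred(&min, &client_creds);
-if (desired_principal != GSS_C_NO_NAME)
-gss_release_name(&min, &desired_principal);
-return success;
-}
-struct poptOption popt_options[] = {
-{
-.longName = "enterprise",
-.shortName = 'E',
-.argInfo = POPT_ARG_NONE | POPT_ARGFLAG_OPTIONAL,
-.val = 'E',
-.descrip = "Treat the user principal as an enterprise name",
-},
-{
-.longName = "ccache",
-.shortName = 'c',
-.argInfo = POPT_ARG_STRING | POPT_ARGFLAG_OPTIONAL,
-.val = 'c',
-.descrip = "Credentials cache file to save acquired tickets to. "
-"Tickets aren't saved by default",
-.argDescrip = "CCACHE-PATH",
-},
-{
-.longName = "keytab",
-.shortName = 'k',
-.argInfo = POPT_ARG_STRING | POPT_ARGFLAG_OPTIONAL,
-.val = 'k',
-.descrip = "Keytab for a service key to acquire service ticket for. "
-"Default keytab is used if omitted",
-.argDescrip = "KEYTAB-PATH",
-},
-{
-.longName = "reuse",
-.shortName = 'r',
-.argInfo = POPT_ARG_NONE | POPT_ARGFLAG_OPTIONAL,
-.val = 'r',
-.descrip = "Re-use user principal's TGT from a default ccache",
-},
-{
-.longName = "help",
-.shortName = 'h',
-.argInfo = POPT_ARG_NONE | POPT_ARGFLAG_OPTIONAL,
-.val = 'h',
-.descrip = "Show this help message",
-},
-POPT_TABLEEND};
-static void
-print_help(poptContext pc, const char *name)
-{
-const char *help = ""
-"Usage: %s [options] {impersonate|ticket} user@realm\n\n"
-"Print MS-PAC structure from a service ticket.\n\n"
-"Operation 'impersonate':\n"
-"\tExpects a TGT for a service in the default ccache and attempts to "
-"obtain a service\n"
-"\tticket to itself by performing a protocol transition for the specified "
-"user (S4U2Self).\n\n"
-"Operation 'ticket':\n"
-"\tExpects a user password to be provided, acquires ticket granting ticket "
-"and attempts to \n"
-"\tobtain a service ticket to the specified service.\n\n"
-"Resulting service ticket can be stored in the credential cache file "
-"specified by '-c file' option.\n\n"
-"Defaults to the host principal service name and the host keytab.\n\n";
-fprintf(stderr, help, name);
-poptPrintHelp(pc, stderr, 0);
-}
-static char *
-ask_password(TALLOC_CTX *context, char *prompt1, char *prompt2, bool match)
-{
-krb5_prompt ap_prompts[2];
-krb5_data k5d_pw0;
-krb5_data k5d_pw1;
-#define MAX(a, b) (((a) > (b)) ? (a) : (b))
-#define PWD_BUFFER_SIZE MAX((IPAPWD_PASSWORD_MAX_LEN + 2), 1024)
-char pw0[PWD_BUFFER_SIZE];
-char pw1[PWD_BUFFER_SIZE];
-char *password;
-int num_prompts = match ? 2 : 1;
-k5d_pw0.length = sizeof(pw0);
-k5d_pw0.data = pw0;
-ap_prompts[0].prompt = prompt1;
-ap_prompts[0].hidden = 1;
-ap_prompts[0].reply = &k5d_pw0;
-if (match) {
-k5d_pw1.length = sizeof(pw1);
-k5d_pw1.data = pw1;
-ap_prompts[1].prompt = prompt2;
-ap_prompts[1].hidden = 1;
-ap_prompts[1].reply = &k5d_pw1;
-}
-/* krb5_prompter_posix does not use krb5_context internally */
-krb5_prompter_posix(NULL, NULL, NULL, NULL, num_prompts, ap_prompts);
-if (match && (strcmp(pw0, pw1))) {
-fprintf(stderr, "Passwords do not match!\n");
-return NULL;
-}
-if (k5d_pw0.length > IPAPWD_PASSWORD_MAX_LEN) {
-fprintf(stderr, "%s\n", "Password is too long!\n");
-return NULL;
-}
-password = talloc_strndup(context, pw0, k5d_pw0.length);
-if (!password)
-return NULL;
-return password;
-}
-int main(int argc, char *argv[])
-{
-int ret = 0, c = 0;
-const char **argv_const = discard_const_p(const char *, argv);
-const char **args = NULL;
-char *password = NULL;
-poptContext pc;
-frame = talloc_init("printpac");
-pc = poptGetContext(
-"printpac", argc, argv_const, popt_options, POPT_CONTEXT_KEEP_FIRST);
-while ((c = poptGetNextOpt(pc)) >= 0) {
-switch (c) {
-case 'c':
-ccache_path = talloc_strdup(frame, poptGetOptArg(pc));
-break;
-case 'E':
-import_name_oid = &GSS_KRB5_NT_ENTERPRISE_NAME;
-break;
-case 'k':
-keytab_path = talloc_strdup(frame, poptGetOptArg(pc));
-break;
-case 'r':
-init_tgt = false;
-break;
-case 'h':
-print_help(pc, argv[0]);
-ret = 0;
-goto done;
-}
-}
-if (c < -1) {
-fprintf(stderr,
-"%s: %s\n",
-poptBadOption(pc, POPT_BADOPTION_NOALIAS),
-poptStrerror(c));
-ret = 1;
-goto done;
-}
-args = poptGetArgs(pc);
-for (c = 0; args && args[c]; c++)
-;
-if (c < 3) {
-print_help(pc, args[0]);
-ret = 1;
-goto done;
-}
-c -= 2;
-if (strncasecmp("ticket", args[1], strlen("ticket")) == 0) {
-operation = OP_SERVICE_TICKET;
-if (init_tgt) {
-switch (c) {
-case 1:
-password = ask_password(frame, "Password", NULL, false);
-break;
-case 2:
-password = talloc_strdup(frame, args[3]);
-break;
-default:
-fprintf(stderr,
-"Service ticket needs user principal and password\n\n");
-print_help(pc, args[0]);
-ret = 1;
-goto done;
-break;
-}
-} else {
-if (c != 1) {
-fprintf(stderr, "Service ticket needs user principal and password\n\n");
-print_help(pc, args[0]);
-ret = 1;
-goto done;
-}
-}
-} else if (strncasecmp("impersonate", args[1], strlen("impersonate")) == 0) {
-operation = OP_IMPERSONATE;
-if (c != 1) {
-fprintf(stderr, "Impersonation ticket needs user principal\n\n");
-print_help(pc, args[0]);
-ret = 1;
-goto done;
-}
-} else {
-fprintf(stderr, "Wrong request type: %s\n\n", args[1]);
-print_help(pc, args[0]);
-ret = 1;
-goto done;
-}
-switch (operation) {
-case OP_IMPERSONATE:
-ret = impersonate(args[2]) != true;
-break;
-case OP_SERVICE_TICKET:
-ret = init_with_password(args[2], password) != true;
-break;
-}
-done:
-poptFreeContext(pc);
-talloc_free(frame);
-return ret;
-}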


@ -24,7 +24,6 @@
#include <sys/utsname.h>
#include "ipa_kdb.h"
#include "ipa_krb5.h"
#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
@ -60,7 +59,6 @@ static void ipadb_context_free(krb5_context kcontext,
free((*ctx)->supp_encs);
free((*ctx)->def_encs);
ipadb_mspac_struct_free(&(*ctx)->mspac);
krb5_free_principal(kcontext, (*ctx)->local_tgs);
krb5_free_default_realm(kcontext, (*ctx)->realm);
cfg = &(*ctx)->config;
@ -195,8 +193,6 @@ static const struct {
{ "password", IPADB_USER_AUTH_PASSWORD },
{ "radius", IPADB_USER_AUTH_RADIUS },
{ "otp", IPADB_USER_AUTH_OTP },
{ "pkinit", IPADB_USER_AUTH_PKINIT },
{ "hardened", IPADB_USER_AUTH_HARDENED },
{ }
};
@ -496,27 +492,6 @@ done:
return 0;
}
static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,
struct ipadb_context *ipactx)
{
krb5_principal tgtp;
unsigned int length = strlen(ipactx->realm);
krb5_error_code kerr = 0;
kerr = krb5_build_principal_ext(kcontext, &tgtp,
length,
ipactx->realm,
KRB5_TGS_NAME_SIZE,
KRB5_TGS_NAME,
length,
ipactx->realm, 0);
if (kerr != 0) {
return NULL;
}
return tgtp;
}
/* INTERFACE */
static krb5_error_code ipadb_init_library(void)
@ -578,12 +553,6 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
goto fail;
}
ipactx->local_tgs = ipadb_create_local_tgs(kcontext, ipactx);
if (!ipactx->local_tgs) {
ret = ENOMEM;
goto fail;
}
ipactx->base = ipadb_get_base_from_realm(kcontext);
if (!ipactx->base) {
ret = ENOMEM;
@ -617,9 +586,8 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
ret = ipadb_get_connection(ipactx);
if (ret != 0) {
/* Not a fatal failure, as the LDAP server may be temporarily down. */
krb5_klog_syslog(LOG_INFO,
"Didn't connect to LDAP on startup: %d", ret);
/* not a fatal failure, as the LDAP server may be temporarily down */
/* TODO: spam syslog with this error */
}
kerr = krb5_db_set_context(kcontext, ipactx);
@ -663,11 +631,57 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
return 0;
}
#if KRB5_KDB_DAL_MAJOR_VERSION == 5
static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
{
return realloc(ptr, size);
}
static void ipadb_free(krb5_context context, void *ptr)
{
free(ptr);
}
#endif
/* KDB Virtual Table */
/* We explicitly want to keep different ABI tables below separate. */
/* Do not merge them together. Older ABI does not need to be updated */
#if KRB5_KDB_DAL_MAJOR_VERSION == 5
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 0,
.init_library = ipadb_init_library,
.fini_library = ipadb_fini_library,
.init_module = ipadb_init_module,
.fini_module = ipadb_fini_module,
.create = ipadb_create,
.get_age = ipadb_get_age,
.get_principal = ipadb_get_principal,
.free_principal = ipadb_free_principal,
.put_principal = ipadb_put_principal,
.delete_principal = ipadb_delete_principal,
.iterate = ipadb_iterate,
.create_policy = ipadb_create_pwd_policy,
.get_policy = ipadb_get_pwd_policy,
.put_policy = ipadb_put_pwd_policy,
.iter_policy = ipadb_iterate_pwd_policy,
.delete_policy = ipadb_delete_pwd_policy,
.free_policy = ipadb_free_pwd_policy,
.alloc = ipadb_alloc,
.free = ipadb_free,
.fetch_master_key = ipadb_fetch_master_key,
.store_master_key_list = ipadb_store_master_key_list,
.change_pwd = ipadb_change_pwd,
.sign_authdata = ipadb_sign_authdata,
.check_transited_realms = ipadb_check_transited_realms,
.check_policy_as = ipadb_check_policy_as,
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
};
#endif
#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@ -733,72 +747,8 @@ kdb_vftabl kdb_function_table = {
};
#endif
#if (KRB5_KDB_DAL_MAJOR_VERSION == 8)
/* Version 8 adds several arguments here. However, if we want to actually use
* them in mspac, we really ought to drop support for older DAL versions. */
static inline krb5_error_code
stub_sign_authdata(krb5_context context, unsigned int flags,
krb5_const_principal client_princ,
krb5_const_principal server_princ, krb5_db_entry *client,
krb5_db_entry *server, krb5_db_entry *header_server,
krb5_db_entry *local_tgt, krb5_keyblock *client_key,
krb5_keyblock *server_key, krb5_keyblock *header_key,
krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
void *ad_info, krb5_data ***auth_indicators,
krb5_authdata ***signed_auth_data)
{
krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
client = header_server;
krbtgt = local_tgt;
krbtgt_key = local_tgt_key;
}
return ipadb_sign_authdata(context, flags, client_princ, client, server,
krbtgt, client_key, server_key, krbtgt_key,
session_key, authtime, tgt_auth_data,
signed_auth_data);
}
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = 0,
.init_library = ipadb_init_library,
.fini_library = ipadb_fini_library,
.init_module = ipadb_init_module,
.fini_module = ipadb_fini_module,
.create = ipadb_create,
.get_age = ipadb_get_age,
.get_principal = ipadb_get_principal,
.put_principal = ipadb_put_principal,
.delete_principal = ipadb_delete_principal,
.iterate = ipadb_iterate,
.create_policy = ipadb_create_pwd_policy,
.get_policy = ipadb_get_pwd_policy,
.put_policy = ipadb_put_pwd_policy,
.iter_policy = ipadb_iterate_pwd_policy,
.delete_policy = ipadb_delete_pwd_policy,
.fetch_master_key = ipadb_fetch_master_key,
.store_master_key_list = ipadb_store_master_key_list,
.change_pwd = ipadb_change_pwd,
.sign_authdata = stub_sign_authdata,
.check_transited_realms = ipadb_check_transited_realms,
.check_policy_as = ipadb_check_policy_as,
.audit_as_req = ipadb_audit_as_req,
.check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
.free_principal_e_data = ipadb_free_principal_e_data,
.get_s4u_x509_principal = NULL,
.allowed_to_delegate_from = NULL,
.get_authdata_info = NULL,
.free_authdata_info = NULL,
};
#endif
#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 8)
#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
(KRB5_KDB_DAL_MAJOR_VERSION != 7)
#error unsupported DAL major version
#endif
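Review bot: In the `ipadb_get_connection` failure branch of hunk `@ -617,9 +586,8 @@`, the side that appears to be the new one (the one ending with `/* TODO: spam syslog with this error */`) emits nothing, whereas the other side logs `krb5_klog_syslog(LOG_INFO, "Didn't connect to LDAP on startup: %d", ret);`. Because the failure is deliberately non-fatal, that log line is the only record an operator gets that the KDC came up without its directory connection, so the TODO should be resolved by keeping the single syslog call rather than leaving the branch silent. ipadb_init_module starts and ends outside the hunk.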


@ -4,7 +4,6 @@ EXPORTED {
global:
kdb_function_table;
certauth_ipakdb_initvt;
kdcpolicy_ipakdb_initvt;
# everything else is local
local:


@ -90,16 +90,6 @@ enum ipadb_user_auth {
IPADB_USER_AUTH_PASSWORD = 1 << 1,
IPADB_USER_AUTH_RADIUS = 1 << 2,
IPADB_USER_AUTH_OTP = 1 << 3,
IPADB_USER_AUTH_PKINIT = 1 << 4,
IPADB_USER_AUTH_HARDENED = 1 << 5,
};
enum ipadb_user_auth_idx {
IPADB_USER_AUTH_IDX_OTP = 0,
IPADB_USER_AUTH_IDX_RADIUS,
IPADB_USER_AUTH_IDX_PKINIT,
IPADB_USER_AUTH_IDX_HARDENED,
IPADB_USER_AUTH_IDX_MAX,
};
struct ipadb_global_config {
@ -134,13 +124,6 @@ struct ipadb_context {
/* Don't access this directly, use ipadb_get_global_config(). */
struct ipadb_global_config config;
krb5_principal local_tgs;
};
struct ipadb_e_pol_limits {
krb5_deltat max_life;
krb5_deltat max_renewable_life;
};
#define IPA_E_DATA_MAGIC 0x0eda7a
@ -156,8 +139,6 @@ struct ipadb_e_data {
time_t last_admin_unlock;
char **authz_data;
bool has_tktpolaux;
enum ipadb_user_auth user_auth;
struct ipadb_e_pol_limits pol_limits[IPADB_USER_AUTH_IDX_MAX];
};
struct ipadb_context *ipadb_get_context(krb5_context kcontext);
@ -347,7 +328,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif
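Review bot: The hunk `@ -156,8 +139,6 @@` removes `enum ipadb_user_auth user_auth;` and the `pol_limits[]` array from `struct ipadb_e_data`, and `@ -90,16 +90,6 @@` removes the `IPADB_USER_AUTH_PKINIT` and `IPADB_USER_AUTH_HARDENED` flags together with `enum ipadb_user_auth_idx`, so a principal's e_data on this side no longer records which authentication types it may use or any per-indicator lifetime limits. Those fields were what the kdcpolicy module deleted elsewhere in this compare read to reject an AS-REQ whose authentication indicator the user is not allowed to use, so unless that check is enforced somewhere else on this side it appears to be absent; this looks intentional for the version being imported but deserves an explicit statement. A short comment on the struct would make the contract clear, e.g. `/* NOTE(review): no per-indicator auth policy is kept in e_data on this side; confirm where user auth types are enforced. */`.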


@ -20,12 +20,13 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <syslog.h>
#include "ipa_kdb.h"
#include "ipa_pwd.h"
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif


@ -39,6 +39,7 @@
#include <errno.h>
//#include <krb5/certauth_plugin.h>
#include <syslog.h>
#include <sss_certmap.h>
#include "ipa_krb5.h"
@ -261,18 +262,16 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
const krb5_db_entry *db_entry,
char ***authinds_out)
{
char *cert_filter = NULL, **domains = NULL;
int ret, flags = 0;
char *cert_filter = NULL;
char **domains = NULL;
int ret;
size_t c;
char *principal = NULL, **auth_inds = NULL;
char *principal = NULL;
char **auth_inds = NULL;
LDAPMessage *res = NULL;
krb5_error_code kerr;
LDAPMessage *lentry;
#ifdef KRB5_KDB_FLAG_ALIAS_OK
flags = KRB5_KDB_FLAG_ALIAS_OK;
#endif
if (moddata == NULL) {
return KRB5_PLUGIN_NO_HANDLE;
}
@ -329,8 +328,10 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
}
}
kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags,
principal, cert_filter,
kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
KRB5_KDB_FLAG_ALIAS_OK,
principal,
cert_filter,
&res);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
@ -338,7 +339,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
goto done;
}
kerr = ipadb_find_principal(context, flags, res, &principal, &lentry);
kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
&principal, &lentry);
if (kerr == KRB5_KDB_NOENTRY) {
krb5_klog_syslog(LOG_INFO, "No matching entry found");
ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;


@ -1,154 +0,0 @@
/*
* Copyright (C) 2018 FreeIPA Contributors see COPYING for license
*/
#include <errno.h>
#include <syslog.h>
#include <krb5/kdcpolicy_plugin.h>
#include "ipa_krb5.h"
#include "ipa_kdb.h"
static krb5_error_code
ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
const krb5_kdc_req *request,
const krb5_db_entry *client,
const krb5_db_entry *server,
const char *const *auth_indicators,
const char **status, krb5_deltat *lifetime_out,
krb5_deltat *renew_lifetime_out)
{
krb5_error_code kerr;
enum ipadb_user_auth ua;
struct ipadb_e_data *ied;
struct ipadb_e_pol_limits *pol_limits = NULL;
int valid_auth_indicators = 0, flags = 0;
krb5_db_entry *client_actual = NULL;
#ifdef KRB5_KDB_FLAG_ALIAS_OK
flags = KRB5_KDB_FLAG_ALIAS_OK;
#endif
*status = NULL;
*lifetime_out = 0;
*renew_lifetime_out = 0;
ied = (struct ipadb_e_data *)client->e_data;
if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
/* e-data is not availble, getting user auth from LDAP */
krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
kerr = ipadb_get_principal(context, request->client, flags,
&client_actual);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
return kerr;
}
ied = (struct ipadb_e_data *)client_actual->e_data;
if (ied == NULL && ied->magic != IPA_E_DATA_MAGIC) {
krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: client e_data fetching failed.");
return EINVAL;
}
}
ua = ied->user_auth;
/* If no mechanisms are set, allow every auth method */
if (ua == IPADB_USER_AUTH_NONE) {
return 0;
}
/* For each auth indicator, see if it is allowed for that user */
for (int i = 0; auth_indicators[i] != NULL; i++) {
const char *auth_indicator = auth_indicators[i];
if (strcmp(auth_indicator, "otp") == 0) {
valid_auth_indicators++;
if (!(ua & IPADB_USER_AUTH_OTP)) {
*status = "OTP pre-authentication not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_OTP]);
} else if (strcmp(auth_indicator, "radius") == 0) {
valid_auth_indicators++;
if (!(ua & IPADB_USER_AUTH_RADIUS)) {
*status = "OTP pre-authentication not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
} else if (strcmp(auth_indicator, "pkinit") == 0) {
valid_auth_indicators++;
if (!(ua & IPADB_USER_AUTH_PKINIT)) {
*status = "PKINIT pre-authentication not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
} else if (strcmp(auth_indicator, "hardened") == 0) {
valid_auth_indicators++;
/* Allow hardened even if only password pre-auth is allowed */
if (!(ua & (IPADB_USER_AUTH_HARDENED | IPADB_USER_AUTH_PASSWORD))) {
*status = "Password pre-authentication not not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_HARDENED]);
}
}
/* There is no auth indicator assigned for non-hardened password authentication
* so we assume password is used when no supported indicator exists */
if (!valid_auth_indicators) {
if (!(ua & IPADB_USER_AUTH_PASSWORD)) {
*status = "Non-hardened password authentication not allowed for this user.";
return KRB5KDC_ERR_POLICY;
}
}
/* If there were policy limits associated with the authentication indicators,
* apply them */
if (pol_limits != NULL) {
if (pol_limits->max_life != 0) {
*lifetime_out = pol_limits->max_life;
}
if (pol_limits->max_renewable_life != 0) {
*renew_lifetime_out = pol_limits->max_renewable_life;
}
}
return 0;
}
static krb5_error_code
ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
const krb5_kdc_req *request,
const krb5_db_entry *server,
const krb5_ticket *ticket,
const char *const *auth_indicators,
const char **status, krb5_deltat *lifetime_out,
krb5_deltat *renew_lifetime_out)
{
*status = NULL;
*lifetime_out = 0;
*renew_lifetime_out = 0;
return 0;
}
krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
int maj_ver, int min_ver,
krb5_plugin_vtable vtable)
{
krb5_kdcpolicy_vtable vt;
if (maj_ver != 1)
return KRB5_PLUGIN_VER_NOTSUPP;
vt = (krb5_kdcpolicy_vtable)vtable;
vt->name = "ipakdb";
vt->init = NULL;
vt->fini = NULL;
vt->check_as = ipa_kdcpolicy_check_as;
vt->check_tgs = ipa_kdcpolicy_check_tgs;
return 0;
}


@ -25,6 +25,7 @@
#include "ipa_kdb.h"
#include "ipa_mspac.h"
#include <talloc.h>
#include <syslog.h>
#include <unicase.h>
#include "util/time.h"
#include "gen_ndr/ndr_krb5pac.h"
@ -70,6 +71,17 @@ static char *memberof_pac_attrs[] = {
NULL
};
static struct {
char *service;
int length;
} supported_services[] = {
{"cifs", sizeof("cifs")},
{"HTTP", sizeof("HTTP")},
{NULL, 0}
};
#define SID_ID_AUTHS 6
#define SID_SUB_AUTHS 15
#define MAX(a,b) (((a)>(b))?(a):(b))
@ -347,46 +359,6 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t *rid)
return 0;
}
/* Add Asserted Identity SID */
static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
unsigned int flags,
TALLOC_CTX *memctx,
struct netr_SamInfo3 *info3)
{
struct netr_SidAttr *arr = NULL;
uint32_t sidcount = info3->sidcount;
krb5_error_code ret = 0;
arr = talloc_realloc(memctx,
info3->sids,
struct netr_SidAttr,
sidcount + 1);
if (!arr) {
return ENOMEM;
}
arr[sidcount].sid = talloc_zero(arr, struct dom_sid2);
if (!arr[sidcount].sid) {
return ENOMEM;
}
/* For S4U2Self, add Service Asserted Identity SID
* otherwise, add Authentication Authority Asserted Identity SID */
ret = string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
"S-1-18-2" : "S-1-18-1",
arr[sidcount].sid);
if (ret) {
return ret;
}
arr[sidcount].attributes = SE_GROUP_MANDATORY |
SE_GROUP_ENABLED |
SE_GROUP_ENABLED_BY_DEFAULT;
info3->sids = arr;
info3->sidcount = sidcount + 1;
info3->base.user_flags |= NETLOGON_EXTRA_SIDS;
return 0;
}
static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
{
int ret;
@ -412,7 +384,6 @@ static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
LDAPMessage *lentry,
unsigned int flags,
TALLOC_CTX *memctx,
struct netr_SamInfo3 *info3)
{
@ -424,14 +395,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
char *strres;
int intres;
int ret;
int i;
char **objectclasses = NULL;
size_t c;
bool is_host = false;
bool is_user = false;
bool is_service = false;
bool is_ipauser = false;
bool is_idobject = false;
krb5_principal princ;
krb5_data *data;
ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
&objectclasses);
@ -446,24 +417,11 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if (strcasecmp(objectclasses[c], "ipaNTUserAttrs") == 0) {
is_user = true;
}
if (strcasecmp(objectclasses[c], "ipaIDObject") == 0) {
is_idobject = true;
}
if (strcasecmp(objectclasses[c], "ipaUser") == 0) {
is_ipauser = true;
}
free(objectclasses[c]);
}
}
free(objectclasses);
/* SMB service on IPA domain member will have both ipaIDOjbect and ipaUser
* object classes. Such service will have to be treated as a user in order
* to issue MS-PAC record for it. */
if (is_idobject && is_ipauser) {
is_user = true;
}
if (!is_host && !is_user && !is_service) {
/* We only handle users and hosts, and services */
return ENOENT;
@ -475,10 +433,17 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
/* fqdn is mandatory for hosts */
return ret;
}
/* Currently we only add a PAC to TGTs for IPA servers to allow SSSD in
* ipa_server_mode to access the AD LDAP server */
if (!is_master_host(ipactx, strres)) {
free(strres);
return ENOENT;
}
} else if (is_service) {
ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbPrincipalName", &strres);
if (ret) {
/* krbCanonicalName is mandatory for services */
/* krbPrincipalName is mandatory for services */
return ret;
}
@ -489,10 +454,39 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ENOENT;
}
ret = krb5_unparse_name_flags(ipactx->kcontext,
princ, KRB5_PRINCIPAL_UNPARSE_SHORT,
&strres);
if (ret) {
if (krb5_princ_size(ipactx->kcontext, princ) != 2) {
krb5_free_principal(ipactx->kcontext, princ);
return ENOENT;
}
data = krb5_princ_component(ipactx->context, princ, 0);
for (i = 0; supported_services[i].service; i++) {
if (0 == memcmp(data->data, supported_services[i].service,
MIN(supported_services[i].length, data->length))) {
break;
}
}
if (supported_services[i].service == NULL) {
krb5_free_principal(ipactx->kcontext, princ);
return ENOENT;
}
data = krb5_princ_component(ipactx->context, princ, 1);
strres = malloc(data->length+1);
if (strres == NULL) {
krb5_free_principal(ipactx->kcontext, princ);
return ENOENT;
}
memcpy(strres, data->data, data->length);
strres[data->length] = '\0';
krb5_free_principal(ipactx->kcontext, princ);
/* Only add PAC to TGT to services on IPA masters to allow querying
* AD LDAP server */
if (!is_master_host(ipactx, strres)) {
free(strres);
return ENOENT;
}
} else {
@ -629,19 +623,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.logon_count = 0; /* we do not have this info yet */
info3->base.bad_password_count = 0; /* we do not have this info yet */
if ((is_host || is_service)) {
/* it is either host or service, so get the hostname first */
char *sep = strchr(info3->base.account_name.string, '/');
bool is_master = is_master_host(
ipactx,
sep ? sep + 1 : info3->base.account_name.string);
if (is_master) {
/* Well know RID of domain controllers group */
info3->base.rid = 516;
} else {
/* Well know RID of domain computers group */
info3->base.rid = 515;
}
if (is_host || is_service) {
/* Well know RID of domain controllers group */
info3->base.rid = 516;
} else {
ret = ipadb_ldap_attr_to_str(lcontext, lentry,
"ipaNTSecurityIdentifier", &strres);
@ -707,6 +691,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
if (tgid == prigid) {
info3->base.primary_gid = trid;
continue;
}
info3->base.groups.rids[count].rid = trid;
info3->base.groups.rids[count].attributes =
@ -789,13 +774,11 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.failed_logon_count = 0; /* We do not have it */
info3->base.reserved = 0; /* Reserved */
ret = ipadb_add_asserted_identity(ipactx, flags, memctx, info3);
return ret;
return 0;
}
static krb5_error_code ipadb_get_pac(krb5_context kcontext,
krb5_db_entry *client,
unsigned int flags,
krb5_pac *pac)
{
TALLOC_CTX *tmpctx;
@ -808,8 +791,6 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
union PAC_INFO pac_info;
krb5_error_code kerr;
enum ndr_err_code ndr_err;
union PAC_INFO pac_upn;
char *principal = NULL;
/* When no client entry is there, we cannot generate MS-PAC */
if (!client) {
@ -858,7 +839,7 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
}
/* == Fill Info3 == */
kerr = ipadb_fill_info3(ipactx, lentry, flags, tmpctx,
kerr = ipadb_fill_info3(ipactx, lentry, tmpctx,
&pac_info.logon_info.info->info3);
if (kerr) {
goto done;
@ -884,46 +865,6 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
kerr = krb5_pac_add_buffer(kcontext, *pac, KRB5_PAC_LOGON_INFO, &data);
/* == Package UPN_DNS_LOGON_INFO == */
memset(&pac_upn, 0, sizeof(pac_upn));
kerr = krb5_unparse_name(kcontext, client->princ, &principal);
if (kerr) {
goto done;
}
pac_upn.upn_dns_info.upn_name = talloc_strdup(tmpctx, principal);
krb5_free_unparsed_name(kcontext, principal);
if (pac_upn.upn_dns_info.upn_name == NULL) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
pac_upn.upn_dns_info.dns_domain_name = talloc_strdup(tmpctx, ipactx->realm);
if (pac_upn.upn_dns_info.dns_domain_name == NULL) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
/* IPA user principals are all constructed */
if ((pac_info.logon_info.info->info3.base.rid != 515) ||
(pac_info.logon_info.info->info3.base.rid != 516)) {
pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_CONSTRUCTED;
}
ndr_err = ndr_push_union_blob(&pac_data, tmpctx, &pac_upn,
PAC_TYPE_UPN_DNS_INFO,
(ndr_push_flags_fn_t)ndr_push_PAC_INFO);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
data.magic = KV5M_DATA;
data.data = (char *)pac_data.data;
data.length = pac_data.length;
kerr = krb5_pac_add_buffer(kcontext, *pac, KRB5_PAC_UPN_DNS_INFO, &data);
done:
ldap_msgfree(results);
talloc_free(tmpctx);
@ -1843,12 +1784,8 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
priv_key = krbtgt_key;
}
/* only pass with_realm TRUE when it is cross-realm ticket and S4U
* extension (S4U2Self or S4U2Proxy (RBCD)) was requested */
kerr = krb5_pac_verify_ext(context, old_pac, authtime,
client_princ, srv_key, priv_key,
(is_cross_realm &&
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)));
kerr = krb5_pac_verify(context, old_pac, authtime,
client_princ, srv_key, priv_key);
if (kerr) {
goto done;
}
@ -1882,8 +1819,7 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
for (i = 0; i < num_buffers; i++) {
if (types[i] == KRB5_PAC_SERVER_CHECKSUM ||
types[i] == KRB5_PAC_PRIVSVR_CHECKSUM ||
types[i] == KRB5_PAC_CLIENT_INFO) {
types[i] == KRB5_PAC_PRIVSVR_CHECKSUM) {
continue;
}
@ -1941,7 +1877,6 @@ done:
}
static krb5_error_code ipadb_sign_pac(krb5_context context,
unsigned int flags,
krb5_const_principal client_princ,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@ -1957,7 +1892,6 @@ static krb5_error_code ipadb_sign_pac(krb5_context context,
krb5_principal krbtgt_princ = NULL;
krb5_error_code kerr;
char *princ = NULL;
bool is_issuing_referral = false;
int ret;
/* for cross realm trusts cases we need to sign with the right key.
@ -2016,17 +1950,8 @@ static krb5_error_code ipadb_sign_pac(krb5_context context,
right_krbtgt_signing_key = krbtgt_key;
}
#ifdef KRB5_KDB_FLAG_ISSUING_REFERRAL
is_issuing_referral = (flags & KRB5_KDB_FLAG_ISSUING_REFERRAL) != 0;
#endif
/* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self
* was requested */
kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key,
right_krbtgt_signing_key,
(is_issuing_referral &&
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
pac_data);
kerr = krb5_pac_sign(context, pac, authtime, client_princ,
server_key, right_krbtgt_signing_key, pac_data);
done:
free(princ);
@ -2243,10 +2168,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
}
/* we need to create a PAC if we are requested one and this is an AS REQ,
* or we are doing protocol transition (S4USelf) but not over cross-realm
*/
* or we are doing protocol transition (s4u2self) */
if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && (client != NULL))) {
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
make_ad = true;
}
@ -2275,7 +2199,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
(void)ipadb_reinit_mspac(ipactx, force_reinit_mspac);
kerr = ipadb_get_pac(context, client, flags, &pac);
kerr = ipadb_get_pac(context, client, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
@ -2289,7 +2213,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
/* check or generate pac data */
if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
kerr = ipadb_get_pac(context, client_entry, flags, &pac);
kerr = ipadb_get_pac(context, client_entry, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
@ -2316,7 +2240,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
goto done;
}
kerr = ipadb_sign_pac(context, flags, ks_client_princ, server, krbtgt,
kerr = ipadb_sign_pac(context, ks_client_princ, server, krbtgt,
server_key, krbtgt_key, authtime, pac, &pac_data);
if (kerr != 0) {
goto done;


@ -80,12 +80,6 @@ static krb5_error_code ipadb_check_pw_policy(krb5_context context,
return EINVAL;
}
if (strlen(passwd) > IPAPWD_PASSWORD_MAX_LEN) {
krb5_set_error_message(context, E2BIG, "%s",
ipapwd_password_max_len_errmsg);
return E2BIG;
}
ied->passwd = strdup(passwd);
if (!ied->passwd) {
return ENOMEM;
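Review bot: In hunk `@ -80,12 +80,6 @@`, the side that appears to be the new one reaches `ied->passwd = strdup(passwd);` without the preceding `strlen(passwd) > IPAPWD_PASSWORD_MAX_LEN` check that the other side has, so ipadb_check_pw_policy accepts a new password of any length into the policy and hashing path. An upper bound is cheap and gives the client a clear error instead of unbounded work per request; keep the check, `if (strlen(passwd) > IPAPWD_PASSWORD_MAX_LEN) { krb5_set_error_message(context, E2BIG, "%s", ipapwd_password_max_len_errmsg); return E2BIG; }`, or an equivalent constant and message if `IPAPWD_PASSWORD_MAX_LEN` and `ipapwd_password_max_len_errmsg` are not defined on this side. ipadb_check_pw_policy starts and ends outside the hunk.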


@ -21,7 +21,6 @@
*/
#include "ipa_kdb.h"
#include "ipa_krb5.h"
#include <unicase.h>
/*
@ -79,8 +78,6 @@ static char *std_principal_attrs[] = {
IPA_KRB_AUTHZ_DATA_ATTR,
IPA_USER_AUTH_TYPE,
"ipatokenRadiusConfigLink",
"krbAuthIndMaxTicketLife",
"krbAuthIndMaxRenewableAge",
"objectClass",
NULL
@ -90,8 +87,6 @@ static char *std_tktpolicy_attrs[] = {
"krbmaxticketlife",
"krbmaxrenewableage",
"krbticketflags",
"krbauthindmaxticketlife",
"krbauthindmaxrenewableage",
NULL
};
@ -323,6 +318,15 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
ldap_value_free_len(vals);
}
static void ipadb_validate_password(struct ipadb_context *ipactx,
LDAPMessage *lentry,
enum ipadb_user_auth *ua)
{
/* If no mechanisms are set, use password. */
if (*ua == IPADB_USER_AUTH_NONE)
*ua |= IPADB_USER_AUTH_PASSWORD;
}
static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
LDAPMessage *lentry)
{
@ -350,6 +354,7 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
/* Perform flag validation. */
ipadb_validate_otp(ipactx, lentry, &ua);
ipadb_validate_radius(ipactx, lentry, &ua);
ipadb_validate_password(ipactx, lentry, &ua);
return ua;
}
@ -510,66 +515,6 @@ cleanup:
return ret;
}
static void ipadb_parse_authind_policies(krb5_context kcontext,
LDAP *lcontext,
LDAPMessage *lentry,
krb5_db_entry *entry,
enum ipadb_user_auth ua)
{
int result;
int ret;
struct ipadb_e_data *ied;
const struct {
char *attribute;
enum ipadb_user_auth flag;
enum ipadb_user_auth_idx idx;
} life_authind_map[] = {
{"krbAuthIndMaxTicketLife;otp",
IPADB_USER_AUTH_OTP, IPADB_USER_AUTH_IDX_OTP},
{"krbAuthIndMaxTicketLife;radius",
IPADB_USER_AUTH_RADIUS, IPADB_USER_AUTH_IDX_RADIUS},
{"krbAuthIndMaxTicketLife;pkinit",
IPADB_USER_AUTH_PKINIT, IPADB_USER_AUTH_IDX_PKINIT},
{"krbAuthIndMaxTicketLife;hardened",
IPADB_USER_AUTH_HARDENED, IPADB_USER_AUTH_IDX_HARDENED},
{NULL, IPADB_USER_AUTH_NONE, IPADB_USER_AUTH_IDX_MAX},
}, age_authind_map[] = {
{"krbAuthIndMaxRenewableAge;otp",
IPADB_USER_AUTH_OTP, IPADB_USER_AUTH_IDX_OTP},
{"krbAuthIndMaxRenewableAge;radius",
IPADB_USER_AUTH_RADIUS, IPADB_USER_AUTH_IDX_RADIUS},
{"krbAuthIndMaxRenewableAge;pkinit",
IPADB_USER_AUTH_PKINIT, IPADB_USER_AUTH_IDX_PKINIT},
{"krbAuthIndMaxRenewableAge;hardened",
IPADB_USER_AUTH_HARDENED, IPADB_USER_AUTH_IDX_HARDENED},
{NULL, IPADB_USER_AUTH_NONE, IPADB_USER_AUTH_IDX_MAX},
};
ied = (struct ipadb_e_data *)entry->e_data;
if (ied == NULL) {
return;
}
for (size_t i = 0; life_authind_map[i].attribute != NULL; i++) {
if (ua & life_authind_map[i].flag) {
ret = ipadb_ldap_attr_to_int(lcontext, lentry,
life_authind_map[i].attribute,
&result);
if (ret == 0) {
ied->pol_limits[life_authind_map[i].idx].max_life = result;
}
ret = ipadb_ldap_attr_to_int(lcontext, lentry,
age_authind_map[i].attribute,
&result);
if (ret == 0) {
ied->pol_limits[age_authind_map[i].idx].max_renewable_life = result;
}
}
}
}
static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
char *principal,
LDAPMessage *lentry,
@ -609,17 +554,6 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
return KRB5_KDB_DBNOTINITED;
}
lcontext = ipactx->lcontext;
if (!lcontext) {
krb5_klog_syslog(LOG_INFO,
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
ret = ipadb_get_connection(ipactx);
if (ret != 0) {
krb5_klog_syslog(LOG_ERR,
"No LDAP connection on retry in ipadb_parse_ldap_entry()!\n");
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
}
entry->magic = KRB5_KDB_MAGIC_NUMBER;
entry->len = KRB5_KDB_V1_BASE_LENGTH;
@ -774,17 +708,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
&res_key_data, &result, &mkvno);
switch (ret) {
case 0:
/* Only set a principal's key if password auth can be used. Otherwise
* the KDC would add pre-authentication methods to the NEEDED_PREAUTH
* reply for AS-REQs which indicate the password authentication is
* available. This might confuse applications like e.g. SSSD which try
* to determine suitable authentication methods and corresponding
* prompts with the help of MIT Kerberos' responder interface which
* acts on the returned pre-authentication methods. A typical example
* is enforced OTP authentication where of course keys are available
* for the first factor but password authentication should not be
* advertised by the KDC. */
if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
/* Only set a principal's key if password auth should be used. */
if (!(ua & IPADB_USER_AUTH_PASSWORD)) {
/* This is the same behavior as ENOENT below. */
ipa_krb5_free_key_data(res_key_data, result);
break;
@ -926,8 +851,6 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->authz_data = authz_data_list;
}
ied->user_auth = ua;
/* If enabled, set the otp user string, enabling otp. */
if (ua & IPADB_USER_AUTH_OTP) {
kerr = ipadb_set_tl_data(entry, KRB5_TL_STRING_ATTRS,
@ -941,10 +864,6 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
if (ua & ~IPADB_USER_AUTH_NONE) {
ipadb_parse_authind_policies(kcontext, lcontext, lentry, entry, ua);
}
kerr = 0;
done:
@ -964,9 +883,9 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
LDAPMessage **result)
{
krb5_error_code kerr;
char *src_filter = NULL, *esc_original_princ = NULL;
char *src_filter = NULL;
char *esc_original_princ = NULL;
int ret;
int len = 0;
if (!ipactx->lcontext) {
ret = ipadb_get_connection(ipactx);
@ -976,48 +895,29 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
}
}
/* Escape filter but do not touch '*' as this function accepts
* wildcards in names. */
/* escape filter but do not touch '*' as this function accepts
* wildcards in names */
esc_original_princ = ipadb_filter_escape(principal, false);
if (!esc_original_princ) {
kerr = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
len = strlen(esc_original_princ);
/* Starting in DAL 8.0, aliases are always okay. */
#ifdef KRB5_KDB_FLAG_ALIAS_OK
if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
if (filter == NULL) {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
esc_original_princ);
if (filter == NULL) {
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
esc_original_princ, esc_original_princ);
} else {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
}
} else {
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
esc_original_princ, esc_original_princ, filter);
} else {
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
esc_original_princ, filter);
}
} else
#endif
{
/* In case we've got a principal name as '*' we have to
* follow RFC 4515 section 3 and reencode it using
* <valueencoding> rule from RFC 4511 section 4.1.6 but
* only to the part of the filter that does use assertion
* value. */
const char *asterisk = "%x2A";
char *assertion_value = esc_original_princ;
if ((len == 1) && (esc_original_princ[0] == '*')) {
assertion_value = asterisk;
}
if (filter == NULL) {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
esc_original_princ, assertion_value);
} else {
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
esc_original_princ, assertion_value, filter);
}
}
if (ret == -1) {
@ -1025,8 +925,11 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
goto done;
}
kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
src_filter, std_principal_attrs, result);
kerr = ipadb_simple_search(ipactx,
ipactx->base, LDAP_SCOPE_SUBTREE,
src_filter, std_principal_attrs,
result);
done:
free(src_filter);
free(esc_original_princ);
@ -1051,109 +954,100 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
struct ipadb_context *ipactx;
bool found = false;
LDAPMessage *le = NULL;
struct berval **vals = NULL;
int result;
krb5_error_code ret;
size_t princ_len = 0;
struct berval **vals;
int i, result;
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
ret = KRB5_KDB_DBNOTINITED;
goto done;
return KRB5_KDB_DBNOTINITED;
}
princ_len = strlen(*principal);
for (le = ldap_first_entry(ipactx->lcontext, res); le != NULL;
le = ldap_next_entry(ipactx->lcontext, le)) {
vals = ldap_get_values_len(ipactx->lcontext, le, "krbprincipalname");
if (vals == NULL)
continue;
while (!found) {
/* We need to check for a strict match as a '*' in the name may have
* caused the ldap server to return multiple entries. */
for (int i = 0; vals[i]; i++) {
#ifdef KRB5_KDB_FLAG_ALIAS_OK
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
found = ((vals[i]->bv_len == princ_len) &&
strncmp(vals[i]->bv_val, *principal, vals[i]->bv_len) == 0);
if (found)
break;
continue;
}
#endif
/* The KDC will accept aliases when doing TGT lookup
* (ref_tgt_again in do_tgs_req.c), so use case-insensitive
* comparison. */
if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len, *principal,
princ_len, NULL, NULL, &result) != 0) {
ret = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
if (result != 0)
continue;
/* Fix case on the incoming principal to ensure that a valid
* name/alias is returned even if krbCanonicalName is not
* present. */
free(*principal);
*principal = strndup(vals[i]->bv_val, vals[i]->bv_len);
if (!*principal) {
ret = KRB5_KDB_INTERNAL_ERROR;
goto done;
}
princ_len = strlen(*principal);
found = true;
if (!le) {
le = ldap_first_entry(ipactx->lcontext, res);
} else {
le = ldap_next_entry(ipactx->lcontext, le);
}
if (!le) {
break;
}
vals = ldap_get_values_len(ipactx->lcontext, le, "krbprincipalname");
if (vals == NULL) {
continue;
}
/* we need to check for a strict match as a '*' in the name may have
* caused the ldap server to return multiple entries */
for (i = 0; vals[i]; i++) {
/* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */
/* Use case-insensitive comparison in such cases */
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
(*principal), strlen(*principal),
NULL, NULL, &result) != 0)
return KRB5_KDB_INTERNAL_ERROR;
found = (result == 0);
if (found) {
/* replace the incoming principal with the value having
* the correct case. This ensures that valid name/alias
* is returned even if krbCanonicalName is not present
*/
free(*principal);
*principal = strdup(vals[i]->bv_val);
if (!(*principal)) {
return KRB5_KDB_INTERNAL_ERROR;
}
}
} else {
found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
}
if (found) {
break;
}
}
ldap_value_free_len(vals);
vals = NULL;
if (!found) {
continue;
}
/* We need to check if this is the canonical name. */
/* we need to check if this is the canonical name */
vals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
if (vals == NULL)
break;
#ifdef KRB5_KDB_FLAG_ALIAS_OK
/* If aliases aren't accepted by the KDC, use case-sensitive
* comparison. */
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
found = ((vals[0]->bv_len == strlen(*principal)) &&
strncmp(vals[0]->bv_val, *principal, vals[0]->bv_len) == 0);
if (!found) {
ldap_value_free_len(vals);
vals = NULL;
continue;
}
if (vals == NULL) {
continue;
}
/* Again, if aliases are accepted by KDC, use case-insensitive comparison */
if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
found = true;
} else {
found = (strcmp(vals[0]->bv_val, (*principal)) == 0);
}
if (!found) {
/* search does not allow aliases */
ldap_value_free_len(vals);
continue;
}
#endif
free(*principal);
*principal = strndup(vals[0]->bv_val, vals[0]->bv_len);
if (!*principal) {
ret = KRB5_KDB_INTERNAL_ERROR;
goto done;
*principal = strdup(vals[0]->bv_val);
if (!(*principal)) {
return KRB5_KDB_INTERNAL_ERROR;
}
break;
ldap_value_free_len(vals);
}
if (!found || !le) {
ret = KRB5_KDB_NOENTRY;
goto done;
return KRB5_KDB_NOENTRY;
}
ret = 0;
*entry = le;
done:
if (vals)
ldap_value_free_len(vals);
return ret;
return 0;
}
static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
@ -1163,7 +1057,7 @@ static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
struct ipadb_e_data *ied;
config = ipadb_get_global_config(ipactx);
if (config && config->disable_preauth_for_spns) {
if (config->disable_preauth_for_spns) {
ied = (struct ipadb_e_data *)entry->e_data;
if (ied && ied->ipa_user != true) {
/* not a user, assume SPN */
@ -1273,67 +1167,32 @@ done:
return kerr;
}
static krb5_boolean is_request_for_us(krb5_context kcontext,
krb5_principal local_tgs,
krb5_const_principal search_for)
{
krb5_boolean for_us;
/* TODO: handle case where main object and krbprincipal data are not
* the same object but linked objects ?
* (by way of krbprincipalaux being in a separate object from krbprincipal).
* Currently we only support objcts with both objectclasses present at the
* same time. */
for_us = krb5_realm_compare(kcontext, local_tgs, search_for) ||
krb5_principal_compare_any_realm(kcontext,
local_tgs, search_for);
return for_us;
}
static krb5_error_code dbget_princ(krb5_context kcontext,
struct ipadb_context *ipactx,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry)
krb5_error_code ipadb_get_principal(krb5_context kcontext,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry)
{
struct ipadb_context *ipactx;
krb5_error_code kerr;
char *principal = NULL;
char *trusted_realm = NULL;
LDAPMessage *res = NULL;
LDAPMessage *lentry;
krb5_db_entry *kentry = NULL;
uint32_t pol;
if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0 &&
(flags & KRB5_KDB_FLAG_CANONICALIZE) != 0) {
/* AS_REQ with canonicalization*/
krb5_principal norm_princ = NULL;
/* unparse the Kerberos principal without (our) outer realm. */
kerr = krb5_unparse_name_flags(kcontext, search_for,
KRB5_PRINCIPAL_UNPARSE_NO_REALM |
KRB5_PRINCIPAL_UNPARSE_DISPLAY,
&principal);
if (kerr != 0) {
goto done;
}
/* Re-parse the principal to normalize it. Innner realm becomes
* the realm if present. If no inner realm, our default realm
* will be used instead (as it was before). */
kerr = krb5_parse_name(kcontext, principal, &norm_princ);
if (kerr != 0) {
goto done;
}
/* Unparse without escaping '@' and '/' because we are going to use them
* in LDAP filters where escaping character '\' will be escaped and the
* result will never match. */
kerr = krb5_unparse_name_flags(kcontext, norm_princ,
KRB5_PRINCIPAL_UNPARSE_DISPLAY, &principal);
krb5_free_principal(kcontext, norm_princ);
} else {
/* Unparse without escaping '@' and '/' because we are going to use them
* in LDAP filters where escaping character '\' will be escaped and the
* result will never match. */
kerr = krb5_unparse_name_flags(kcontext, search_for,
KRB5_PRINCIPAL_UNPARSE_DISPLAY, &principal);
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
return KRB5_KDB_DBNOTINITED;
}
kerr = krb5_unparse_name(kcontext, search_for, &principal);
if (kerr != 0) {
goto done;
}
@ -1345,7 +1204,95 @@ static krb5_error_code dbget_princ(krb5_context kcontext,
kerr = ipadb_find_principal(kcontext, flags, res, &principal, &lentry);
if (kerr != 0) {
goto done;
if ((kerr == KRB5_KDB_NOENTRY) &&
((flags & (KRB5_KDB_FLAG_CANONICALIZE |
KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY)) != 0)) {
/* First check if we got enterprise principal which looks like
* username\@enterprise_realm@REALM */
char *realm;
krb5_data *upn;
upn = krb5_princ_component(kcontext, search_for,
krb5_princ_size(kcontext, search_for) - 1);
if (upn == NULL) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
realm = memrchr(upn->data, '@', upn->length);
if (realm == NULL) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
/* skip '@' and use part after '@' as an enterprise realm for comparison */
realm++;
/* check for our realm */
if (strncasecmp(ipactx->realm, realm,
upn->length - (realm - upn->data)) == 0) {
/* it looks like it is ok to use malloc'ed strings as principal */
krb5_free_unparsed_name(kcontext, principal);
principal = strndup((const char *) upn->data, upn->length);
if (principal == NULL) {
kerr = ENOMEM;
goto done;
}
ldap_msgfree(res);
res = NULL;
kerr = ipadb_fetch_principals(ipactx, flags, principal, &res);
if (kerr != 0) {
goto done;
}
kerr = ipadb_find_principal(kcontext, flags, res, &principal,
&lentry);
if (kerr != 0) {
goto done;
}
} else {
kerr = ipadb_is_princ_from_trusted_realm(kcontext,
realm,
upn->length - (realm - upn->data),
&trusted_realm);
if (kerr == KRB5_KDB_NOENTRY) {
/* try to refresh trusted domain data and try again */
kerr = ipadb_reinit_mspac(ipactx, false);
if (kerr != 0) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
kerr = ipadb_is_princ_from_trusted_realm(kcontext, realm,
upn->length - (realm - upn->data),
&trusted_realm);
}
if (kerr == 0) {
kentry = calloc(1, sizeof(krb5_db_entry));
if (!kentry) {
kerr = ENOMEM;
goto done;
}
kerr = krb5_parse_name(kcontext, principal,
&kentry->princ);
if (kerr != 0) {
goto done;
}
kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
if (kerr != 0) {
goto done;
}
*entry = kentry;
}
goto done;
}
} else {
goto done;
}
}
kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);
@ -1361,187 +1308,15 @@ static krb5_error_code dbget_princ(krb5_context kcontext,
}
done:
free(trusted_realm);
if ((kerr != 0) && (kentry != NULL)) {
ipadb_free_principal(kcontext, kentry);
}
ldap_msgfree(res);
krb5_free_unparsed_name(kcontext, principal);
return kerr;
}
static krb5_error_code dbget_alias(krb5_context kcontext,
struct ipadb_context *ipactx,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry)
{
krb5_error_code kerr = 0;
char *principal = NULL;
krb5_principal norm_princ = NULL;
char *trusted_realm = NULL;
krb5_db_entry *kentry = NULL;
krb5_data *realm;
/* TODO: also support hostbased aliases */
/* Enterprise principal name type is for potential aliases or principals
* from trusted realms. The logic below only applies to this type */
if (krb5_princ_type(kcontext, search_for) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
return KRB5_KDB_NOENTRY;
}
/* enterprise principal can only have single component in the name
* according to RFC6806 section 5. */
if (krb5_princ_size(kcontext, search_for) != 1) {
return KRB5_KDB_NOENTRY;
}
/* unparse the Kerberos principal without (our) outer realm. */
kerr = krb5_unparse_name_flags(kcontext, search_for,
KRB5_PRINCIPAL_UNPARSE_NO_REALM |
KRB5_PRINCIPAL_UNPARSE_DISPLAY,
&principal);
if (kerr != 0) {
goto done;
}
/* Re-parse the principal to normalize it. Innner realm becomes
* the realm if present. If no inner realm, our default realm
* will be used instead (as it was before). */
kerr = krb5_parse_name(kcontext, principal, &norm_princ);
if (kerr != 0) {
goto done;
}
if (krb5_realm_compare(kcontext, ipactx->local_tgs, norm_princ)) {
/* In realm alias, try to retrieve it and let the caller handle it. */
kerr = dbget_princ(kcontext, ipactx, norm_princ, flags, entry);
goto done;
}
/* The request is out of realm starting from here */
/*
* Per RFC6806 section 7 and 8, the canonicalize flag is required for
* both client and server referrals. But it is more useful to ignore it
* like Windows KDC does for client referrals.
*/
if (((flags & KRB5_KDB_FLAG_CANONICALIZE) == 0) &&
((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0)) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
/* Determine the trusted realm to refer to. We don't need the principal
* itself, only its realm */
realm = krb5_princ_realm(kcontext, norm_princ);
kerr = ipadb_is_princ_from_trusted_realm(kcontext,
realm->data,
realm->length,
&trusted_realm);
if (kerr == KRB5_KDB_NOENTRY) {
/* If no trusted realm found, refresh trusted domain data and try again
* because it might be a freshly added trust to AD */
kerr = ipadb_reinit_mspac(ipactx, false);
if (kerr != 0) {
kerr = KRB5_KDB_NOENTRY;
goto done;
}
kerr = ipadb_is_princ_from_trusted_realm(kcontext,
realm->data,
realm->length,
&trusted_realm);
}
if (kerr != 0) {
goto done;
}
/* This is a known trusted realm. Issue a referral depending on whether this
* is client or server referral request */
if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
/* client referral out of realm, set next realm. */
kerr = krb5_set_principal_realm(kcontext, norm_princ, trusted_realm);
if (kerr != 0) {
goto done;
}
kentry = calloc(1, sizeof(krb5_db_entry));
if (!kentry) {
kerr = ENOMEM;
goto done;
}
kentry->princ = norm_princ;
norm_princ = NULL;
*entry = kentry;
goto done;
}
if (flags & KRB5_KDB_FLAG_INCLUDE_PAC) {
/* TGS request where KDC wants to generate PAC
* but the principal is out of our realm */
kerr = KRB5_KDB_NOENTRY;
goto done;
}
/* server referrals: lookup krbtgt/next_realm@our_realm */
krb5_free_principal(kcontext, norm_princ);
norm_princ = NULL;
kerr = krb5_build_principal_ext(kcontext, &norm_princ,
strlen(ipactx->realm),
ipactx->realm,
KRB5_TGS_NAME_SIZE,
KRB5_TGS_NAME,
strlen(trusted_realm),
trusted_realm, 0);
if (kerr != 0) {
goto done;
}
kerr = dbget_princ(kcontext, ipactx, norm_princ, flags, entry);
done:
free(trusted_realm);
krb5_free_principal(kcontext, norm_princ);
krb5_free_unparsed_name(kcontext, principal);
return kerr;
}
/* TODO: handle case where main object and krbprincipal data are not
* the same object but linked objects ?
* (by way of krbprincipalaux being in a separate object from krbprincipal).
* Currently we only support objcts with both objectclasses present at the
* same time. */
krb5_error_code ipadb_get_principal(krb5_context kcontext,
krb5_const_principal search_for,
unsigned int flags,
krb5_db_entry **entry)
{
struct ipadb_context *ipactx;
krb5_error_code kerr;
*entry = NULL;
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
return KRB5_KDB_DBNOTINITED;
}
if (!is_request_for_us(kcontext, ipactx->local_tgs, search_for)) {
return KRB5_KDB_NOENTRY;
}
/* Lookup local names and aliases first. */
kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
if (kerr != KRB5_KDB_NOENTRY) {
return kerr;
}
return dbget_alias(kcontext, ipactx, search_for, flags, entry);
}
void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
{
struct ipadb_e_data *ied;
@ -2722,7 +2497,7 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
char *canonicalized = NULL;
LDAPMessage *res = NULL;
LDAPMessage *lentry;
unsigned int flags = 0;
unsigned int flags;
ipactx = ipadb_get_context(kcontext);
if (!ipactx) {
@ -2749,9 +2524,7 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
goto done;
}
#ifdef KRB5_KDB_FLAG_ALIAS_OK
flags = KRB5_KDB_FLAG_ALIAS_OK;
#endif
kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry);
if (kerr != 0) {
goto done;


@ -1,4 +1,4 @@
AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ @KRB5_CFLAGS@ @NSPR_CFLAGS@
AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ @KRB5_CFLAGS@
AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ @KRB5_LIBS@
noinst_HEADERS = internal.h


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -467,8 +467,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -511,10 +509,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -535,6 +534,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -622,9 +623,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@ -635,7 +634,7 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ @KRB5_CFLAGS@ @NSPR_CFLAGS@
AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ @KRB5_CFLAGS@
AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ @KRB5_LIBS@
noinst_HEADERS = internal.h
appdir = $(libexecdir)/ipa/


@ -19,11 +19,12 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from io import StringIO
import struct
import subprocess
import sys
from six import StringIO
try:
from pyrad import packet
from pyrad.dictionary import Dictionary


@ -15,7 +15,7 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
-DHAVE_LDAP \
-I$(top_srcdir)/util \
$(CRYPTO_CFLAGS) \
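Review bot: The LDAPIDIR define in AM_CPPFLAGS swaps between `$(runstatedir)` and `$(localstatedir)/run`, and which of the two lines is the addition is only inferable from print order here, so please confirm the new value. If `$(localstatedir)/run` is the new side, a `--runstatedir` given at configure time is silently ignored for the LDAPI socket directory while the neighbouring LIBDIR, LIBEXECDIR and DATADIR defines still follow their configure variables. The generated Makefile.in in the same change drops `runstatedir = @runstatedir@`, which suggests the fallback is deliberate rather than accidental; if so, a one-line comment above the define, `# runstatedir is not provided by this automake; fall back to $(localstatedir)/run`, would stop the next maintainer from reverting it. The same define appears in the Makefile.in section that follows, which would carry the same comment.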


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -273,8 +273,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -317,10 +315,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -341,6 +340,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -428,9 +429,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@ -457,7 +456,7 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
-DHAVE_LDAP \
-I$(top_srcdir)/util \
$(CRYPTO_CFLAGS) \


@ -19,6 +19,7 @@
#include <util/data_blob.h>
#include <util/time.h>
#include <util/debug.h>
#include <util/talloc_stack.h>
#ifndef _SAMBA_UTIL_H_
bool trim_string(char *s, const char *front, const char *back);
@ -104,6 +105,8 @@ enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flag
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
@ -137,7 +140,6 @@ bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-
#define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
#define LDAP_ATTRIBUTE_HOME_DRIVE "ipaNTHomeDirectoryDrive"
#define LDAP_ATTRIBUTE_HOME_PATH "ipaNTHomeDirectory"
#define LDAP_ATTRIBUTE_HOMEDIRECTORY "homeDirectory"
#define LDAP_ATTRIBUTE_LOGON_SCRIPT "ipaNTLogonScript"
#define LDAP_ATTRIBUTE_PROFILE_PATH "ipaNTProfilePath"
#define LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING "ipaNTSIDBlacklistIncoming"
@ -259,18 +261,6 @@ static bool sid_compose(struct dom_sid *dst, const struct dom_sid *dom_sid,
return true;
}
static char *sid_talloc_string(struct sss_idmap_ctx *ctx, void *final_ctx, const struct dom_sid *dom_sid)
{
enum idmap_error_code ret;
char *result = NULL;
ret = sss_idmap_smb_sid_to_sid(ctx, discard_const(dom_sid), &result);
if (ret != IDMAP_SUCCESS) {
return NULL;
}
return talloc_move(final_ctx, &result);
}
static bool is_null_sid(const struct dom_sid *sid)
{
size_t c;
@ -498,24 +488,9 @@ done:
return unix_dn;
}
/* Samba removed unixid_* helpers in c906153cc7af21abe508ddd30c447642327d6a5d */
static void ipasam_unixid_from_uid(struct unixid *id, uint32_t some_uid)
{
if (id) {
id->id = some_uid;
id->type = ID_TYPE_UID;
}
}
static void ipasam_unixid_from_gid(struct unixid *id, uint32_t some_gid)
{
if (id) {
id->id = some_gid;
id->type = ID_TYPE_GID;
}
}
static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
LDAPMessage *entry,
@ -544,18 +519,8 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
}
if (dom_sid_compare_domain(sid, domain_sid) != 0) {
char *debug_domain_sid = NULL;
err = sss_idmap_smb_sid_to_sid(idmap_ctx,
discard_const(domain_sid),
&debug_domain_sid);
if (err != IDMAP_SUCCESS) {
DEBUG(10, ("SID %s is not in expected domain.\n",
str));
} else {
DEBUG(10, ("SID %s is not in expected domain %s\n",
str, debug_domain_sid));
talloc_free(debug_domain_sid);
}
DEBUG(10, ("SID %s is not in expected domain %s\n",
str, sid_string_dbg(domain_sid)));
res = false;
goto done;
}
@ -624,7 +589,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
allsids = talloc_asprintf_append_buffer(
allsids, "(%s=%s)",
LDAP_ATTRIBUTE_SID,
sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, &sid));
sid_string_talloc(mem_ctx, &sid));
if (allsids == NULL) {
goto done;
}
@ -825,8 +790,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
filter = talloc_asprintf(mem_ctx,
"(&(%s=%s)"
"(|(objectClass=%s)(objectClass=%s)))",
LDAP_ATTRIBUTE_SID,
sid_talloc_string(priv->idmap_ctx, mem_ctx, sid),
LDAP_ATTRIBUTE_SID, sid_string_talloc(mem_ctx, sid),
LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
if (filter == NULL) {
DEBUG(5, ("talloc_asprintf failed\n"));
@ -873,7 +837,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
goto done;
}
ipasam_unixid_from_gid(id, strtoul(gid_str, NULL, 10));
unixid_from_gid(id, strtoul(gid_str, NULL, 10));
idmap_cache_set_sid2unixid(sid, id);
@ -891,7 +855,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
goto done;
}
ipasam_unixid_from_uid(id, strtoul(value, NULL, 10));
unixid_from_uid(id, strtoul(value, NULL, 10));
idmap_cache_set_sid2unixid(sid, id);
@ -916,13 +880,9 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
struct dom_sid *user_sid = NULL;
int rc;
enum idmap_error_code err;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
struct unixid id;
TALLOC_CTX *tmp_ctx = talloc_new(priv);
if (tmp_ctx == NULL) {
goto done;
}
/* Fast fail if we get a request for uidNumber=0 because it currently
* will never exist in the directory
* Saves an expensive LDAP call of which failure will never be cached
@ -972,14 +932,14 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
user_sid_string, &user_sid);
if (err != IDMAP_SUCCESS) {
DEBUG(3, ("Error creating sid structure for sid '%s'\n",
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
user_sid_string));
goto done;
}
sid_copy(sid, user_sid);
ipasam_unixid_from_uid(&id, uid);
unixid_from_uid(&id, uid);
idmap_cache_set_sid2unixid(sid, &id);
@ -1007,13 +967,9 @@ static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
size_t c;
int rc;
enum idmap_error_code err;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
struct unixid id;
TALLOC_CTX *tmp_ctx = talloc_new(priv);
if (tmp_ctx == NULL) {
goto done;
}
filter = talloc_asprintf(tmp_ctx,
"(|(&(gidNumber=%u)"
"(objectClass=%s))"
@ -1088,14 +1044,14 @@ found:
err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
group_sid_string, &group_sid);
if (err != IDMAP_SUCCESS) {
DEBUG(3, ("Error creating sid structure for sid '%s'\n",
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
group_sid_string));
goto done;
}
sid_copy(sid, group_sid);
ipasam_unixid_from_gid(&id, gid);
unixid_from_gid(&id, gid);
idmap_cache_set_sid2unixid(sid, &id);
@ -1631,11 +1587,11 @@ static bool ipasam_search_grouptype(struct pdb_methods *methods,
state->base = talloc_strdup(search, ipasam_state->base_dn);
state->connection = ipasam_state->ldap_state;
state->scope = LDAP_SCOPE_SUBTREE;
state->filter = talloc_asprintf(search, "(&(objectclass=%s)(%s=%s*))",
LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
sid_talloc_string(
ipasam_state->idmap_ctx,
search, sid));
state->filter = talloc_asprintf(search, "(&(objectclass=%s)"
"(%s=%s*))",
LDAP_OBJ_GROUPMAP,
LDAP_ATTRIBUTE_SID,
sid_string_talloc(search, sid));
state->attrs = talloc_attrs(search, "cn", LDAP_ATTRIBUTE_SID,
"displayName", "description",
NULL);
@ -1841,10 +1797,9 @@ done:
#define KRB_PRINC_CREATE_DISABLED 0x00000001
#define KRB_PRINC_CREATE_AGENT_PERMISSION 0x00000002
static bool set_krb_princ(struct ipasam_private *ipasam_state,
TALLOC_CTX *mem_ctx,
const char *princ, const char *alias,
const char *princ, const char *saltprinc,
const char *pwd,
const char *base_dn,
uint32_t create_flags)
@ -1902,15 +1857,14 @@ static bool set_krb_princ(struct ipasam_private *ipasam_state,
LDAP_ATTRIBUTE_KRB_CANONICAL, princ);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
if (alias) {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_KRB_PRINCIPAL, alias);
}
if (saltprinc) {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_KRB_PRINCIPAL, saltprinc);
}
if ((create_flags & KRB_PRINC_CREATE_DISABLED)) {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_KRB_TICKET_FLAGS,
__TALLOC_STRING_LINE2__(IPASAM_DISALLOW_ALL_TIX));
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_KRB_TICKET_FLAGS, __TALLOC_STRING_LINE2__(IPASAM_DISALLOW_ALL_TIX));
}
if ((create_flags & KRB_PRINC_CREATE_AGENT_PERMISSION)) {
@ -1923,19 +1877,18 @@ static bool set_krb_princ(struct ipasam_private *ipasam_state,
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_OBJECTCLASS,
LDAP_OBJ_IPAOPALLOW);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_IPAOPALLOW,
agent_dn);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn);
agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_ADMINS",%s", ipasam_state->base_dn);
if (agent_dn == NULL) {
DEBUG(1, ("error configuring cross realm principal data for trust admins!\n"));
return false;
}
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_IPAOPALLOW,
agent_dn);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn);
}
if (entry == NULL) {
ret = smbldap_add(ipasam_state->ldap_state, dn, mods);
} else {
@ -1946,7 +1899,7 @@ static bool set_krb_princ(struct ipasam_private *ipasam_state,
return false;
}
ret = set_cross_realm_pw(ipasam_state, princ, pwd);
ret = set_cross_realm_pw(ipasam_state, saltprinc ? saltprinc : princ, pwd);
if (ret != 0) {
DEBUG(1, ("set_cross_realm_pw failed.\n"));
return false;
@ -1988,21 +1941,18 @@ enum princ_mod {
};
static bool handle_cross_realm_princs(struct ipasam_private *ipasam_state,
const char *domain, const char *flat_name,
const char *pwd_incoming,
const char *pwd_outgoing,
const char *domain, const char *pwd,
uint32_t trust_direction,
enum princ_mod mod)
{
char *trusted_dn;
char *princ_l;
char *princ_r;
char *princ_r_tdo, *princ_l_tdo;
char *princ_tdo;
char *saltprinc_tdo;
char *remote_realm;
bool ok;
int failed = 0;
TALLOC_CTX *tmp_ctx;
const char *r_tdo_alias, *l_tdo_alias;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@ -2017,113 +1967,46 @@ static bool handle_cross_realm_princs(struct ipasam_private *ipasam_state,
trusted_dn = trusted_domain_dn(tmp_ctx, ipasam_state, domain);
princ_l = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
remote_realm, ipasam_state->realm);
princ_l_tdo = talloc_asprintf(tmp_ctx, "%s$@%s",
flat_name, ipasam_state->realm);
l_tdo_alias = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
flat_name, ipasam_state->realm);
princ_l = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", remote_realm,
ipasam_state->realm);
princ_r = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
ipasam_state->realm, remote_realm);
princ_r_tdo = talloc_asprintf(tmp_ctx, "%s$@%s",
ipasam_state->flat_name, remote_realm);
ipasam_state->realm, remote_realm);
r_tdo_alias = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
princ_tdo = talloc_asprintf(tmp_ctx, "%s$@%s",
ipasam_state->flat_name, remote_realm);
if (trusted_dn == NULL || princ_l == NULL || princ_l_tdo == NULL ||
l_tdo_alias == NULL || princ_r == NULL || princ_r_tdo == NULL ||
r_tdo_alias == NULL) {
saltprinc_tdo = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
ipasam_state->flat_name, remote_realm);
if (trusted_dn == NULL || princ_l == NULL ||
princ_r == NULL || princ_tdo == NULL || saltprinc_tdo == NULL) {
ok = false;
goto done;
}
switch (mod) {
case SET_PRINC:
/* We must use two sets by two principals here because
* they are used for different needs and must have
* different salts */
failed = 0;
/* INBOUND TRUST */
if ((trust_direction & LSA_TRUST_DIRECTION_INBOUND) != 0) {
/* First: krbtgt/<OUR REALM>@<REMOTE REALM>, enabled by default
* in case of the inboud trust */
failed += !set_krb_princ(ipasam_state, tmp_ctx, princ_r, NULL,
pwd_outgoing, trusted_dn,
KRB_PRINC_CREATE_DEFAULT);
/* Second: krbtgt/<OUR FLATNAME>@<REMOTE REALM>
* is only used for SSSD to be able to talk to
* AD DCs but it has to have canonical name set
* to krbtgt/<OUR FLATNAME> and alias it to
* <OUR FLATNAME$> because it is the salt used
* by AD DCs when using this principal,
* otherwise authentication will fail.
*
* *disable* use of this principal on our side as it is
* only used to retrieve trusted domain credentials by
* AD Trust Agents across the IPA topology */
failed += !set_krb_princ(ipasam_state, tmp_ctx,
r_tdo_alias, princ_r_tdo,
pwd_incoming, trusted_dn,
(KRB_PRINC_CREATE_DISABLED |
KRB_PRINC_CREATE_AGENT_PERMISSION));
ok = (failed == 0);
if (!ok) {
goto done;
}
}
failed = 0;
/* OUTBOUND TRUST */
/* Create Kerberos principal for inbound trust, enabled by default */
ok = set_krb_princ(ipasam_state, tmp_ctx, princ_r, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT);
/* Create Kerberos principal corresponding to TDO in AD for SSSD usage, disabled by default */
ok |= set_krb_princ(ipasam_state, tmp_ctx, princ_tdo, saltprinc_tdo, pwd, trusted_dn,
KRB_PRINC_CREATE_DISABLED | KRB_PRINC_CREATE_AGENT_PERMISSION);
if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) {
/* First: krbtgt/<REMOTE REALM>@<OUR REALM>, enabled by default */
failed += !set_krb_princ(ipasam_state, tmp_ctx,
princ_l, NULL,
pwd_outgoing, trusted_dn,
KRB_PRINC_CREATE_DEFAULT);
/* Second: <REMOTE FLAT NAME>$@<OUR REALM>, enabled by default
* as it is used for a remote DC to authenticate against IPA Samba
*
* A local account for the outbound trust must have
* POSIX and SMB identities associated with our domain but we associate
* them with the trust domain object itself */
failed += !set_krb_princ(ipasam_state, tmp_ctx,
princ_l_tdo, l_tdo_alias,
pwd_incoming, trusted_dn,
KRB_PRINC_CREATE_DEFAULT);
ok = (failed == 0);
if (!ok) {
goto done;
}
/* Create Kerberos principal for outbound trust, enabled by default */
ok |= set_krb_princ(ipasam_state, tmp_ctx, princ_l, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT);
}
if (!ok) {
goto done;
}
break;
case DEL_PRINC:
failed = 0;
if ((trust_direction & LSA_TRUST_DIRECTION_INBOUND) != 0) {
failed += !del_krb_princ(ipasam_state, tmp_ctx, princ_r, trusted_dn);
failed += !del_krb_princ(ipasam_state, tmp_ctx, princ_r_tdo, trusted_dn);
ok = (failed == 0);
if (!ok) {
goto done;
}
}
failed = 0;
ok = del_krb_princ(ipasam_state, tmp_ctx, princ_r, trusted_dn);
ok |= del_krb_princ(ipasam_state, tmp_ctx, princ_tdo, trusted_dn);
if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) {
failed += !del_krb_princ(ipasam_state, tmp_ctx, princ_l, trusted_dn);
failed += !del_krb_princ(ipasam_state, tmp_ctx, princ_l_tdo, trusted_dn);
ok = (failed == 0);
if (!ok) {
goto done;
}
ok |= del_krb_princ(ipasam_state, tmp_ctx, princ_l, trusted_dn);
}
if (!ok) {
goto done;
}
break;
default:
@ -2139,22 +2022,16 @@ done:
}
static bool set_cross_realm_princs(struct ipasam_private *ipasam_state,
const char *domain, const char* flat_name,
const char *pwd_incoming, const char *pwd_outgoing,
uint32_t trust_direction)
const char *domain, const char *pwd, uint32_t trust_direction)
{
return handle_cross_realm_princs(ipasam_state, domain, flat_name,
pwd_incoming,
pwd_outgoing,
trust_direction, SET_PRINC);
return handle_cross_realm_princs(ipasam_state, domain, pwd, trust_direction, SET_PRINC);
}
static bool del_cross_realm_princs(struct ipasam_private *ipasam_state,
const char *domain, const char *flat_name)
const char *domain)
{
uint32_t trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND;
return handle_cross_realm_princs(ipasam_state, domain, flat_name,
NULL, NULL, trust_direction, DEL_PRINC);
return handle_cross_realm_princs(ipasam_state, domain, NULL, trust_direction, DEL_PRINC);
}
static bool get_trusted_domain_int(struct ipasam_private *ipasam_state,
@ -2302,6 +2179,7 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
if (dummy == NULL) {
DEBUG(9, ("Attribute %s not present.\n",
LDAP_ATTRIBUTE_TRUST_SID));
ZERO_STRUCT(td->security_identifier);
} else {
err = sss_idmap_sid_to_smb_sid(ipasam_state->idmap_ctx,
dummy, &sid);
@ -2448,7 +2326,7 @@ static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
char *sid_str;
bool ok;
sid_str = sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, sid);
sid_str = sid_string_talloc(mem_ctx, sid);
if (sid_str == NULL) {
return NT_STATUS_NO_MEMORY;
}
@ -2561,8 +2439,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
int ret, i, count;
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
char *trustpw_incoming, *trustpw_outgoing;
char *sid, *tda_name;
char *trustpw;
char *sid;
char **in_blacklist = NULL;
char **out_blacklist = NULL;
uint32_t enctypes, trust_offset;
@ -2587,8 +2465,6 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
LDAP_OBJ_TRUSTED_DOMAIN);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, "objectClass",
LDAP_OBJ_ID_OBJECT);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, "objectClass",
LDAP_OBJ_POSIXACCOUNT);
}
if (entry != NULL) {
@ -2601,23 +2477,12 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_GIDNUMBER,
ipasam_state->fallback_primary_group_gid_str);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_HOMEDIRECTORY,
"/dev/null");
}
if (td->netbios_name != NULL) {
tda_name = talloc_asprintf(tmp_ctx, "%s$", td->netbios_name);
if (!tda_name) {
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_FLAT_NAME,
td->netbios_name);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_UID,
tda_name);
}
if (td->domain_name != NULL) {
@ -2629,8 +2494,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
if (!is_null_sid(&td->security_identifier)) {
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_TRUST_SID,
sid_talloc_string(ipasam_state->idmap_ctx,
tmp_ctx, &td->security_identifier));
sid_string_talloc(tmp_ctx, &td->security_identifier));
}
if (td->trust_type != 0) {
@ -2754,38 +2618,13 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
if (entry == NULL) { /* FIXME: allow password updates here */
status = get_trust_pwd(tmp_ctx, &td->trust_auth_incoming,
&trustpw_incoming, NULL);
&trustpw, NULL);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = get_trust_pwd(tmp_ctx, &td->trust_auth_outgoing,
&trustpw_outgoing, NULL);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
res = set_cross_realm_princs(ipasam_state, td->domain_name, td->netbios_name,
trustpw_incoming, trustpw_outgoing,
td->trust_direction);
{
/* Replace memset() use by an explicit loop to avoid
* both compile time and link time optimisations.
* We could have used memset_s() from C++11 but it is
* currently not implemented by GCC or glibc.
*/
volatile char *p = (void *) trustpw_incoming;
volatile char *q = (void *) trustpw_outgoing;
size_t plen = strlen(trustpw_incoming);
size_t qlen = strlen(trustpw_outgoing);
while (plen--) {
*p++ = '\0';
}
while (qlen--) {
*q++ = '\0';
}
}
res = set_cross_realm_princs(ipasam_state, td->domain_name,
trustpw, td->trust_direction);
memset(trustpw, 0, strlen(trustpw));
if (!res) {
DEBUG(1, ("error writing cross realm principals!\n"));
status = NT_STATUS_UNSUCCESSFUL;
@ -2854,7 +2693,7 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
talloc_get_type_abort(methods->private_data, struct ipasam_private);
LDAPMessage *entry = NULL;
char *dn;
const char *domain_name, *flat_name;
const char *domain_name;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
@ -2892,17 +2731,7 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
goto done;
}
flat_name = get_single_attribute(tmp_ctx, priv2ld(ipasam_state), entry,
LDAP_ATTRIBUTE_FLAT_NAME);
if (flat_name == NULL) {
DEBUG(1, ("Attribute %s not present.\n",
LDAP_ATTRIBUTE_FLAT_NAME));
status = NT_STATUS_INVALID_PARAMETER;
goto done;
}
if (!del_cross_realm_princs(ipasam_state, domain_name, flat_name)) {
if (!del_cross_realm_princs(ipasam_state, domain_name)) {
DEBUG(1, ("error deleting cross realm principals!\n"));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
@ -3275,7 +3104,7 @@ static int ipasam_get_sid_by_gid(struct ipasam_private *ipasam_state,
}
sid_copy(_sid, sid);
ipasam_unixid_from_gid(&id, gid);
unixid_from_gid(&id, gid);
idmap_cache_set_sid2unixid(sid, &id);
@ -3337,7 +3166,7 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
}
}
ipasam_unixid_from_gid(&id, gid);
unixid_from_gid(&id, gid);
idmap_cache_set_sid2unixid(group_sid, &id);
@ -3358,7 +3187,6 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
LDAPMessage * entry)
{
char *username = NULL;
struct berval **usernames = NULL;
char *domain = NULL;
char *nt_username = NULL;
char *fullname = NULL;
@ -3369,11 +3197,7 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
char *temp = NULL;
bool ret = false;
bool retval = false;
bool machine_account = false;
int status;
int len = 0;
int idx = 0;
size_t conv_size = 0;
DATA_BLOB nthash;
struct dom_sid *group_sid;
@ -3392,45 +3216,13 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
goto fn_exit;
}
usernames = ldap_get_values_len(priv2ld(ipasam_state), entry,
LDAP_ATTRIBUTE_UID);
if (usernames == NULL) {
if (!(username = smbldap_talloc_first_attribute(priv2ld(ipasam_state),
entry, LDAP_ATTRIBUTE_UID, tmp_ctx))) {
DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
"this user!\n"));
goto fn_exit;
}
len = ldap_count_values_len(usernames);
if (len > 1) {
/* Extract machine account as a user name if exists.
* If not, extract the first returned value */
for (int i=0; i < len; i++) {
if (usernames[i] != NULL &&
usernames[i]->bv_len > 0 &&
usernames[i]->bv_val[usernames[i]->bv_len-1] == '$') {
idx = i;
machine_account = true;
break;
}
}
}
/* convert_string_talloc() will eventually call smb_iconv() which will
* implicitly allocate space for NULL-termination in an encoding we use,
* thus we are OK with passing non-NULL-terminated source string. */
retval = convert_string_talloc(tmp_ctx,
CH_UTF8, CH_UNIX,
usernames[idx]->bv_val,
usernames[idx]->bv_len,
(void**)&username,
&conv_size);
if (!retval) {
DEBUG(1, ("init_sam_from_ldap: error converting uid to UNIX encoding!\n"));
goto fn_exit;
}
DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
nt_username = talloc_strdup(tmp_ctx, username);
@ -3501,9 +3293,7 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
}
/* Force machine accounts to be workstation trust type */
pdb_set_acct_ctrl(sampass, machine_account ? ACB_WSTRUST : ACB_NORMAL,
PDB_SET);
pdb_set_acct_ctrl(sampass, ACB_NORMAL, PDB_SET);
retval = smbldap_talloc_single_blob(tmp_ctx,
priv2ld(ipasam_state),
@ -3546,9 +3336,6 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
fn_exit:
if (usernames != NULL) {
ldap_value_free_len(usernames);
}
talloc_free(tmp_ctx);
return ret;
}
@ -3611,89 +3398,6 @@ done:
return status;
}
/*
* lookup of an account by SID
*
* Samba may ask for an account based on a SID value. Implement a callback to
* return a result of such lookup since we should have SID for every domain
* account that is supposed to be usable through SMB protocol.
*/
static NTSTATUS ipasam_getsampwsid(struct pdb_methods *methods,
struct samu *user,
const struct dom_sid *sid)
{
struct ipasam_private *ipasam_state =
talloc_get_type_abort(methods->private_data, struct ipasam_private);
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
char *filter = NULL;
char *sid_str = NULL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int ret;
int count;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
sid_str = sid_talloc_string(ipasam_state->idmap_ctx, tmp_ctx, sid);
if (sid_str == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
filter = talloc_asprintf(tmp_ctx, "(&(|(%s=%s)(%s=%s))(%s=%s))",
LDAP_ATTRIBUTE_OBJECTCLASS,
LDAP_OBJ_SAMBASAMACCOUNT,
LDAP_ATTRIBUTE_OBJECTCLASS,
LDAP_OBJ_ID_OBJECT,
LDAP_ATTRIBUTE_SID, sid_str);
if (filter == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ret = smbldap_search(ipasam_state->ldap_state,
ipasam_state->base_dn,
LDAP_SCOPE_SUBTREE, filter, NULL, 0,
&result);
if (ret != LDAP_SUCCESS) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
count = ldap_count_entries(priv2ld(ipasam_state), result);
if (count != 1) {
DEBUG(3, ("Expected single entry returned for a SID lookup. "
"Got %d. Refuse lookup by SID %s", count, sid_str));
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
entry = ldap_first_entry(priv2ld(ipasam_state), result);
if (entry == NULL) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (!init_sam_from_ldap(ipasam_state, user, entry)) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
status = NT_STATUS_OK;
done:
if (result != NULL) {
ldap_msgfree(result);
}
talloc_free(tmp_ctx);
return status;
}
static NTSTATUS ipasam_getsampwnam(struct pdb_methods *methods,
struct samu *user,
const char *sname)
@ -3917,8 +3621,7 @@ static void ipasam_free_private_data(void **vp)
(*ipasam_state)->result = NULL;
}
if ((*ipasam_state)->domain_dn != NULL) {
free((*ipasam_state)->domain_dn);
(*ipasam_state)->domain_dn = NULL;
SAFE_FREE((*ipasam_state)->domain_dn);
}
*ipasam_state = NULL;
@ -5004,7 +4707,6 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
ipasam_state->supported_enctypes = enctypes;
(*pdb_method)->getsampwnam = ipasam_getsampwnam;
(*pdb_method)->getsampwsid = ipasam_getsampwsid;
(*pdb_method)->search_users = ipasam_search_users;
(*pdb_method)->search_groups = ipasam_search_groups;
(*pdb_method)->search_aliases = ipasam_search_aliases;


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -247,8 +247,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -291,10 +289,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -315,6 +314,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -402,9 +403,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -467,8 +467,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -511,10 +509,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -535,6 +534,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -622,9 +623,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -270,8 +270,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -314,10 +312,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -338,6 +337,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -425,9 +426,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -273,8 +273,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -317,10 +315,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -341,6 +340,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -428,9 +429,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -50,11 +50,9 @@ TESTS =
check_PROGRAMS =
if HAVE_CMOCKA
if HAVE_UNSHARE
TESTS += extdom_cmocka_tests
check_PROGRAMS += extdom_cmocka_tests
endif
endif
extdom_cmocka_tests_SOURCES = \
ipa_extdom_cmocka_tests.c \


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -98,8 +98,8 @@ host_triplet = @host@
@USE_SSS_NSS_TIMEOUT_FALSE@am__append_2 = back_extdom_nss_sss.c
TESTS = $(am__EXEEXT_1)
check_PROGRAMS = $(am__EXEEXT_1)
@HAVE_CMOCKA_TRUE@@HAVE_UNSHARE_TRUE@am__append_3 = extdom_cmocka_tests
@HAVE_CMOCKA_TRUE@@HAVE_UNSHARE_TRUE@am__append_4 = extdom_cmocka_tests
@HAVE_CMOCKA_TRUE@am__append_3 = extdom_cmocka_tests
@HAVE_CMOCKA_TRUE@am__append_4 = extdom_cmocka_tests
subdir = daemons/ipa-slapi-plugins/ipa-extdom-extop
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
@ -118,7 +118,7 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
@HAVE_CMOCKA_TRUE@@HAVE_UNSHARE_TRUE@am__EXEEXT_1 = extdom_cmocka_tests$(EXEEXT)
@HAVE_CMOCKA_TRUE@am__EXEEXT_1 = extdom_cmocka_tests$(EXEEXT)
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -489,8 +489,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -533,10 +531,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -557,6 +556,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -644,9 +645,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -35,9 +35,6 @@ enum nss_status {
NSS_STATUS_RETURN
};
/* default NSS operation timeout 10s (ipaExtdomMaxNssTimeout) */
#define DEFAULT_MAX_NSS_TIMEOUT (10*1000)
/* NSS backend operations implemented using either nss_sss.so.2 or libsss_nss_idmap API */
struct nss_ops_ctx;
@ -45,7 +42,6 @@ int back_extdom_init_context(struct nss_ops_ctx **nss_context);
void back_extdom_free_context(struct nss_ops_ctx **nss_context);
void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,
unsigned int timeout);
unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context);
void back_extdom_evict_user(struct nss_ops_ctx *nss_context,
const char *name);
void back_extdom_evict_group(struct nss_ops_ctx *nss_context,


@ -135,7 +135,7 @@ fail:
}
/* Following four functions cannot be implemented with nss_sss.so.2
/* Following three functions cannot be implemented with nss_sss.so.2
* As result, we simply do nothing here */
void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,
@ -143,10 +143,6 @@ void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,
/* no operation */
}
unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context) {
return DEFAULT_MAX_NSS_TIMEOUT;
}
void back_extdom_evict_user(struct nss_ops_ctx *nss_context,
const char *name) {
/* no operation */
@ -292,3 +288,4 @@ enum nss_status back_extdom_getgrouplist(struct nss_ops_ctx *nss_context,
return ret;
}


@ -62,10 +62,10 @@ static enum nss_status __convert_sss_nss2nss_status(int errcode) {
return NSS_STATUS_SUCCESS;
case ENOENT:
return NSS_STATUS_NOTFOUND;
case ERANGE:
return NSS_STATUS_TRYAGAIN;
case ETIME:
/* fall-through */
case ERANGE:
return NSS_STATUS_TRYAGAIN;
case ETIMEDOUT:
/* fall-through */
default:
@ -111,14 +111,6 @@ void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,
nss_context->timeout = timeout;
}
unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context) {
if (nss_context == NULL) {
return DEFAULT_MAX_NSS_TIMEOUT;
}
return nss_context->timeout;
}
void back_extdom_evict_user(struct nss_ops_ctx *nss_context,
const char *name) {
if (nss_context == NULL) {
@ -280,3 +272,4 @@ enum nss_status back_extdom_getgrouplist(struct nss_ops_ctx *nss_context,
}
return __convert_sss_nss2nss_status(ret);
}
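Review bot: On the new side of `__convert_sss_nss2nss_status` (hunk `@ -62,10 +62,10 @@`), `case ETIME:` now falls through into `case ERANGE:` and returns `NSS_STATUS_TRYAGAIN`, so a timed-out lookup is reported exactly like a too-small buffer. If the `*_r_wrapper` callers treat TRYAGAIN as "enlarge the buffer and retry" (the rest of this file is not visible here), a slow or unresponsive SSSD would cause repeated retries inside the directory server's worker thread instead of a prompt failure. Keeping `ETIME` grouped with `ETIMEDOUT` ahead of the `default:` branch, as the removed lines did, preserves the distinction; if the retry is intended, a comment such as `/* ETIME: SSSD request timed out, retry like a short buffer */` should say so. The second hunk also removes `back_extdom_get_timeout`, so the configured timeout can no longer be read back by callers.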


@ -59,12 +59,10 @@
#include <lber.h>
#include <time.h>
#define IPA_389DS_PLUGIN_HELPER_CALLS
#include <sss_nss_idmap.h>
#define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4"
#define EXOP_EXTDOM_V1_OID "2.16.840.1.113730.3.8.10.4.1"
#define EXOP_EXTDOM_V2_OID "2.16.840.1.113730.3.8.10.4.2"
#define IPA_EXTDOM_PLUGIN_NAME "ipa-extdom-extop"
#define IPA_EXTDOM_FEATURE_DESC "IPA trusted domain ID mapper"
@ -74,8 +72,7 @@
enum extdom_version {
EXTDOM_V0 = 0,
EXTDOM_V1,
EXTDOM_V2
EXTDOM_V1
};
enum input_types {
@ -83,9 +80,7 @@ enum input_types {
INP_NAME,
INP_POSIX_UID,
INP_POSIX_GID,
INP_CERT,
INP_USERNAME,
INP_GROUPNAME
INP_CERT
};
enum request_types {
@ -162,8 +157,6 @@ struct ipa_extdom_ctx {
char *base_dn;
size_t max_nss_buf_size;
struct nss_ops_ctx *nss_ctx;
Slapi_Counter *extdom_instance_counter;
size_t extdom_max_instances;
};
struct domain_info {


@ -21,7 +21,6 @@
*/
#define _GNU_SOURCE
#include <sched.h>
#include <errno.h>
#include <stdarg.h>
#include <stddef.h>
@ -37,13 +36,10 @@
#include <stdio.h>
#include <dlfcn.h>
static bool skip_tests = false;
#define MAX_BUF (1024*1024*1024)
struct test_data {
struct extdom_req *req;
struct ipa_extdom_ctx *ctx;
bool skip_test;
};
/*
@ -142,6 +138,40 @@ fail:
return -1;
}
struct {
const char *o, *n;
} path_table[] = {
{ .o = "/etc/passwd", .n = "./test_data/passwd"},
{ .o = "/etc/group", .n = "./test_data/group"},
{ .o = NULL, .n = NULL}};
FILE *(*original_fopen)(const char*, const char*) = NULL;
FILE *fopen(const char *path, const char *mode) {
const char *_path = NULL;
/* Do not handle before-main() cases */
if (original_fopen == NULL) {
return NULL;
}
for(int i=0; path_table[i].o != NULL; i++) {
if (strcmp(path, path_table[i].o) == 0) {
_path = path_table[i].n;
break;
}
}
return (*original_fopen)(_path ? _path : path, mode);
}
/* Attempt to initialize original_fopen before main()
* There is no explicit order when all initializers are called,
* so we might still be late here compared to a code in a shared
* library initializer, like libselinux */
void redefined_fopen_ctor (void) __attribute__ ((constructor));
void redefined_fopen_ctor(void) {
original_fopen = dlsym(RTLD_NEXT, "fopen");
}
void test_getpwnam_r_wrapper(void **state)
{
int ret;
@ -151,9 +181,6 @@ void test_getpwnam_r_wrapper(void **state)
struct test_data *test_data;
test_data = (struct test_data *) *state;
if (test_data->skip_test) {
skip();
}
ret = get_buffer(&buf_len, &buf);
assert_int_equal(ret, 0);
@ -211,9 +238,6 @@ void test_getpwuid_r_wrapper(void **state)
struct test_data *test_data;
test_data = (struct test_data *) *state;
if (test_data->skip_test) {
skip();
}
ret = get_buffer(&buf_len, &buf);
assert_int_equal(ret, 0);
@ -266,9 +290,6 @@ void test_getgrnam_r_wrapper(void **state)
struct test_data *test_data;
test_data = (struct test_data *) *state;
if (test_data->skip_test) {
skip();
}
ret = get_buffer(&buf_len, &buf);
assert_int_equal(ret, 0);
@ -319,9 +340,6 @@ void test_getgrgid_r_wrapper(void **state)
struct test_data *test_data;
test_data = (struct test_data *) *state;
if (test_data->skip_test) {
skip();
}
ret = get_buffer(&buf_len, &buf);
assert_int_equal(ret, 0);
@ -371,9 +389,6 @@ void test_get_user_grouplist(void **state)
struct test_data *test_data;
test_data = (struct test_data *) *state;
if (test_data->skip_test) {
skip();
}
/* This is a bit odd behaviour of getgrouplist() it does not check if the
* user exists, only if memberships of the user can be found. */
@ -431,11 +446,6 @@ static int extdom_req_setup(void **state)
assert_non_null(test_data->ctx->nss_ctx);
back_extdom_set_timeout(test_data->ctx->nss_ctx, 10000);
test_data->skip_test = skip_tests;
if (chroot("test_data") != 0) {
test_data->skip_test = true;
}
*state = test_data;
return 0;
@ -483,34 +493,6 @@ void test_set_err_msg(void **state)
#define TEST_SID "S-1-2-3-4"
#define TEST_DOMAIN_NAME "DOMAIN"
/* Always time out for test */
static
enum nss_status getgrgid_r_timeout(gid_t gid, struct group *result,
char *buffer, size_t buflen, int *errnop) {
return NSS_STATUS_UNAVAIL;
}
void test_pack_ber_user_timeout(void **state)
{
int ret;
struct berval *resp_val = NULL;
struct test_data *test_data;
enum nss_status (*oldgetgrgid_r)(gid_t gid, struct group *result,
char *buffer, size_t buflen, int *errnop);
test_data = (struct test_data *) *state;
oldgetgrgid_r = test_data->ctx->nss_ctx->getgrgid_r;
test_data->ctx->nss_ctx->getgrgid_r = getgrgid_r_timeout;
ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST,
TEST_DOMAIN_NAME, "member001", 12345, 54321,
"gecos", "homedir", "shell", NULL, &resp_val);
test_data->ctx->nss_ctx->getgrgid_r = oldgetgrgid_r;
assert_int_equal(ret, LDAP_TIMELIMIT_EXCEEDED);
ber_bvfree(resp_val);
}
char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \
0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34};
char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \
@ -632,7 +614,6 @@ void test_decode(void **state)
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_pack_ber_user_timeout),
cmocka_unit_test(test_getpwnam_r_wrapper),
cmocka_unit_test(test_getpwuid_r_wrapper),
cmocka_unit_test(test_getgrnam_r_wrapper),
@ -645,6 +626,6 @@ int main(int argc, const char *argv[])
cmocka_unit_test(test_decode),
};
skip_tests = (unshare(CLONE_NEWUSER) == -1);
assert_non_null(original_fopen);
return cmocka_run_group_tests(tests, extdom_req_setup, extdom_req_teardown);
}


@ -114,13 +114,6 @@ int __nss_to_err(enum nss_status errcode)
}
}
static int get_timeout(struct ipa_extdom_ctx *ctx) {
if (ctx == NULL || ctx->nss_ctx == NULL) {
return DEFAULT_MAX_NSS_TIMEOUT;
}
return back_extdom_get_timeout(ctx->nss_ctx);
}
int getpwnam_r_wrapper(struct ipa_extdom_ctx *ctx, const char *name,
struct passwd *pwd, char **buf, size_t *buf_len)
{
@ -278,9 +271,7 @@ int parse_request_data(struct berval *req_val, struct extdom_req **_req)
* sid (1),
* name (2),
* posix uid (3),
* posix gid (4),
* username (5),
* groupname (6)
* posix gid (3)
* },
* requestType ENUMERATED {
* simple (1),
@ -346,8 +337,6 @@ int parse_request_data(struct berval *req_val, struct extdom_req **_req)
switch (req->input_type) {
case INP_NAME:
case INP_USERNAME:
case INP_GROUPNAME:
tag = ber_scanf(ber, "{aa}}", &req->data.name.domain_name,
&req->data.name.object_name);
break;
@ -389,8 +378,6 @@ void free_req_data(struct extdom_req *req)
switch (req->input_type) {
case INP_NAME:
case INP_USERNAME:
case INP_GROUPNAME:
ber_memfree(req->data.name.domain_name);
ber_memfree(req->data.name.object_name);
break;
@ -420,12 +407,6 @@ int check_request(struct extdom_req *req, enum extdom_version version)
}
}
if (version == EXTDOM_V0 || version == EXTDOM_V1) {
if (req->input_type == INP_USERNAME || req->input_type == INP_GROUPNAME) {
return LDAP_PROTOCOL_ERROR;
}
}
return LDAP_SUCCESS;
}
@ -542,7 +523,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
ret = LDAP_INVALID_SYNTAX;
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
@ -587,12 +568,10 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
ret = getgrgid_r_wrapper(ctx,
groups[c], &grp, &buf, &buf_len);
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
@ -655,7 +634,7 @@ int pack_ber_group(enum response_types response_type,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
ret = LDAP_INVALID_SYNTAX;
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
@ -852,14 +831,11 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
}
if (request_type == REQ_SIMPLE) {
ret = sss_nss_getsidbyid_timeout(uid, get_timeout(ctx),
&sid_str, &id_type);
ret = sss_nss_getsidbyid(uid, &sid_str, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
|| id_type == SSS_ID_TYPE_BOTH)) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup SID by UID");
ret = LDAP_OPERATIONS_ERROR;
@ -871,26 +847,21 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
} else {
ret = getpwuid_r_wrapper(ctx, uid, &pwd, &buf, &buf_len);
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname_timeout(pwd.pw_name, get_timeout(ctx),
&kv_list, &id_type);
ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
|| id_type == SSS_ID_TYPE_BOTH)) {
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@ -932,13 +903,10 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
}
if (request_type == REQ_SIMPLE) {
ret = sss_nss_getsidbyid_timeout(gid, get_timeout(ctx),
&sid_str, &id_type);
ret = sss_nss_getsidbyid(gid, &sid_str, &id_type);
if (ret != 0 || id_type != SSS_ID_TYPE_GID) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup SID by GID");
ret = LDAP_OPERATIONS_ERROR;
@ -950,26 +918,21 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
} else {
ret = getgrgid_r_wrapper(ctx, gid, &grp, &buf, &buf_len);
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname_timeout(grp.gr_name, get_timeout(ctx),
&kv_list, &id_type);
ret = sss_nss_getorigbyname(grp.gr_name, &kv_list, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_GID
|| id_type == SSS_ID_TYPE_BOTH)) {
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@ -1009,13 +972,10 @@ static int handle_cert_request(struct ipa_extdom_ctx *ctx,
goto done;
}
ret = sss_nss_getlistbycert_timeout(input, get_timeout(ctx),
&fq_names, &id_types);
ret = sss_nss_getlistbycert(input, &fq_names, &id_types);
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup name by certificate");
ret = LDAP_OPERATIONS_ERROR;
@ -1056,13 +1016,10 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
enum sss_id_type id_type;
struct sss_nss_kv *kv_list = NULL;
ret = sss_nss_getnamebysid_timeout(input, get_timeout(ctx),
&fq_name, &id_type);
ret = sss_nss_getnamebysid(input, &fq_name, &id_type);
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup name by SID");
ret = LDAP_OPERATIONS_ERROR;
@ -1100,26 +1057,21 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
case SSS_ID_TYPE_BOTH:
ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len);
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname_timeout(pwd.pw_name, get_timeout(ctx),
&kv_list, &id_type);
ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
|| id_type == SSS_ID_TYPE_BOTH)) {
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@ -1137,26 +1089,21 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
case SSS_ID_TYPE_GID:
ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len);
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname_timeout(grp.gr_name, get_timeout(ctx),
&kv_list, &id_type);
ret = sss_nss_getorigbyname(grp.gr_name, &kv_list, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_GID
|| id_type == SSS_ID_TYPE_BOTH)) {
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@ -1184,48 +1131,17 @@ done:
return ret;
}
static int handle_simple_request(struct ipa_extdom_ctx *ctx,
struct extdom_req *req,
const char *fq_name,
struct berval **berval)
{
int ret;
char *sid_str = NULL;
enum sss_id_type id_type;
ret = sss_nss_getsidbyname_timeout(fq_name, get_timeout(ctx),
&sid_str, &id_type);
switch(ret) {
case 0:
ret = pack_ber_sid(sid_str, berval);
break;
case ENOENT:
ret = LDAP_NO_SUCH_OBJECT;
break;
case ETIMEDOUT:
case ETIME:
ret = LDAP_TIMELIMIT_EXCEEDED;
break;
default:
set_err_msg(req, "Failed to lookup SID by name");
ret = LDAP_OPERATIONS_ERROR;
break;
}
free(sid_str);
return ret;
}
static int handle_username_request(struct ipa_extdom_ctx *ctx,
struct extdom_req *req,
enum request_types request_type,
const char *name, const char *domain_name,
struct berval **berval)
static int handle_name_request(struct ipa_extdom_ctx *ctx,
struct extdom_req *req,
enum request_types request_type,
const char *name, const char *domain_name,
struct berval **berval)
{
int ret;
char *fq_name = NULL;
struct passwd pwd;
struct group grp;
char *sid_str = NULL;
enum sss_id_type id_type;
size_t buf_len;
char *buf = NULL;
@ -1247,159 +1163,93 @@ static int handle_username_request(struct ipa_extdom_ctx *ctx,
}
if (request_type == REQ_SIMPLE) {
/* REQ_SIMPLE */
ret = handle_simple_request(ctx, req, fq_name, berval);
goto done;
}
/* REQ_FULL || REQ_FULL_WITH_GROUPS */
ret = get_buffer(&buf_len, &buf);
if (ret != LDAP_SUCCESS) {
goto done;
}
ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len);
switch(ret) {
case 0:
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname_timeout(pwd.pw_name,
get_timeout(ctx),
&kv_list, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
|| id_type == SSS_ID_TYPE_BOTH)) {
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
}
ret = pack_ber_user(ctx,
(request_type == REQ_FULL ? RESP_USER
: RESP_USER_GROUPLIST),
domain_name, pwd.pw_name, pwd.pw_uid,
pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
pwd.pw_shell, kv_list, berval);
break;
case ENOMEM:
case ERANGE:
ret = LDAP_OPERATIONS_ERROR;
break;
case ETIMEDOUT:
ret = LDAP_TIMELIMIT_EXCEEDED;
break;
default:
ret = LDAP_NO_SUCH_OBJECT;
break;
}
done:
sss_nss_free_kv(kv_list);
free(fq_name);
free(buf);
return ret;
}
static int handle_groupname_request(struct ipa_extdom_ctx *ctx,
struct extdom_req *req,
enum request_types request_type,
const char *name, const char *domain_name,
struct berval **berval)
{
int ret;
char *fq_name = NULL;
struct group grp;
enum sss_id_type id_type;
size_t buf_len;
char *buf = NULL;
struct sss_nss_kv *kv_list = NULL;
/* with groups we can be sure that name doesn't contain the domain_name */
ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR,
domain_name);
if (ret == -1) {
ret = LDAP_OPERATIONS_ERROR;
set_err_msg(req, "Failed to create fully qualified name");
fq_name = NULL; /* content is undefined according to
asprintf(3) */
goto done;
}
if (request_type == REQ_SIMPLE) {
/* REQ_SIMPLE */
ret = handle_simple_request(ctx, req, fq_name, berval);
goto done;
}
/* REQ_FULL || REQ_FULL_WITH_GROUPS */
ret = get_buffer(&buf_len, &buf);
if (ret != LDAP_SUCCESS) {
goto done;
}
ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len);
if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname_timeout(grp.gr_name, get_timeout(ctx),
&kv_list, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_GID
|| id_type == SSS_ID_TYPE_BOTH)) {
ret = sss_nss_getsidbyname(fq_name, &sid_str, &id_type);
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else {
set_err_msg(req, "Failed to read original data");
set_err_msg(req, "Failed to lookup SID by name");
ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
}
ret = pack_ber_group((request_type == REQ_FULL ? RESP_GROUP
: RESP_GROUP_MEMBERS),
domain_name, grp.gr_name, grp.gr_gid,
grp.gr_mem, kv_list, berval);
ret = pack_ber_sid(sid_str, berval);
} else {
ret = get_buffer(&buf_len, &buf);
if (ret != LDAP_SUCCESS) {
goto done;
}
ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len);
if (ret == 0) {
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
|| id_type == SSS_ID_TYPE_BOTH)) {
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
}
ret = pack_ber_user(ctx,
(request_type == REQ_FULL ? RESP_USER
: RESP_USER_GROUPLIST),
domain_name, pwd.pw_name, pwd.pw_uid,
pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
pwd.pw_shell, kv_list, berval);
} else if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
goto done;
} else { /* no user entry found */
/* according to the getpwnam() man page there are a couple of
* error codes which can indicate that the user was not found. To
* be on the safe side we fail back to the group lookup on all
* errors. */
ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len);
if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT;
}
goto done;
}
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname(grp.gr_name, &kv_list, &id_type);
if (ret != 0 || !(id_type == SSS_ID_TYPE_GID
|| id_type == SSS_ID_TYPE_BOTH)) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
} else {
set_err_msg(req, "Failed to read original data");
ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
}
ret = pack_ber_group((request_type == REQ_FULL ? RESP_GROUP
: RESP_GROUP_MEMBERS),
domain_name, grp.gr_name, grp.gr_gid,
grp.gr_mem, kv_list, berval);
}
}
done:
sss_nss_free_kv(kv_list);
free(fq_name);
free(sid_str);
free(buf);
return ret;
}
static int handle_name_request(struct ipa_extdom_ctx *ctx,
struct extdom_req *req,
enum request_types request_type,
const char *name, const char *domain_name,
struct berval **berval)
{
int ret;
ret = handle_username_request(ctx, req, request_type,
name, domain_name, berval);
if (ret == LDAP_NO_SUCH_OBJECT) {
ret = handle_groupname_request(ctx, req, request_type,
name, domain_name, berval);
}
return ret;
}
int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
struct berval **berval)
{
@ -1431,18 +1281,6 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
req->data.name.object_name,
req->data.name.domain_name, berval);
break;
case INP_GROUPNAME:
ret = handle_groupname_request(ctx, req, req->request_type,
req->data.name.object_name,
req->data.name.domain_name, berval);
break;
case INP_USERNAME:
ret = handle_username_request(ctx, req, req->request_type,
req->data.name.object_name,
req->data.name.domain_name, berval);
break;
default:
set_err_msg(req, "Unknown input type");
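Review bot: The error mapping after each getpw*/getgr*_r_wrapper call on the new side (first in the `@ -587,12 +568,10 @@` hunk of pack_ber_user, repeated in the handle_uid_request, handle_gid_request, handle_sid_request and handle_name_request hunks) turns every failure other than ENOMEM/ERANGE into LDAP_NO_SUCH_OBJECT, so a lookup that fails for a reason other than the entry being absent — including a timeout, if the nss timeout still configured through back_extdom_set_timeout surfaces as ETIMEDOUT from the wrapper, whose body is outside this section — is indistinguishable to the client from a non-existent user or group. In handle_name_request this is compounded by the fallback at `/* no user entry found */`, which retries as a group lookup on all errors, so a slow or failed user lookup is followed by a second full lookup before the request fails. The direct sss_nss_getsidbyid/sss_nss_getorigbyname/sss_nss_getnamebysid/sss_nss_getlistbycert/sss_nss_getsidbyname calls take no timeout argument here, so unless the library bounds them internally each request holds its worker thread for as long as the SSSD responder takes. I would map timeouts explicitly before the catch-all, `} else if (ret == ETIMEDOUT) { ret = LDAP_TIMELIMIT_EXCEEDED; }`, and treat that result as terminal in handle_name_request instead of falling through to the group lookup; pack_ber_user, pack_ber_group and the handle_*_request functions all start outside their hunks.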


@ -42,6 +42,7 @@
#include "util.h"
#define DEFAULT_MAX_NSS_BUFFER (128*1024*1024)
#define DEFAULT_MAX_NSS_TIMEOUT (10*1000)
Slapi_PluginDesc ipa_extdom_plugin_desc = {
IPA_EXTDOM_FEATURE_DESC,
@ -53,7 +54,6 @@ Slapi_PluginDesc ipa_extdom_plugin_desc = {
static char *ipa_extdom_oid_list[] = {
EXOP_EXTDOM_OID,
EXOP_EXTDOM_V1_OID,
EXOP_EXTDOM_V2_OID,
NULL
};
@ -62,112 +62,8 @@ static char *ipa_extdom_name_list[] = {
NULL
};
#define NSSLAPD_THREADNUMBER "nsslapd-threadnumber"
static int ipa_get_threadnumber(Slapi_ComponentId *plugin_id, size_t *threadnumber)
{
Slapi_PBlock *search_pb = NULL;
int search_result;
Slapi_Entry **search_entries = NULL;
int ret;
char *attrs[] = { NSSLAPD_THREADNUMBER, NULL };
search_pb = slapi_pblock_new();
if (search_pb == NULL) {
LOG_FATAL("Failed to create new pblock.\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
slapi_search_internal_set_pb(search_pb, "cn=config",
LDAP_SCOPE_BASE, "objectclass=*",
attrs, 0, NULL, NULL, plugin_id, 0);
ret = slapi_search_internal_pb(search_pb);
if (ret != 0) {
LOG_FATAL("Starting internal search failed.\n");
goto done;
}
ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT,
&search_result);
if (ret != 0 || search_result != LDAP_SUCCESS) {
LOG_FATAL("Internal search failed [%d][%d].\n", ret, search_result);
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
&search_entries);
if (ret != 0) {
LOG_FATAL("Failed to read searched entries.\n");
goto done;
}
if (search_entries == NULL || search_entries[0] == NULL) {
LOG("No existing entries.\n");
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
if (search_entries[1] != NULL) {
LOG("Too many results found.\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
*threadnumber = slapi_entry_attr_get_uint(search_entries[0],
NSSLAPD_THREADNUMBER);
if (*threadnumber <= 0) {
LOG_FATAL("No thread number found.\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
LOG("Found thread number [%zu].\n", *threadnumber);
ret = 0;
done:
slapi_free_search_results_internal(search_pb);
slapi_pblock_destroy(search_pb);
return ret;
}
static int ipa_extdom_start(Slapi_PBlock *pb)
{
int ret;
struct ipa_extdom_ctx *ctx;
size_t threadnumber;
ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx);
if (ret != 0) {
return LDAP_OPERATIONS_ERROR;
}
ret = ipa_get_threadnumber(ctx->plugin_id, &threadnumber);
if (ret != 0) {
LOG("Unable to get thread number [%d]!\n", ret);
return ret;
}
if (ctx->extdom_max_instances >= threadnumber) {
LOG("Option ipaExtdomMaxInstances [%zu] is larger or equal the number "
"of worker threads [%zu], using defaults.\n",
ctx->extdom_max_instances, threadnumber);
ctx->extdom_max_instances = 0;
}
if (ctx->extdom_max_instances == 0) {
ctx->extdom_max_instances = (size_t)(threadnumber * 0.8);
if (ctx->extdom_max_instances == 0) {
ctx->extdom_max_instances = 1;
}
}
LOG("Using maximal [%zu] extdom instances for [%zu] threads.\n",
ctx->extdom_max_instances, threadnumber);
return LDAP_SUCCESS;
}
@ -182,7 +78,6 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
struct extdom_req *req = NULL;
struct ipa_extdom_ctx *ctx;
enum extdom_version version;
bool counter_set = false;
ret = slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid);
if (ret != 0) {
@ -196,8 +91,6 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
version = EXTDOM_V0;
} else if (strcasecmp(oid, EXOP_EXTDOM_V1_OID) == 0) {
version = EXTDOM_V1;
} else if (strcasecmp(oid, EXOP_EXTDOM_V2_OID) == 0) {
version = EXTDOM_V2;
} else {
return SLAPI_PLUGIN_EXTENDED_NOT_HANDLED;
}
@ -216,16 +109,6 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
goto done;
}
if (slapi_counter_get_value(ctx->extdom_instance_counter)
> ctx->extdom_max_instances) {
rc = LDAP_BUSY;
err_msg = "Too many extdom instances running.\n";
goto done;
}
slapi_counter_increment(ctx->extdom_instance_counter);
counter_set = true;
ret = parse_request_data(req_val, &req);
if (ret != LDAP_SUCCESS) {
rc = LDAP_UNWILLING_TO_PERFORM;
@ -244,8 +127,6 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
if (ret != LDAP_SUCCESS) {
if (ret == LDAP_NO_SUCH_OBJECT) {
rc = LDAP_NO_SUCH_OBJECT;
} else if (ret == LDAP_TIMELIMIT_EXCEEDED) {
rc = LDAP_TIMELIMIT_EXCEEDED;
} else {
rc = LDAP_OPERATIONS_ERROR;
err_msg = "Failed to handle the request.\n";
@ -270,14 +151,6 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
rc = LDAP_SUCCESS;
done:
if (counter_set) {
if (slapi_counter_get_value(ctx->extdom_instance_counter) == 0) {
LOG("Instance counter already 0, this is unexpected.\n");
} else {
slapi_counter_decrement(ctx->extdom_instance_counter);
}
}
if ((req != NULL) && (req->err_msg != NULL)) {
err_msg = req->err_msg;
}
@ -346,16 +219,6 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx)
back_extdom_set_timeout(ctx->nss_ctx, timeout);
LOG("Maximal nss timeout (in ms) set to [%u]!\n", timeout);
ctx->extdom_max_instances = slapi_entry_attr_get_uint(e, "ipaExtdomMaxInstances");
LOG("Maximal instances from config [%zu]!\n", ctx->extdom_max_instances);
ctx->extdom_instance_counter = slapi_counter_new();
if (ctx->extdom_instance_counter == NULL) {
LOG("Unable to initialize instance counter!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = 0;
done:
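Review bot: ipa_extdom_extop on the new side performs no admission check before parse_request_data and has no LDAP_BUSY path, so every extended operation is accepted regardless of how many are already in flight; since each one blocks its worker thread inside the SSSD lookups made by handle_request, a burst of slow lookups can occupy every directory-server worker thread and stall unrelated LDAP traffic. The new ipa_extdom_init_ctx hunk also no longer reads `ipaExtdomMaxInstances`, so that attribute, if still present in the plugin configuration entry, is silently ignored rather than rejected. If concurrency limiting is intentionally absent, I would say so at the top of ipa_extdom_extop with `/* NOTE: no admission control; each request blocks a worker thread until SSSD answers */`; otherwise a per-plugin counter checked against a configured maximum, answering LDAP_BUSY on overflow and decremented at `done:`, is the minimal guard. Both ipa_extdom_extop and ipa_extdom_init_ctx start outside their hunks.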


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -271,8 +271,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -315,10 +313,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -339,6 +338,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -426,9 +427,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -271,8 +271,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -315,10 +313,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -339,6 +338,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -426,9 +427,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -269,8 +269,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -313,10 +311,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -337,6 +336,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -424,9 +425,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@


@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -269,8 +269,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@ -313,10 +311,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@ -337,6 +336,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@ -424,9 +425,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
