From 957eb7d587e480ec8c976d1735cd5190c62e9e44 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Fri, 12 Apr 2013 20:53:00 +0200 Subject: [PATCH] Use allow-realm-logins by default if manage-system When manage-system is false, use allow-permitted-logins as the default login policy, otherwise allow-realm-logins https://bugs.freedesktop.org/show_bug.cgi?id=61858 --- service/realm-sssd-ad.c | 17 +++++++++++++++-- service/realm-sssd-ipa.c | 24 ++++++++++++++++++++++-- service/realm-sssd.c | 26 +++++++++++++------------- service/realm-sssd.h | 7 +++++++ 4 files changed, 57 insertions(+), 17 deletions(-) diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c index e476b3a..6d80f83 100644 --- a/service/realm-sssd-ad.c +++ b/service/realm-sssd-ad.c @@ -162,10 +162,13 @@ static gboolean configure_sssd_for_domain (RealmIniConfig *config, const gchar *realm, const gchar *workgroup, + GVariant *options, GError **error) { + const gchar *access_provider; gboolean ret; gchar *domain; + gchar *section; gchar **parts; gchar *rdn; gchar *dn; @@ -192,7 +195,6 @@ configure_sssd_for_domain (RealmIniConfig *config, "use_fully_qualified_names", "True", "id_provider", "ad", - "access_provider", "ad", "ad_domain", domain, "krb5_realm", realm, @@ -202,6 +204,16 @@ configure_sssd_for_domain (RealmIniConfig *config, "fallback_homedir", home, NULL); + if (ret) { + if (realm_options_manage_system (options, domain)) + access_provider = "ad"; + else + access_provider = "simple"; + section = realm_sssd_config_domain_to_section (workgroup); + ret = realm_sssd_set_login_policy (config, section, access_provider, NULL, NULL, error); + free (section); + } + g_free (home); g_free (domain); g_free (dn); @@ -246,7 +258,8 @@ on_join_do_sssd (GObject *source, if (error == NULL) { configure_sssd_for_domain (realm_sssd_get_config (sssd), - join->realm_name, workgroup, &error); + join->realm_name, workgroup, + join->options, &error); } if (error == NULL) { 
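Review bot: In the `@@ -202,6 +204,16 @@` hunk of realm-sssd-ad.c, `access_provider` is now written by a second call, so a failure in `realm_sssd_set_login_policy()` can leave the domain keys on disk without it if the first call has already committed them. The preceding hunk drops `"access_provider", "ad",` from the first key list, and the new `if (ret)` block restores a value only on success. sssd.conf(5) gives `permit` as the default when the option is absent, so this path fails open if sssd later loads that section. Whether the join error path removes the section cannot be seen here, since `configure_sssd_for_domain()` starts and ends outside the hunk. One option is to keep a restrictive placeholder in the first list, e.g. `"access_provider", "deny",`, and let the policy call overwrite it on success.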
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c index 5bc6e3c..4b056cd 100644 --- a/service/realm-sssd-ipa.c +++ b/service/realm-sssd-ipa.c @@ -99,6 +99,7 @@ realm_sssd_ipa_class_init (RealmSssdIpaClass *klass) typedef struct { GDBusMethodInvocation *invocation; GPtrArray *argv; + GVariant *options; GBytes *input; } EnrollClosure; @@ -109,6 +110,7 @@ enroll_closure_free (gpointer data) g_object_unref (enroll->invocation); if (enroll->argv) g_ptr_array_unref (enroll->argv); + g_variant_unref (enroll->options); g_bytes_unref (enroll->input); g_slice_free (EnrollClosure, enroll); } @@ -166,8 +168,12 @@ on_ipa_client_do_restart (GObject *source, EnrollClosure *enroll = g_simple_async_result_get_op_res_gpointer (async); RealmSssd *sssd = REALM_SSSD (g_async_result_get_source_object (user_data)); RealmKerberos *realm = REALM_KERBEROS (sssd); + const gchar *access_provider; GError *error = NULL; GString *output = NULL; + RealmIniConfig *config; + const gchar *domain; + gchar *section; gchar *home; gint status; @@ -190,11 +196,13 @@ on_ipa_client_do_restart (GObject *source, } } + domain = realm_kerberos_get_name (realm); + config = realm_sssd_get_config (sssd); + if (error == NULL) { home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home")); - realm_sssd_config_update_domain (realm_sssd_get_config (sssd), - realm_kerberos_get_name (realm), &error, + realm_sssd_config_update_domain (config, domain, &error, "re_expression", "(?P[^@]+)@(?P.+$)", "full_name_format", "%1$s@%2$s", "cache_credentials", "True", 
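Review bot: `g_variant_unref (enroll->options);` in `enroll_closure_free()` runs unconditionally, unlike the `argv` release just above it, and `g_variant_unref()` logs a critical when handed NULL. The closure comes from `g_slice_new0`, so `options` is NULL until assigned. The two creation sites touched by this patch do assign it, but any other site outside the visible hunks, or a caller that passes NULL options, would trip the check. Guarding it the same way as `argv` keeps the destructor safe: `if (enroll->options) g_variant_unref (enroll->options);`.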
@@ -207,6 +215,16 @@ on_ipa_client_do_restart (GObject *source, } if (error == NULL) { + if (realm_options_manage_system (enroll->options, domain)) + access_provider = "ipa"; + else + access_provider = "simple"; + section = realm_sssd_config_domain_to_section (domain); + realm_sssd_set_login_policy (config, section, access_provider, NULL, NULL, &error); + free (section); + } + + if (error == NULL) { realm_service_enable_and_restart ("sssd", enroll->invocation, on_restart_done, g_object_ref (async)); @@ -293,6 +311,7 @@ realm_sssd_ipa_join_async (RealmKerberosMembership *membership, async = g_simple_async_result_new (G_OBJECT (realm), callback, user_data, NULL); enroll = g_slice_new0 (EnrollClosure); enroll->invocation = g_object_ref (invocation); + enroll->options = g_variant_ref (options); g_simple_async_result_set_op_res_gpointer (async, enroll, enroll_closure_free); if (g_variant_lookup (options, REALM_DBUS_OPTION_COMPUTER_OU, "&s", &computer_ou)) { @@ -442,6 +461,7 @@ realm_sssd_ipa_leave_async (RealmKerberosMembership *membership, async = g_simple_async_result_new (G_OBJECT (realm), callback, user_data, NULL); enroll = g_slice_new0 (EnrollClosure); enroll->invocation = g_object_ref (invocation); + enroll->options = g_variant_ref (options); g_simple_async_result_set_op_res_gpointer (async, enroll, enroll_closure_free); if (realm_sssd_get_config_section (sssd) == NULL) { diff --git a/service/realm-sssd.c b/service/realm-sssd.c index aaea8ee..fe289e9 100644 --- a/service/realm-sssd.c +++ b/service/realm-sssd.c 
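Review bot: The `else` branch in the `@@ -207,6 +215,16 @@` hunk selects `access_provider = "simple"` and passes `NULL, NULL` for the name lists, but sssd's simple provider grants access to every user when no allow list is set. The "permitted logins only" default therefore holds only if `realm_sssd_set_login_policy()` leaves a non-empty `simple_allow_users` behind. That function's body is outside this hunk, so this is worth confirming and stating at the call, e.g. `/* "simple" with no names must deny by default; relies on set_login_policy keeping simple_allow_users non-empty */`. The same call shape appears in the realm-sssd-ad.c hunk at `-202,6 +204,16`. Both hunks also release `section` with `free (section);`, where `g_free (section);` would match the rest of the file if the helper returns a GLib allocation.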
@@ -71,13 +71,13 @@ on_logins_restarted (GObject *source, g_object_unref (self); } -static gboolean -sssd_config_change_login_policy (RealmIniConfig *config, - const gchar *section, - const gchar *access_provider, - const gchar **add_names, - const gchar **remove_names, - GError **error) +gboolean +realm_sssd_set_login_policy (RealmIniConfig *config, + const gchar *section, + const gchar *access_provider, + const gchar **add_names, + const gchar **remove_names, + GError **error) { gchar *allow; @@ -193,12 +193,12 @@ realm_sssd_logins_async (RealmKerberos *realm, sssd_config_check_login_list (remove_names, &error); if (error == NULL) { - sssd_config_change_login_policy (self->pv->config, - self->pv->section, - access_provider, - (const gchar **)add_names, - (const gchar **)remove_names, - &error); + realm_sssd_set_login_policy (self->pv->config, + self->pv->section, + access_provider, + (const gchar **)add_names, + (const gchar **)remove_names, + &error); } if (error == NULL) { diff --git a/service/realm-sssd.h b/service/realm-sssd.h index 84268e2..50fbe1e 100644 --- a/service/realm-sssd.h +++ b/service/realm-sssd.h @@ -66,6 +66,13 @@ void realm_sssd_deconfigure_domain_tail (RealmSssd *self, GSimpleAsyncResult *async, GDBusMethodInvocation *invocation); +gboolean realm_sssd_set_login_policy (RealmIniConfig *config, + const gchar *section, + const gchar *access_provider, + const gchar **add_names, + const gchar **remove_names, + GError **error); + void realm_sssd_update_properties (RealmSssd *self); G_END_DECLS -- 1.8.1.4
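Review bot: The prototype added to realm-sssd.h in the `@@ -66,6 +66,13 @@` hunk exports `realm_sssd_set_login_policy()` without a contract comment, although the new callers in realm-sssd-ad.c and realm-sssd-ipa.c already rely on passing `NULL` for both name lists. A short comment above the declaration would record what callers may depend on, for example `/* Sets access_provider in @section and adds/removes permitted login names; either list may be NULL. Returns FALSE and sets @error on failure. */`. The return and NULL-handling wording is inferred from the call sites, because only the first line of the function body (`gchar *allow;`) is visible in this patch, so it should be checked against the implementation.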