Commit 5743ea9e authored by Russ Allbery

ad_ldap_base now contains the entire base DN

The meaning of the ad_ldap_base configuration option has changed, and
it's now mandatory for status synchronization.  This setting should
now contain the full DN of the tree in Active Directory where account
information is stored (such as cn=Accounts,dc=example,dc=com).
Previously, the dc components should be omitted and were derived from
the realm; this is no longer done.  If this configuration option is
not set, principal status will not be synchronized to Active
Directory.
parent ef7753cc
User-Visible krb5-sync Changes
krb5-sync 2.4 (unreleased)
krb5-sync 3.0 (unreleased)
The meaning of the ad_ldap_base configuration option has changed, and
it's now mandatory for status synchronization. This setting should
now contain the full DN of the tree in Active Directory where account
information is stored (such as cn=Accounts,dc=example,dc=com).
Previously, the dc components should be omitted and were derived from
the realm; this is no longer done. If this configuration option is
not set, principal status will not be synchronized to Active
Directory.
Drop support for MIT Kerberos versions prior to 1.9. All major
distributions are now shipping with a newer version of MIT Kerberos
......
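Review bot: the NEWS entry should say what happens to an existing deployment that does nothing on upgrade. Before this change the base DN had a built-in default (the removed code comment reads "The default is ou=Accounts", with the dc components derived from ad_realm), so sites that never set ad_ldap_base had working status synchronization; after this change the same configuration silently stops synchronizing status, because the entry itself says "If this configuration option is not set, principal status will not be synchronized". Suggest adding one sentence aimed at upgraders, along the lines of "Sites upgrading from 2.x that relied on the default must now set ad_ldap_base to the full DN (for example ou=Accounts,dc=ad,dc=example,dc=com) or account status will no longer be propagated."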
......@@ -206,7 +206,7 @@ CONFIGURATION
ad_principal = service/sync@WINDOWS.EXAMPLE.COM
ad_realm = WINDOWS.EXAMPLE.COM
ad_admin_server = dc1.windows.example.com
ad_ldap_base = ou=People
ad_ldap_base = ou=People,dc=windows,dc=example,dc=com
ad_instances = root ipass
ad_base_instance = windows
ad_queue_only = false
......@@ -220,23 +220,26 @@ CONFIGURATION
principal. In other words, it's not possible to have multiple
configurations based on the realm of the principal affected.
The ad_keytab option specifies the location of a srvtab or keytab for
The ad_keytab option specifies the location of a keytab for
authenticating to the other realm, the ad_principal option specifies the
principal to authenticate as (using the key in the srvtab or keytab),
and the ad_realm option specifies the foreign realm. ad_admin_server is
the host to contact via LDAP to push account status changes.
ad_ldap_base specifies the base tree inside Active Directory where
account information is stored. Omit the trailing "dc=" part; it will be
added automatically from ad_realm. The default is "dc=Accounts".
and the ad_realm option specifies the foreign realm. These options must
be set.
ad_admin_server is the host to contact via LDAP to push account status
changes. ad_ldap_base specifies the root of the tree inside Active
Directory where account information is stored. These options must be
set in order to synchronize status changes, but can be omitted to only
synchronize passwords.
The ad_instances option specifies which instances have passwords and
account status propagated to that environment. By default, all
principals with non-empty instances are not propagated. You can list a
specific set of instances (space-separated) which are propagated to the
AD environment. The ad_instances option is only used by the plugin and
is not used by the command-line utility. Any principals passed to the
command-line utility will be acted on, even if they have non-empty
instances.
account status propagated to that environment. By default, only
principals no instances (single-part principals) are propagated. You
can list a specific set of instances (space-separated), which will then
also be propagated to Active Directory. The ad_instances option is only
used by the plugin and is not used by the command-line utility. Any
principals passed to the command-line utility will be acted on, even if
they have non-empty instances.
If ad_base_instance is set, then any password change for a
single-component principal (such as user@EXAMPLE.COM) will be handled
......
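Review bot: the added line "By default, only principals no instances (single-part principals) are propagated" is missing a word and should read "only principals with no instances". In the same hunk, the ad_keytab sentence was changed from "a srvtab or keytab" to "a keytab", but the unchanged context line that follows still says "(using the key in the srvtab or keytab)", so the paragraph now mentions srvtab once and keytab twice; drop "srvtab or" there as well so the description is consistent.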
......@@ -268,8 +268,7 @@ sync_ad_status(kadm5_hook_modinfo *config, krb5_context ctx,
LDAP *ld = NULL;
LDAPMessage *res = NULL;
LDAPMod mod, *mod_array[2];
char *dname, *lb, *end, *dn;
char ldapbase[256];
char *dn;
char *ldapuri = NULL, *ldapdn = NULL, *control = NULL, *target = NULL;
struct berval **vals = NULL;
char *value;
......@@ -281,7 +280,7 @@ sync_ad_status(kadm5_hook_modinfo *config, krb5_context ctx,
/* Ensure the configuration is sane. */
CHECK_CONFIG(ad_admin_server);
CHECK_CONFIG(ad_realm);
CHECK_CONFIG(ad_ldap_base);
/* Get the credentials we'll use to make the change in AD. */
code = get_creds(config, ctx, &ccache);
......@@ -324,30 +323,6 @@ sync_ad_status(kadm5_hook_modinfo *config, krb5_context ctx,
goto done;
}
/*
* Convert the domain name to a DN. The default is ou=Accounts, which
* is what Stanford uses, but the base DN prior to the dc portion for
* the realm can be changed with a configuration option.
*/
memset(ldapbase, 0, sizeof(ldapbase));
if (config->ad_ldap_base == NULL)
strlcpy(ldapbase, "ou=Accounts,dc=", sizeof(ldapbase));
else {
strlcpy(ldapbase, config->ad_ldap_base, sizeof(ldapbase));
strlcat(ldapbase, ",dc=", sizeof(ldapbase));
}
lb = ldapbase + strlen(ldapbase);
end = ldapbase + sizeof(ldapbase) - 1;
for (dname = config->ad_realm; lb < end && *dname != '\0'; dname++) {
if (*dname == '.') {
*lb = '\0';
strlcat(ldapbase, ",dc=", sizeof(ldapbase));
lb += 4;
} else {
*lb++ = *dname;
}
}
/*
* Since all we know is the local principal, we have to convert that to
* the AD principal and then query Active Directory via LDAP to get back
......@@ -363,8 +338,9 @@ sync_ad_status(kadm5_hook_modinfo *config, krb5_context ctx,
code = sync_error_system(ctx, "cannot allocate memory");
goto done;
}
code = ldap_search_ext_s(ld, ldapbase, LDAP_SCOPE_SUBTREE, ldapdn,
(char **) attrs, 0, NULL, NULL, NULL, 0, &res);
code = ldap_search_ext_s(ld, config->ad_ldap_base, LDAP_SCOPE_SUBTREE,
ldapdn, (char **) attrs, 0, NULL, NULL, NULL, 0,
&res);
if (code != LDAP_SUCCESS) {
code = sync_error_ldap(ctx, code, "LDAP search for \"%s\" failed",
ldapdn);
......
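Review bot: config->ad_ldap_base is now passed straight to ldap_search_ext_s without any validation, so a mistyped DN (a likely mistake given that the option's meaning just changed) is only discovered at search time, and the error path that follows reports only the filter: "LDAP search for \"%s\" failed", ldapdn. An administrator reading that message has no indication that the base DN was the problem. Suggest including config->ad_ldap_base in the error message (for example "LDAP search for \"%s\" under \"%s\" failed") and, if a configuration-load hook is available, rejecting a DN that ldap_str2dn() cannot parse up front.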
......@@ -259,6 +259,7 @@ sync_status(kadm5_hook_modinfo *config, krb5_context ctx,
if (config->ad_admin_server == NULL
|| config->ad_keytab == NULL
|| config->ad_ldap_base == NULL
|| config->ad_principal == NULL
|| config->ad_realm == NULL)
return 0;
......
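Review bot: adding ad_ldap_base to this early-return condition makes a missing value indistinguishable from a deliberate password-only configuration: sync_status returns 0 and account status is quietly never propagated. Since the NEWS entry says the option is now mandatory for status synchronization, and sites upgrading from the previous default will hit exactly this path, consider logging a warning (at least once) when ad_admin_server or ad_ldap_base is set but the other is not, so a half-configured status sync is visible in logs rather than silently disabled.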
......@@ -7,6 +7,7 @@
ad_principal = service/krb5-sync@EXAMPLE.COM
ad_realm = AD.EXAMPLE.COM
ad_admin_server = ad.example.com
ad_ldap_base = ou=Accounts,dc=ad,dc=example,dc=com
ad_instances = exclude
queue_dir = queue
......
......@@ -7,6 +7,7 @@
ad_principal = service/krb5-sync@EXAMPLE.COM
ad_realm = AD.EXAMPLE.COM
ad_admin_server = ad.example.com
ad_ldap_base = ou=Accounts,dc=ad,dc=example,dc=com
ad_instances = exclude
ad_queue_only = true
......