freeipa/server.m4

228 lines
9.5 KiB
Plaintext
Raw Normal View History

dnl server dependencies
dnl ---------------------------------------------------------------------------
dnl - Check for DS slapi plugin
dnl ---------------------------------------------------------------------------
# 389-ds headers depend on NSPR
PKG_CHECK_MODULES([NSPR], [nspr])
# Need to hack CPPFLAGS to be able to correctly detect slapi-plugin.h
SAVE_CPPFLAGS=$CPPFLAGS
CPPFLAGS=$NSPR_CFLAGS
AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
fi
AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
fi
CPPFLAGS=$SAVE_CPPFLAGS
if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
fi
ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset "Kerberos principal expiration" is set in UTC and when server is in different timezone, the time difference between timezone is respected by the IPA server/client for Kerberos authentication. The problem is due to mktime() assuming default time zone but since we parse the time using Zulu (UTC+0) timezone, mktime() forces current time zone offset added. The method is using mktime() and comparing to the current time obtained with time(NULL). According to its man page, mktime is considering the time as local time: The mktime() function converts a broken-down time structure, expressed as local time, to calendar time representation. Instead mktime() we should use timegm(). The problem is that it is non-standard GNU extension and it is recommended (in the man page for timegm(3)) to avoid its use. An alternative is to set TZ=UTC, call mktime(), unset TZ, but since we are running in a multi-threaded environment this is problematic. On the other hand, we already rely on GNU extensions and enable them with -D_DEFAULT_SOURCE=1, so use of timegm() is enabled already. The fix, therefore, is to use timegm() instead of mktime() in daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c in two places where we first do 'strptime()' with Zulu time zone (in ipapwd_pre_bind() and ipapwd_write_krb_keys()). Fixes: https://pagure.io/freeipa/issue/8362 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-08 06:55:38 -05:00
AC_CHECK_FUNC(timegm, [], [AC_MSG_ERROR([timegm not found])])
dnl -- dirsrv is needed for the extdom unit tests --
PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0])
# slapi-plugin.h includes nspr.h
DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
bck_cflags="$CFLAGS"
CFLAGS="$CFLAGS $DIRSRV_CFLAGS"
AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [
AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1,
[Use LDAP operation note for multi-factor LDAP BIND])],
[], [[#include <dirsrv/slapi-plugin.h>]])
CFLAGS="$bck_cflags"
dnl -- sss_idmap is needed by the extdom exop --
PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
AC_CHECK_LIB([sss_nss_idmap],
[sss_nss_getlistbycert],
[ ],
[AC_MSG_ERROR([Required sss_nss_getlistbycert symbol in sss_nss_idmap not found])],
[])
ipa-extdom-extop: refactor nsswitch operations Refactor nsswitch operations in ipa-extdom-extop plugin to allow use of timeout-enabled nsswitch calls provided by libsss_nss_idmap. Standard POSIX nsswitch API has no way to cancel requests which may cause ipa-extdom-extop requests to hang far too long and potentially exhaust LDAP server workers. In addition, glibc nsswitch API iterates through all nsswitch modules one by one and with multiple parallel requests a lock up may happen in an unrelated nsswitch module like nss_files.so.2. A solution to the latter issue is to directly load nss_sss.so.2 plugin and utilize it. This, however, does not solve a problem with lack of cancellable API. With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of nsswitch API that is directly integrated with SSSD client side machinery used by nss_sss.so.2. As result, this API can be used instead of loading nss_sss.so.2 directly. To support older SSSD version, both direct loading of nss_sss.so.2 and new timeout-enabled API are supported by this changeset. An API to abstract both is designed to be a mix between internal glibc nsswitch API and external nsswitch API that libsss_nss_idmap mimics. API does not expose per-call timeout. Instead, it allows to set a timeout per nsswitch operation context to reduce requirements on information a caller has to maintain. A choice which API to use is made at configure time. In order to test the API, a cmocka test is updated to explicitly load nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always depend on availablility of SSSD, predictable testing would not be possible without it otherwise. Also, cmocka test does not use nss_wrapper anymore because nss_wrapper overrides higher level glibc nsswitch API while we are loading an individual nsswitch module directly. As result, cmocka test overrides fopen() call used by nss_files.so.2 to load /etc/passwd and /etc/group. An overridden version changes paths to /etc/passwd and /etc/group to a local test_data/passwd and test_data/group. This way we can continue testing a backend API for ipa-extdom-extop with the same data as with nss_wrapper. Fixes https://pagure.io/freeipa/issue/5464 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-11-14 04:44:02 -06:00
dnl --- if sss_nss_idmap provides _timeout() API, use it
bck_cflags="$CFLAGS"
CFLAGS="$CFLAGS -DIPA_389DS_PLUGIN_HELPER_CALLS"
AC_CHECK_DECLS([sss_nss_getpwnam_timeout], [], [], [[#include <sss_nss_idmap.h>]])
CFLAGS="$bck_cflags"
if test "x$ac_cv_have_decl_sss_nss_getpwnam_timeout" = xyes ; then
AC_DEFINE(USE_SSS_NSS_TIMEOUT,1,[Use extended NSS API provided by SSSD])
fi
dnl --- if sss_nss_idmap provides sss_nss_getorigbyusername_timeout and
dnl --- sss_nss_getorigbygroupname_timeout , use it
bck_cflags="$CFLAGS"
CFLAGS="$CFLAGS -DIPA_389DS_PLUGIN_HELPER_CALLS"
AC_CHECK_DECLS([sss_nss_getorigbyusername_timeout, sss_nss_getorigbygroupname_timeout], [], [], [[#include <sss_nss_idmap.h>]])
CFLAGS="$bck_cflags"
dnl -- sss_certmap and certauth.h are needed by the IPA KDB certauth plugin --
PKG_CHECK_EXISTS([sss_certmap],
[PKG_CHECK_MODULES([SSSCERTMAP], [sss_certmap])],
[AC_MSG_NOTICE([sss_certmap not found])])
AC_CHECK_HEADER([krb5/certauth_plugin.h],
[have_certauth_plugin=yes],
[have_certauth_plugin=no])
dnl -- Check if we can build the kdcpolicy plugin
AC_CHECK_HEADER([krb5/kdcpolicy_plugin.h],
[have_kdcpolicy_plugin=yes],
[have_kdcpolicy_plugin=no])
dnl ---------------------------------------------------------------------------
dnl - Check for KRB5 krad
dnl ---------------------------------------------------------------------------
AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
AC_CHECK_LIB(krad, main, [ ], [AC_MSG_ERROR([libkrad not found])])
KRAD_LIBS="-lkrad"
krb5rundir="${runstatedir}/krb5kdc"
AC_SUBST(KRAD_LIBS)
AC_SUBST(krb5rundir)
dnl ---------------------------------------------------------------------------
dnl - Check for KRB5 KDB API issue_pac support
dnl ---------------------------------------------------------------------------
AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
AC_CHECK_MEMBER([kdb_vftabl.issue_pac],
[have_kdb_issue_pac=yes],
[have_kdb_issue_pac=no], [#include <kdb.h>])
dnl ---------------------------------------------------------------------------
dnl - Check for KRB5 krb5_kdc_sign_ticket function
dnl ---------------------------------------------------------------------------
AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
[AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
[krb5_pac_full_sign_compat() is available.])],
[AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
dnl ---------------------------------------------------------------------------
dnl - Check for UUID library
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([UUID], [uuid])
dnl ---------------------------------------------------------------------------
dnl Check for ndr_krb5pac and other samba libraries
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([TALLOC], [talloc])
PKG_CHECK_MODULES([TEVENT], [tevent])
PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
PKG_CHECK_MODULES([NDR], [ndr])
PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
AC_SUBST(SAMBA40EXTRA_LIBPATH)
bck_cflags="$CFLAGS"
CFLAGS="$NDRPAC_CFLAGS"
AC_CHECK_MEMBER(
[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
[struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
[[#include <ndr.h>
#include <gen_ndr/krb5pac.h>]])
AC_CHECK_MEMBER(
[struct PAC_UPN_DNS_INFO.ex],
[AC_DEFINE([HAVE_PAC_UPN_DNS_INFO_EX], [1],
[union PAC_UPN_DNS_INFO_EX is available.])],
[AC_MSG_NOTICE([union PAC_UPN_DNS_INFO_EX is not available, account protection is not active])],
[[#include <ndr.h>
#include <gen_ndr/krb5pac.h>]])
AC_CHECK_MEMBER(
[struct PAC_REQUESTER_SID.sid],
[AC_DEFINE([HAVE_PAC_REQUESTER_SID], [1],
[struct PAC_REQUESTER_SID is available.])],
[AC_MSG_NOTICE([struct PAC_REQUESTER_SID is not available, account protection is not active])],
[[#include <ndr.h>
#include <gen_ndr/krb5pac.h>]])
AC_CHECK_MEMBER(
[struct PAC_ATTRIBUTES_INFO.flags],
[AC_DEFINE([HAVE_PAC_ATTRIBUTES_INFO], [1],
[struct PAC_ATTRIBUTES_INFO is available.])],
[AC_MSG_NOTICE([struct PAC_ATTRIBUTES_INFO is not available, account protection is not active])],
[[#include <ndr.h>
#include <gen_ndr/krb5pac.h>]])
CFLAGS="$bck_cflags"
LIBPDB_NAME=""
AC_CHECK_LIB([samba-passdb],
[make_pdb_method],
[LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
[LIBPDB_NAME="pdb"],
[$SAMBA40EXTRA_LIBPATH])
if test "x$LIB_PDB_NAME" = "xpdb" ; then
AC_CHECK_LIB([$LIBPDB_NAME],
[make_pdb_method],
[HAVE_LIBPDB=1],
[AC_MSG_ERROR([Neither libpdb nor libsamba-passdb does have make_pdb_method])],
[$SAMBA40EXTRA_LIBPATH])
fi
AC_SUBST(LIBPDB_NAME)
AC_CHECK_LIB([$LIBPDB_NAME],[pdb_enum_upn_suffixes],
[AC_DEFINE([HAVE_PDB_ENUM_UPN_SUFFIXES], [1], [Ability to enumerate UPN suffixes])],
[AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])],
[$SAMBA40EXTRA_LIBPATH])
AC_CHECK_LIB([smbldap],[smbldap_get_ldap],
[AC_DEFINE([HAVE_SMBLDAP_GET_LDAP], [1], [struct smbldap_state is opaque])],
[AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_get_ldap])],
[$SAMBA40EXTRA_LIBPATH])
AC_CHECK_LIB([smbldap],[smbldap_set_bind_callback],
[AC_DEFINE([HAVE_SMBLDAP_SET_BIND_CALLBACK], [1], [struct smbldap_state is opaque])],
[AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_set_bind_callback])],
[$SAMBA40EXTRA_LIBPATH])
AC_CHECK_LIB([samba-security-private-samba],[dom_sid_string],
[SAMBA_SECURITY_LIBS=samba-security-private-samba],
[AC_CHECK_LIB([samba-security-samba4],[dom_sid_string],
[SAMBA_SECURITY_LIBS=samba-security-samba4],
[AC_MSG_ERROR([Cannot find private samba-security library])],
[$SAMBA40EXTRA_LIBPATH])],
[$SAMBA40EXTRA_LIBPATH])
AC_SUBST(SAMBA_SECURITY_LIBS)
dnl ---------------------------------------------------------------------------
dnl Check for libunistring
dnl ---------------------------------------------------------------------------
AC_CHECK_HEADERS([unicase.h],,AC_MSG_ERROR([Could not find unicase.h]))
AC_CHECK_LIB([unistring],
[ulc_casecmp],
[UNISTRING_LIBS="-lunistring"],
[AC_MSG_ERROR([libunistring does not have ulc_casecmp])])
AC_SUBST(UNISTRING_LIBS)
dnl ---------------------------------------------------------------------------
dnl Check for libverto
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([LIBVERTO], [libverto])
dnl ---------------------------------------------------------------------------
dnl Check for unshare(2) - Linux-only. We also check for chroot(2) as we use both
dnl ---------------------------------------------------------------------------
AC_CHECK_HEADER(sched.h, [
AC_CHECK_FUNC(unshare, [], [AC_MSG_WARN([unshare not found, no extdom unit tests to be run])])
AC_CHECK_FUNC(chroot, [], [AC_MSG_WARN([chroot not found, no extdom unit tests to be run])])
], [AC_MSG_WARN([sched.h not found, unshare is not available])])