2017-01-03 07:32:05 -06:00
|
|
|
dnl server dependencies
|
|
|
|
|
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl - Check for DS slapi plugin
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
|
2020-06-08 08:59:24 -05:00
|
|
|
# 389-ds headers depend on NSPR
|
|
|
|
|
PKG_CHECK_MODULES([NSPR], [nspr])
|
|
|
|
|
|
2018-04-04 09:05:13 -05:00
|
|
|
# Need to hack CPPFLAGS to be able to correctly detect slapi-plugin.h
|
2017-01-03 07:32:05 -06:00
|
|
|
SAVE_CPPFLAGS=$CPPFLAGS
|
|
|
|
|
CPPFLAGS=$NSPR_CFLAGS
|
|
|
|
|
AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
|
|
|
|
|
if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
|
|
|
|
|
AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
|
|
|
|
|
fi
|
|
|
|
|
AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
|
|
|
|
|
if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
|
|
|
|
|
AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
|
|
|
|
|
fi
|
|
|
|
|
CPPFLAGS=$SAVE_CPPFLAGS
|
|
|
|
|
|
|
|
|
|
if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
|
|
|
|
|
AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
|
|
|
|
|
fi
|
|
|
|
|
|
ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset
"Kerberos principal expiration" is set in UTC and when server is in
different timezone, the time difference between timezone is respected by
the IPA server/client for Kerberos authentication.
The problem is due to mktime() assuming default time zone but since we
parse the time using Zulu (UTC+0) timezone, mktime() forces current time
zone offset added.
The method is using mktime() and comparing to the current time obtained
with time(NULL). According to its man page, mktime is considering the
time as local time:
The mktime() function converts a broken-down time structure, expressed
as local time, to calendar time representation.
Instead mktime() we should use timegm(). The problem is that it is
non-standard GNU extension and it is recommended (in the man page for
timegm(3)) to avoid its use. An alternative is to set TZ=UTC, call
mktime(), unset TZ, but since we are running in a multi-threaded
environment this is problematic.
On the other hand, we already rely on GNU extensions and enable them
with -D_DEFAULT_SOURCE=1, so use of timegm() is enabled already.
The fix, therefore, is to use timegm() instead of mktime() in
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c in two places where we
first do 'strptime()' with Zulu time zone (in ipapwd_pre_bind() and
ipapwd_write_krb_keys()).
Fixes: https://pagure.io/freeipa/issue/8362
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-08 06:55:38 -05:00
|
|
|
AC_CHECK_FUNC(timegm, [], [AC_MSG_ERROR([timegm not found])])
|
|
|
|
|
|
2017-01-03 07:32:05 -06:00
|
|
|
dnl -- dirsrv is needed for the extdom unit tests --
|
|
|
|
|
PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0])
|
2017-03-15 00:14:25 -05:00
|
|
|
# slapi-plugin.h includes nspr.h
|
|
|
|
|
DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
|
2017-01-03 07:32:05 -06:00
|
|
|
|
|
|
|
|
dnl -- sss_idmap is needed by the extdom exop --
|
|
|
|
|
PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
|
2017-03-17 08:48:50 -05:00
|
|
|
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
|
2017-03-29 02:43:11 -05:00
|
|
|
AC_CHECK_LIB([sss_nss_idmap],
|
|
|
|
|
[sss_nss_getlistbycert],
|
2017-04-05 05:24:17 -05:00
|
|
|
[ ],
|
2017-03-29 02:43:11 -05:00
|
|
|
[AC_MSG_ERROR([Required sss_nss_getlistbycert symbol in sss_nss_idmap not found])],
|
|
|
|
|
[])
|
2017-01-03 07:32:05 -06:00
|
|
|
|
ipa-extdom-extop: refactor nsswitch operations
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.
Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.
A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.
With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.
To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.
A choice which API to use is made at configure time.
In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.
As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.
Fixes https://pagure.io/freeipa/issue/5464
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-11-14 04:44:02 -06:00
|
|
|
dnl --- if sss_nss_idmap provides _timeout() API, use it
|
|
|
|
|
bck_cflags="$CFLAGS"
|
|
|
|
|
CFLAGS="$CFLAGS -DIPA_389DS_PLUGIN_HELPER_CALLS"
|
|
|
|
|
AC_CHECK_DECLS([sss_nss_getpwnam_timeout], [], [], [[#include <sss_nss_idmap.h>]])
|
|
|
|
|
CFLAGS="$bck_cflags"
|
|
|
|
|
|
|
|
|
|
if test "x$ac_cv_have_decl_sss_nss_getpwnam_timeout" = xyes ; then
|
|
|
|
|
AC_DEFINE(USE_SSS_NSS_TIMEOUT,1,[Use extended NSS API provided by SSSD])
|
|
|
|
|
fi
|
|
|
|
|
|
2022-03-04 07:52:25 -06:00
|
|
|
dnl --- if sss_nss_idmap provides sss_nss_getorigbyusername_timeout and
|
|
|
|
|
dnl --- sss_nss_getorigbygroupname_timeout , use it
|
|
|
|
|
bck_cflags="$CFLAGS"
|
|
|
|
|
CFLAGS="$CFLAGS -DIPA_389DS_PLUGIN_HELPER_CALLS"
|
|
|
|
|
AC_CHECK_DECLS([sss_nss_getorigbyusername_timeout, sss_nss_getorigbygroupname_timeout], [], [], [[#include <sss_nss_idmap.h>]])
|
|
|
|
|
CFLAGS="$bck_cflags"
|
|
|
|
|
|
2017-02-02 05:32:13 -06:00
|
|
|
dnl -- sss_certmap and certauth.h are needed by the IPA KDB certauth plugin --
|
|
|
|
|
PKG_CHECK_EXISTS([sss_certmap],
|
|
|
|
|
[PKG_CHECK_MODULES([SSSCERTMAP], [sss_certmap])],
|
|
|
|
|
[AC_MSG_NOTICE([sss_certmap not found])])
|
|
|
|
|
AC_CHECK_HEADER([krb5/certauth_plugin.h],
|
|
|
|
|
[have_certauth_plugin=yes],
|
|
|
|
|
[have_certauth_plugin=no])
|
|
|
|
|
|
2018-07-11 15:48:01 -05:00
|
|
|
dnl -- Check if we can build the kdcpolicy plugin
|
|
|
|
|
AC_CHECK_HEADER([krb5/kdcpolicy_plugin.h],
|
|
|
|
|
[have_kdcpolicy_plugin=yes],
|
|
|
|
|
[have_kdcpolicy_plugin=no])
|
|
|
|
|
|
2017-01-03 07:32:05 -06:00
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl - Check for KRB5 krad
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
|
2017-04-05 05:24:17 -05:00
|
|
|
AC_CHECK_LIB(krad, main, [ ], [AC_MSG_ERROR([libkrad not found])])
|
2017-01-03 07:32:05 -06:00
|
|
|
KRAD_LIBS="-lkrad"
|
2020-04-15 05:13:00 -05:00
|
|
|
krb5rundir="${runstatedir}/krb5kdc"
|
2017-01-03 07:32:05 -06:00
|
|
|
AC_SUBST(KRAD_LIBS)
|
|
|
|
|
AC_SUBST(krb5rundir)
|
|
|
|
|
|
2022-01-13 06:34:55 -06:00
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl - Check for KRB5 KDB API issue_pac support
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
|
|
|
|
|
AC_CHECK_MEMBER([kdb_vftabl.issue_pac],
|
|
|
|
|
[have_kdb_issue_pac=yes],
|
2022-06-07 03:41:19 -05:00
|
|
|
[have_kdb_issue_pac=no], [#include <kdb.h>])
|
2022-01-13 06:34:55 -06:00
|
|
|
|
2023-03-24 12:32:37 -05:00
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl - Check for KRB5 krb5_kdc_sign_ticket function
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
|
|
|
|
|
[AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
|
|
|
|
|
[krb5_pac_full_sign_compat() is available.])],
|
|
|
|
|
[AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
|
|
|
|
|
|
2017-01-03 07:32:05 -06:00
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl - Check for UUID library
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
PKG_CHECK_MODULES([UUID], [uuid])
|
|
|
|
|
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl Check for ndr_krb5pac and other samba libraries
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
PKG_CHECK_MODULES([TALLOC], [talloc])
|
|
|
|
|
PKG_CHECK_MODULES([TEVENT], [tevent])
|
|
|
|
|
PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
|
|
|
|
|
PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
|
|
|
|
|
PKG_CHECK_MODULES([NDR], [ndr])
|
|
|
|
|
PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
|
|
|
|
|
SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
|
|
|
|
|
AC_SUBST(SAMBA40EXTRA_LIBPATH)
|
|
|
|
|
|
|
|
|
|
bck_cflags="$CFLAGS"
|
|
|
|
|
CFLAGS="$NDRPAC_CFLAGS"
|
|
|
|
|
AC_CHECK_MEMBER(
|
|
|
|
|
[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
|
|
|
|
|
[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
|
|
|
|
|
[struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
|
|
|
|
|
[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
|
|
|
|
|
[[#include <ndr.h>
|
|
|
|
|
#include <gen_ndr/krb5pac.h>]])
|
2021-10-30 02:08:34 -05:00
|
|
|
AC_CHECK_MEMBER(
|
|
|
|
|
[struct PAC_UPN_DNS_INFO.ex],
|
|
|
|
|
[AC_DEFINE([HAVE_PAC_UPN_DNS_INFO_EX], [1],
|
|
|
|
|
[union PAC_UPN_DNS_INFO_EX is available.])],
|
|
|
|
|
[AC_MSG_NOTICE([union PAC_UPN_DNS_INFO_EX is not available, account protection is not active])],
|
|
|
|
|
[[#include <ndr.h>
|
|
|
|
|
#include <gen_ndr/krb5pac.h>]])
|
2017-01-03 07:32:05 -06:00
|
|
|
|
2021-10-30 02:09:27 -05:00
|
|
|
AC_CHECK_MEMBER(
|
|
|
|
|
[struct PAC_REQUESTER_SID.sid],
|
|
|
|
|
[AC_DEFINE([HAVE_PAC_REQUESTER_SID], [1],
|
|
|
|
|
[struct PAC_REQUESTER_SID is available.])],
|
|
|
|
|
[AC_MSG_NOTICE([struct PAC_REQUESTER_SID is not available, account protection is not active])],
|
|
|
|
|
[[#include <ndr.h>
|
|
|
|
|
#include <gen_ndr/krb5pac.h>]])
|
2021-10-30 01:10:09 -05:00
|
|
|
|
|
|
|
|
AC_CHECK_MEMBER(
|
|
|
|
|
[struct PAC_ATTRIBUTES_INFO.flags],
|
|
|
|
|
[AC_DEFINE([HAVE_PAC_ATTRIBUTES_INFO], [1],
|
|
|
|
|
[struct PAC_ATTRIBUTES_INFO is available.])],
|
|
|
|
|
[AC_MSG_NOTICE([struct PAC_ATTRIBUTES_INFO is not available, account protection is not active])],
|
|
|
|
|
[[#include <ndr.h>
|
|
|
|
|
#include <gen_ndr/krb5pac.h>]])
|
2017-01-03 07:32:05 -06:00
|
|
|
CFLAGS="$bck_cflags"
|
|
|
|
|
|
|
|
|
|
LIBPDB_NAME=""
|
|
|
|
|
AC_CHECK_LIB([samba-passdb],
|
|
|
|
|
[make_pdb_method],
|
|
|
|
|
[LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
|
|
|
|
|
[LIBPDB_NAME="pdb"],
|
|
|
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
|
|
|
|
|
|
|
|
if test "x$LIB_PDB_NAME" = "xpdb" ; then
|
|
|
|
|
AC_CHECK_LIB([$LIBPDB_NAME],
|
|
|
|
|
[make_pdb_method],
|
|
|
|
|
[HAVE_LIBPDB=1],
|
|
|
|
|
[AC_MSG_ERROR([Neither libpdb nor libsamba-passdb does have make_pdb_method])],
|
|
|
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
AC_SUBST(LIBPDB_NAME)
|
|
|
|
|
|
|
|
|
|
AC_CHECK_LIB([$LIBPDB_NAME],[pdb_enum_upn_suffixes],
|
|
|
|
|
[AC_DEFINE([HAVE_PDB_ENUM_UPN_SUFFIXES], [1], [Ability to enumerate UPN suffixes])],
|
|
|
|
|
[AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])],
|
|
|
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
|
|
|
|
2017-04-19 07:16:15 -05:00
|
|
|
AC_CHECK_LIB([smbldap],[smbldap_get_ldap],
|
|
|
|
|
[AC_DEFINE([HAVE_SMBLDAP_GET_LDAP], [1], [struct smbldap_state is opaque])],
|
|
|
|
|
[AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_get_ldap])],
|
|
|
|
|
[$SAMBA40EXTRA_LIBPATH])
|
2017-01-03 07:32:05 -06:00
|
|
|
|
2017-07-03 06:38:05 -05:00
|
|
|
AC_CHECK_LIB([smbldap],[smbldap_set_bind_callback],
|
|
|
|
|
[AC_DEFINE([HAVE_SMBLDAP_SET_BIND_CALLBACK], [1], [struct smbldap_state is opaque])],
|
|
|
|
|
[AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_set_bind_callback])],
|
|
|
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
|
|
|
|
2017-01-03 07:32:05 -06:00
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl Check for libunistring
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
AC_CHECK_HEADERS([unicase.h],,AC_MSG_ERROR([Could not find unicase.h]))
|
|
|
|
|
AC_CHECK_LIB([unistring],
|
|
|
|
|
[ulc_casecmp],
|
|
|
|
|
[UNISTRING_LIBS="-lunistring"],
|
|
|
|
|
[AC_MSG_ERROR([libunistring does not have ulc_casecmp])])
|
|
|
|
|
AC_SUBST(UNISTRING_LIBS)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl Check for libverto
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
PKG_CHECK_MODULES([LIBVERTO], [libverto])
|
2020-08-01 03:49:30 -05:00
|
|
|
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
dnl Check for unshare(2) - Linux-only. We also check for chroot(2) as we use both
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
AC_CHECK_HEADER(sched.h, [
|
|
|
|
|
AC_CHECK_FUNC(unshare, [], [AC_MSG_WARN([unshare not found, no extdom unit tests to be run])])
|
|
|
|
|
AC_CHECK_FUNC(chroot, [], [AC_MSG_WARN([chroot not found, no extdom unit tests to be run])])
|
|
|
|
|
], [AC_MSG_WARN([sched.h not found, unshare is not available])])
|
