# Extdom plugin protocol
|
||
|
|
||
|
SSSD on an IPA client uses the extdom plugin to translate between SIDs, names and POSIX IDs (each protocol version below is identified by its own OID). It can also return the secondary groups of a user.
|
||
|
|
||
|
## EXTDOM V0 (2.16.840.1.113730.3.8.10.4)
|
||
|
|
||
|
### V0 request
|
||
|
|
||
|
/*
|
||
|
* ExtdomRequestValue ::= SEQUENCE {
|
||
|
* inputType ENUMERATED {
|
||
|
* sid (1),
|
||
|
* name (2),
|
||
|
* posix uid (3),
|
||
|
* posix gid (4)
|
||
|
* },
|
||
|
* requestType ENUMERATED {
|
||
|
* simple (1),
|
||
|
* full (2)
|
||
|
* },
|
||
|
* data InputData
|
||
|
* }
|
||
|
*
|
||
|
* InputData ::= CHOICE {
*     sid  OCTET STRING,
*     name NameDomainData,
*     uid  PosixUid,
*     gid  PosixGid
* }
|
||
|
*
|
||
|
* NameDomainData ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* object_name OCTET STRING
|
||
|
* }
|
||
|
*
|
||
|
* PosixUid ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* uid INTEGER
|
||
|
* }
|
||
|
*
|
||
|
* PosixGid ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* gid INTEGER
|
||
|
* }
|
||
|
*/
|
||
|
|
||
|
### V0 reply
|
||
|
|
||
|
/*
|
||
|
* ExtdomResponseValue ::= SEQUENCE {
|
||
|
* responseType ENUMERATED {
|
||
|
* sid (1),
|
||
|
* name (2),
|
||
|
* posix_user (3),
|
||
|
* posix_group (4)
|
||
|
* },
|
||
|
* data OutputData
|
||
|
* }
|
||
|
*
|
||
|
* OutputData ::= CHOICE {
|
||
|
* sid OCTET STRING,
|
||
|
* name NameDomainData,
|
||
|
* user PosixUser,
|
||
|
* group PosixGroup
|
||
|
* }
|
||
|
*
|
||
|
* NameDomainData ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* object_name OCTET STRING
|
||
|
* }
|
||
|
*
|
||
|
* PosixUser ::= SEQUENCE {
*     domain_name OCTET STRING,
*     user_name   OCTET STRING,
*     uid         INTEGER,
*     gid         INTEGER
* }
|
||
|
*
|
||
|
* PosixGroup ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* group_name OCTET STRING,
|
||
|
* gid INTEGER
|
||
|
* }
|
||
|
*/
|
||
|
|
||
|
## EXTDOM V1 (2.16.840.1.113730.3.8.10.4.1)
|
||
|
|
||
|
In V1 the requestType ENUMERATED is extended with `full_with_groups (3)`.

The response introduces a new type, `posix_user_grouplist (5)`, which carries the user's POSIX attributes (gecos, home directory, shell) together with the list of the user's group names.
|
||
|
|
||
|
### V1 request
|
||
|
|
||
|
/*
|
||
|
* ExtdomRequestValue ::= SEQUENCE {
|
||
|
*     inputType ENUMERATED {
*         sid (1),
*         name (2),
*         posix uid (3),
*         posix gid (4)
*     },
|
||
|
* requestType ENUMERATED {
|
||
|
* simple (1),
|
||
|
* full (2),
|
||
|
* full_with_groups (3)
|
||
|
* },
|
||
|
* data InputData
|
||
|
* }
|
||
|
*
|
||
|
* InputData ::= CHOICE {
*     sid  OCTET STRING,
*     name NameDomainData,
*     uid  PosixUid,
*     gid  PosixGid
* }
|
||
|
*
|
||
|
* NameDomainData ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* object_name OCTET STRING
|
||
|
* }
|
||
|
*
|
||
|
* PosixUid ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* uid INTEGER
|
||
|
* }
|
||
|
*
|
||
|
* PosixGid ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* gid INTEGER
|
||
|
* }
|
||
|
*/
|
||
|
|
||
|
### V1 reply
|
||
|
|
||
|
/*
|
||
|
* ExtdomResponseValue ::= SEQUENCE {
|
||
|
* responseType ENUMERATED {
|
||
|
* sid (1),
|
||
|
* name (2),
|
||
|
* posix_user (3),
|
||
|
* posix_group (4),
|
||
|
* posix_user_grouplist (5)
|
||
|
* },
|
||
|
* data OutputData
|
||
|
* }
|
||
|
*
|
||
|
* OutputData ::= CHOICE {
|
||
|
* sid OCTET STRING,
|
||
|
* name NameDomainData,
|
||
|
* user PosixUser,
|
||
|
* group PosixGroup,
|
||
|
* user_grouplist PosixUserGrouplist
|
||
|
* }
|
||
|
*
|
||
|
* NameDomainData ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* object_name OCTET STRING
|
||
|
* }
|
||
|
*
|
||
|
* PosixUser ::= SEQUENCE {
*     domain_name OCTET STRING,
*     user_name   OCTET STRING,
*     uid         INTEGER,
*     gid         INTEGER
* }
*
|
||
|
* PosixGroup ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* group_name OCTET STRING,
|
||
|
* gid INTEGER
|
||
|
* }
|
||
|
*
|
||
|
* PosixUserGrouplist ::= SEQUENCE {
*     domain_name    OCTET STRING,
*     user_name      OCTET STRING,
*     uid            INTEGER,
*     gid            INTEGER,
*     gecos          OCTET STRING,
*     home_directory OCTET STRING,
*     shell          OCTET STRING,
*     grouplist      GroupNameList
* }
|
||
|
*
|
||
|
* GroupNameList ::= SEQUENCE OF groupname OCTET STRING
|
||
|
*
|
||
|
*/
|
||
|
|
||
|
## EXTDOM V2 (2.16.840.1.113730.3.8.10.4.2)
|
||
|
|
||
|
The `name` request tries to translate a name to an ID. It first tries to resolve it as a user and, when that fails, as a group.

To make this more efficient when SSSD already knows the type of the requested object, V2 defines two new inputTypes: `username (5)` and `groupname (6)`. Both carry the same NameDomainData payload as `name`; the InputData CHOICE is unchanged. Besides saving the second lookup, the typed requests avoid the ambiguity of a `name` lookup that falls back to a group when no user matches.

The response is the same as in V1.
|
||
|
|
||
|
### V2 request
|
||
|
|
||
|
/*
|
||
|
* ExtdomRequestValue ::= SEQUENCE {
|
||
|
* inputType ENUMERATED {
|
||
|
* sid (1),
|
||
|
* name (2),
|
||
|
* posix uid (3),
|
||
|
* posix gid (4),
|
||
|
* username (5),
|
||
|
* groupname (6)
|
||
|
* },
|
||
|
* requestType ENUMERATED {
|
||
|
* simple (1),
|
||
|
* full (2),
|
||
|
* full_with_groups (3)
|
||
|
* },
|
||
|
* data InputData
|
||
|
* }
|
||
|
*
|
||
|
* InputData ::= CHOICE {
*     sid  OCTET STRING,
*     name NameDomainData,
*     uid  PosixUid,
*     gid  PosixGid
* }
|
||
|
*
|
||
|
* NameDomainData ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* object_name OCTET STRING
|
||
|
* }
|
||
|
*
|
||
|
* PosixUid ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* uid INTEGER
|
||
|
* }
|
||
|
*
|
||
|
* PosixGid ::= SEQUENCE {
|
||
|
* domain_name OCTET STRING,
|
||
|
* gid INTEGER
|
||
|
* }
|
||
|
*/
|