extdom: add extdom protocol documentation
Add a description of the extdom protocol and its versions. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
parent
84b6c0f53b
commit
bddf64b9da
242
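--- /dev/null
+++ b/doc/designs/extdom-plugin-protocol.md
@@ -0,0 +1,242 @@
+# Extdom plugin protocol
+
+SSSD on ipa client uses extdom plugin to translate SID to names and POSIX IDs. It can
+also return secondary groups for any user.
+
+## EXTDOM V0 (2.16.840.1.113730.3.8.10.4)
+
+### V0 request
+
+/*
+* ExtdomRequestValue ::= SEQUENCE {
+* inputType ENUMERATED {
+* sid (1),
+* name (2),
+* posix uid (3),
+* posix gid (4)
+* },
+* requestType ENUMERATED {
+* simple (1),
+* full (2)
+* },
+* data InputData
+* }
+*
+* InputData ::= CHOICE {
+* sid OCTET STRING,
+* name NameDomainData
+* uid PosixUid,
+* gid PosixGid
+* }
+*
+* NameDomainData ::= SEQUENCE {
+* domain_name OCTET STRING,
+* object_name OCTET STRING
+* }
+*
+* PosixUid ::= SEQUENCE {
+* domain_name OCTET STRING,
+* uid INTEGER
+* }
+*
+* PosixGid ::= SEQUENCE {
+* domain_name OCTET STRING,
+* gid INTEGER
+* }
+*/
+
+### V0 reply
+
+/*
+* ExtdomResponseValue ::= SEQUENCE {
+* responseType ENUMERATED {
+* sid (1),
+* name (2),
+* posix_user (3),
+* posix_group (4)
+* },
+* data OutputData
+* }
+*
+* OutputData ::= CHOICE {
+* sid OCTET STRING,
+* name NameDomainData,
+* user PosixUser,
+* group PosixGroup
+* }
+*
+* NameDomainData ::= SEQUENCE {
+* domain_name OCTET STRING,
+* object_name OCTET STRING
+* }
+*
+* PosixUser ::= SEQUENCE {
+* domain_name OCTET STRING,
+* user_name OCTET STRING,
+* uid INTEGER
+* gid INTEGER
+* }
+*
+* PosixGroup ::= SEQUENCE {
+* domain_name OCTET STRING,
+* group_name OCTET STRING,
+* gid INTEGER
+* }
+*/
+
+## EXTDOM V1 (2.16.840.1.113730.3.8.10.4.1)
+
+In V1 version the requestType is extended of `full_with_groups`.
+The response introduces new type `posix_user_grouplist` containing
+the list of groups
+
+### V1 request
+
+/*
+* ExtdomRequestValue ::= SEQUENCE {
+* inputType ENUMERATED {
+* sid (1),
+* name (2),
+* posix uid (3),
+* posix gid (4),
+* },
+* requestType ENUMERATED {
+* simple (1),
+* full (2),
+* full_with_groups (3)
+* },
+* data InputData
+* }
+*
+* InputData ::= CHOICE {
+* sid OCTET STRING,
+* name NameDomainData
+* uid PosixUid,
+* gid PosixGid
+* }
+*
+* NameDomainData ::= SEQUENCE {
+* domain_name OCTET STRING,
+* object_name OCTET STRING
+* }
+*
+* PosixUid ::= SEQUENCE {
+* domain_name OCTET STRING,
+* uid INTEGER
+* }
+*
+* PosixGid ::= SEQUENCE {
+* domain_name OCTET STRING,
+* gid INTEGER
+* }
+*/
+
+### V1 reply
+
+/*
+* ExtdomResponseValue ::= SEQUENCE {
+* responseType ENUMERATED {
+* sid (1),
+* name (2),
+* posix_user (3),
+* posix_group (4),
+* posix_user_grouplist (5)
+* },
+* data OutputData
+* }
+*
+* OutputData ::= CHOICE {
+* sid OCTET STRING,
+* name NameDomainData,
+* user PosixUser,
+* group PosixGroup,
+* user_grouplist PosixUserGrouplist
+* }
+*
+* NameDomainData ::= SEQUENCE {
+* domain_name OCTET STRING,
+* object_name OCTET STRING
+* }
+*
+* PosixUser ::= SEQUENCE {
+* domain_name OCTET STRING,
+* user_name OCTET STRING,
+* uid INTEGER
+* gid INTEGER
+* }
+*
+* GroupNameList ::= SEQUENCE OF groupname OCTET STRING
+*
+* PosixGroup ::= SEQUENCE {
+* domain_name OCTET STRING,
+* group_name OCTET STRING,
+* gid INTEGER
+* }
+*
+* PosixUserGrouplist ::= SEQUENCE {
+* domain_name OCTET STRING,
+* user_name OCTET STRING,
+* uid INTEGER
+* gid INTEGER
+* gecos OCTET STRING,
+* home_directory OCTET STRING,
+* shell OCTET STRING,
+* grouplist GroupNameList
+* }
+*
+* GroupNameList ::= SEQUENCE OF groupname OCTET STRING
+*
+*/
+
+## EXTDOM V2 (2.16.840.1.113730.3.8.10.4.2)
+
+The `name` request tries to translate name to ID. It first tries translate it
+as if it is a user and when it fails, it tries to resolve is as group.
+
+To make it more efficient when SSSD knows the type of requested object, two new
+inputTypes are defined - username and groupname.
+
+The response is the same as in V1
+
+### V2 request
+
+/*
+* ExtdomRequestValue ::= SEQUENCE {
+* inputType ENUMERATED {
+* sid (1),
+* name (2),
+* posix uid (3),
+* posix gid (4),
+* username (5),
+* groupname (6)
+* },
+* requestType ENUMERATED {
+* simple (1),
+* full (2),
+* full_with_groups (3)
+* },
+* data InputData
+* }
+*
+* InputData ::= CHOICE {
+* sid OCTET STRING,
+* name NameDomainData
+* uid PosixUid,
+* gid PosixGid
+* }
+*
+* NameDomainData ::= SEQUENCE {
+* domain_name OCTET STRING,
+* object_name OCTET STRING
+* }
+*
+* PosixUid ::= SEQUENCE {
+* domain_name OCTET STRING,
+* uid INTEGER
+* }
+*
+* PosixGid ::= SEQUENCE {
+* domain_name OCTET STRING,
+* gid INTEGER
+* }
+*/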