mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use of timeout-enabled nsswitch calls provided by libsss_nss_idmap. Standard POSIX nsswitch API has no way to cancel requests which may cause ipa-extdom-extop requests to hang far too long and potentially exhaust LDAP server workers. In addition, glibc nsswitch API iterates through all nsswitch modules one by one and with multiple parallel requests a lock up may happen in an unrelated nsswitch module like nss_files.so.2. A solution to the latter issue is to directly load nss_sss.so.2 plugin and utilize it. This, however, does not solve a problem with lack of cancellable API. With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of nsswitch API that is directly integrated with SSSD client side machinery used by nss_sss.so.2. As result, this API can be used instead of loading nss_sss.so.2 directly. To support older SSSD version, both direct loading of nss_sss.so.2 and new timeout-enabled API are supported by this changeset. An API to abstract both is designed to be a mix between internal glibc nsswitch API and external nsswitch API that libsss_nss_idmap mimics. API does not expose per-call timeout. Instead, it allows to set a timeout per nsswitch operation context to reduce requirements on information a caller has to maintain. A choice which API to use is made at configure time. In order to test the API, a cmocka test is updated to explicitly load nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always depend on availablility of SSSD, predictable testing would not be possible without it otherwise. Also, cmocka test does not use nss_wrapper anymore because nss_wrapper overrides higher level glibc nsswitch API while we are loading an individual nsswitch module directly. As result, cmocka test overrides fopen() call used by nss_files.so.2 to load /etc/passwd and /etc/group. An overridden version changes paths to /etc/passwd and /etc/group to a local test_data/passwd and test_data/group. This way we can continue testing a backend API for ipa-extdom-extop with the same data as with nss_wrapper. Fixes https://pagure.io/freeipa/issue/5464 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
166 lines
6.7 KiB
Plaintext
166 lines
6.7 KiB
Plaintext
dnl server dependencies
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
dnl - Check for DS slapi plugin
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
|
|
SAVE_CPPFLAGS=$CPPFLAGS
|
|
CPPFLAGS=$NSPR_CFLAGS
|
|
AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
|
|
if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
|
|
AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
|
|
fi
|
|
AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
|
|
if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
|
|
AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
|
|
fi
|
|
CPPFLAGS=$SAVE_CPPFLAGS
|
|
|
|
if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
|
|
AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
|
|
fi
|
|
|
|
dnl -- dirsrv is needed for the extdom unit tests --
|
|
PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0])
|
|
# slapi-plugin.h includes nspr.h
|
|
DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
|
|
|
|
dnl -- sss_idmap is needed by the extdom exop --
|
|
PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
|
|
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
|
|
AC_CHECK_LIB([sss_nss_idmap],
|
|
[sss_nss_getlistbycert],
|
|
[ ],
|
|
[AC_MSG_ERROR([Required sss_nss_getlistbycert symbol in sss_nss_idmap not found])],
|
|
[])
|
|
|
|
dnl --- if sss_nss_idmap provides _timeout() API, use it
|
|
bck_cflags="$CFLAGS"
|
|
CFLAGS="$CFLAGS -DIPA_389DS_PLUGIN_HELPER_CALLS"
|
|
AC_CHECK_DECLS([sss_nss_getpwnam_timeout], [], [], [[#include <sss_nss_idmap.h>]])
|
|
CFLAGS="$bck_cflags"
|
|
|
|
if test "x$ac_cv_have_decl_sss_nss_getpwnam_timeout" = xyes ; then
|
|
AC_DEFINE(USE_SSS_NSS_TIMEOUT,1,[Use extended NSS API provided by SSSD])
|
|
fi
|
|
|
|
dnl -- sss_certmap and certauth.h are needed by the IPA KDB certauth plugin --
|
|
PKG_CHECK_EXISTS([sss_certmap],
|
|
[PKG_CHECK_MODULES([SSSCERTMAP], [sss_certmap])],
|
|
[AC_MSG_NOTICE([sss_certmap not found])])
|
|
AC_CHECK_HEADER([krb5/certauth_plugin.h],
|
|
[have_certauth_plugin=yes],
|
|
[have_certauth_plugin=no])
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
dnl - Check for KRB5 krad
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
|
|
AC_CHECK_LIB(krad, main, [ ], [AC_MSG_ERROR([libkrad not found])])
|
|
KRAD_LIBS="-lkrad"
|
|
krb5rundir="${localstatedir}/run/krb5kdc"
|
|
AC_SUBST(KRAD_LIBS)
|
|
AC_SUBST(krb5rundir)
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
dnl - Check for UUID library
|
|
dnl ---------------------------------------------------------------------------
|
|
PKG_CHECK_MODULES([UUID], [uuid])
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
dnl Check for ndr_krb5pac and other samba libraries
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
PKG_CHECK_MODULES([TALLOC], [talloc])
|
|
PKG_CHECK_MODULES([TEVENT], [tevent])
|
|
PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
|
|
PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
|
|
PKG_CHECK_MODULES([NDR], [ndr])
|
|
PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
|
|
SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
|
|
AC_SUBST(SAMBA40EXTRA_LIBPATH)
|
|
|
|
bck_cflags="$CFLAGS"
|
|
CFLAGS="$NDRPAC_CFLAGS"
|
|
AC_CHECK_MEMBER(
|
|
[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
|
|
[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
|
|
[struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
|
|
[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
|
|
[[#include <ndr.h>
|
|
#include <gen_ndr/krb5pac.h>]])
|
|
|
|
CFLAGS="$bck_cflags"
|
|
|
|
LIBPDB_NAME=""
|
|
AC_CHECK_LIB([samba-passdb],
|
|
[make_pdb_method],
|
|
[LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
|
|
[LIBPDB_NAME="pdb"],
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
|
|
if test "x$LIB_PDB_NAME" = "xpdb" ; then
|
|
AC_CHECK_LIB([$LIBPDB_NAME],
|
|
[make_pdb_method],
|
|
[HAVE_LIBPDB=1],
|
|
[AC_MSG_ERROR([Neither libpdb nor libsamba-passdb does have make_pdb_method])],
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
fi
|
|
|
|
AC_SUBST(LIBPDB_NAME)
|
|
|
|
AC_CHECK_LIB([$LIBPDB_NAME],[pdb_enum_upn_suffixes],
|
|
[AC_DEFINE([HAVE_PDB_ENUM_UPN_SUFFIXES], [1], [Ability to enumerate UPN suffixes])],
|
|
[AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])],
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
|
|
AC_CHECK_LIB([smbldap],[smbldap_get_ldap],
|
|
[AC_DEFINE([HAVE_SMBLDAP_GET_LDAP], [1], [struct smbldap_state is opaque])],
|
|
[AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_get_ldap])],
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
|
|
AC_CHECK_LIB([smbldap],[smbldap_set_bind_callback],
|
|
[AC_DEFINE([HAVE_SMBLDAP_SET_BIND_CALLBACK], [1], [struct smbldap_state is opaque])],
|
|
[AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_set_bind_callback])],
|
|
[$SAMBA40EXTRA_LIBPATH])
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
dnl Check for libunistring
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
AC_CHECK_HEADERS([unicase.h],,AC_MSG_ERROR([Could not find unicase.h]))
|
|
AC_CHECK_LIB([unistring],
|
|
[ulc_casecmp],
|
|
[UNISTRING_LIBS="-lunistring"],
|
|
[AC_MSG_ERROR([libunistring does not have ulc_casecmp])])
|
|
AC_SUBST(UNISTRING_LIBS)
|
|
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
dnl Check for libverto
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
PKG_CHECK_MODULES([LIBVERTO], [libverto])
|
|
|
|
dnl ---------------------------------------------------------------------------
|
|
dnl - Check for systemd directories
|
|
dnl ---------------------------------------------------------------------------
|
|
|
|
PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
|
|
AC_ARG_WITH([systemdsystemunitdir],
|
|
AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
|
|
[Directory for systemd service files]),
|
|
[systemdsystemunitdir=$with_systemdsystemunitdir],
|
|
[systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
|
|
AC_SUBST([systemdsystemunitdir])
|
|
|
|
AC_ARG_WITH([systemdtmpfilesdir],
|
|
AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
|
|
[Directory for systemd-tmpfiles configuration files]),
|
|
[systemdtmpfilesdir=$with_systemdtmpfilesdir],
|
|
[systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
|
|
AC_SUBST([systemdtmpfilesdir])
|
|
|