| Commit message | Author | Age | Files | Lines |
Update the FSF's address in COPYING to match what's currently listed
on their web site (rcritten).
Escape what might be interpreted as a macro in the changelog (rcritten).
|
Originally we added a dedicated function to do this, but this was the
only place it was called from.
|
Since trusted domain users do not exist in the LDAP tree, their
authentication is handed over to PAM stack with the hope that PAM is set
up properly to authenticate them.
Additionally, this patch completely refactors authentication for the
original DNs that *are* located in the LDAP tree. The previous way to
handle it was through referrals being sent back. However, this method
does not work at all.
Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand
over pre-bind processing to other directory server's plugins. If
slapi-nis is set up with a higher precedence to them, authentication will
be handled by others.
|
Schema-compat plugin can be configured to serve users and groups through
the plugin configuration entry in directory server:
    schema-compat-lookup-nsswitch: <user|group>
    schema-compat-nsswitch-min-id: <value>
Separate trees should be configured to look up users and groups. If
minimal id value is missing, it will default to 1000.
|
src/back-sch-pam.c implements PAM authentication for users not found in
the LDAP tree using system-auth system service when running on FreeIPA
master server.
|
src/back-sch-nss.c implements interface to query users and groups on
FreeIPA master server via getpwnam_r(), getgrnam_r(), and libsss_idmap.
|
|
consulted
When one instance of schema compat plugin is configured to consult
NSSWITCH, promote its configuration to the backend.
Default to not looking into NSSWITCH.
|
nsswitch
If schema compat plugin configuration has
'schema-compat-lookup-nsswitch: user|group' then schema compat plugin
will perform lookups of users/groups that were not found in the main
store using getpwnam_r()/getgrnam_r() and libsss_nss_idmap library.
This is a special case to support legacy clients. Schema compat plugin in
this case is assumed to be running on FreeIPA master configured with
trusts against Active Directory and SSSD 1.11+ configured as
ipa_server_mode = True.
Additionally, such entries are added to schema compat plugin's map cache
and can be used for authentication purposes. They will use PAM
authentication pass-through to 'system-auth' service.
|
NSSWITCH supporting code needs access to the schema-compat structures
|
PAM stack requires exclusive access, therefore we need to use a write
lock.
Required for authenticating synthetically created records coming outside
of LDAP store.
|
Add %sort(), which binary-sorts a single list of values, and
%dribble_merge(), which takes a quoted length, a separator,
and some expressions and produces a list of lists of values
using the separator, where no list is larger than the length.
|
After we're done with decoded arguments from a client, use xdr_free() to
free anything that was dynamically-allocated.
|
Clear buffers that we encode data into before encoding them, to avoid
valgrind warnings that their contents are used before they're written
to.
|
The schema declarations which we use for self-tests contain some syntax
errors that are flagged by newer versions of ns-slapd. Fix them.
|
Check for SLAPI_PLUGIN_OPRETURN values before we do anything, in case
there's an error from the backend operation, where the server calls the
postop plugins anyway.
|
When checking if we can skip processing for a given change, pay
attention to whether or not the changes cause the entry to need to be
added or removed from a map (#912673).
|
Correct a typo, suggesting the suffix option was -m rather than -s in
one place. Reported by Filip Holec.
|
Don't expect every connected client to be ready for I/O every time we
poll for the group of them. Fixes #923336.
|
* Work around multilib warnings in our example .ldif files by taking
advantage of the server's ability to turn a bare name into a full
module path.
* Fix the day-of-week in some of the packaging changelog, going by the
SCM changelog for the right values.
|
- add missing newlines at the end of a couple of messages
- make that one bit that we compare to zero unsigned instead of signed
|
- put a newline at the end of these two messages
- register callbacks in a consistent order
|
- control transaction support at run-time, deciding when to do things based
  on the value of the nsslapd-pluginbetxn attribute in the plugin's entry
- NIS: add default settings for shadow.byname and passwd.adjunct.byname maps
|
* Check for BETXN support at build-time, provide options for disabling
or requiring that it be available for build to succeed.
* Track whether or not BETXN support is enabled in the plugin-local
state.
* Skip processing in post/internalpost callbacks if BETXN support is enabled.
* Skip work in betxnpost callbacks if BETXN support is disabled.
|
Case sensitive comparisons keep getting tripped up by DN
canonicalization and the like.
|
When NIS Plugin and Schema Compatibility Plugin config entries include
    nsslapd-pluginbetxn: on
(the value could be yes, true or 1, too),
the plugins' update callbacks (add, delete, modify, and modrdn) are
called at the betxn pre/postop timing. By default, the value of
nsslapd-pluginbetxn is off.
(See also https://fedorahosted.org/389/ticket/351)
|
* add a definition for shadow.byname
* add a definition for passwd.adjunct.byname
* make passwd.byname/passwd.byuid hide userPassword if objectClass==shadowAccount
* base64-encode nis-disallowed-chars when we are printing defaults