slapi-nis.git/src, branch slapi-nis-ad SLAPI-NIS back-sch.c: authenticate users through PAM system-auth service 2013-08-06T11:24:42+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-07-31T11:40:12+00:00 3d669fdb53b9ff257aaff1cae4339c1eaeef453b Since trusted domain users do not exist in the LDAP tree, their authentication is handed over to PAM stack with the hope that PAM is set up properly to authenticate them. Additionally, this patch completely refactors authentication for the original DNs that *are* located in the LDAP tree. Previous way to handle it was through referrals being sent back. However, this method does not work at all. Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand over pre-bind processing to other directory server's plugins. If slapi-nis set up with a higher precedence to them, authentication will be handled by others. 
Since trusted domain users do not exist in the LDAP tree, their authentication
is handed over to PAM stack with the hope that PAM is set up properly to
authenticate them.

Additionally, this patch completely refactors authentication for the original DNs
that *are* located in the LDAP tree. Previous way to handle it was through
referrals being sent back. However, this method does not work at all.

Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand over
pre-bind processing to other directory server's plugins. If slapi-nis set up
with a higher precedence to them, authentication will be handled by others.
back-sch.c: search users and groups through NSSWITCH 2013-08-06T11:24:42+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-07-31T11:38:37+00:00 b4baf59e2d9c4775485c483d3b7b779d4e426ec8 Schema-compat plugin can be configured to serve users and groups through the plugin configuration entry in directory server: schema-compat-lookup-nsswitch: <user|group> schema-compat-nsswitch-min-id: <value> Separate trees should be configured to look up users and groups. If minimal id value is missing, it will default to 1000. 
Schema-compat plugin can be configured to serve users and groups through the
plugin configuration entry in directory server:

schema-compat-lookup-nsswitch: <user|group>
schema-compat-nsswitch-min-id: <value>

Separate trees should be configured to look up users and groups.
If minimal id value is missing, it will default to 1000.
src/Makefile.am: add back-sch-nss.c and back-sch-pam.c to build 2013-08-06T11:24:42+00:00 Alexander Bokovoy abokovoy@redhat.com 2013-07-31T11:44:37+00:00 101b120efa6cd82be7ed0b4e65c7c428c958bad0 






schema-compat: add support for authenticating users through PAM
2013-08-06T11:24:42+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-07-31T11:36:13+00:00

3cc64ccf520e823bd2cfe595b0e4d91efbc92ebb

src/back-sch-pam.c implements PAM authentication for users not found in the LDAP tree
using system-auth system service when running on FreeIPA master server.





src/back-sch-pam.c implements PAM authentication for users not found in the LDAP tree
using system-auth system service when running on FreeIPA master server.







schema-compat: add support for querying users and groups through NSSWITCH
2013-08-06T11:24:42+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-07-31T11:35:15+00:00

4757303fa53ef14f084606adb0ed411fdfe23a25

src/back-sch-nss.c implements interface to query users and groups on FreeIPA
master server via getpwnam_r(), getgrnam_r(), and libsss_idmap.





src/back-sch-nss.c implements interface to query users and groups on FreeIPA
master server via getpwnam_r(), getgrnam_r(), and libsss_idmap.







back-sch: use plugin configuration to decide whether NSSWITCH should be consulted
2013-08-06T10:03:35+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-07-31T11:29:31+00:00

cb3638947ab0d562990ebab02e1f9282b3c9a9ec

When one instance of schema compat plugin is configured to consult NSSWITCH,
promote its configuration to the backend.

Default to not looking into NSSWITCH.





When one instance of schema compat plugin is configured to consult NSSWITCH,
promote its configuration to the backend.

Default to not looking into NSSWITCH.







back-sch: move structure definitions to back-sch.h to share with other code
2013-08-05T12:35:22+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-07-31T11:26:55+00:00

7a232d34f5c23ea30ec00ae2584af8db1b061032

NSSWITCH supporting code needs access to the schema-compat structures





NSSWITCH supporting code needs access to the schema-compat structures







format: add format_strdupbv() helper
2013-08-05T12:35:22+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-07-31T11:22:30+00:00

b32d84da5145efb0715b71c2ea2d563a068e6471

format_strdupbv() helper is handy when you need to store a string
value off the BER value.





format_strdupbv() helper is handy when you need to store a string
value off the BER value.







schema-compat: introduce a lock to protect PAM authentication
2013-08-05T12:35:22+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-07-31T10:28:58+00:00

04d8401285287e79415cdce445db51c5cff69f07

PAM stack requires exclusive access, therefore we need to use a write lock.

Required for authenticating synthetically created records coming outside
of LDAP store.





PAM stack requires exclusive access, therefore we need to use a write lock.

Required for authenticating synthetically created records coming outside
of LDAP store.







Add %sort() and %dribble_merge()
2013-05-23T23:46:59+00:00

Nalin Dahyabhai
nalin@redhat.com

2013-05-23T23:40:27+00:00

fd975c77fda8dc2485eede3c15aee3fc3d236a9f

Add %sort(), which binary-sorts a single list of values, and
%dribble_merge(), which takes a quoted length, a separator,
and some expressions and produces a list of lists of values
using the separator, where no list is larger than the length.





Add %sort(), which binary-sorts a single list of values, and
%dribble_merge(), which takes a quoted length, a separator,
and some expressions and produces a list of lists of values
using the separator, where no list is larger than the length.