| Commit message (Collapse) | Author | Age | Files | Lines |
CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r()
users via NSS
When the Schema Compatibility plugin is configured to enumerate users and groups
from Active Directory domains trusted by FreeIPA, use the nss_sss module directly
instead of following the nsswitch.conf configuration.
The issue with the nsswitch.conf configuration is that for each request
all modules in the NSS chain are processed, while only one of them is responsible
for users from trusted Active Directory domains, namely nss_sss.

FreeIPA ID views allow overriding POSIX attributes for certain
users and groups.
Support is added to allow using a specific ID view when serving the
compatibility tree. Each user or group entry which has an override
in the view is amended with the overridden values from the view
before being served out to the LDAP client.
The view to use is specified as part of the base DN:
cn=<view>,cn=views,cn=compat,$SUFFIX
where cn=compat,$SUFFIX is the original compatibility tree base DN.
Each entry, when served through the view, gets a new DN rewritten to
specify the view. Additionally, if an override in the view changes the
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.
For groups, the memberUid attribute is modified as well in case there is an override
in the view that changes the uid value of that member.
FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case a trusted AD domain's user or group is returned via the compatibility tree,
view overrides are applied in two stages:
1. SSSD applies the default view for AD users
2. slapi-nis applies the explicitly specified (host-specific) view
   on top of the entry returned by SSSD
Thus, slapi-nis does not need to apply the default view for AD users, and if there are
no host-specific views in use, there is no need to specify a view in the base DN,
making the overhead of a default view for AD users lower.

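The DN and memberUid rewriting described in the commit message above, as an added example. This is not slapi-nis code: it only models what an LDAP client sees when it searches under cn=<view>,cn=views,cn=compat,$SUFFIX. The function names (compat_view_dn, view_member_uid), the sample DNs, the view name "hr-hosts" and the assumption that the view base simply replaces cn=compat,$SUFFIX in the served DN are all choices made for this example; DN values containing escaped commas are not handled.

```c
/* Added example, not slapi-nis code: how a compat entry's DN and its
 * memberUid values change when the entry is served through an ID view.
 * Layout assumption: "<rdn>,<container>,cn=compat,$SUFFIX" becomes
 * "<rdn>,<container>,cn=<view>,cn=views,cn=compat,$SUFFIX". */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rewrite orig_dn (an entry below compat_base) so that it is served through
 * `view`.  When new_rdn_value is non-NULL the view overrides uid (users) or
 * cn (groups), so the RDN value is replaced as the commit message describes.
 * Returns 0 and fills `out` on success; -1 if orig_dn is not below
 * compat_base, has no "attr=value" RDN, or the result does not fit. */
int compat_view_dn(const char *orig_dn, const char *compat_base, const char *view,
                   const char *new_rdn_value, char *out, size_t outlen)
{
    size_t dl = strlen(orig_dn), bl = strlen(compat_base);

    /* the entry must be a proper sub-entry of the compat base */
    if (bl + 1 >= dl || orig_dn[dl - bl - 1] != ',' ||
        strcmp(orig_dn + (dl - bl), compat_base) != 0)
        return -1;

    size_t plen = dl - bl - 1;                    /* e.g. "uid=alice,cn=users" */
    const char *eq = memchr(orig_dn, '=', plen);
    const char *comma = memchr(orig_dn, ',', plen);
    if (eq == NULL || (comma != NULL && comma < eq))
        return -1;

    int attr_len = (int)(eq - orig_dn);           /* "uid" or "cn" */
    const char *value = eq + 1;
    int value_len = comma ? (int)(comma - value)
                          : (int)(plen - (size_t)attr_len - 1);
    if (new_rdn_value != NULL) {                  /* override changes the RDN */
        value = new_rdn_value;
        value_len = (int)strlen(new_rdn_value);
    }

    int n;
    if (comma != NULL) {                          /* keep "cn=users"/"cn=groups" */
        const char *middle = comma + 1;
        int middle_len = (int)(orig_dn + plen - middle);
        n = snprintf(out, outlen, "%.*s=%.*s,%.*s,cn=%s,cn=views,%s",
                     attr_len, orig_dn, value_len, value,
                     middle_len, middle, view, compat_base);
    } else {
        n = snprintf(out, outlen, "%.*s=%.*s,cn=%s,cn=views,%s",
                     attr_len, orig_dn, value_len, value, view, compat_base);
    }
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* One uid override from the view: the original uid and what it becomes. */
struct uid_override {
    const char *uid;
    const char *override_uid;
};

/* memberUid value to serve for a group member: the overridden uid when the
 * view changes that member's uid, otherwise the stored value unchanged. */
const char *view_member_uid(const char *member_uid,
                            const struct uid_override *ov, size_t n_ov)
{
    for (size_t i = 0; i < n_ov; i++)
        if (strcmp(member_uid, ov[i].uid) == 0)
            return ov[i].override_uid;
    return member_uid;
}
```

A client searching the plain cn=compat,$SUFFIX tree still gets the unmodified entry; only the base DN carrying cn=<view>,cn=views selects the rewritten form, which is why a host that needs no override never pays for one.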
Add {nis,schema-compat}-ignore-subtree (subtrees under which we ignore
contents and updates) and {nis,schema-compat}-restrict-subtree (subtrees
out of which we ignore contents and updates, if set) settings, and
default the former to "cn=tasks,cn=config".
This should avoid cases where we're looking through the ldbm backend for
entries which have a dangling reference to a newly-added task (which,
because it's in the DSE, means we acquire an ldbm lock after acquiring
our internal lock) while also updating a compat entry after its source
entry is modified (for example, by the memberOf plugin, which results in
us attempting to acquire our lock while the ldbm lock is already held).

Add a schema-compat-relevant-subtree configuration option, listing the
only parts of the DIT that we should ever look at, either as source
entries or as other entries which contain data which might be pulled in
as part of computing the contents of compat entries.
This is more or less the whitelist to schema-compat-ignore-subtree's
blacklist.
Add a schema-compat-ignore-subtree configuration option, listing parts
of the DIT that we should never look at, neither as source entries nor
as random other entries which contain data which might be pulled in as
part of computing the contents of compat entries.
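The three subtree settings introduced across the commits above (ignore-subtree here, relevant-subtree in the next commit, and the ignore-subtree/restrict-subtree pair with the "cn=tasks,cn=config" default) all reduce to one scoping decision per entry DN. The following is an added example of that decision, not slapi-nis code. The function names (dn_is_under, entry_in_scope) are chosen here, the sample DNs are constructed, and one rule is an assumption the commit messages do not state: when an entry falls under both an ignore subtree and a restrict subtree, ignore wins.

```c
/* Added example, not slapi-nis code: the scoping rule behind the
 * ignore-subtree, restrict-subtree and relevant-subtree settings.
 * dn_is_under() and entry_in_scope() are names chosen for this example. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Lower-case a DN and drop whitespace around ',' and '=' so that
 * "CN=Foo, cn=Tasks,cn=Config" and "cn=foo,cn=tasks,cn=config" compare
 * equal.  Escaped commas inside values are not handled (assumption: the
 * DNs being scoped are plain). */
static void dn_normalize(const char *dn, char *out, size_t outlen)
{
    size_t j = 0;
    bool after_sep = true;               /* also swallows leading whitespace */
    for (const char *p = dn; *p != '\0' && j + 1 < outlen; p++) {
        unsigned char c = (unsigned char)*p;
        if (isspace(c)) {
            if (after_sep)
                continue;                /* whitespace right after ',' or '=' */
            out[j++] = ' ';
            continue;
        }
        if (c == ',' || c == '=') {
            while (j > 0 && out[j - 1] == ' ')
                j--;                     /* whitespace right before a separator */
            after_sep = true;
        } else {
            after_sep = false;
        }
        out[j++] = (char)tolower(c);
    }
    while (j > 0 && out[j - 1] == ' ')
        j--;
    out[j] = '\0';
}

/* True if dn equals base or lies below it, compared per RDN component:
 * "cn=tasks,cn=config" covers "cn=foo,cn=tasks,cn=config" but not
 * "cn=bartasks,cn=config", which a plain string-suffix test would accept. */
static bool dn_is_under(const char *dn, const char *base)
{
    char ndn[1024], nbase[1024];
    dn_normalize(dn, ndn, sizeof ndn);
    dn_normalize(base, nbase, sizeof nbase);

    size_t dl = strlen(ndn), bl = strlen(nbase);
    if (bl == 0 || bl > dl)
        return false;
    if (strcmp(ndn + (dl - bl), nbase) != 0)
        return false;
    return dl == bl || ndn[dl - bl - 1] == ',';
}

/* Should the plugin look at this entry at all, either as a source entry
 * or as data pulled into a compat entry?
 *  - anything under an ignore subtree is never looked at;
 *  - if restrict subtrees are configured, only entries under one of them
 *    are looked at; with none configured, everything else is.
 * Assumption not stated by the commit messages: ignore wins when both
 * an ignore and a restrict subtree cover the same DN. */
bool entry_in_scope(const char *dn,
                    const char **ignore, size_t n_ignore,
                    const char **allow, size_t n_allow)
{
    for (size_t i = 0; i < n_ignore; i++)
        if (dn_is_under(dn, ignore[i]))
            return false;
    if (n_allow == 0)
        return true;
    for (size_t i = 0; i < n_allow; i++)
        if (dn_is_under(dn, allow[i]))
            return true;
    return false;
}
```

The per-component comparison is the part worth keeping when adapting this: with the default ignore list of "cn=tasks,cn=config", a suffix match on the raw string would also skip any unrelated entry whose RDN merely ends in "tasks".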
nsswitch
If the schema compat plugin configuration has
'schema-compat-lookup-nsswitch: user|group', then the schema compat plugin
will perform lookups of users/groups that were not found in the main
store using getpwnam_r()/getgrnam_r() and the libsss_nss_idmap library.
This is a special case to support legacy clients. The schema compat plugin in
this case is assumed to be running on a FreeIPA master configured with
trusts against Active Directory and SSSD 1.11+ configured with
ipa_server_mode = True.
Additionally, such entries are added to the schema compat plugin's map cache
and can be used for authentication purposes. They will use PAM
authentication pass-through to the 'system-auth' service.

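The getpwnam_r()/getgrnam_r() lookups the nsswitch fallback above relies on hand the caller a buffer that NSS may reject with ERANGE, and the retry that follows needs an upper bound: the CVE-2015-0283 entry at the top of this log records an infinite loop in exactly these getgrnam_r()/getgrgid_r() lookups. The following is an added example of a bounded retry, not slapi-nis code and not a description of how the plugin's own loop was or is written; lookup_group_bounded and max_len are names chosen for this example.

```c
/* Added example, not slapi-nis code: a bounded ERANGE retry loop around
 * getgrnam_r(), the kind of NSS lookup the nsswitch fallback performs.
 * lookup_group_bounded() and max_len are names chosen for this example. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>

/* Look up a group by name through NSS.
 * Returns 1 if found (*out is one malloc'd block holding the struct group
 * and the strings it points to; the caller free()s it), 0 if no such
 * group, and -1 on error with errno set.
 * The buffer grows when NSS reports ERANGE, but never past max_len, so a
 * group with an enormous member list, or an NSS module that keeps
 * answering ERANGE, ends the loop with an error instead of spinning. */
int lookup_group_bounded(const char *name, size_t max_len, struct group **out)
{
    long hint = sysconf(_SC_GETGR_R_SIZE_MAX);       /* libc's suggested size */
    size_t len = hint > 0 ? (size_t)hint : 1024;
    if (len > max_len)
        len = max_len;

    *out = NULL;
    for (;;) {
        char *block = malloc(sizeof(struct group) + len);
        if (block == NULL)
            return -1;                               /* errno set by malloc */
        struct group *grp = (struct group *)block;
        struct group *result = NULL;
        int rc = getgrnam_r(name, grp, block + sizeof(struct group), len, &result);

        if (rc == 0 && result != NULL) {
            *out = grp;                              /* found: caller owns block */
            return 1;
        }
        free(block);
        if (rc == 0 || rc == ENOENT || rc == ESRCH)
            return 0;                                /* no such group */
        if (rc != ERANGE) {
            errno = rc;                              /* genuine NSS failure */
            return -1;
        }
        if (len >= max_len) {                        /* the cap: stop growing */
            errno = ERANGE;
            return -1;
        }
        len = (len > max_len / 2) ? max_len : len * 2;
    }
}
```

The same shape applies to getpwnam_r(), getgrgid_r() and getpwuid_r(): retry only on ERANGE, treat every other non-zero return as a hard failure, and make the cap a configured limit rather than "until it fits", since the member list of a large AD group is controlled by whoever administers that domain.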
* Check for BETXN support at build-time, provide options for disabling
or requiring that it be available for build to succeed.
* Track whether or not BETXN support is enabled in the plugin-local
state.
* Skip processing in post/internalpost callbacks if BETXN support is enabled.
* Skip work in betxnpost callbacks if BETXN support is disabled.
Transaction support the way we added it is an all-or-nothing proposition
for a server installation, which turned out to be problematic, so 389 is
going to pursue another strategy for that. The new way requires that we
not register as a betxn plugin, ever.
entryUSN or the root DSE's lastUSN (if we have no source entry)