path: root/src
Commit message | Author | Age | Files | Lines
* Coverity#11937: use proper structure to pass to map_data_set_entry() | Alexander Bokovoy | 2013-09-02 | 1 | -6/+8
  map_data_set_entry() passes pointers to the lengths of the key and the value to map_data_save_list() which interprets them as arrays of integers.
* Remove a pair of unused variables | Nalin Dahyabhai | 2013-08-28 | 1 | -2/+0
* Warn if we fail to set SO_LINGER for TCP clients | Nalin Dahyabhai | 2013-08-27 | 1 | -1/+7
* Warn if non-blocking-ifying a client socket fails | Nalin Dahyabhai | 2013-08-27 | 1 | -1/+7
* Error out if the listener can't be non-blocking | Nalin Dahyabhai | 2013-08-27 | 1 | -2/+9
* Omit an unnecessary switch case | Nalin Dahyabhai | 2013-08-27 | 1 | -2/+0
* Don't make an unnecessary check | Nalin Dahyabhai | 2013-08-27 | 1 | -1/+1
* Skip values that are going to come up empty | Nalin Dahyabhai | 2013-08-27 | 1 | -0/+3
* Sanity check the request size correctly | Nalin Dahyabhai | 2013-08-27 | 1 | -3/+4
  Use the amount of data that we could have read as the upper bound on reasonable-looking request lengths.
* Make sure that length is always initialized | Nalin Dahyabhai | 2013-08-27 | 1 | -0/+1
* Fix a missing xdr_free() | Nalin Dahyabhai | 2013-08-27 | 1 | -1/+1
* Directly return lists when making single queries | Nalin Dahyabhai | 2013-08-27 | 1 | -35/+42
* Don't leak "buf" if its contents are unused | Nalin Dahyabhai | 2013-08-27 | 1 | -0/+2
* Break out passwd-to-slapi_entry conversion | Nalin Dahyabhai | 2013-08-27 | 1 | -55/+70
  Break out a backend_make_user_entry_from_nsswitch_passwd function for converting a passwd structure to an entry, and rename the helper for groups to match it.
* Free staged data correctly when locking fails | Nalin Dahyabhai | 2013-08-27 | 1 | -0/+2
* Don't use pamh before or after it's valid | Nalin Dahyabhai | 2013-08-27 | 1 | -9/+23
  Don't use the PAM handle before it's initialized or after it's freed (static analysis).
* Log successful authentication at PLUGIN, not FATAL | Nalin Dahyabhai | 2013-08-12 | 1 | -1/+1
  The server's mainline code doesn't appear to log successful authentication beyond what already shows up in the access log, so we should probably behave ourselves.
* Finish PAM->LDAP mapping logging code | Nalin Dahyabhai | 2013-08-12 | 1 | -15/+40
* Handle binds to compat entries without "uid"s | Nalin Dahyabhai | 2013-08-12 | 1 | -11/+35
  Use a dummy user name if the one we get passed is NULL, which happens when the bind target entry doesn't contain a "uid" attribute. Try to avoid a timing attack by calling into PAM anyway. Switch to just logging the detailed error information, and telling the client nothing.
* Always use normalized RDNs as map keys | Nalin Dahyabhai | 2013-08-12 | 1 | -2/+3
  Always use normalized RDNs as map keys, so that we can be sure that a lookup using part of the DN will find the entry, even if it needed to be escaped and/or normalized to something else at some point.
* Only add extensibleObject if we have an SID | Nalin Dahyabhai | 2013-08-12 | 1 | -1/+1
  Make the addition of extensibleObject to the list of objectclasses conditional on there being a ipaNTSecurityIdentifier value in the source entry.
* Properly escape DNs of nsswitch-based entries | Nalin Dahyabhai | 2013-08-12 | 1 | -15/+59
* Suppress some compiler warnings | Nalin Dahyabhai | 2013-08-12 | 1 | -0/+1
* Remove some unused variables | Nalin Dahyabhai | 2013-08-12 | 2 | -6/+1
* Handle locking failures | Nalin Dahyabhai | 2013-08-12 | 1 | -37/+64
  Handle cases where we fail to acquire locks.
* Make notes of our staged nsswitch lookups | Nalin Dahyabhai | 2013-08-12 | 1 | -0/+23
* Switch to tracking entry sources explicitly | Nalin Dahyabhai | 2013-08-12 | 2 | -13/+2
  Don't depend on a text attribute in a synthetic entry to tell us where it came from; just record it in the entry's backend_data and consult it directly later.
* Ensure that the grouplist entry array is inited | Nalin Dahyabhai | 2013-08-12 | 1 | -1/+1
  When allocating the array for returning a list of group entries, use calloc() to ensure that the array is zero-filled, in case resizing it fails for some reason.
* Don't log "with closest match (null)" | Nalin Dahyabhai | 2013-08-12 | 1 | -15/+14
  If we're sending a result, don't log that we're sending a closest match, even if it's "(null)", if we're not sending a closest match.
* Formatting, implicit NULL checks | Nalin Dahyabhai | 2013-08-12 | 1 | -4/+4
* Fix a type safety error | Nalin Dahyabhai | 2013-08-12 | 1 | -1/+1
* Explicitly track the sources of cached entries | Nalin Dahyabhai | 2013-08-12 | 2 | -7/+20
* Renames and fix a memory leak | Nalin Dahyabhai | 2013-08-12 | 3 | -55/+56
  Rename backend_staged_data to backend_staged_search. Fix some formatting. Change how we walk the list of entries retrieved using a staged search so that if the map's been removed since the search was staged, we still free the temporary entry structures.
* Comment cleanup | Nalin Dahyabhai | 2013-08-12 | 1 | -7/+8
* Consolidate PAM error checking/handling/reporting | Nalin Dahyabhai | 2013-08-12 | 1 | -144/+108
  Don't bother to fetch the full set of request controls, since we don't do anything with them. Merge what's left of backend_sch_do_pam_auth() and do_pam_auth(). Separate the concoct-an-error-message logic out into a helper that we call after both pam_authenticate() and pam_acct_mgmt().
* Compare object class names in bervals correctly | Nalin Dahyabhai | 2013-08-12 | 1 | -3/+21
  Avoid possibly getting thrown by searches where a specified object class is a prefix of one that we're looking for.
* Collapse a pair of blank lines | Nalin Dahyabhai | 2013-08-12 | 1 | -1/+0
* Make --with-pam-service a build-time option | Nalin Dahyabhai | 2013-08-07 | 1 | -1/+2
* Build using sss_nss_idmap/PAM CFLAGS, too | Nalin Dahyabhai | 2013-08-07 | 1 | -0/+3
* Notice when read locks fail | Nalin Dahyabhai | 2013-08-07 | 1 | -24/+50
  When we fail to obtain a read lock on the data, attempt to fail the operation, so that it can be retried later.
* Notice when we fail to write lock | Nalin Dahyabhai | 2013-08-07 | 1 | -6/+45
  When we fail to write-lock our cache, cancel our update attempt. We'll fall out of sync with the real data, but for now at least, that's better than completely hosing the cache by updating it without the lock.
* Check if we fail to read-lock | Nalin Dahyabhai | 2013-08-07 | 1 | -8/+75
  If we fail to get a read lock on the data, fail to answer the client's NIS request.
* Remember that locking can fail | Nalin Dahyabhai | 2013-08-07 | 4 | -21/+24
  The SLAPI and pthread rwlock functions, unlike the NSPR versions, return result codes which can indicate failure. So don't throw them away.
* Avoid slapi_escape_filter_value(), which is fresh | Nalin Dahyabhai | 2013-08-07 | 1 | -4/+4
  Avoid using slapi_escape_filter_value(), which is newer than the versions of directory server which we find in EL6, which leads to an unresolvable symbol error if/when we try to call it at run-time, taking down the server.
* Add some missing "#ifdef HAVE_SSS_NSS_IDMAP"s | Nalin Dahyabhai | 2013-08-07 | 1 | -4/+12
* Add inlined version of what format_strdupbv() | Nalin Dahyabhai | 2013-08-07 | 1 | -1/+6
  Originally we added a dedicated function to do this, but this was the only place it was called from.
* back-sch.c: authenticate users through PAM system-auth service | Alexander Bokovoy | 2013-08-07 | 1 | -18/+126
  Since trusted domain users do not exist in the LDAP tree, their authentication is handed over to PAM stack with the hope that PAM is set up properly to authenticate them.

  Additionally, this patch completely refactors authentication for the original DNs that *are* located in the LDAP tree. Previous way to handle it was through referrals being sent back. However, this method does not work at all. Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand over pre-bind processing to other directory server's plugins. If slapi-nis is set up with a higher precedence to them, authentication will be handled by others.
* back-sch.c: search users and groups through NSSWITCH | Alexander Bokovoy | 2013-08-07 | 1 | -6/+124
  Schema-compat plugin can be configured to serve users and groups through the plugin configuration entry in directory server:

      schema-compat-lookup-nsswitch: <user|group>
      schema-compat-nsswitch-min-id: <value>

  Separate trees should be configured to look up users and groups. If minimal id value is missing, it will default to 1000.
* src/Makefile.am: add back-sch-nss.c and back-sch-pam.c to build | Alexander Bokovoy | 2013-08-07 | 1 | -0/+10
* schema-compat: add support for authenticating users through PAM | Alexander Bokovoy | 2013-08-07 | 1 | -0/+290
  src/back-sch-pam.c implements PAM authentication for users not found in the LDAP tree using system-auth system service when running on FreeIPA master server.