Commit message

Use a dummy user name if the one we get passed is NULL, which happens
when the bind target entry doesn't contain a "uid" attribute. Try to
avoid a timing attack by calling into PAM anyway. Switch to just
logging the detailed error information, and telling the client nothing.
Always use normalized RDNs as map keys, so that we can be sure that a
lookup using part of the DN will find the entry, even if it needed to be
escaped and/or normalized to something else at some point.
Make the addition of extensibleObject to the list of objectclasses
conditional on there being an ipaNTSecurityIdentifier value in the source
entry.
Handle cases where we fail to acquire locks.
Don't depend on a text attribute in a synthetic entry to tell us where
it came from; just record it in the entry's backend_data and consult it
directly later.
When allocating the array for returning a list of group entries, use
calloc() to ensure that the array is zero-filled, in case resizing it
fails for some reason.
If we're sending a result, don't log that we're sending a closest match,
even if it's "(null)", if we're not sending a closest match.
Rename backend_staged_data to backend_staged_search.
Fix some formatting.
Change how we walk the list of entries retrieved using a staged search
so that if the map's been removed since the search was staged, we still
free the temporary entry structures.
Don't bother to fetch the full set of request controls, since we don't
do anything with them. Merge what's left of backend_sch_do_pam_auth()
and do_pam_auth(). Separate the concoct-an-error-message logic out into
a helper that we call after both pam_authenticate() and pam_acct_mgmt().
Avoid possibly getting thrown by searches where a specified object class
is a prefix of one that we're looking for.
When we fail to obtain a read lock on the data, attempt to fail the
operation, so that it can be retried later.
When we fail to write-lock our cache, cancel our update attempt. We'll
fall out of sync with the real data, but for now at least, that's better
than completely hosing the cache by updating it without the lock.
If we fail to get a read lock on the data, fail to answer the client's
NIS request.
The SLAPI and pthread rwlock functions, unlike the NSPR versions, return
result codes which can indicate failure. So don't throw them away.
Avoid using slapi_escape_filter_value(), which is newer than the
versions of directory server which we find in EL6, which leads to an
unresolvable symbol error if/when we try to call it at run-time, taking
down the server.
Originally we added a dedicated function to do this, but this was the
only place it was called from.
Since trusted domain users do not exist in the LDAP tree, their
authentication is handed over to the PAM stack with the hope that PAM is
set up properly to authenticate them.
Additionally, this patch completely refactors authentication for the
original DNs that *are* located in the LDAP tree. The previous way to
handle it was through referrals being sent back. However, this method does
not work at all.
Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand
over pre-bind processing to the directory server's other plugins. If
slapi-nis is set up with a higher precedence than them, authentication
will be handled by the others.
The schema-compat plugin can be configured to serve users and groups
through the plugin configuration entry in the directory server:
schema-compat-lookup-nsswitch: <user|group>
schema-compat-nsswitch-min-id: <value>
Separate trees should be configured to look up users and groups. If the
minimal id value is missing, it will default to 1000.
src/back-sch-pam.c implements PAM authentication for users not found in
the LDAP tree using the system-auth system service when running on a
FreeIPA master server.
src/back-sch-nss.c implements an interface to query users and groups on a
FreeIPA master server via getpwnam_r(), getgrnam_r(), and libsss_idmap.
consulted
When one instance of schema compat plugin is configured to consult
NSSWITCH, promote its configuration to the backend.
Default to not looking into NSSWITCH.
NSSWITCH supporting code needs access to the schema-compat structures
The PAM stack requires exclusive access, therefore we need to use a write
lock.
Required for authenticating synthetically created records coming from
outside of the LDAP store.
Add %sort(), which binary-sorts a single list of values, and
%dribble_merge(), which takes a quoted length, a separator,
and some expressions and produces a list of lists of values
using the separator, where no list is larger than the length.
After we're done with decoded arguments from a client, use xdr_free() to
free anything that was dynamically-allocated.
Clear buffers that we encode data into before encoding them, to avoid
valgrind warnings that their contents are used before they're written
to.
Check for SLAPI_PLUGIN_OPRETURN values before we do anything, in case
there's an error from the backend operation, where the server calls the
postop plugins anyway.
When checking if we can skip processing for a given change, pay
attention to whether or not the changes cause the entry to need to be
added or removed from a map (#912673).
Correct a typo, suggesting the suffix option was -m rather than -s in
one place. Reported by Filip Holec.
Don't expect every connected client to be ready for I/O every time we
poll for the group of them. Fixes #923336.
- add missing newlines at the end of a couple of messages
- make that one bit that we compare to zero unsigned instead of signed
- put a newline at the end of these two messages
- register callbacks in a consistent order