| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Handle cases where we fail to acquire locks.
|
| | |
|
| |
|
|
|
|
| |
Don't depend on a text attribute in a synthetic entry to tell us where
it came from; just record it in the entry's backend_data and consult it
directly later.
|
| |
|
|
|
|
| |
When allocating the array for returning a list of group entries, use
calloc() to ensure that the array is zero-filled, in case resizing it
fails for some reason.
|
| |
|
|
|
| |
If we're sending a result, don't log that we're sending a closest match,
even if it's "(null)", if we're not sending a closest match.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Rename backend_staged_data to backend_staged_search.
Fix some formatting.
Change how we walk the list of entries retrieved using a staged search
so that if the map's been removed since the search was staged, we still
free the temporary entry structures.
|
| | |
|
| |
|
|
|
|
|
| |
Don't bother to fetch the full set of request controls, since we don't
do anything with them. Merge what's left of backend_sch_do_pam_auth()
and do_pam_auth(). Separate the concoct-an-error-message logic out into
a helper that we call after both pam_authenticate() and pam_acct_mgmt().
|
| |
|
|
|
| |
Avoid possibly getting thrown by searches where a specified object class
is a prefix of one that we're looking for.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
When we fail to obtain a read lock on the data, attempt to fail the
operation, so that it can be retried later.
|
| |
|
|
|
|
| |
When we fail to write-lock our cache, cancel our update attempt. We'll
fall out of sync with the real data, but for now at least, that's better
than completely hosing the cache by updating it without the lock.
|
| |
|
|
|
| |
If we fail to get a read lock on the data, fail to answer the client's
NIS request.
|
| |
|
|
|
| |
The SLAPI and pthread rwlock functions, unlike the NSPR versions, return
result codes which can indicate failure. So don't throw them away.
|
| |
|
|
|
|
|
| |
Avoid using slapi_escape_filter_value(), which is newer than the
versions of directory server which we find in EL6, which leads to an
unresolvable symbol error if/when we try to call it at run-time, taking
down the server.
|
| | |
|
| |
|
|
|
| |
Originally we added a dedicated function to do this, but this was the
only place it was called from.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since trusted domain users do not exist in the LDAP tree, their
authentication is handed over to PAM stack with the hope that PAM is set
up properly to authenticate them.
Additionally, this patch completely refactors authentication for the
original DNs that *are* located in the LDAP tree. Previous way to handle
it was through referrals being sent back. However, this method does not
work at all.
Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand
over pre-bind processing to other directory server's plugins. If
slapi-nis set up with a higher precedence to them, authentication will
be handled by others.
|
| |
|
|
|
|
|
|
|
|
|
| |
Schema-compat plugin can be configured to serve users and groups through
the plugin configuration entry in directory server:
schema-compat-lookup-nsswitch: <user|group>
schema-compat-nsswitch-min-id: <value>
Separate trees should be configured to look up users and groups. If
minimal id value is missing, it will default to 1000.
|
| | |
|
| |
|
|
|
|
| |
src/back-sch-pam.c implements PAM authentication for users not found in
the LDAP tree using system-auth system service when running on FreeIPA
master server.
|
| |
|
|
|
| |
src/back-sch-nss.c implements interface to query users and groups on
FreeIPA master server via getpwnam_r(), getgrnam_r(), and libsss_idmap.
|
| |
|
|
|
|
|
|
|
| |
consulted
When one instance of schema compat plugin is configured to consult
NSSWITCH, promote its configuration to the backend.
Default to not looking into NSSWITCH.
|
| |
|
|
| |
NSSWITCH supporting code needs access to the schema-compat structures
|
| |
|
|
|
|
|
|
| |
PAM stack requires exclusive access, therefore we need to use a write
lock.
Required for authenticating synthetically created records coming outside
of LDAP store.
|
| |
|
|
|
|
|
| |
Add %sort(), which binary-sorts a single list of values, and
%dribble_merge(), which takes a quoted length, a separator,
and some expressions and produces a list of lists of values
using the separator, where no list is larger than the length.
|
| | |
|
| |
|
|
|
| |
After we're done with decoded arguments from a client, use xdr_free() to
free anything that was dynamically-allocated.
|
| |
|
|
|
|
| |
Clear buffers that we encode data into before encoding them, to avoid
valgrind warnings that their contents are used before they're written
to.
|
| |
|
|
|
|
| |
Check for SLAPI_PLUGIN_OPRETURN values before we do anything, in case
there's an error from the backend operation, where the server calls the
postop plugins anyway.
|
| |
|
|
|
|
| |
When checking if we can skip processing for a given change, pay
attention to whether or not the changes cause the entry to need to be
added or removed from a map (#912673).
|
| |
|
|
|
| |
Correct a typo, suggesting the suffix option was -m rather than -s in
one place. Reported by Filip Holec.
|
| |
|
|
|
| |
Don't expect every connected client to be ready for I/O every time we
poll for the group of them. Fixes #923336.
|
| |
|
|
|
| |
- add missing newlines at the end of a couple of messages
- make that one bit that we compare to zero unsigned instead of signed
|
| | |
|
| |
|
|
|
| |
- put a newline at the end of these two messages
- register callbacks in a consistent order
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* Check for BETXN support at build-time, provide options for disabling
or requiring that it be available for build to succeed.
* Track whether or not BETXN support is enabled in the plugin-local
state.
* Skip processing in post/internalpost callbacks if BETXN support is enabled.
* Skip work in betxnpost callbacks if BETXN support is disabled.
|
| |
|
|
|
|
|
|
|
|
| |
When NIS Plugin and Schema Compatibility Plugin config entries include
nsslapd-pluginbetxn: on
(the value could be yes, true or 1, too),
the plugins' update callbacks (add, delete, modify, and modrdn) are
called at the betxn pre/postop timing. By default, the value of
nsslapd-pluginbetxn is off.
(See also https://fedorahosted.org/389/ticket/351)
|
| |
|
|
|
|
|
| |
* add a definition for shadow.byname
* add a definition for passwd.adjunct.byname
* make passwd.byname/passwd.byuid hide userPassword if objectClass==shadowAccount
* base64-encode nis-disallowed-chars when we are printing defaults
|
| |
|
|
|
|
|
| |
Transaction support the way we added it is an all-or-nothing proposition
for a server installation, which turned out to be problematic, so 389 is
going to pursue another strategy for that. The new way requires that we
not register as a betxn plugin, ever.
|
| |
|
|
|
| |
We assumed that slapi_mods_add_smod() took ownership of the smod that we
pass in, when it really just keeps the contents.
|
| |
|
|
| |
until we hit an arithmetic exception (#810258)
|
