sssd.git/src/providers/ad, branch master sssd with jhrozek's patches GPO: Use sss_unique_file and close fd on failure 2015-09-01T11:01:42+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-12T10:45:34+00:00 3954cd07dae78bf79136f0854472757d1ed26897 The GPO child didn't remove temporary file on failure and didn't close the fd on failure (the latter was not much of a problem for a short-lived child process). Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The GPO child didn't remove temporary file on failure and didn't close
the fd on failure (the latter was not much of a problem for a
short-lived child process).

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
AD: send less logs to syslog 2015-09-01T09:26:26+00:00 Pavel Reichl preichl@redhat.com 2015-08-28T12:06:18+00:00 bfa5e3869bb68213f08169efe55c45cb625e8fd0 Create new callback that handles logging messages in cyrus sasl library. Resolves: https://fedorahosted.org/sssd/ticket/2561 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Create new callback that handles logging messages in cyrus sasl library.

Resolves:
https://fedorahosted.org/sssd/ticket/2561

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
sssd: incorrect checks on length values during packet decoding 2015-08-31T16:34:26+00:00 Michal Židek mzidek@redhat.com 2015-07-22T14:35:35+00:00 9f0bffebd070115ab47a92eadc6890a721c7b78d https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com> 
https://fedorahosted.org/sssd/ticket/1697

It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.

Reviewed-by: Petr Cech <pcech@redhat.com>
DYNDNS: remove zone command 2015-08-14T21:54:44+00:00 Pavel Reichl preichl@redhat.com 2015-07-23T09:30:34+00:00 4f2a07c422fa357ef6651bca8c48b8005280fa1d Remove zone command from message to nsupsate. This command is generally used to hint nsupdate. In correctly configured environment such information should be obtained via DNS. If DNS does not provide necessary information we give other hints. For more details see: https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Remove zone command from message to nsupsate. This command is generally
used to hint nsupdate. In correctly configured environment such
information should be obtained via DNS.

If DNS does not provide necessary information we give other hints.

For more details see:
https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate

Resolves:
https://fedorahosted.org/sssd/ticket/2495

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
DYNDNS: Add a new option dyndns_server 2015-08-14T21:51:02+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-06T20:53:27+00:00 8145ab51b05aa86b2f1a21b49383f55e50b0a2e3 Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates. This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message. Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.

This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
AD: Use ad_site also when site search fails 2015-07-29T15:24:15+00:00 Pavel Březina pbrezina@redhat.com 2015-07-28T11:49:37+00:00 cbbd8ce524a7e1ae0a1b553c2af18fbef59a06ce https://fedorahosted.org/sssd/ticket/2725 Some deployments use the ad_site option for cases where the AD clients are not able to find a site for one reason or another. With our current code, the ad_site option value can only override a site that the client found, not supply the value for cases no site could be found. This patch fixes the issue. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
https://fedorahosted.org/sssd/ticket/2725

Some deployments use the ad_site option for cases where the AD clients
are not able to find a site for one reason or another. With our current
code, the ad_site option value can only override a site that the client
found, not supply the value for cases no site could be found.

This patch fixes the issue.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
AD: Handle cases where no GPOs apply 2015-07-26T18:33:07+00:00 Stephen Gallagher sgallagh@redhat.com 2015-07-20T13:29:19+00:00 7c18b65dbdeb584a946c055f2db3814544b17232 It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error. We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration We also need to delete the result object from the cache to ensure that offline operation will also grant access. Resolves: https://fedorahosted.org/sssd/ticket/2713 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
It is possible to have a machine where none of the GPOs associated with
it include access-control rules. Currently, this results in a
denial-by-system-error.

We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration

We also need to delete the result object from the cache to ensure that
offline operation will also grant access.

Resolves:
https://fedorahosted.org/sssd/ticket/2713

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Fix minor typos 2015-07-23T09:10:16+00:00 Yuri Chornoivan yurchor@ukr.net 2015-06-26T05:52:12+00:00 f91029dd8d7dbc026a5c73e222926db957240cb4 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
LDAP: Add the wildcard_limit option 2015-07-15T15:32:46+00:00 Jakub Hrozek jhrozek@redhat.com 2015-06-17T14:13:51+00:00 b9e74a747b8f1012bba3575f3e4289ef4877d64a Related: https://fedorahosted.org/sssd/ticket/2553 Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related:
    https://fedorahosted.org/sssd/ticket/2553

Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
GPO: Fix incorrect strerror on GPO access denial 2015-06-23T13:43:07+00:00 Stephen Gallagher sgallagh@redhat.com 2015-06-11T13:17:02+00:00 b08b6a994dcca108bb571458da092e0e320ce9c2 We're attempting to use strerror() to print the result from ad_gpo_access_check(), but that function returns an extended SSSD errno Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
We're attempting to use strerror() to print the result from
ad_gpo_access_check(), but that function returns an extended SSSD errno

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>