sssd.git/src/providers/ipa/ipa_init.c, branch simo_ccname sssd with jhrozek's patches LDAP: Make sdap_id_setup_tasks reusable for subdomains 2013-08-28T16:06:57+00:00 Jakub Hrozek jhrozek@redhat.com 2013-08-22T09:03:01+00:00 1c4144a6ce68dbd54c7c08a517d1f982ea57f19a Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well. 
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.
IPA: Enable AD sites when in server mode 2013-08-28T14:19:51+00:00 Jakub Hrozek jhrozek@redhat.com 2013-08-14T19:12:07+00:00 de307ab8e390deabc5df9884a3f762bfb1581936 https://fedorahosted.org/sssd/ticket/1964 Currently the AD sites are enabled unconditionally 
https://fedorahosted.org/sssd/ticket/1964

Currently the AD sites are enabled unconditionally
KRB5: Do not send PAC in server mode 2013-07-23T12:18:03+00:00 Jakub Hrozek jhrozek@redhat.com 2013-07-19T05:36:28+00:00 48657b5de36a63b0c13ed5d53065871d59d8f10b The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case. 
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
IPA: Initialize server mode ctx if server mode is on 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T08:50:44+00:00 f8a4a5f6240156809e1b5ef03816f673281e3fa0 This patch introduces a new structure that holds information about a subdomain and its ad_id_ctx. This structure will be used only in server mode to make it possible to search subdomains with a particular ad_id_ctx. Subtask of: https://fedorahosted.org/sssd/ticket/1962 
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.

Subtask of:
https://fedorahosted.org/sssd/ticket/1962
Add ipa_idmap_init() 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-14T10:49:46+00:00 8ff0aba893d8da1a8163ccaf9ad2c5b6bccd121f Use the sdap_idmap context for the IPA provider as well. https://fedorahosted.org/sssd/ticket/1961 
Use the sdap_idmap context for the IPA provider as well.

https://fedorahosted.org/sssd/ticket/1961
krb5: do not send pac for IPA users from the local domain 2013-06-25T12:34:39+00:00 Sumit Bose sbose@redhat.com 2013-06-24T18:59:53+00:00 fa4a9c4afcc0c62a693034e21f33356e64735687 So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995 
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.

Fixes https://fedorahosted.org/sssd/ticket/1995
providers: refresh expired netgroups 2013-06-10T18:30:57+00:00 Pavel Březina pbrezina@redhat.com 2013-05-14T13:00:05+00:00 7b5e7e539ae9312ab55d75aa94feaad549b2a708 https://fedorahosted.org/sssd/ticket/1713 
https://fedorahosted.org/sssd/ticket/1713
LDAP: sdap_id_ctx might contain several connections 2013-06-06T22:14:12+00:00 Jakub Hrozek jhrozek@redhat.com 2013-05-21T15:18:03+00:00 dcb44c39dda9699cdd6488fd116a51ced0687de3 With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches. 
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.

At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.

No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.
IPA: Always initialize ID mapping 2013-05-27T17:09:04+00:00 Sumit Bose sbose@redhat.com 2013-05-07T19:36:51+00:00 aae5af7fb5fbdd780b06f2b5fb89dfe8ab52fb34 Because we now always want to store SIDs in the IPA provider, we also need to always initialize the ID mapping context. 
Because we now always want to store SIDs in the IPA provider, we also need
to always initialize the ID mapping context.
Remove unneeded parameter of setup_child and namespace it 2013-05-20T20:37:25+00:00 Jakub Hrozek jhrozek@redhat.com 2013-05-14T16:55:40+00:00 eb64d3406c15dcc5cb42c94488737bdbb9a15655 setup_child() was accepting a parameter it didn't use. Also the function name was too generic, so I added a sdap prefix. 
setup_child() was accepting a parameter it didn't use. Also the function
name was too generic, so I added a sdap prefix.