sssd.git/src/providers/ipa, branch f23 sssd with jhrozek's patches IPA: Always re-fetch the keytab from the IPA server 2015-09-07T16:22:05+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-24T11:13:08+00:00 042600d08a9d3188d7d3135fc235e6a7c2237a4b Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists. This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Even if a keytab for one-way trust exists, re-fetch the keytab again and
try to use it. Fall back to the previous one if it exists.

This is in order to allow the admin to re-establish the trust keytabs
with a simple sssd restart.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Change the default of ldap_user_certificate to userCertificate;binary 2015-09-07T16:21:48+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-10T10:40:39+00:00 6a5abcaf3eb6133bc96c44a11e423fe7a0dca3a6 This is safe from ldb point of view, because ldb gurantees the data is NULL-terminated. We must be careful before we save the data, though. Resolves: https://fedorahosted.org/sssd/ticket/2742 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This is safe from ldb point of view, because ldb gurantees the data is
NULL-terminated. We must be careful before we save the data, though.

Resolves:
https://fedorahosted.org/sssd/ticket/2742

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Handle sssd-owned keytabs when running as root 2015-09-07T16:20:27+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-22T15:20:11+00:00 fd68d59f701ff90e4baae7b4bd137c374c719e8a https://fedorahosted.org/sssd/ticket/2718 This patch handles the case where the keytab is created with sssd:sssd ownership (perhaps by the IPA oddjob script) but SSSD runs as root, which is the default in many distributions. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/sssd/ticket/2718

This patch handles the case where the keytab is created with sssd:sssd
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
which is the default in many distributions.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
IPA: Better debugging 2015-09-07T16:20:14+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-22T13:17:57+00:00 9581883ba3d8651aca3888d6883f41280cd97979 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> 
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
IPA: Remove MPG groups if getgrgid was called before getpw() 2015-09-07T16:12:16+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-21T09:44:03+00:00 e5dcfc2888611cadc482307d8b5147f85332ec86 https://fedorahosted.org/sssd/ticket/2724 This bug only affects IPA clients that are connected to IPA servers with AD trust and ID mapping in effect. If an IPA client calls getgrgid() for an ID that matches a user, the user's private group would be returned and stored as a group entry. Subsequent queries for that user would fail, because MPG domains impose uniqueness restriction for both the ID and name space across groups and users. To work around that, we remove the UPG groups in MPG domains during a group lookup. Reviewed-by: Sumit Bose <sbose@redhat.com> 
https://fedorahosted.org/sssd/ticket/2724

This bug only affects IPA clients that are connected to IPA servers with
AD trust and ID mapping in effect.

If an IPA client calls getgrgid() for an ID that matches a user, the
user's private group would be returned and stored as a group entry.

Subsequent queries for that user would fail, because MPG domains impose
uniqueness restriction for both the ID and name space across groups and
users.

To work around that, we remove the UPG groups in MPG domains during a
group lookup.

Reviewed-by: Sumit Bose <sbose@redhat.com>
KRB5: Add and use krb5_auth_queue_send to queue requests by default 2015-07-06T13:23:44+00:00 Jakub Hrozek jhrozek@redhat.com 2015-06-30T17:40:46+00:00 01ec08efd0e166ac6f390f8627c6d08dcc63ccc4 Resolves: https://fedorahosted.org/sssd/ticket/2701 Previously, only the krb5 provides used to queue requests, which resulted in concurrent authentication requests stepping on one another. This patch queues requests by default. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/2701

Previously, only the krb5 provides used to queue requests, which
resulted in concurrent authentication requests stepping on one another.

This patch queues requests by default.

Reviewed-by: Sumit Bose <sbose@redhat.com>
views: Add is_default_view helper function 2015-07-02T11:37:38+00:00 Michal Židek mzidek@redhat.com 2015-06-24T16:03:49+00:00 9ac2a33f4cdc4941fa63118dcffe8058854f33c4 Ticket: https://fedorahosted.org/sssd/ticket/2641 Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Ticket:
https://fedorahosted.org/sssd/ticket/2641

Reviewed-by: Pavel Reichl <preichl@redhat.com>
LDAP/IPA: add user lookup by certificate 2015-06-19T16:48:13+00:00 Sumit Bose sbose@redhat.com 2015-05-27T16:23:49+00:00 caacea0dbfdc92613ae992681053b1d2665b80ca Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related to https://fedorahosted.org/sssd/ticket/2596

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: add ldap_user_certificate option 2015-06-19T15:21:24+00:00 Sumit Bose sbose@redhat.com 2015-05-07T08:59:10+00:00 e22e04517b9f9d0c7759dc4768eedfd05908e9b6 Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related to https://fedorahosted.org/sssd/ticket/2596

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
BUILD: Store keytabs in /var/lib/sss/keytabs 2015-06-16T16:27:39+00:00 Jakub Hrozek jhrozek@redhat.com 2015-06-16T11:22:32+00:00 dbfc407eef1d9ba2469687c3ffbe7fd8bb111d94 Make sure the directory is only accessible to the sssd user Reviewed-by: Michal Židek <mzidek@redhat.com> 
Make sure the directory is only accessible to the sssd user

Reviewed-by: Michal Židek <mzidek@redhat.com>