sssd.git/src/providers/ipa, branch mdbtest sssd with jhrozek's patches IPA: fix segfault in ipa_s2n_exop 2015-04-29T15:09:04+00:00 Aron Parsons parsonsa@bit-sys.com 2015-04-29T03:19:32+00:00 c520f40d1a2d77cf1d413451b5682297733521ed can be triggered on demand by assigning a POSIX group with external members sudo privileges, then dropping the cache and doing a sudo -U <user> -l. Reviewed-by: Sumit Bose <sbose@redhat.com> 
can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U <user> -l.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA: allow initgroups by SID for AD users 2015-04-29T09:33:22+00:00 Sumit Bose sbose@redhat.com 2015-04-22T14:57:37+00:00 f70a1adbfc30b9acc302027439fb8157e0c6ea2a If a user from a trusted AD domain is search with the help of an override name the SID from the override anchor is used to search the user in AD. Currently the initgroups request only allows searches by name. With this patch a SID can be used as well. Resolves https://fedorahosted.org/sssd/ticket/2632 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name.  With this patch a SID can be used as well.

Resolves https://fedorahosted.org/sssd/ticket/2632

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: check ghosts in groups found by uuid as well 2015-04-27T13:42:39+00:00 Sumit Bose sbose@redhat.com 2015-04-24T15:07:22+00:00 605dc7fcc848dffb7c9d270c864c70e6dff1242e With views and overrides groups are not allowed to have ghost members anymore because the name of a member might be overridden. To achieve this ghost members are looked up and resolved later during group lookups. Currently this is only done for group lookups by name but should happen as well if the group is looked up by uuid. Resolves https://fedorahosted.org/sssd/ticket/2631 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
With views and overrides groups are not allowed to have ghost members
anymore because the name of a member might be overridden. To achieve
this ghost members are looked up and resolved later during group
lookups. Currently this is only done for group lookups by name but
should happen as well if the group is looked up by uuid.

Resolves https://fedorahosted.org/sssd/ticket/2631

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: use sysdb_attrs_add_string_safe to add group member 2015-04-27T13:41:21+00:00 Sumit Bose sbose@redhat.com 2015-04-03T10:12:34+00:00 625cff0b0938538e51fdd3b2d985e6082b492ea5 The member list returned by the extdom plugin might contain some entries more than once. Although this is an issue on the server side to avoid ldb errors duplicates should be filtered out on the client as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
The member list returned by the extdom plugin might contain some entries
more than once. Although this is an issue on the server side to avoid
ldb errors duplicates should be filtered out on the client as well.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: do not try to save override data for the default view 2015-04-27T13:39:12+00:00 Sumit Bose sbose@redhat.com 2015-04-22T13:10:07+00:00 2ab9a4538eb2e1a255e645f7efdcfd6bb722d265 For the default view all override data is available in the cached user or group object. Even if separate override data is available it should not be written into the cache. Resolves https://fedorahosted.org/sssd/ticket/2630 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
For the default view all override data is available in the cached user
or group object. Even if separate override data is available it should
not be written into the cache.

Resolves https://fedorahosted.org/sssd/ticket/2630

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
subdom: Remove unused function get_flat_name_from_subdomain_name 2015-04-16T07:31:48+00:00 Jakub Hrozek jhrozek@redhat.com 2015-04-15T19:12:26+00:00 6fa190d636805a7126ebc775c0eacdd97dd78035 The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and
is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
selinux: Only call semanage if the context actually changes 2015-04-14T17:58:30+00:00 Jakub Hrozek jhrozek@redhat.com 2015-04-09T20:18:35+00:00 1e0fa55fb377db788e065de917ba8e149eb56161 https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com> 
https://fedorahosted.org/sssd/ticket/2624

Add a function to query the libsemanage database for a user context and
only update the database if the context differes from the one set on the
server.

Adds talloc dependency to libsss_semanage.

Reviewed-by: Michal Židek <mzidek@redhat.com>
IPA: Remove the ipa_hbac_treat_deny_as option 2015-03-24T20:03:41+00:00 Jakub Hrozek jhrozek@redhat.com 2015-03-16T10:48:39+00:00 6dff95bdfe437afc0b62b5270d0d84140981c786 https://fedorahosted.org/sssd/ticket/2603 Since deny rules are no longer supported on the server, the client should no longer support them either. Remove the option. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
https://fedorahosted.org/sssd/ticket/2603

Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Deprecate the ipa_hbac_treat_deny_as option 2015-03-24T20:03:38+00:00 Jakub Hrozek jhrozek@redhat.com 2015-03-16T10:28:25+00:00 fdfe33975cd902bf7a334e49f2667f6346c4e6ae https://fedorahosted.org/sssd/ticket/2603 Deny rules have not been supported by the IPA server since 2.1. We should deprecate the ipa_hbac_treat_deny_as option. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
https://fedorahosted.org/sssd/ticket/2603

Deny rules have not been supported by the IPA server since 2.1. We
should deprecate the ipa_hbac_treat_deny_as option.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Only treat malformed HBAC rules as fatal if deny rules are enabled 2015-03-24T20:03:35+00:00 Jakub Hrozek jhrozek@redhat.com 2015-03-16T10:12:25+00:00 c41ae115bfa808d04e729dcbd759d8aae8387ce7 https://fedorahosted.org/sssd/ticket/2603 If deny rules are not in effect, we can skip malformed HBAC rules because at worst we will deny access. If deny rules are in effect, we need to error out to be on the safe side and avoid skipping a deny rule. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
https://fedorahosted.org/sssd/ticket/2603

If deny rules are not in effect, we can skip malformed HBAC rules
because at worst we will deny access. If deny rules are in effect, we
need to error out to be on the safe side and avoid skipping a deny rule.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>