sssd.git/src/providers/ipa, branch nonroot-libcap sssd with jhrozek's patches IPA: add support for new extdom plugin version 2014-09-30T16:24:53+00:00 Sumit Bose sbose@redhat.com 2014-09-05T08:34:01+00:00 28c70f003c7b330ab1d998a4eff1248d272a6ba9 Initially the extdom plugin was only used to translate SIDs of AD user and groups to names or POSIX IDs. On IPA clients group memberships were resolved with the help of the PAC in the Kerberos ticket which required that the user has logged in at least once. Home directory and the login shell were auto generated. The new version of the extdom plugin can return the complete list of group memberships of a user and the list of all members of a group. Additionally the gecos field, home directory and login shell are returned together with an optional list of key-value pairs for arbitrary data which is written unmodified to the cache. Fixes https://fedorahosted.org/sssd/ticket/2159 and https://fedorahosted.org/sssd/ticket/2041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Initially the extdom plugin was only used to translate SIDs of AD user
and groups to names or POSIX IDs. On IPA clients group memberships were
resolved with the help of the PAC in the Kerberos ticket which required
that the user has logged in at least once. Home directory and the login
shell were auto generated.

The new version of the extdom plugin can return the complete list of
group memberships of a user and the list of all members of a group.
Additionally the gecos field, home directory and login shell are
returned together with an optional list of key-value pairs for arbitrary
data which is written unmodified to the cache.

Fixes https://fedorahosted.org/sssd/ticket/2159
  and https://fedorahosted.org/sssd/ticket/2041

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: Use GC for group lookups in server mode 2014-09-25T08:12:57+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-09T20:13:52+00:00 a20ce8cd43d72c89e2ea1d65aefe24ba270f040f https://fedorahosted.org/sssd/ticket/2412 Even though AD trusts often work with POSIX attributes which are normally not replicated to GC, our group lookups are smart since commit 008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using the LDAP connection and only use the GC connection to look up the members. Reviewed-by: Pavel Reichl <preichl@redhat.com> 
https://fedorahosted.org/sssd/ticket/2412

Even though AD trusts often work with POSIX attributes which are
normally not replicated to GC, our group lookups are smart since commit
008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
the LDAP connection and only use the GC connection to look up the members.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Add alternative objectClass to group attribute maps 2014-09-15T08:12:57+00:00 Michal Zidek mzidek@redhat.com 2014-09-10T10:41:16+00:00 6f91c61426c8cfbfec52d5e77ae4650007694e69 In IPA we sometimes need to use posixGroup and sometimes groupOfNames objectclass to query the groups. This patch adds the possibility to specify alternative objectclass in group maps. By default it is only set for IPA. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
In IPA we sometimes need to use posixGroup and
sometimes groupOfNames objectclass to query the
groups. This patch adds the possibility to specify
alternative objectclass in group maps. By
default it is only set for IPA.

Fixes:
https://fedorahosted.org/sssd/ticket/2436

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: process non-posix nested groups 2014-09-08T16:55:17+00:00 Pavel Reichl preichl@redhat.com 2014-07-16T12:52:43+00:00 bc8c93ffe881271043492c938c626a9be948000e Do not expect objectClass to be posixGroup but rather more general groupofnames. Resolves: https://fedorahosted.org/sssd/ticket/2343 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Do not expect objectClass to be posixGroup but rather more general
groupofnames.

Resolves:
https://fedorahosted.org/sssd/ticket/2343

Reviewed-by: Michal Židek <mzidek@redhat.com>
SSS_CACHE: Allow sss_cache tool to flush SSH hosts cache 2014-09-05T09:40:39+00:00 William B william@adelaide.edu.au 2014-07-21T09:13:25+00:00 3ac7c4fe618ede980a4df8d90341ef1fd0f1f62f Resolves: https://fedorahosted.org/sssd/ticket/2358 Signed-off-by: Jan Cholasta <jcholast@redhat.com> Reviewed-by: Jan Cholasta <jcholast@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/2358

Signed-off-by: Jan Cholasta <jcholast@redhat.com>

Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
SDAP: new option - DN to ppolicy on LDAP 2014-08-27T12:25:05+00:00 Pavel Reichl preichl@redhat.com 2014-08-06T15:05:53+00:00 5668d294a39326f7024cbf24333e33ee970caf2d To check value of pwdLockout attribute on LDAP server, DN of ppolicy must be set. Resolves: https://fedorahosted.org/sssd/ticket/2364 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
To check value of pwdLockout attribute on LDAP server, DN of ppolicy
must be set.

Resolves:
https://fedorahosted.org/sssd/ticket/2364

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Revert "IPA: new attribute map for non-posix groups" 2014-08-19T17:23:22+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-19T17:23:22+00:00 ac67376a47ed52374641e7a4f6fd97712fe5171b This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f. 
This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f.
IPA: new attribute map for non-posix groups 2014-08-19T13:46:58+00:00 Pavel Reichl preichl@redhat.com 2014-07-16T12:33:58+00:00 4c560e7b98e7ab71d22be24d2fbc468396cb634f Create new set of attributes to be used when processing non-posix groups. Resolves: https://fedorahosted.org/sssd/ticket/2343 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Create new set of attributes to be used when processing non-posix groups.

Resolves:
https://fedorahosted.org/sssd/ticket/2343

Reviewed-by: Michal Židek <mzidek@redhat.com>
IPA: handle searches by SID in apply_subdomain_homedir 2014-08-19T12:28:44+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-12T08:32:33+00:00 82347f452febe3cbffc36b0a3308ffb462515442 https://fedorahosted.org/sssd/ticket/2391 apply_subdomain_homedir() didn't handle the situation where an entity that doesn't match was requested from the cache. For user and group lookups this wasn't a problem because the negative match was caught sooner. But SID lookups can match either user or group. When a group SID was requested, the preceding LDAP request matched the SID and stored the group in the cache. Then apply_subdomain_homedir() only tried to search user by SID, didn't find the entry and accessed a NULL pointer. A simple reproducer is: $ python >>> import pysss_nss_idmap >>> pysss_nss_idmap.getnamebysid(group_sid) The group_sid can be anything, including Domain Users (XXX-513) Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
https://fedorahosted.org/sssd/ticket/2391

apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.

But SID lookups can match either user or group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
user by SID, didn't find the entry and accessed a NULL pointer.

A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)

The group_sid can be anything, including Domain Users (XXX-513)

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
case_sensitivity = preserving 2014-07-29T12:52:06+00:00 Michal Zidek mzidek@redhat.com 2014-07-15T16:10:34+00:00 ff22e829fd73fc53027d1e6ca005a9ac334086dd If case_sensitivity is set to 'preserving', getXXnam returns name attribute in the same format as stored in LDAP. Fixes: https://fedorahosted.org/sssd/ticket/2367 Reviewed-by: Pavel Reichl <preichl@redhat.com> 
If case_sensitivity is set to 'preserving', getXXnam
returns name attribute in the same format as
stored in LDAP.

Fixes:
https://fedorahosted.org/sssd/ticket/2367

Reviewed-by: Pavel Reichl <preichl@redhat.com>