sssd.git/src/providers/ipa, branch pwrap sssd with jhrozek's patches HBAC: remove misleading comment about deny rules 2015-10-08T18:46:13+00:00 Pavel Reichl preichl@redhat.com 2015-10-05T13:39:29+00:00 046b063e73e6f2a1bb0e2e1e654ed777b5276edc HBAC deny rules are no longer supported. This comment should have been removed as part of 'Remove HBAC DENY rules from SSSD' https://fedorahosted.org/sssd/ticket/912 Reviewed-by: Michal Židek <mzidek@redhat.com> 
HBAC deny rules are no longer supported. This comment should have
been removed as part of 'Remove HBAC DENY rules from SSSD'

https://fedorahosted.org/sssd/ticket/912

Reviewed-by: Michal Židek <mzidek@redhat.com>
AD: Provide common connection list construction functions 2015-10-07T10:42:03+00:00 Jakub Hrozek jhrozek@redhat.com 2015-10-01T11:13:05+00:00 309aa83d16b5919f727af04850bcd0799ba0962f https://fedorahosted.org/sssd/ticket/2810 Provides a new AD common function ad_ldap_conn_list() that creates a list of AD connection to use along with properties to avoid mistakes when manually constructing these lists. Reviewed-by: Sumit Bose <sbose@redhat.com> 
https://fedorahosted.org/sssd/ticket/2810

Provides a new AD common function ad_ldap_conn_list() that creates a
list of AD connection to use along with properties to avoid mistakes
when manually constructing these lists.

Reviewed-by: Sumit Bose <sbose@redhat.com>
DYNDNS: use realm and server commands only as fallback 2015-10-05T18:59:44+00:00 Pavel Reichl preichl@redhat.com 2015-07-23T14:51:50+00:00 12a1c64105ff56b39e197264fec2d9aba6b84185 Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/2495

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: fix minor memory leak 2015-10-02T10:50:33+00:00 Pavel Reichl preichl@redhat.com 2015-09-04T11:03:45+00:00 a2d6d4db64a7c3b27dea22fe52245925d688bd2d Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
HBAC: Better libhbac debugging 2015-10-01T19:37:30+00:00 Petr Cech pcech@redhat.com 2015-07-24T14:56:49+00:00 65ce66c43141f7e5c8482a8f8e7e217a23791588 Added support for logging via external log function. Log provides information about rules evaluating (HBAC_DBG_INFO level) and additionally can describe rules (HBAC_DBG_TRACE level). Resolves: https://fedorahosted.org/sssd/ticket/2703 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com> 
Added support for logging via external log function.
Log provides information about rules evaluating (HBAC_DBG_INFO level)
and additionally can describe rules (HBAC_DBG_TRACE level).

Resolves:
https://fedorahosted.org/sssd/ticket/2703

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
IPA: Retry fetching keytab if IPA user lookup fails 2015-09-23T21:08:50+00:00 Jakub Hrozek jhrozek@redhat.com 2015-09-17T15:11:34+00:00 42bd89dbe77846b6ee60365bba50da521745bca1 Required for: https://fedorahosted.org/sssd/ticket/2639 Instead of calling ipa_get_ad_acct_send directly, call a new request ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and either tries to request a new keytab every time the lookup fails but the domain is online. be_mark_dom_offline() is called when the retry fails with the new code. The retry tries to re-setup the trusted domain. With two-way setups, the request is a no-op. With one-way trust setups, the request re-fetches new keytab unconditionally. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Required for:
    https://fedorahosted.org/sssd/ticket/2639

Instead of calling ipa_get_ad_acct_send directly, call a new request
ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and
either tries to request a new keytab every time the lookup fails but the
domain is online.

be_mark_dom_offline() is called when the retry fails with the new code.

The retry tries to re-setup the trusted domain. With two-way setups, the
request is a no-op. With one-way trust setups, the request re-fetches
new keytab unconditionally.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA: Change ipa_server_trust_add_send request to be reusable from ID code 2015-09-23T21:08:50+00:00 Jakub Hrozek jhrozek@redhat.com 2015-09-17T15:09:24+00:00 4c53f8b7400630ae06459aa8b5079427edcaa348 Required for: https://fedorahosted.org/sssd/ticket/2639 Expose a request ipa_server_trusted_dom_setup_send that sets up a trusted domain. The setup might include actions like retrieving a keytab for one-way trusts. Creating the AD ID context for the trused domain is now done in the caller of this new request. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Required for:
    https://fedorahosted.org/sssd/ticket/2639

Expose a request ipa_server_trusted_dom_setup_send that sets up a
trusted domain. The setup might include actions like retrieving a keytab
for one-way trusts.

Creating the AD ID context for the trused domain is now done in the
caller of this new request.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA PROVIDER: Resolve nested netgroup membership 2015-09-22T12:43:26+00:00 Petr Cech pcech@redhat.com 2015-09-02T15:51:12+00:00 e6595222c41af84288d303e8d464ce45b1408ed3 Informations about usergroup membership are stored in memberOf attribute. And informations about hostgroup membership are stored in originalMemberOf. This patch add appropriate memberOf attributes for searching in. Ticket: https://fedorahosted.org/sssd/ticket/2275 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Informations about usergroup membership are stored in memberOf
attribute. And informations about hostgroup membership are stored
in originalMemberOf.
This patch add appropriate memberOf attributes
for searching in.

Ticket: https://fedorahosted.org/sssd/ticket/2275

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA: Do not allow the AD lookup code to set backend as offline in server mode 2015-09-21T15:04:17+00:00 Jakub Hrozek jhrozek@redhat.com 2015-09-02T11:41:26+00:00 20162352030d1c577bb69d44e967d2c5839e5c0e https://fedorahosted.org/sssd/ticket/2637 In server mode, we should not allow the AD lookups to set the backend offline. Rather just let them report an error and deal with the error separately. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
https://fedorahosted.org/sssd/ticket/2637

In server mode, we should not allow the AD lookups to set the backend
offline. Rather just let them report an error and deal with the error
separately.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
UTIL: Convert domain->disabled into tri-state with domain states 2015-09-21T15:03:01+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-18T15:15:44+00:00 b5825c74b6bf7a99ae2172392dbecb51179013a6 Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Required for:
https://fedorahosted.org/sssd/ticket/2637

This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.

Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>