sssd.git/src/providers/ipa, branch tests sssd with jhrozek's patches IPA: Retry fetching keytab if IPA user lookup fails 2015-09-23T21:08:50+00:00 Jakub Hrozek jhrozek@redhat.com 2015-09-17T15:11:34+00:00 42bd89dbe77846b6ee60365bba50da521745bca1 Required for: https://fedorahosted.org/sssd/ticket/2639 Instead of calling ipa_get_ad_acct_send directly, call a new request ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and either tries to request a new keytab every time the lookup fails but the domain is online. be_mark_dom_offline() is called when the retry fails with the new code. The retry tries to re-setup the trusted domain. With two-way setups, the request is a no-op. With one-way trust setups, the request re-fetches new keytab unconditionally. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Required for:
    https://fedorahosted.org/sssd/ticket/2639

Instead of calling ipa_get_ad_acct_send directly, call a new request
ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and
either tries to request a new keytab every time the lookup fails but the
domain is online.

be_mark_dom_offline() is called when the retry fails with the new code.

The retry tries to re-setup the trusted domain. With two-way setups, the
request is a no-op. With one-way trust setups, the request re-fetches
new keytab unconditionally.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA: Change ipa_server_trust_add_send request to be reusable from ID code 2015-09-23T21:08:50+00:00 Jakub Hrozek jhrozek@redhat.com 2015-09-17T15:09:24+00:00 4c53f8b7400630ae06459aa8b5079427edcaa348 Required for: https://fedorahosted.org/sssd/ticket/2639 Expose a request ipa_server_trusted_dom_setup_send that sets up a trusted domain. The setup might include actions like retrieving a keytab for one-way trusts. Creating the AD ID context for the trused domain is now done in the caller of this new request. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Required for:
    https://fedorahosted.org/sssd/ticket/2639

Expose a request ipa_server_trusted_dom_setup_send that sets up a
trusted domain. The setup might include actions like retrieving a keytab
for one-way trusts.

Creating the AD ID context for the trused domain is now done in the
caller of this new request.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA PROVIDER: Resolve nested netgroup membership 2015-09-22T12:43:26+00:00 Petr Cech pcech@redhat.com 2015-09-02T15:51:12+00:00 e6595222c41af84288d303e8d464ce45b1408ed3 Informations about usergroup membership are stored in memberOf attribute. And informations about hostgroup membership are stored in originalMemberOf. This patch add appropriate memberOf attributes for searching in. Ticket: https://fedorahosted.org/sssd/ticket/2275 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Informations about usergroup membership are stored in memberOf
attribute. And informations about hostgroup membership are stored
in originalMemberOf.
This patch add appropriate memberOf attributes
for searching in.

Ticket: https://fedorahosted.org/sssd/ticket/2275

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA: Do not allow the AD lookup code to set backend as offline in server mode 2015-09-21T15:04:17+00:00 Jakub Hrozek jhrozek@redhat.com 2015-09-02T11:41:26+00:00 20162352030d1c577bb69d44e967d2c5839e5c0e https://fedorahosted.org/sssd/ticket/2637 In server mode, we should not allow the AD lookups to set the backend offline. Rather just let them report an error and deal with the error separately. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
https://fedorahosted.org/sssd/ticket/2637

In server mode, we should not allow the AD lookups to set the backend
offline. Rather just let them report an error and deal with the error
separately.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
UTIL: Convert domain->disabled into tri-state with domain states 2015-09-21T15:03:01+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-18T15:15:44+00:00 b5825c74b6bf7a99ae2172392dbecb51179013a6 Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Required for:
https://fedorahosted.org/sssd/ticket/2637

This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.

Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
sssd: incorrect checks on length values during packet decoding 2015-08-31T16:34:26+00:00 Michal Židek mzidek@redhat.com 2015-07-22T14:35:35+00:00 9f0bffebd070115ab47a92eadc6890a721c7b78d https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com> 
https://fedorahosted.org/sssd/ticket/1697

It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.

Reviewed-by: Petr Cech <pcech@redhat.com>
DYNDNS: remove zone command 2015-08-14T21:54:44+00:00 Pavel Reichl preichl@redhat.com 2015-07-23T09:30:34+00:00 4f2a07c422fa357ef6651bca8c48b8005280fa1d Remove zone command from message to nsupsate. This command is generally used to hint nsupdate. In correctly configured environment such information should be obtained via DNS. If DNS does not provide necessary information we give other hints. For more details see: https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Remove zone command from message to nsupsate. This command is generally
used to hint nsupdate. In correctly configured environment such
information should be obtained via DNS.

If DNS does not provide necessary information we give other hints.

For more details see:
https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate

Resolves:
https://fedorahosted.org/sssd/ticket/2495

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
DYNDNS: Add a new option dyndns_server 2015-08-14T21:51:02+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-06T20:53:27+00:00 8145ab51b05aa86b2f1a21b49383f55e50b0a2e3 Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates. This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message. Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.

This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
IPA: Always re-fetch the keytab from the IPA server 2015-08-14T21:44:18+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-24T11:13:08+00:00 db5f9ab3feb85aa444eab20428ca2b98801b6783 Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists. This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Even if a keytab for one-way trust exists, re-fetch the keytab again and
try to use it. Fall back to the previous one if it exists.

This is in order to allow the admin to re-establish the trust keytabs
with a simple sssd restart.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Change the default of ldap_user_certificate to userCertificate;binary 2015-08-14T21:24:27+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-10T10:40:39+00:00 619e21ed9c7a71e35e53f38867b53ed974f1d36a This is safe from ldb point of view, because ldb gurantees the data is NULL-terminated. We must be careful before we save the data, though. Resolves: https://fedorahosted.org/sssd/ticket/2742 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This is safe from ldb point of view, because ldb gurantees the data is
NULL-terminated. We must be careful before we save the data, though.

Resolves:
https://fedorahosted.org/sssd/ticket/2742

Reviewed-by: Pavel Březina <pbrezina@redhat.com>