sssd.git/src/providers/ldap/ldap_init.c, branch nonroot-libcap sssd with jhrozek's patches SDAP: account lockout to restrict access via ssh key 2014-08-27T12:25:08+00:00 Pavel Reichl preichl@redhat.com 2014-08-01T16:44:24+00:00 2a91d3dd0ce4387332db27bd1a0c0005c74f870e Be able to configure sssd to honor openldap account lock to restrict access via ssh key. Introduce new ldap_access_order value ('lock') for enabling/disabling this feature. Account is considered locked if pwdAccountLockedTime attribut has value of 000001010000Z. ------------------------------------------------------------------------ Quotation from man slapo-ppolicy: pwdAccountLockedTime This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE". ------------------------------------------------------------------------ Also set default value for sdap_pwdlockout_dn to cn=ppolicy,ou=policies,${search_base} Resolves: https://fedorahosted.org/sssd/ticket/2364 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Be able to configure sssd to honor openldap account lock to restrict
access via ssh key. Introduce new ldap_access_order value ('lock')
for enabling/disabling this feature.

Account is considered locked if pwdAccountLockedTime attribut has value
of 000001010000Z.

------------------------------------------------------------------------
Quotation from man slapo-ppolicy:

pwdAccountLockedTime

This attribute contains the time that the user's account was locked. If
the account has been locked, the password may no longer be used to
authenticate the user to the  directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
------------------------------------------------------------------------

Also set default value for sdap_pwdlockout_dn to
cn=ppolicy,ou=policies,${search_base}

Resolves:
https://fedorahosted.org/sssd/ticket/2364

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: Setup periodic task only once. 2014-02-26T09:28:30+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-02-12T13:33:49+00:00 057cb583f02bf47678c393cb8f1f74861c2b960b If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init If you enable enumeration and use different providers for id and sudo(autofs) then another periodic task will be scheduled. This can cause weird behaviour (e.g. missing members of group) Perodic tasks will be started only by id_provider. Resolves: https://fedorahosted.org/sssd/ticket/2153 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init
If you enable enumeration and use different providers for id and sudo(autofs)
then another periodic task will be scheduled.
This can cause weird behaviour (e.g. missing members of group)

Perodic tasks will be started only by id_provider.

Resolves:
https://fedorahosted.org/sssd/ticket/2153

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Update DEBUG* invocations to use new levels 2014-02-12T21:31:02+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2014-02-12T15:12:59+00:00 83bf46f4066e3d5e838a32357c201de9bd6ecdfd Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:

grep -rl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e 'use strict;
                 use File::Slurp;
                 my @map=qw"
                    SSSDBG_FATAL_FAILURE
                    SSSDBG_CRIT_FAILURE
                    SSSDBG_OP_FAILURE
                    SSSDBG_MINOR_FAILURE
                    SSSDBG_CONF_SETTINGS
                    SSSDBG_FUNC_DATA
                    SSSDBG_TRACE_FUNC
                    SSSDBG_TRACE_LIBS
                    SSSDBG_TRACE_INTERNAL
                    SSSDBG_TRACE_ALL
                 ";
                 my $text=read_file(\*STDIN);
                 my $repl;
                 $text=~s/
                            ^
                            (
                                .*
                                \b
                                (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                                \s*
                                \(\s*
                            )(
                                [0-9]
                            )(
                                \s*,
                            )
                            (
                                \s*
                            )
                            (
                                .*
                            )
                            $
                         /
                            $repl = $1.$map[$3].$4.$5.$6,
                            length($repl) <= 80
                                ? $repl
                                : $1.$map[$3].$4."\n".(" " x length($1)).$6
                         /xmge;
                 print $text;
        ' < "$f.orig" > "$f"
        rm "$f.orig"
    done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Make DEBUG macro invocations variadic 2014-02-12T21:30:55+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2014-02-12T15:12:04+00:00 a3c8390d19593b1e5277d95bfb4ab206d4785150 Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.

This script was used to update the code:

grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
LDAP: Prevent from using uninitialized sdap_options 2013-11-14T18:41:18+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-11-13T07:32:23+00:00 a7767459b4c7fea7022db0f468730ba3fceec679 ldap_get_options can fail in time of ldap back end initialisation and then sssd try to release uninitialised sdap_options. Resolves: https://fedorahosted.org/sssd/ticket/2147 
ldap_get_options can fail in time of ldap back end initialisation
and then sssd try to release uninitialised sdap_options.

Resolves:
https://fedorahosted.org/sssd/ticket/2147
AD: Use the ad_access_filter if it's set 2013-10-25T19:02:43+00:00 Jakub Hrozek jhrozek@redhat.com 2013-10-07T16:02:04+00:00 efe6b4a9d374339cac2528cdeb43720957c6b7c9 Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically. 
Related:
https://fedorahosted.org/sssd/ticket/2082

Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.
LDAP: Make sdap_id_setup_tasks reusable for subdomains 2013-08-28T16:06:57+00:00 Jakub Hrozek jhrozek@redhat.com 2013-08-22T09:03:01+00:00 1c4144a6ce68dbd54c7c08a517d1f982ea57f19a Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well. 
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.
providers: refresh expired netgroups 2013-06-10T18:30:57+00:00 Pavel Březina pbrezina@redhat.com 2013-05-14T13:00:05+00:00 7b5e7e539ae9312ab55d75aa94feaad549b2a708 https://fedorahosted.org/sssd/ticket/1713 
https://fedorahosted.org/sssd/ticket/1713
LDAP: new SDAP domain structure 2013-06-06T22:14:13+00:00 Jakub Hrozek jhrozek@redhat.com 2013-05-27T06:48:02+00:00 749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain. 
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.

This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
LDAP: sdap_id_ctx might contain several connections 2013-06-06T22:14:12+00:00 Jakub Hrozek jhrozek@redhat.com 2013-05-21T15:18:03+00:00 dcb44c39dda9699cdd6488fd116a51ced0687de3 With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches. 
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.

At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.

No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.