sssd.git/src/providers/ldap/sdap.c, branch nonroot-libcap sssd with jhrozek's patches Use the alternative objectclass in group maps. 2014-09-15T08:13:00+00:00 Michal Zidek mzidek@redhat.com 2014-09-10T10:56:54+00:00 7ba70236daccb48432350147d0560b3302518cee Use the alternative group objectclass in queries. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Use the alternative group objectclass in queries.

Fixes:
https://fedorahosted.org/sssd/ticket/2436

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
LDAP: Skip dereferenced entries that we are not permitted to read 2014-09-08T17:13:26+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-08T09:49:40+00:00 2284e50c801a53541016eb9a5af00d1250d36afb https://fedorahosted.org/sssd/ticket/2421 In case we dereference an entry, for which we have /some/ permissions for reading, but we only request attributes that we can't access, the dereference control only returns the DN. This is also the case with the current version of 389DS for cases where no entries at all are readable. In this case, the server should not return the DN at all, though. This DS bug was tracked as https://fedorahosted.org/389/ticket/47885 Reviewed-by: Michal Židek <mzidek@redhat.com> 
https://fedorahosted.org/sssd/ticket/2421

In case we dereference an entry, for which we have /some/ permissions
for reading, but we only request attributes that we can't access, the
dereference control only returns the DN.

This is also the case with the current version of 389DS for cases where
no entries at all are readable. In this case, the server should not return
the DN at all, though. This DS bug was tracked as
https://fedorahosted.org/389/ticket/47885

Reviewed-by: Michal Židek <mzidek@redhat.com>
LDAP: Fall back to functional level of Windows Server 2003 2014-09-01T11:41:59+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-27T15:21:26+00:00 0fafb51756913e78dbf523a69fc3a4ef2bac54ec The newest functional level we branch for is currently DS_BEHAVIOR_WIN2003. Therefore (and also because extended support for Windows server 2003 ends in 2015) we can safely set the functional level to 2003 if the attribute is present but not a known value. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The newest functional level we branch for is currently
DS_BEHAVIOR_WIN2003. Therefore (and also because extended support for
Windows server 2003 ends in 2015) we can safely set the functional level
to 2003 if the attribute is present but not a known value.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: Add Windows Server 2012 R2 functional level 2014-09-01T11:41:51+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-27T15:14:07+00:00 9ea0969f6a9e52b7c57feb5808266b0739ee40a4 https://fedorahosted.org/sssd/ticket/2418 According to http://msdn.microsoft.com/en-us/library/cc223272.aspx a Windows Server 2012 R2 has a functional level set to '6'. We need to support that value in order for tokenGroups to be functional. For more information on the functional levels, please refer to: http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
https://fedorahosted.org/sssd/ticket/2418

According to http://msdn.microsoft.com/en-us/library/cc223272.aspx a
Windows Server 2012 R2 has a functional level set to '6'. We need to
support that value in order for tokenGroups to be functional.

For more information on the functional levels, please refer to:
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SDAP: Free bervals on failure in sdap_parse_entry 2014-07-08T18:28:13+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-07T19:55:14+00:00 5ab0dedd52d248b2cf2eb028338919bc0046e2a9 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Reviewed-by: Michal Židek <mzidek@redhat.com>
SDAP: Remove unused function sdap_get_msg_dn 2014-07-08T18:28:11+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-07T19:33:32+00:00 88eac3adf8424b65195e725ff724c79d38500e1d This function was not used since 2009. Unused and untested function would just rot, better to remove it completely. Reviewed-by: Michal Židek <mzidek@redhat.com> 
This function was not used since 2009. Unused and untested function
would just rot, better to remove it completely.

Reviewed-by: Michal Židek <mzidek@redhat.com>
LDAP: Remove unused output parameter _dn from sdap_parse_entry 2014-07-08T18:28:09+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-07T19:29:05+00:00 34de8a00f5b480ef3f46d2516e072e4acf1ebf87 No caller directly accessed this parameter. Moreover, it seemed useless since the same data is available as SYSDB_ORIGINAL_DN in the attributes. Reviewed-by: Michal Židek <mzidek@redhat.com> 
No caller directly accessed this parameter. Moreover, it seemed useless
since the same data is available as SYSDB_ORIGINAL_DN in the attributes.

Reviewed-by: Michal Židek <mzidek@redhat.com>
SDAP: Fix DEBUG message priorities in sdap_parse_entry 2014-07-08T18:28:06+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-07T19:23:23+00:00 004b3589f85808bcfcb0019aa92e47d3ce4017c9 While I was changing the sdap_parse_entry function, I also realized that some of the DEBUG messages were converted to the #defines, but their level was still not accurate. This patch fixes the DEBUG levels and indentation around them. Reviewed-by: Michal Židek <mzidek@redhat.com> 
While I was changing the sdap_parse_entry function, I also realized that
some of the DEBUG messages were converted to the #defines, but their
level was still not accurate. This patch fixes the DEBUG levels and
indentation around them.

Reviewed-by: Michal Židek <mzidek@redhat.com>
LDAP: Try all attributes when saving an entry 2014-07-08T18:28:03+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-04T14:58:11+00:00 eed2073f6f7bed7df0327b9fc0f2d410975d5332 The same LDAP attribute might be used several times for the same user or group attribute. For instance, some servers have a global "ID" number that should be used for both UID and GID. However, our sdap_parse_entry() function only copied the LDAP attribute to the first matching sysdb attribute. This patch adds a second nested loop that checks if any of the other LDAP attributes are eligible. Reviewed-by: Michal Židek <mzidek@redhat.com> 
The same LDAP attribute might be used several times for the same user or
group attribute. For instance, some servers have a global "ID" number
that should be used for both UID and GID. However, our
sdap_parse_entry() function only copied the LDAP attribute to the first
matching sysdb attribute.

This patch adds a second nested loop that checks if any of the other
LDAP attributes are eligible.

Reviewed-by: Michal Židek <mzidek@redhat.com>
Make LDAP extra attributes available to IPA and AD 2014-05-02T11:34:54+00:00 Sumit Bose sbose@redhat.com 2013-08-12T15:06:18+00:00 d2969c6b23c722445bd699c830adb7601ba1cdc6 https://fedorahosted.org/sssd/ticket/2073 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
https://fedorahosted.org/sssd/ticket/2073

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>