sssd.git/src/providers/ldap/sdap_async_initgroups.c, branch dpstr sssd with jhrozek's patches LDAP: remove unused param. in sdap_fallback_local_user 2015-10-12T12:46:59+00:00 Pavel Reichl preichl@redhat.com 2015-10-11T20:42:30+00:00 8b789d6f0a39cd497d1115203db2f1f8dc195456 Remove unused sdap_options parameter. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Remove unused sdap_options parameter.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SDAP: Log failure from sysdb_handle_original_uuid 2015-06-14T19:32:33+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-06-04T13:36:21+00:00 56e88cd5f3501566778b138e4934ee8e7f3fa674 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Reviewed-by: Michal Židek <mzidek@redhat.com>
SDAP: Remove unnecessary argument from sdap_save_user 2015-05-22T10:31:01+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-05-15T13:22:47+00:00 dca741129d221558a4325479aefc617240f1ab08 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: allow initgroups by UUID for FreeIPA users 2015-05-06T08:43:59+00:00 Sumit Bose sbose@redhat.com 2015-04-29T14:46:14+00:00 0f9c28eb52d2b45c8a97f709308dc11377831b8c If a FreeIPA user is searched with the help of an override name the UUID from the override anchor is used to search the user. Currently the initgroups request only allows searches by SID or name. With this patch a UUID can be used as well. Related to https://fedorahosted.org/sssd/ticket/2642 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.

Related to https://fedorahosted.org/sssd/ticket/2642

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: allow initgroups by SID for AD users 2015-04-29T09:33:22+00:00 Sumit Bose sbose@redhat.com 2015-04-22T14:57:37+00:00 f70a1adbfc30b9acc302027439fb8157e0c6ea2a If a user from a trusted AD domain is search with the help of an override name the SID from the override anchor is used to search the user in AD. Currently the initgroups request only allows searches by name. With this patch a SID can be used as well. Resolves https://fedorahosted.org/sssd/ticket/2632 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name.  With this patch a SID can be used as well.

Resolves https://fedorahosted.org/sssd/ticket/2632

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SDAP: Filter ad groups in initgroups 2015-04-14T11:13:30+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-13T07:50:29+00:00 b9fbeb75e7a4f50f98d979a70a710f9221892483 Function sdap_add_incomplete_groups stored domain local groups from subdomain as POSIX group, which should not be done. Resolves: https://fedorahosted.org/sssd/ticket/2614 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Function sdap_add_incomplete_groups stored domain local groups
from subdomain as POSIX group, which should not be done.

Resolves:
https://fedorahosted.org/sssd/ticket/2614

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sdap: properly handle binary objectGuid attribute 2015-03-20T11:26:47+00:00 Sumit Bose sbose@redhat.com 2015-02-17T03:41:21+00:00 1d93029624d708119bbf803e6647a2cbb271f001 Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.

This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.

Resolves https://fedorahosted.org/sssd/ticket/2588

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Add missing new lines to debug messages 2015-03-17T13:40:19+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-02-17T15:40:01+00:00 87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
LDAP/AD: do not resolve group members during tokenGroups request 2015-03-17T10:52:29+00:00 Sumit Bose sbose@redhat.com 2015-03-09T15:36:29+00:00 d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1 During initgroups requests we try to avoid to resolve the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup return the complete list of memberships for a user hence it is not necessary lookup the other group member and un-roll nested groups. With this patch only the group entry is looked up and saved as incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true groups which are missing in the cache are created a incomplete groups. As a result a request to lookup this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests. https://fedorahosted.org/sssd/ticket/2601 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
During initgroups requests we try to avoid to resolve the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup return the complete list of memberships for
a user hence it is not necessary lookup the other group member and
un-roll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.

This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created a incomplete groups. As a result a request to lookup this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.

https://fedorahosted.org/sssd/ticket/2601

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
LDAP: Add UUID when saving incomplete groups 2015-01-30T11:40:50+00:00 Jakub Hrozek jhrozek@redhat.com 2015-01-27T15:02:33+00:00 108db0e3b9e06e530364ef8228634f5e3f6bd3b5 Related to: https://fedorahosted.org/sssd/ticket/2571 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Related to:
https://fedorahosted.org/sssd/ticket/2571

Reviewed-by: Sumit Bose <sbose@redhat.com>