sssd.git/src/providers/ldap, branch mdbtest sssd with jhrozek's patches IPA: allow initgroups by SID for AD users 2015-04-29T09:33:22+00:00 Sumit Bose sbose@redhat.com 2015-04-22T14:57:37+00:00 f70a1adbfc30b9acc302027439fb8157e0c6ea2a If a user from a trusted AD domain is search with the help of an override name the SID from the override anchor is used to search the user in AD. Currently the initgroups request only allows searches by name. With this patch a SID can be used as well. Resolves https://fedorahosted.org/sssd/ticket/2632 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name.  With this patch a SID can be used as well.

Resolves https://fedorahosted.org/sssd/ticket/2632

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SDAP: Filter ad groups in initgroups 2015-04-14T11:13:30+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-13T07:50:29+00:00 b9fbeb75e7a4f50f98d979a70a710f9221892483 Function sdap_add_incomplete_groups stored domain local groups from subdomain as POSIX group, which should not be done. Resolves: https://fedorahosted.org/sssd/ticket/2614 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Function sdap_add_incomplete_groups stored domain local groups
from subdomain as POSIX group, which should not be done.

Resolves:
https://fedorahosted.org/sssd/ticket/2614

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SDAP: Extract filtering AD group to function 2015-04-14T11:13:23+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-13T07:44:35+00:00 bad2fc8133d941e5a6c8d8016c9689e039265c61 Patch remove code duplication. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Patch remove code duplication.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SDAP: Do not set gid 0 twice 2015-04-14T11:13:16+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-10T12:33:35+00:00 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908 The gid o was added to sysdb attrs directly in sdap_save_group for 1st time and for second time in the function sdap_store_group_with_gid, which was called every time from function sdap_save_group [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) [sysdb_store_group] (0x1000): sysdb_set_group_attr failed. [sysdb_store_group] (0x0400): Error: 17 (File exists) [sdap_store_group_with_gid] (0x0040): Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com [sdap_save_group] (0x0080): Could not store group with GID: [File exists] [sdap_save_group] (0x0080): Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
The gid o was added to sysdb attrs directly in sdap_save_group for 1st time
and for second time in the function sdap_store_group_with_gid,
which was called every time from function sdap_save_group

[sysdb_set_entry_attr] (0x0080): ldb_modify failed:
    [Attribute or value exists](20)[attribute 'gidNumber': value #1
    on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
[sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
[sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
[sysdb_store_group] (0x0400): Error: 17 (File exists)
[sdap_store_group_with_gid] (0x0040):
    Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com
[sdap_save_group] (0x0080): Could not store group with GID: [File exists]
[sdap_save_group] (0x0080):
    Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists]
[sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
LDAP: Set sdap handle as explicitly connected in LDAP auth 2015-04-08T13:15:07+00:00 Jakub Hrozek jhrozek@redhat.com 2015-04-07T11:06:56+00:00 450c2b78ff0bd5044c4c73f32ca8459b211dd446 In case SSSD is set with id_provider=proxy and auth_provider=ldap, the LDAP provider is not used to retrieve the user info with the higher-level calls, but the lower-level connection establishment is used instead. In this case, we need to make sure to mark the connection as explicitly connected to be notified about results of looking up the DN. Resolves: https://fedorahosted.org/sssd/ticket/2620 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
In case SSSD is set with id_provider=proxy and auth_provider=ldap, the
LDAP provider is not used to retrieve the user info with the
higher-level calls, but the lower-level connection establishment is used
instead. In this case, we need to make sure to mark the connection as
explicitly connected to be notified about results of looking up the DN.

Resolves:
https://fedorahosted.org/sssd/ticket/2620

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
enumeration: fix talloc context 2015-04-08T09:22:09+00:00 Pavel Březina pbrezina@redhat.com 2015-03-25T11:08:04+00:00 725bb2a9901c4f673b107ed179f5d68ec443ca63 If for some reason ptask fails (e.g. timeout), req is talloc freed but because subreq is attached to ectx which is permanent it is finished anyway. Then a crash occures when we are trying to access callback data. The same happens in sdap_dom_enum_ex_send. Resolves: https://fedorahosted.org/sssd/ticket/2611 Reviewed-by: Pavel Reichl <preichl@redhat.com> 
If for some reason ptask fails (e.g. timeout), req is talloc freed
but because subreq is attached to ectx which is permanent it is
finished anyway. Then a crash occures when we are trying to access
callback data.

The same happens in sdap_dom_enum_ex_send.

Resolves:
https://fedorahosted.org/sssd/ticket/2611

Reviewed-by: Pavel Reichl <preichl@redhat.com>
LDAP: fix a typo in debug message 2015-03-26T10:23:26+00:00 Pavel Reichl preichl@redhat.com 2015-03-24T16:14:50+00:00 871f340834f25ca92a481718939164e708a70e29 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
ldap: refactor nds_check_expired to use util func 2015-03-23T11:07:03+00:00 Pavel Reichl preichl@redhat.com 2015-03-16T10:51:37+00:00 08f83281cf4b0f35e8569851fae7364e140371f9 Refactor nds_check_expired() to use utility function sss_utc_to_time_t(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Refactor nds_check_expired() to use utility function sss_utc_to_time_t().

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
ldap: refactor check_pwexpire_kerberos to use util func 2015-03-23T11:06:59+00:00 Pavel Reichl preichl@redhat.com 2015-03-16T10:38:43+00:00 0ec41ab7d3fbb021967de16ea000c69dcedf7cb5 Refactor check_pwexpire_kerberos() to use utility function sss_utc_to_time_t(). Modify test to handle new error code ERR_TIMESPEC_NOT_SUPPORTED Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Refactor check_pwexpire_kerberos() to use utility function
sss_utc_to_time_t().

Modify test to handle new error code ERR_TIMESPEC_NOT_SUPPORTED

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
TESTS: test expiration 2015-03-23T11:06:51+00:00 Pavel Reichl preichl@redhat.com 2015-03-06T09:29:24+00:00 50b8a36b0932a510e825ed1ad8103f81ead2b7d8 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>