sssd.git/src/providers/ldap, branch nonroot-libcap sssd with jhrozek's patches LDAP: Do not require a dereference control to be retuned in a reply 2014-09-29T17:16:45+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-24T14:43:48+00:00 f3d4b3e03b1505a539977c86b59ff4aa967580d1 When we attempt to request attributes that are not present in the dereferenced links, some serves might not send the dereference control back at all. Be permissive and treat the search as if it didn't find anything. Reviewed-by: Pavel Reichl <preichl@redhat.com> 
When we attempt to request attributes that are not present in
the dereferenced links, some serves might not send the dereference
control back at all. Be permissive and treat the search as if
it didn't find anything.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Fix debug messages - trailing '.' 2014-09-29T16:15:01+00:00 Pavel Reichl preichl@redhat.com 2014-09-27T11:06:44+00:00 c683b8d730f4ec838244147d70a0275d53459aa5 Fix debug messages where '\n' was wrongly followed by '.'. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Fix debug messages where '\n' was wrongly followed by '.'.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
LDAP: Do not clobber return value when multiple controls are returned 2014-09-16T11:39:22+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-15T12:18:17+00:00 6a3ec7ba6f99b027c4c15a360ef0116fe60a0705 We loop over the array of returned controls and set 'ret' based on the control value. In case multiple controls were returned, the 'ret' variable might be clobbered with result of a string-to-int conversion. Reviewed-by: Pavel Reichl <preichl@redhat.com> 
We loop over the array of returned controls and set 'ret' based on the
control value. In case multiple controls were returned, the 'ret'
variable might be clobbered with result of a string-to-int conversion.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Use the alternative objectclass in group maps. 2014-09-15T08:13:00+00:00 Michal Zidek mzidek@redhat.com 2014-09-10T10:56:54+00:00 7ba70236daccb48432350147d0560b3302518cee Use the alternative group objectclass in queries. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Use the alternative group objectclass in queries.

Fixes:
https://fedorahosted.org/sssd/ticket/2436

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Add alternative objectClass to group attribute maps 2014-09-15T08:12:57+00:00 Michal Zidek mzidek@redhat.com 2014-09-10T10:41:16+00:00 6f91c61426c8cfbfec52d5e77ae4650007694e69 In IPA we sometimes need to use posixGroup and sometimes groupOfNames objectclass to query the groups. This patch adds the possibility to specify alternative objectclass in group maps. By default it is only set for IPA. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
In IPA we sometimes need to use posixGroup and
sometimes groupOfNames objectclass to query the
groups. This patch adds the possibility to specify
alternative objectclass in group maps. By
default it is only set for IPA.

Fixes:
https://fedorahosted.org/sssd/ticket/2436

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
LDAP: Always free talloc_req 2014-09-10T16:23:48+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-09T08:45:40+00:00 4113389146cde7034bec7980a7fdf0d50f4c7bf7 On failure, the subreq wasn't freed, which was not a big deal given the parent request would free the subreq anyway, but it's better to follow the usual pattern. Reviewed-by: Simo Sorce <simo@redhat.com> 
On failure, the subreq wasn't freed, which was not a big deal given the
parent request would free the subreq anyway, but it's better to follow
the usual pattern.

Reviewed-by: Simo Sorce <simo@redhat.com>
LDAP: Check return value 2014-09-08T18:49:52+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-08T18:30:25+00:00 d80412010e18d1f48aa402bf7e31a909008edb24 Reported by Coverity Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reported by Coverity

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
LDAP: Skip dereferenced entries that we are not permitted to read 2014-09-08T17:13:26+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-08T09:49:40+00:00 2284e50c801a53541016eb9a5af00d1250d36afb https://fedorahosted.org/sssd/ticket/2421 In case we dereference an entry, for which we have /some/ permissions for reading, but we only request attributes that we can't access, the dereference control only returns the DN. This is also the case with the current version of 389DS for cases where no entries at all are readable. In this case, the server should not return the DN at all, though. This DS bug was tracked as https://fedorahosted.org/389/ticket/47885 Reviewed-by: Michal Židek <mzidek@redhat.com> 
https://fedorahosted.org/sssd/ticket/2421

In case we dereference an entry, for which we have /some/ permissions
for reading, but we only request attributes that we can't access, the
dereference control only returns the DN.

This is also the case with the current version of 389DS for cases where
no entries at all are readable. In this case, the server should not return
the DN at all, though. This DS bug was tracked as
https://fedorahosted.org/389/ticket/47885

Reviewed-by: Michal Židek <mzidek@redhat.com>
AD: process non-posix nested groups using tokenGroups 2014-09-08T16:55:26+00:00 Pavel Reichl preichl@redhat.com 2014-08-22T12:56:32+00:00 4932db6258ccfb612a3a28eb6a618c2f042b9d58 When initgr is performed for AD supporting tokenGroups, do not skip non-posix groups. Resolves: https://fedorahosted.org/sssd/ticket/2343 Reviewed-by: Michal Židek <mzidek@redhat.com> 
When initgr is performed for AD supporting tokenGroups, do not skip
non-posix groups.

Resolves:
https://fedorahosted.org/sssd/ticket/2343

Reviewed-by: Michal Židek <mzidek@redhat.com>
AD: process non-posix nested groups w/o tokenGroups 2014-09-08T16:55:23+00:00 Pavel Reichl preichl@redhat.com 2014-08-21T18:03:08+00:00 981bf55532fbec91a106f82d7daf32094c76dfe0 When initgr is performed for AD not supporting tokenGroups, do not filter out groups without gid attribute or with gid equal to zero. Resolves: https://fedorahosted.org/sssd/ticket/2343 Reviewed-by: Michal Židek <mzidek@redhat.com> 
When initgr is performed for AD not supporting tokenGroups, do not
filter out groups without gid attribute or with gid equal to zero.

Resolves:
https://fedorahosted.org/sssd/ticket/2343

Reviewed-by: Michal Židek <mzidek@redhat.com>