sssd.git/src/providers, branch nonroot-libcap

SBUS: Chown the sbus socket if needed

2014-10-07T17:51:11+00:00

SSSD: Add the possibility to specify a UID and GID to run as

2014-10-07T11:48:05+00:00

UTIL: Do not depend on monitor code

2014-10-07T11:48:05+00:00

Just moves code around. There should be a way to use the server.c module
without linking the monitor code.

UTIL: Move become_user outside krb5 tree

2014-10-07T11:48:04+00:00

In order for several other SSSD processes to run as a non-root user, we
need to move the functions to become another user to a shared space in
our source tree.

GPO: remove unused talloc contexts

2014-10-03T14:25:25+00:00

Talloc context was not used in functions ad_gpo_parse_gpo_child_response
ad_gpo_process_cse_recv, ad_gpo_store_policy_settings.

Reviewed-by: Stephen Gallagher

GPO: Use argument ndg_flags instead of constant

2014-10-03T14:25:00+00:00

Some internal gpo functions [1] were called just once and with constant
NDR_SCALARS as 2nd argument(ndr_flags), but 2nd argument was not used
in these functions[1]. They used constant NDR_SCALARS.

[1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type,
    ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision,
    ndr_pull_security_descriptor_revision, ndr_pull_security_descriptor_type

Reviewed-by: Stephen Gallagher

AD-GPO resolve conflicting policy settings correctly

2014-10-02T12:13:39+00:00

Resolves:
https://fedorahosted.org/sssd/ticket/2437

Reviewed-by: Stephen Gallagher

AD GPO: Fix incorrect return of EACCES

2014-10-02T12:13:16+00:00

In the access providers, we expect to receive ERR_ACCESS_DENIED when
access is denied, but we were returning EACCES here. The effect was the
same, except that it presented ultimately as a system error instead of
a proper denial.

Related:
https://fedorahosted.org/sssd/ticket/2437

Reviewed-by: Jakub Hrozek

IPA: add support for new extdom plugin version

2014-09-30T16:24:53+00:00

Initially the extdom plugin was only used to translate SIDs of AD user
and groups to names or POSIX IDs. On IPA clients group memberships were
resolved with the help of the PAC in the Kerberos ticket which required
that the user has logged in at least once. Home directory and the login
shell were auto generated.

The new version of the extdom plugin can return the complete list of
group memberships of a user and the list of all members of a group.
Additionally the gecos field, home directory and login shell are
returned together with an optional list of key-value pairs for arbitrary
data which is written unmodified to the cache.

Fixes https://fedorahosted.org/sssd/ticket/2159
  and https://fedorahosted.org/sssd/ticket/2041

Reviewed-by: Jakub Hrozek

LDAP: Do not require a dereference control to be retuned in a reply

2014-09-29T17:16:45+00:00

When we attempt to request attributes that are not present in
the dereferenced links, some serves might not send the dereference
control back at all. Be permissive and treat the search as if
it didn't find anything.

Reviewed-by: Pavel Reichl