sssd.git/src/responder, branch nonroot sssd with jhrozek's patches Fix: always check return value of unlink() 2014-11-28T15:16:37+00:00 Pavel Reichl preichl@redhat.com 2014-11-28T13:17:44+00:00 aff8b0e3b41644c70704b78e15501779d52b6ff4 Resolves: https://fedorahosted.org/sssd/ticket/2506 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/2506

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PAM: Move is_uid_trusted from pam_ctx to preq 2014-11-25T17:48:34+00:00 Jakub Hrozek jhrozek@redhat.com 2014-11-23T20:07:58+00:00 ff7481ff6f75d92470cff56632ad06ff7f10e895 Keeping a per-request flag in a global structure is really dangerous. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Keeping a per-request flag in a global structure is really dangerous.

Reviewed-by: Sumit Bose <sbose@redhat.com>
PAM: Check for trusted domain before sending the request to BE 2014-11-25T17:48:11+00:00 Jakub Hrozek jhrozek@redhat.com 2014-11-23T18:43:04+00:00 fb106682e0277955e203ad074a368ddeb121fed3 https://fedorahosted.org/sssd/ticket/2501 Moving the checks to one place has the advantage of not duplicating security decisions. Previously, the checks were scattered all over the responder code, making testing hard. The disadvantage is that we actually check for the presence of the user, which might trigger some back end lookups. But I think the benefits overweight the disadvantage. Also only check the requested domains from a trusted client. An untrusted client should simply have no say in what domains he wants to talk to, it should ignore the 'domains' option. Reviewed-by: Sumit Bose <sbose@redhat.com> 
https://fedorahosted.org/sssd/ticket/2501

Moving the checks to one place has the advantage of not duplicating
security decisions. Previously, the checks were scattered all over the
responder code, making testing hard.

The disadvantage is that we actually check for the presence of the user,
which might trigger some back end lookups. But I think the benefits
overweight the disadvantage.

Also only check the requested domains from a trusted client. An untrusted
client should simply have no say in what domains he wants to talk to, it
should ignore the 'domains' option.

Reviewed-by: Sumit Bose <sbose@redhat.com>
PAM: Make pam_forwarder_parse_data static 2014-11-24T20:22:48+00:00 Jakub Hrozek jhrozek@redhat.com 2014-11-22T16:59:28+00:00 ca92e649ed6501c225782f59914a2c506026c10c Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Reviewed-by: Pavel Reichl <preichl@redhat.com>
NSS: Fix warning enumerated type mixed with another type 2014-11-10T09:31:23+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-11-06T13:06:03+00:00 1a818ee8e01136166e7f2b37a441e7e779c6b1f4 src/responder/nss/nsssrv_cmd.c:688: mixed_enum_type: enumerated type mixed with another type "enum sss_dp_acct_type" was mixed with type "int". ANSI C is not very strict in this. Reviewed-by: Michal Židek <mzidek@redhat.com> 
src/responder/nss/nsssrv_cmd.c:688: mixed_enum_type: enumerated type mixed with
another type

"enum sss_dp_acct_type" was mixed with type "int". ANSI C is not very
strict in this.

Reviewed-by: Michal Židek <mzidek@redhat.com>
Add ssh pubkey to origbyname request 2014-11-05T14:26:47+00:00 Sumit Bose sbose@redhat.com 2014-11-04T12:58:39+00:00 f9f513ee1dd4ca10ab980a180d0468ae5167d021 Since the IPA clients expects that the extdom plugin delivers the default view data for a given user this patch adds the public SSH key to the list of returned attributes of the getorigbyname request so that it can be send back to the clients. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Since the IPA clients expects that the extdom plugin delivers the
default view data for a given user this patch adds the public SSH key to
the list of returned attributes of the getorigbyname request so that it
can be send back to the clients.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Views: apply user SSH public key override 2014-11-05T14:26:36+00:00 Sumit Bose sbose@redhat.com 2014-10-16T11:17:37+00:00 ab355eced46b5f488ed62a79a7f2e5ac2b6a574c With this patch the SSH public key override attribute is read from the FreeIPA server and saved in the cache with the other override data. Since it is possible to have multiple public SSH keys this override value does not replace any other data but will be added to existing values. Fixes https://fedorahosted.org/sssd/ticket/2454 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
With this patch the SSH public key override attribute is read from the
FreeIPA server and saved in the cache with the other override data.

Since it is possible to have multiple public SSH keys this override
value does not replace any other data but will be added to existing
values.

Fixes https://fedorahosted.org/sssd/ticket/2454

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sysdb_add_overrides_to_object: add new parameter and multi-value support 2014-11-05T14:26:32+00:00 Sumit Bose sbose@redhat.com 2014-10-27T14:11:08+00:00 1a9f66352070d71a6b998c5afbc268ba6fddc51c With the new parameter an attribute list other than the default one can be used. Override attributes with multiple values (e.g. SSH public keys) are now supported as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
With the new parameter an attribute list other than the default one can
be used.

Override attributes with multiple values (e.g. SSH public keys) are now
supported as well.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
nss: return user_attributes in origbyname request 2014-11-05T14:21:01+00:00 Sumit Bose sbose@redhat.com 2014-10-24T09:30:33+00:00 e4549c5364461644723361d688badde7fe137a25 To allow IPA clients to offer special attributes of AD users form trusted domain the extdom plugin on the IPA server must send them to the clients. The extdom plugin already uses sss_nss_getorigbyname() to get attributes like the SID and the user principal name. This patch adds the attributes given by the NSS/IFP user_attributes option to the list of attributes returned by sss_nss_getorigbyname(). Fixes https://fedorahosted.org/sssd/ticket/2464 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
To allow IPA clients to offer special attributes of AD users form
trusted domain the extdom plugin on the IPA server must send them to the
clients. The extdom plugin already uses sss_nss_getorigbyname() to get
attributes like the SID and the user principal name. This patch adds the
attributes given by the NSS/IFP user_attributes option to the list of
attributes returned by sss_nss_getorigbyname().

Fixes https://fedorahosted.org/sssd/ticket/2464

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
nss: parse user_attributes option 2014-11-05T14:20:51+00:00 Sumit Bose sbose@redhat.com 2014-10-28T18:42:47+00:00 166ddd0dfbda28b1c6773f386bb7ff88914af91a Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>