sssd.git/src/util, branch sid_index sssd with jhrozek's patches UTIL: Inherit ignore_group_members 2015-06-08T10:55:29+00:00 Jakub Hrozek jhrozek@redhat.com 2015-04-28T15:04:51+00:00 27d8524cf635d61d93c71539709a30e1205dcaf1 Resolves: https://fedorahosted.org/sssd/ticket/2644 Allows the administrators to extend ignore_group_members to subdomains as well by setting: subdomain_inherit = ignore_group_members in the domain section. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44) 
Resolves:
    https://fedorahosted.org/sssd/ticket/2644

Allows the administrators to extend ignore_group_members to subdomains
as well by setting:
    subdomain_inherit = ignore_group_members
in the domain section.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44)
SELINUX: Avoid disconnecting disconnected handle 2015-05-11T08:02:23+00:00 Jakub Hrozek jhrozek@redhat.com 2015-05-06T06:40:12+00:00 2ed3ac5190cd8f92d671e00837a360bd92cf150c Resolves: https://fedorahosted.org/sssd/ticket/2649 libsemanage is very strict about its API usage and actually doesn't allow disconnecting a handle that is not connected. The unpatched code would fail with: selinux_child: handle.c:231: semanage_disconnect: Assertion `sh != ((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect != ((void *)0)' failed. If semanage_connect() failed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 589a8760b38d9e2dfa278764af12d59e1487fe07) 
Resolves:
    https://fedorahosted.org/sssd/ticket/2649

libsemanage is very strict about its API usage and actually doesn't
allow disconnecting a handle that is not connected. The unpatched code
would fail with:

    selinux_child: handle.c:231: semanage_disconnect: Assertion `sh !=
    ((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect !=
    ((void *)0)' failed.

If semanage_connect() failed.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 589a8760b38d9e2dfa278764af12d59e1487fe07)
IPA: do not add domain name unconditionally 2015-05-06T08:40:13+00:00 Sumit Bose sbose@redhat.com 2015-04-17T16:22:10+00:00 226224c91971247f60a86d9c46dd1402f5c29e8a Depending on the server-side configuration the extdom plugin can return short or fully qualified names for IPA objects. The client must handle the names according to its own configuration and not add the domain part of the fully-qualified name unconditionally. Resolves https://fedorahosted.org/sssd/ticket/2647 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3fe2e555edd3963d72483600e5d9616873afd00a) 
Depending on the server-side configuration the extdom plugin can return
short or fully qualified names for IPA objects. The client must handle
the names according to its own configuration and not add the domain part
of the fully-qualified name unconditionally.

Resolves https://fedorahosted.org/sssd/ticket/2647

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3fe2e555edd3963d72483600e5d9616873afd00a)
simple-access-provider: make user grp res more robust 2015-04-28T10:01:44+00:00 Pavel Reichl preichl@redhat.com 2015-04-20T15:33:29+00:00 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a Not all user groups need to be resolved if group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511) 
Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
selinux: Only call semanage if the context actually changes 2015-04-14T18:06:09+00:00 Jakub Hrozek jhrozek@redhat.com 2015-04-09T20:18:35+00:00 4d31f2c294db6090047e4d5348322b32ea0aaac1 https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 1e0fa55fb377db788e065de917ba8e149eb56161) 
https://fedorahosted.org/sssd/ticket/2624

Add a function to query the libsemanage database for a user context and
only update the database if the context differes from the one set on the
server.

Adds talloc dependency to libsss_semanage.

Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1e0fa55fb377db788e065de917ba8e149eb56161)
selinux: Begin and end the transaction on the same nesting level 2015-04-14T18:06:09+00:00 Jakub Hrozek jhrozek@redhat.com 2015-04-10T09:06:44+00:00 9c695e3a82fe5903b36b2d514b3284efeadc908c Transaction should be started and commited on the same code nesting or abstraction level. Also, transactions are really costly with libselinux and splitting them from initialization will make init function reusable by read-only libsemanage functions. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 748b38a7991d78cbf4726f2a14ace5e926629a54) 
Transaction should be started and commited on the same code nesting or
abstraction level. Also, transactions are really costly with libselinux
and splitting them from initialization will make init function reusable
by read-only libsemanage functions.

Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 748b38a7991d78cbf4726f2a14ace5e926629a54)
selinux: Disconnect before closing the handle 2015-04-14T18:06:09+00:00 Jakub Hrozek jhrozek@redhat.com 2015-04-10T08:55:22+00:00 816d3cc041e276b138057aacb81d1a2bfb25add6 libsemanage documentation says: ~~~~ be sure that a semanage_disconnect() was previously called if the handle was connected. ~~~~ Otherwise we get a memory leak. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit aa00d67b2a8e07c9080e7798defdc6c774c93465) 
libsemanage documentation says:
~~~~
be sure that a semanage_disconnect() was previously called if the handle
was connected.
~~~~

Otherwise we get a memory leak.

Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit aa00d67b2a8e07c9080e7798defdc6c774c93465)
IPA: Use custom error codes when validating HBAC rules 2015-03-24T20:32:19+00:00 Jakub Hrozek jhrozek@redhat.com 2015-03-16T09:35:59+00:00 319f9710185929186778814b48f2227359d4f8f4 https://fedorahosted.org/sssd/ticket/2603 Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This will be useful in the next patch where we act on certain codes. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 1243e093fd31c5660adf1bb3dd477d6935a755be) 
https://fedorahosted.org/sssd/ticket/2603

Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This
will be useful in the next patch where we act on certain codes.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 1243e093fd31c5660adf1bb3dd477d6935a755be)
sdap: properly handle binary objectGuid attribute 2015-03-24T19:33:20+00:00 Sumit Bose sbose@redhat.com 2015-02-17T03:41:21+00:00 4619742836ec22edf8f9d274d928bc896c5b0883 Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.

This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.

Resolves https://fedorahosted.org/sssd/ticket/2588

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
test: Check ERR_LAST 2015-03-13T08:39:07+00:00 Michal Zidek mzidek@redhat.com 2015-03-10T17:38:10+00:00 c82b150d9599e212a71996d3f987f9b236833fe4 Check if number of error codes and messages is the same. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Check if number of error codes and messages is the same.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>