sssd.git/src, branch 1.9.2-88 sssd with jhrozek's patches Fix simple access group control in case-insensitive domains 2013-04-15T13:16:10+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-11T07:18:56+00:00 f66b1e7157f606cccad909f67daec29d7c87a41d https://fedorahosted.org/sssd/ticket/1880 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case. 
https://fedorahosted.org/sssd/ticket/1880

In the simple access provider, we need to only canonicalize user names when
comparing with values in the ACL, not when searching the cache. The sysdb
searches might do a base search with a DN constructed with the username
which fails if the username is lower case.
ldap: Fallback option for rfc2307 schema 2013-04-15T13:15:54+00:00 Simo Sorce simo@redhat.com 2013-03-15T19:27:31+00:00 2d654a45796b1c50a3c2368ba2aa78412073171d Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020 
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.

Disabled by default as it violates identity domain separation.

Ticket:
https://fedorahosted.org/sssd/ticket/1020
Resolve GIDs in the simple access provider 2013-04-15T13:15:48+00:00 Jakub Hrozek jhrozek@redhat.com 2013-02-23T09:44:54+00:00 5925e134b87e79e60177b5861ec2a67b659aaa27 Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX 
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.

Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX
Do not compile main() in DP if UNIT_TESTING is defined 2013-04-15T13:15:43+00:00 Jakub Hrozek jhrozek@redhat.com 2013-03-04T15:37:04+00:00 deb9c70038fe998c81939d784262147709d3fe09 The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function 
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.

If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function
Add unit tests for simple access test by groups 2013-04-15T13:15:36+00:00 Jakub Hrozek jhrozek@redhat.com 2013-03-03T20:43:44+00:00 d7f1374c1722c994a103245c125dc131298fb6f5 I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too. 
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
Provide a be_get_account_info_send function 2013-04-15T13:15:26+00:00 Jakub Hrozek jhrozek@redhat.com 2013-02-22T10:01:38+00:00 93515fb9b024efa897dc1442f4641b4a917e649d In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function. 
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.

This patch splits introduces the be_file_account_request() function into
the data_provider_be module and makes it public.

A future patch should make the be_get_account_info function use the
be_get_account_info_send function.
Don't treat 0 as default for pam_pwd_expiration warning 2013-03-01T15:45:22+00:00 Jakub Hrozek jhrozek@redhat.com 2013-02-28T13:24:59+00:00 3a19ea73ed6184aef4860270c08db975a9f7b532 






Fix the krb5 password expiration warning
2013-02-22T10:05:58+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-02-14T09:13:59+00:00

e8efc8cc12d2b5d74e92e772c23f13cb09cc5dfb

https://fedorahosted.org/sssd/ticket/1808





https://fedorahosted.org/sssd/ticket/1808







nested groups: fix group lookup hangs if member dn is incorrect
2013-01-30T12:53:29+00:00

Pavel Březina
pbrezina@redhat.com

2013-01-28T09:56:56+00:00

0902a4dc44a2860483f944aa34a1b07cdcfe4ee5

https://fedorahosted.org/sssd/ticket/1783

When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.





https://fedorahosted.org/sssd/ticket/1783

When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.







SYSDB: Expire group if adding ghost users fails with EEXIST
2013-01-23T16:35:05+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-01-23T16:17:55+00:00

94b6d396c55da8181cbc3b515dc8945e64b2bc9b