sssd.git/src, branch memberof

memberof: Use fqname instead of name

2015-05-05T14:11:16+00:00

SDAP: Fix id mapping with disabled subdomains

2015-05-05T13:47:20+00:00

If subdomains are disabled "subdomain_provider = none"
then auto-discovery discovery of domain SID is disabled.
It is possible to configure options ldap_idmap_default_domain{,_sid}
and id mapping should work.

However value of option ldap_idmap_default_domain_sid was not assigned to
sss_domain_info for main domain. It was only used for initialisation of
sdap_idmap_ctx. As a result of this bug posix attributes were used in
ldap filter and id mapping worked just for users with posix attributes.

[be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
[be_req_set_domain] (0x0400):
        Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
        Could not parse domain SID from [(null)]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
        Could not parse domain SID from [(null)]
[sdap_search_user_next_base] (0x0400):
        Searching for users with base [DC=EXAMPLE,DC=TEST]
[sdap_get_generic_ext_step] (0x0400):
        calling ldap_search_ext with
                        [(&(sAMAccountName=hdpadmin)(objectclass=user)
                           (sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
                        [DC=EXAMPLE,DC=TEST].
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users

Resolves:
https://fedorahosted.org/sssd/ticket/2635

Reviewed-by: Pavel Březina

sss_nss_idmap-tests: Use different prepared buffers for big endian

2015-05-04T11:55:02+00:00

We get error EBADMSG instead of EOK due to endianess issue

[==========] Running 2 test(s).
[ RUN      ] test_getsidbyname
0x4a != 0
src/tests/cmocka/sss_nss_idmap-tests.c:108: error: Failure!

[  FAILED  ] test_getsidbyname
[ RUN      ] test_getorigbyname
0x4a != 0
src/tests/cmocka/sss_nss_idmap-tests.c:127: error: Failure!

[  FAILED  ] test_getorigbyname

Reviewed-by: Sumit Bose

GPO: Do not ignore missing attrs for GPOs

2015-04-30T06:47:00+00:00

We don't want to skip over a GPO that might properly be denying
users.

[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400):
    Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400):
    calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000):
    Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400):
    Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
        ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000):
    Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040):
    no attrs found for GPO; try next GPO.

Resolves:
https://fedorahosted.org/sssd/ticket/2629

Reviewed-by: Stephen Gallagher

autofs: fix 'Cannot allocate memory' with FQDNs

2015-04-30T06:24:57+00:00

https://fedorahosted.org/sssd/ticket/2643

Reviewed-by: Jakub Hrozek

IPA: fix segfault in ipa_s2n_exop

2015-04-29T15:09:04+00:00

can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U  -l.

Reviewed-by: Sumit Bose

IPA: allow initgroups by SID for AD users

2015-04-29T09:33:22+00:00

If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name.  With this patch a SID can be used as well.

Resolves https://fedorahosted.org/sssd/ticket/2632

Reviewed-by: Jakub Hrozek

simple-access-provider: make user grp res more robust

2015-04-28T09:58:53+00:00

Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek

IPA: check ghosts in groups found by uuid as well

2015-04-27T13:42:39+00:00

With views and overrides groups are not allowed to have ghost members
anymore because the name of a member might be overridden. To achieve
this ghost members are looked up and resolved later during group
lookups. Currently this is only done for group lookups by name but
should happen as well if the group is looked up by uuid.

Resolves https://fedorahosted.org/sssd/ticket/2631

Reviewed-by: Jakub Hrozek

IPA: use sysdb_attrs_add_string_safe to add group member

2015-04-27T13:41:21+00:00

The member list returned by the extdom plugin might contain some entries
more than once. Although this is an issue on the server side to avoid
ldb errors duplicates should be filtered out on the client as well.

Reviewed-by: Jakub Hrozek