sssd.git/src, branch review-negcache sssd with jhrozek's patches nss: use negative cache for sid-by-id requests 2015-07-27T17:01:26+00:00 Sumit Bose sbose@redhat.com 2015-07-22T13:34:32+00:00 da0eef19ac7b06ef84e29d0ee1506981eafda68e Since requests by ID are not assized to a specific domain SSSD might check the ID in domains where the ID does not exists even if the ID is already in the sysdb cache of the right domain. For requests where already a memory cache is available like e.g. getpwuid() and getgrgid() this has no negative impact because the requests are answered directly from the cache most of the time without hitting SSSD. As long as there is no use-case which does not use the memory cache those requests do not need an update. But for request like sid-by-id where currently no memory cache is available there are quite some additional costs especially for trusted domains. Resolves https://fedorahosted.org/sssd/ticket/2731 
Since requests by ID are not assized to a specific domain SSSD might
check the ID in domains where the ID does not exists even if the ID is
already in the sysdb cache of the right domain. For requests where
already a memory cache is available like e.g. getpwuid() and getgrgid()
this has no negative impact because the requests are answered directly
from the cache most of the time without hitting SSSD. As long as there
is no use-case which does not use the memory cache those requests do not
need an update.

But for request like sid-by-id where currently no memory cache is
available there are quite some additional costs especially for trusted
domains.

Resolves https://fedorahosted.org/sssd/ticket/2731
negcache: allow domain name for UID and GID 2015-07-27T17:01:26+00:00 Sumit Bose sbose@redhat.com 2015-07-22T12:21:52+00:00 2bffccf990b08fb8ce1c72a0a5092053c8a06e12 Related to https://fedorahosted.org/sssd/ticket/2731 
Related to https://fedorahosted.org/sssd/ticket/2731
AD: Handle cases where no GPOs apply 2015-07-26T18:33:07+00:00 Stephen Gallagher sgallagh@redhat.com 2015-07-20T13:29:19+00:00 7c18b65dbdeb584a946c055f2db3814544b17232 It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error. We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration We also need to delete the result object from the cache to ensure that offline operation will also grant access. Resolves: https://fedorahosted.org/sssd/ticket/2713 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
It is possible to have a machine where none of the GPOs associated with
it include access-control rules. Currently, this results in a
denial-by-system-error.

We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration

We also need to delete the result object from the cache to ensure that
offline operation will also grant access.

Resolves:
https://fedorahosted.org/sssd/ticket/2713

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
intg: Invalidate memory cache before removing files 2015-07-24T14:54:02+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-07-24T10:31:42+00:00 eabc1732ef91548616a699b7e9f8d30e5e7b8dd3 Workaround for: https://fedorahosted.org/sssd/ticket/2726 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Workaround for:
https://fedorahosted.org/sssd/ticket/2726

Reviewed-by: Michal Židek <mzidek@redhat.com>
DYNDNS: support for dualstack 2015-07-24T07:30:41+00:00 Pavel Reichl preichl@redhat.com 2015-07-14T13:56:59+00:00 b0a8ed519554f8896e35812e0759862c33f157fe When dyndns_iface option was not used, address of connection to LDAP was used. This patch proposes following change: * Interface containing address of connection is found. * All A and AAAA addresses of this interface are collected. * Collected addresses are sent during DDNS update. * Function sss_iface_addr_add() is removed. Resolves: https://fedorahosted.org/sssd/ticket/2558 
When dyndns_iface option was not used, address of connection to LDAP
was used. This patch proposes following change:
  * Interface containing address of connection is found.
  * All A and AAAA addresses of this interface are collected.
  * Collected addresses are sent during DDNS update.
  * Function sss_iface_addr_add() is removed.

Resolves:
https://fedorahosted.org/sssd/ticket/2558
TESTS: dyndns tests support AAAA addresses 2015-07-24T07:30:41+00:00 Pavel Reichl preichl@redhat.com 2015-07-15T14:58:38+00:00 1112e84494bcfd0f658e073d25f15ed877d047aa Resolves: https://fedorahosted.org/sssd/ticket/2558 
Resolves:
https://fedorahosted.org/sssd/ticket/2558
DYNDNS: special value '*' for dyndns_iface option 2015-07-24T07:30:41+00:00 Pavel Reichl preichl@redhat.com 2015-07-14T08:21:34+00:00 0a26e92fb2a4dd9704a0578f90241997e2aed269 Option dyndns_iface has now special value '*' which implies that IPs from add interfaces should be sent during DDNS update. 
Option dyndns_iface has now special value '*' which implies that IPs
from add interfaces should be sent during DDNS update.
DYNDNS: support mult. interfaces for dyndns_iface opt 2015-07-24T07:30:41+00:00 Pavel Reichl preichl@redhat.com 2015-07-08T13:08:03+00:00 038b9ba28a618e3e553803da632116a040b94034 Resolves: https://fedorahosted.org/sssd/ticket/2549 
Resolves:
https://fedorahosted.org/sssd/ticket/2549
DYNDNS: sss_iface_addr_list_get return ENOENT 2015-07-24T07:30:41+00:00 Pavel Reichl preichl@redhat.com 2015-07-08T13:01:24+00:00 aa3fd6fde3888c0e333cad852ae5b4f671d55f58 If none of eligible interfaces matches ifname then ENOENT is returned. Resolves: https://fedorahosted.org/sssd/ticket/2549 
If none of eligible interfaces matches ifname then ENOENT is returned.

Resolves:
https://fedorahosted.org/sssd/ticket/2549
Fix minor typos 2015-07-23T09:10:16+00:00 Yuri Chornoivan yurchor@ukr.net 2015-06-26T05:52:12+00:00 f91029dd8d7dbc026a5c73e222926db957240cb4 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>