summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* LDAP: Fix saving empty groupsJakub Hrozek2012-11-191-2/+4
| | | | | | | | https://fedorahosted.org/sssd/ticket/1647 A logic bug in the LDAP provider causes an attempt to allocate a zero-length array for group members while processing an empty group. The allocation would return NULL and saving the empty group would fail.
* LDAP: Allocate the temporary context on NULL, not memctxJakub Hrozek2012-11-191-1/+1
| | | | | | Allocating temporary context on NULL helps vind memory leaks with valgrind and avoid growing memory over time by allocating on a long-lived context.
* SERVER: Check the return value of waitpidJakub Hrozek2012-11-191-11/+27
| | | | | | | We should at least print an error message and error out if waitpid() fails. https://fedorahosted.org/sssd/ticket/1651
* Display more information on DB version crashOndrej Kos2012-11-197-2/+70
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1589 Added check for determining, whether database version is higher or lower than expected. To distinguish it from other errors it uses following retun values (further used for appropriate error message): EMEDIUMTYPE for lower version than expected EUCLEAN for higher version than expected When SSSD or one of it's tools fails on DB version mismatch, new error message is showed suggesting how to proceed.
* sudo: store rules with no sudoHost attributePavel Březina2012-11-191-0/+7
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1640 Normal rules requires that sudoHost attribute is present. But this attribute is not mandatory for a special rule named cn=defaults. This patch modifies filter so that we store even rules that doesn't have sudoHost attribute specified. SUDO will then decide whether it is allowed or not.
* SUDO: Remove unused variableStephen Gallagher2012-11-191-1/+0
| | | | Eliminates a compiler warning
* SUDO: Fix wrong variable checkJakub Hrozek2012-11-191-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1650
* Include the auth_utils.h header in the distributionJakub Hrozek2012-11-151-0/+1
|
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek2012-11-153-18/+56
|
* SYSDB: Do not touch the member attribute during conversion to ghost usersJakub Hrozek2012-11-151-11/+0
| | | | | | | | | We attempted to delete the member attributes of groups that contained a particular user during the sysdb upgrade, but obviously, this cannot work for nested groups as the member attribute is present for direct parents only. As a result, we were getting failures during the upgrade. https://fedorahosted.org/sssd/ticket/1631
* Only build extract_and_send_pac on platforms that support itJakub Hrozek2012-11-154-104/+138
|
* KRB5: Rename variable to avoid shadowing a global declarationJakub Hrozek2012-11-141-4/+4
| | | | | | | src/providers/krb5/krb5_utils.c: In function ‘cc_dir_create’: src/providers/krb5/krb5_utils.c:824: warning: declaration of ‘dirname’ shadows a global declaration /usr/include/libgen.h:27: warning: shadowed declaration is here
* sudo: print how many rules we are refreshing or returningPavel Březina2012-11-141-3/+4
|
* sudo: do not send domain name with usernamePavel Březina2012-11-145-22/+11
| | | | | | | | This caused troubles with subdomain users and it is not really necessary. This patch does not change the protocol itself, that should be done on the earliest possible occasion. Part of https://fedorahosted.org/sssd/ticket/1616
* sudo: support users from subdomainsPavel Březina2012-11-144-60/+214
| | | | https://fedorahosted.org/sssd/ticket/1616
* use tmp_ctx in sudosrv_get_sudorules_from_cache()Pavel Březina2012-11-141-8/+20
|
* sudo: fix missing parameter in two debug messagesPavel Březina2012-11-141-3/+3
|
* subdomains: check request type on one place onlyPavel Březina2012-11-141-6/+0
| | | | The check is now held only in ipa_get_subdomain_account_info_send().
* Run IPA subdomain provider if IPA ID provider is configuredSumit Bose2012-11-144-7/+101
| | | | | | | | | | | | | | | | | | | | | | | | To make configuration easier the IPA subdomain provider should be always loaded if the IPA ID provider is configured and the subdomain provider is not explicitly disabled. But to avoid the overhead of regular subdomain requests in setups where no subdomains are used the IPA subdomain provider should behave differently if configured explicit or implicit. If the IPA subdomain provider is configured explicitly, i.e. 'subdomains_provider = ipa' can be found in the domain section of sssd.conf subdomain request are always send to the server if needed. If it is configured implicitly and a request to the server fails with an indication that the server currently does not support subdomains at all, e.g. is not configured to handle trust relationships, a new request will be only send to the server after a long timeout or after a going-online event. To be able to make this distinction this patch save the configuration status to the subdomain context. Fixes https://fedorahosted.org/sssd/ticket/1613
* Always start PAC responder if IPA ID provider is configuredSumit Bose2012-11-143-0/+84
| | | | | | | | Since the PAC responder is used during the authentication of users from trusted realms it is started automatically if the IPA ID provider is configured for a domain to simplify the configuration. Fixes https://fedorahosted.org/sssd/ticket/1613
* Add string_in_list() and add_string_to_list() with testsSumit Bose2012-11-143-0/+152
| | | | | | | | string_in_list() and add_string_to_list() are two utilities for NULL terminated strings arrays. add_string_to_list() adds a new string to an existing list or creates a new one with the strings as only item if there is not list. string_in_list() checks if a given string is in the list. It can be used case sensitive or in-sensitive.
* Store the original group DN in the subdomain user objectSumit Bose2012-11-121-26/+58
| | | | | | | | | | | For user of the local domain the server-side DN of the groups the user is a member of is stored with the user object in the cache and used to improve performance e.g. by the HBAC code. Since subdomain users should be handled by HBAC as well the group DN is stored in the same way as for users of the local domain. This patch also adds code to remove the attribute from the user object if the user is removed from the group.
* Get lists of GIDs to be added and deleted and use themSumit Bose2012-11-121-3/+89
| | | | | | | Currently the user was just added to all local groups which are given in the PAC. With this patch the user is added only to groups he is currently not a member of and deleted from groups which are not found in the PAC anymore.
* Add pac_user_get_grp_info() to read current group membershipsSumit Bose2012-11-122-0/+107
| | | | | | | | | | | | To be able to efficiently store group memberships we need to know the current memberships of a user. sysdb_initgroups() is used to read the user entry together with all groups the user is a member of. Some of the group attributes are kept to avoid additional lookups and speed up further processing. Currently sysdb_initgroups() does not return the original DN of the group. Since it is needed to remove memberships later on it is added to the list of requested attributes
* Add diff_gid_lists() with testSumit Bose2012-11-123-2/+279
| | | | | | | | This patch adds a new call which compares a list of current GIDs with a list of new GIDs and return a list of GIDs which are currently missing and must be added and another list of GIDs which are not used anymore and must be deleted. The method is the same as used by diff_string_lists().
* Do not remove a group if it has members from subdomainsSumit Bose2012-11-121-4/+15
| | | | | | | Currently it is only checked if an expired group still has members of the local domain. If not, the group is delete from the cache. With this patch the whole cache, i.e. including subdomains, is searched for members.
* Clarify debug message about initgroups and subdomainsSumit Bose2012-11-121-0/+7
| | | | | | | | | | | | | | | | The initgroups request is not handled by the IPA provider for subdomain users on purpose because the group membership information is not available on the IPA server but will be directly written to the cache when the PAC of the user is processed. The old generic debug message "Invalid sub-domain request type" might be misleading. This patch adds a specific message for the initgroups case "Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache." and increase the debug level so that typically this message is not shown anymore because it is expected behaviour. Fixes https://fedorahosted.org/sssd/ticket/1610
* sss_dp_get_domains_send(): handle subreq error correctlyPavel Březina2012-11-121-1/+2
| | | | | | | If force is true, ret may stay uninitialized and if ret == 0 after the subrequest is send, we will go to immediate label. Data provider request is sent, but the answer is never processed. This prohibited subdomain from working correctly.
* util_lock.c: sss_br_lock_file accepted invalid parameter valueMichal Zidek2012-11-112-3/+7
| | | | | | Return EINVAL if number of tries is <= 0. Also the parameter retries was renamed to num_tries, so it is more obvious that it also includes the first try.
* SSSDConfig: Locate the force_timeout option in the correct sectionsStephen Gallagher2012-11-112-1/+4
|
* MAN: Specify the correct location for the force_timeout optionStephen Gallagher2012-11-111-16/+32
|
* Monitor: Better debugging for ping timeoutsStephen Gallagher2012-11-111-0/+8
|
* sss_cache: Remove fastcache even if sssd is not running.Michal Zidek2012-11-064-23/+175
| | | | https://fedorahosted.org/sssd/ticket/1584
* util: Added new file util_lock.cMichal Zidek2012-11-063-1/+89
|
* RPMS: Move sss_cache tool to main packageStephen Gallagher2012-11-061-3/+6
| | | | https://fedorahosted.org/sssd/ticket/1481
* sss_cache: Multiple domains not handled properlyMichal Zidek2012-11-061-35/+37
| | | | | | | | | | When working with multiple domains and no matching objects for deletion were found in the first domain, the other domains were not searched at all. Also the ERROR message informing about object not found (the one printed for each domain) was changed to DEBUG message.
* create pid file immediately after fork againPavel Březina2012-11-061-25/+4
| | | | | | | | | | | | Related to https://fedorahosted.org/sssd/ticket/1357 We realized that sysv and systemd does not use pid file existence as a notification of finished initialization. Therefore, we create the pid file in server_setup() again. We are removing check_file() from monitor main(), it is handled by server_setup() during pid file creation. This check was previously included in e7dd2a5102ba6cfd28be6eccdd62768e9758d9f4.
* exit original process after sssd is initializedPavel Březina2012-11-063-2/+56
| | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1357 Neither systemd or our init script use pid file as a notification that sssd is finished initializing. They will continue starting up next service right after the original (not daemonized) sssd process is terminated. If any of the responders fail to start, we will never terminate the original process via signal and "service sssd start" will hang. Thus we take this as an error and terminate the daemon with a non-zero value. This will also terminate the original process and init script or systemd will print failure.
* make monitor_quit() usable outside signal handlerPavel Březina2012-11-061-14/+26
|
* fix indendation, coding style and debug levels in server.cPavel Březina2012-11-061-110/+114
|
* add SSSDBG_IMPORTANT_INFO macroPavel Březina2012-11-061-0/+1
| | | | | | | We currently have only SSSDBG_FATAL_FAILURE macro that corresponds to original debug level 0. But there are several level 0 messages that are not actually failures but an important information. We should use this new macro to represent them.
* LDAP: Fix off-by-one error when saving ghost usersJakub Hrozek2012-11-061-1/+1
| | | | | | | | The ldb_val's length parameter should not include the terminating NULL. This was causing funky behaviour as the users were saved as binary attributes. https://fedorahosted.org/sssd/ticket/1614
* PAM: Do not leak fd after SELinux context file is writtenJakub Hrozek2012-11-051-0/+1
| | | | | | | https://fedorahosted.org/sssd/ticket/1619 We don't close the fd when we write the selinux login file in the pam responder. This results in a fd leak.
* Monitor: read the correct SIGKILL timeout for providers, tooJakub Hrozek2012-11-051-33/+41
| | | | https://fedorahosted.org/sssd/ticket/1602
* authconfig: allow chpass_provider = proxyPavel Březina2012-11-052-1/+4
| | | | https://fedorahosted.org/sssd/ticket/1611
* Free the internal DP requestJakub Hrozek2012-11-051-0/+8
|
* Make sub-domains case-insensitiveSumit Bose2012-11-052-3/+24
| | | | | | | | | | Currently the only type of supported sub-domains are AD domains which are not case-sensitive. To make it easier for Windows user we make sub-domains case-insensitive as well which allows to write the username in any case at the login prompt. If support for other types of sub-domains is added it might be necessary to set the case-sensitive flag based on the domain type.
* sss_parse_name_for_domains: always return the canonical domain nameSumit Bose2012-11-051-2/+7
| | | | | | Domains may have a flat or short name to save some keystrokes when typing fully qualified user names. Internally sssd will always use the canonical name to allow consistent processing.
* krb5_auth: update with correct UPN if neededSumit Bose2012-11-053-0/+133
| | | | | | | | | The Active Directory KDC handles request case in-sensitive and it might not always to possible to guess the UPN with the correct case. We check if the returned principal has a different case then the one used in the request and updates the principal if needed. This will help using calls from the Kerberos client libraries later on which would otherwise fail because the principal is handled case sensitive by those libraries.
* Use find_or_guess_upn() where neededSumit Bose2012-11-056-36/+52
|
generated by cgit (git 2.34.1) at 2024-04-24 03:59:06 +0000