Commit message (Collapse)AuthorAgeFilesLines
* NSS: Fix netgroup midpoint cache refresh1.9.2-35Jakub Hrozek2012-12-073-3/+3
| | | | | | | | The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
* MEMBEROF: Keep inherited ghost users around on modify operation1.9.2-34Jakub Hrozek2012-12-062-34/+637
| | | | | | | | | | | | | It is possible to simply reset the list of ghost users to a different one during a modify operation. It is also actually how we update entries that are expired in the SSSD cache. In this case, we must be careful and retain the ghost users that are not native to the group we are processing but are rather inherited from child groups. The intention of the replace operation after all is to set the list of direct members of that group, not direct and indirect.
* MEMBEROF: Implement the modify operation for ghost usersJakub Hrozek2012-12-062-36/+715
| | | | | | | Similar to the add and delete operation, we also need to propagate the changes of the ghost user attribute to the parent groups so that if a nested group updates memberships, its parents also get the membership updated.
* MEMBEROF: Split the add ghost operation into a separate functionJakub Hrozek2012-12-061-17/+73
| | | | This new function will be reused by the modify operation later
* MEMBEROF: Split the del ghost attribute op into a reusable functionJakub Hrozek2012-12-061-12/+22
| | | | This new function is going to be reused by the modify operation
* MEMBEROF: split processing the member modify into a separate functionJakub Hrozek2012-12-061-47/+73
| | | | This will allow to process ghost users in a similar fashion
* MEMBEROF: Implement delete operation for ghost usersJakub Hrozek2012-12-062-7/+362
| | | | | | | | | | | | | | | | | The memberof plugin did only expand the ghost users attribute to parents when adding a nested group, but didn't implement the reverse operation. This bug resulted in users being reported as group members even after the direct parent went away as the expanded ghost attributes were never removed from the parent entry. When a ghost entry is removed from a group, all its parent groups are expired from the cache by setting the expire timestamp to 1. Doing so would force the SSSD to re-read the group next time it is requested in order to make sure its members are really up-to-date.
* TESTS: Test ghosts users in the RFC2307 schemaJakub Hrozek2012-12-061-0/+248
* MEMBEROF: Do not add the ghost attribute to selfJakub Hrozek2012-12-062-13/+87
| | | | | | | | | | | | When a nested group with ghost users is added, its ghost attribute should propagate within the nested group structure much like the memberuid attribute. Unlike the memberuid attribute, the ghost attribute is only semi-managed by the memberof plugin and added manually to the original entry. This bug caused LDB errors saying that attribute or value already exists when a group with a ghost user was added to the hierarchy as groups were updated with an attribute they already had.
* Always append rctx as private data1.9.2-33Simo Sorce2012-12-061-1/+1
| | | | This is used for the new calls back from the data provider.
* Add backchannel NSS provider query on initgr callsSimo Sorce2012-12-061-0/+165
| | | | | | | | | This is needed in order to assure the memcache is properly and promptly cleaned up if a user memberships change on login. The list of the current groups for the user is sourced before it is updated and sent to the NSS provider to verify if it has changed after the update call has been made.
* Hook for mmap cache update on initgroup callsSimo Sorce2012-12-064-0/+148
| | | | | This set of functions enumerate the user's groups and invalidate them all if the list does not matches what we get from the caller.
* Hook to perform a mmap cache update from sssd_nssSimo Sorce2012-12-064-0/+124
| | | | | This set of functions enumerate each user/group from all domains and invalidate any mmap cache record that matches.
* mmap cache: public functions to invalidate recordsSimo Sorce2012-12-062-0/+135
| | | | | | These functions can be called from the nss responder to invalidate records that have ceased to exist or that need to be refreshed the first time an application needs them.
* Missing parameter in DEBUG message.Michal Zidek2012-12-061-1/+2
* Dereference after null check in sss_idmap_sid_to_unixMichal Zidek2012-12-061-1/+5
| | | |
* warn user if password is about to expirePavel Březina2012-12-061-3/+4
| | | | | | | | | | | | | | If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
* RESOLV: return ENOENT if the address list is emptyJakub Hrozek2012-12-061-0/+8
* IPA: Handle bad results from c-ares lookupStephen Gallagher2012-12-061-1/+11
| | | | | | | | | In some situations, the c-ares lookup can return NULL instead of a list of addresses. In this situation, we need to avoid dereferencing NULL. This patch adds a log message and sets the count to zero so it is handled appropriately below.
* avoid versioning libsss_sudoPavel Březina2012-12-061-3/+4
* Monitor quit when not exists no process no stopsAriel O. Barria2012-11-281-1/+3
| | | |
* Null pointer dereferenced.Michal Zidek2012-11-281-96/+100
| | | |
* idmap: Silence DEBUG messages when dealing with built-in SIDs.Michal Zidek2012-11-286-80/+125
| | | | | | | | When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects.
* do not default fullname to gecos when schema = adPavel Březina2012-11-281-0/+14
| | | | | | | | | When we add fullname to user_attrs, then sysdb_add_basic_user() will set fullname to gecos when it initially creates the user object in the cache, but it will be overwritten in the same transaction when sysdb_store_user() adds all the user_attrs.
* Uninitialized pointer readMichal Zidek2012-11-281-1/+1
| | | |
* fix SIGSEGV in IPA provider when ldap_sasl_authid is not setPavel Březina2012-11-271-1/+1
| | | | | | | | IPA_HOSTNAME is not stored in ipa_opts->id options so it the option was always NULL here. This caused SIGSEGV when accessed by strchr() in subsequent function.
* debug: print fatal and critical errors if debug level is unresolvedMichal Zidek2012-11-272-7/+4
| | | | | | | If global variable debug_level has value SSSDBG_UNRESOLVED, we should print at least fatal and critical errors.
* SYSDB: Don't operate with aliases same as nameOndrej Kos2012-11-271-0/+6
| | | | | | | fixes When user's alias is same as it's name, don't use it for searching in sysdb, and for deleting.
* LDAP: fix uninitialized variableOndrej Kos2012-11-271-1/+1
| | | | initialized variable, was causing build warning
* MONITOR: Fix off-by-one error in add_string_to_listJakub Hrozek2012-11-211-1/+4
| | | | | We need to allocate num_services+2 - one extra space for the new service and one for NULL.
* LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek2012-11-2111-27/+91
| | | | | | | | | | | | | | | | | This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
* SYSDB: Use the add_string convenience functions for managing ghost user ↵Jakub Hrozek2012-11-211-24/+9
| | | | | | | attribute Using the convenience function instead of low-level ldb calls makes the code more compact and more readable.
* KRB5: Work around const warning for krb5 releases older than 1.11Sumit Bose2012-11-201-1/+1
* backend: add PAC to the list of known clientsPavel Březina2012-11-201-0/+2
* Disable canonicalization during password changesSumit Bose2012-11-201-2/+43
| | | | | | | | | | | | | | | If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in and also done by the kpasswd utility. Fixes:
* Fix compare_principal_realm() checkSumit Bose2012-11-202-9/+9
| | | | | In case of a short UPN compare_principal_realm() erroneously returns an error.
* Just use the service name with krb5_get_init_creds_password()Sumit Bose2012-11-201-24/+2
| | | | | | | | | Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
* LDAP: Make it possible to use full principal in ldap_sasl_authid againJakub Hrozek2012-11-202-4/+21
* LDAP: Checking the principal should not be considered fatalJakub Hrozek2012-11-201-6/+10
| | | | | | | | | | | | | | The check is too restrictive as the select_principal_from_keytab can return something else than user requested right now. Consider that user query for host/myserver@EXAMPLE.COM, then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
* LDAP: Provide a common sdap_set_sasl_options init functionJakub Hrozek2012-11-204-91/+95
| | | | | The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
* MAN: document the ldap_sasl_realm optionJakub Hrozek2012-11-201-0/+13
| | | | The option was completely undocumented.
* Restart services with a delay in case they are restarted too oftenJakub Hrozek2012-11-201-14/+59
| | | | | | | | | | | | In case a service is restarted while the DP is not ready yet, it gets restarted again immediatelly, which means the DP might still not be ready. The allowed number of restarts is then depleted quickly. This patch changes the restart mechanism such that the first restart happens immediatelly, the second is scheduled after 2 second, then 4 etc..
* LDAP: Expire even non authenticated connectionsJakub Hrozek2012-11-191-8/+11
| | | | | | | The connections request was terminated before setting the expiry timeout in case no authentication was set.
* Handle conversion to fully qualified usernamesSimo Sorce2012-11-193-1/+98
| | | | | | | In subdomains we have to use fully qualified usernames. Unfortunately we have no other good option than simply removing caches for users of subdomains. This is because the memberof plugin does not support the rename operation.
* Do not save HBAC rules in subdomain subtreeSumit Bose2012-11-193-16/+32
| | | | | | | | | | | | | | Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
* Refactor the way subdomain accounts are savedSimo Sorce2012-11-1910-35/+167
| | | | | | | | | | | | | | | | | The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
* Simplify writing db update functionsSimo Sorce2012-11-191-421/+192
| | | | | | Add functions to automate setting versions numbers in the db, also decrease chances of error in copying and pasting code, by setting the version number only once when we commence the upgrade.
* LDAP: Refactor saving ghost usersJakub Hrozek2012-11-191-88/+99
* LDAP: Better debug logging when saving groupsStephen Gallagher2012-11-191-11/+75
* LDAP: use the correct memory contextJakub Hrozek2012-11-191-1/+1
| | | | | The element being reallocated is part of the "group_attrs" array, not attrs.