Commit message (Collapse)AuthorAgeFilesLines
* sssd_nss: Plug memory leaks1.9.2-55Simo Sorce2012-12-201-2/+11
| | | | | A recent patch introduced a glaring memory leak in the routines that clean up memcache memory on initgroups calls.
* memberof: Prevent unneded failure case1.9.2-54Simo Sorce2012-12-201-2/+7
| | | | | | | | | | When deleting a user we would fail the operation completely if the member attribute was not found on one of the groups it was allegedly member of. Failing in this case is unnecessary, and can cause issues. Found trying to upgrade db versione (and failing) on one of my RHEL machines. Also removed a tray \ in the companion function that removes ghost members, that function needs no changes as it was already ignoring this kind of failure.
* responder_dp: Add timeout to side requets1.9.2-53Simo Sorce2012-12-201-1/+25
| | | | | | | This is an additional proteciont in case the provider misbheaves to avoid having requests pending forever. Fixes:
* SYSDB: More debugging during the conversion to ghost users1.9.2-52Jakub Hrozek2012-12-191-0/+9
| | | | | | | We've been hitting situations where the sysdb conversion failed. Unfortunately, the current code doesn't include enough debugging info to pinpoint the failing entries. This patch adds more DEBUG statements for each processed entry.
* select_principal_from_keytab() do wildcard lookups after specific ones1.9.2-51Sumit Bose2012-12-181-3/+3
| | | | | | | | | | Currently the wildcard lookup '*$' is done before the one for host/our.hostname@REALM. This means we would ignore a more specific match in favour of an unspecific match with a principal which is only used in a AD environment. I think this is wrong an wildcards should only be used is all specific lookups fail.
* select_principal_from_keytab() look for plain input as wellSumit Bose2012-12-181-2/+6
| | | | | | | Currently in select_principal_from_keytab() all kind of different versions of the host principal are looked up in the keytab except for the plain name the ldap_sasl_authid option. With this patch the plain name is looked up first.
* Add responder_sbus.h to noinst_HEADERS1.9.2-50Jakub Hrozek2012-12-181-0/+1
* AUTOFS: Clear enum cache if a request comes in from the sss_cacheJakub Hrozek2012-12-183-0/+31
| | | | | In order for sss_cache to work correctly, we must also signal the autofs responder to invalidate the hash table requests.
* RESPONDERS: Create a common file with service names and versionsJakub Hrozek2012-12-1811-17/+50
| | | | | | | The monitor sends calls different sbus methods to different responders. Instead of including headers of the particular responders directly in monitor, which breaks layering a little, create a common header file that will be included from src/responder/common/
* AUTOFS: remove all maps from hash if request for auto.master comes inJakub Hrozek2012-12-182-3/+59
| | | | | | | | | | When a request for auto.master comes in, we need to remove all the maps from the lookup hash table. We can't simply delete the maps, because another request might be processing them, so instead the maps are removed from the hash table, effectively becoming orphaned. The maps will get freed when the timed destructor is invoked.
* AUTOFS: allow removing entries from hash tableJakub Hrozek2012-12-183-1/+32
| | | | | | | | | There is a timed desctructor in the autofs responder that, when the entry timeout passes, removes the autofs map from the hash table while the map is freed. This patch adds a hash delete callback so that if the map is removed from the hash table with hash_delete, its hash table pointer will be invalidated. Later, when the entry is being freed, the destructor won't attempt to remove it from the hash table.
* DP: invalidate all cached maps if a request for auto.master comes inJakub Hrozek2012-12-183-0/+16
| | | | | | If the Data Provider receives a request for the auto.master map, it passes on a flag to let the actual provider let know he should invalidate the existing maps
* SYSDB: Add API to invalidate all map objectsJakub Hrozek2012-12-182-0/+94
| | | | This sysdb API will be used later to invalidate the autofs maps
* SYSDB: fix copy-n-paste errorJakub Hrozek2012-12-181-1/+1
* sudo: do full refresh when data provider is back online1.9.2-49Pavel Březina2012-12-182-7/+75
| | | | | | | | Add a online callback if the first full refresh fails due to the provider beeing offline so we can perform the refresh as soon as possible.
* sudo: schedule another full refresh in short interval if the first failsPavel Březina2012-12-182-0/+28
| | | | | | | If the first full refresh of sudo rules fails because the data provider is offline, we will schedule another one in 2, 4, ... minutes.
* check dp error in sdap_sudo_full_refresh_done()Pavel Březina2012-12-181-3/+8
| | | |
* add sdap_sudo_schedule_refresh()Pavel Březina2012-12-182-43/+77
| | | | Reduces amount of code duplication.
* try primary server after retry_timeout + 1 seconds when switching to backup1.9.2-48Pavel Březina2012-12-184-2/+14
| | | | | | | | | | | | | | The problem is when we are about to reset the server status, we don't get through the timeout (30 seconds) because the "switch to primary server" task is scheduled 30 seconds after fall back to a backup server. Thus the server status remains "not working" and is resetted after another 30 seconds. We need to make sure that the server status is tried after the timeout period. retry_timeout is currently hardcoded to 30, thus the change in man page.
* RESOLV: Do not steal the resulting hostent on errorJakub Hrozek2012-12-181-2/+3
| | | |
* MEMBEROF: silence compilation warningsJakub Hrozek2012-12-181-15/+15
| | | | | | | | | | | | src/ldb_modules/memberof.c: In function ‘mbof_get_ghost_from_parent_cb’: src/ldb_modules/memberof.c:3085: warning: declaration of ‘dup’ shadows a global declaration /usr/include/unistd.h:528: warning: shadowed declaration is here src/ldb_modules/memberof.c: In function ‘mbof_inherited_mod’: src/ldb_modules/memberof.c:3253: warning: declaration of ‘dup’ shadows a global declaration /usr/include/unistd.h:528: warning: shadowed declaration is here src/ldb_modules/memberof.c: In function ‘mbof_fill_vals_array’: src/ldb_modules/memberof.c:3786: warning: declaration of ‘index’ shadows a global declaration /usr/include/string.h:489: warning: shadowed declaration is here
* PROXY: fix groups caching1.9.2-47Ondrej Kos2012-12-171-0/+6
| | | | | | Properly react on deleting group which was not found in sysdb.
* let ldap_chpass_uri failover work when using same hostname1.9.2-46Pavel Březina2012-12-151-11/+4
| | | | | | | | | We want to continue with the next server on all errors, not only on ETIMEDOUT. This particullar ticket was dealing with ECONNREFUSED.
* sssd_pam: Cleanup requests cache on sbus reconect1.9.2-45Simo Sorce2012-12-141-1/+4
| | | | | | | | | The pam responder was not properly configured to recover from a backend disconnect. The connections that were in flight before the disconnection were never freed and new requests for the same user would just pile up on top of the now phantom requests. Fixes:
* tools: sss_userdel and groupdel remove entries from memory cache1.9.2-44Michal Zidek2012-12-143-0/+55
| | | |
* sssd_nss: Remove entries from memory cache if not found in sysdbMichal Zidek2012-12-141-0/+23
| | | | | Functions nss_cmd_getXXnam remove entries from memory cache if not found in sysdb cache of a local domain.
* sudo: include primary group in user group list1.9.2-43Pavel Březina2012-12-141-1/+41
| | | |
* sysdb_get_sudo_user_info() initialize attrs on declarationPavel Březina2012-12-141-4/+3
* SUDO: strdup the input variable1.9.2-42Jakub Hrozek2012-12-141-1/+1
| | | |
* sudo manpage: clarify that sudoHost may contain wildcards and not regular ↵1.9.2-41Pavel Březina2012-12-142-2/+2
| | | | | | expression
* let krb5_kpasswd failover work1.9.2-40Pavel Březina2012-12-141-3/+4
| | | | | | | Bad service name (KERBEROS) was provided when setting port status, thus the port status never changed
* NSS: Fix the error handler in sss_mc_create_fileJakub Hrozek2012-12-141-10/+16
| | | | | | | The function is short enough so that we can simply stick with return and release resources before returning as appropriate.
* sudo: don't get stuck in rules and smart refresh when offline1.9.2-39Pavel Březina2012-12-141-4/+14
| | | | | | | | | | | | | | | | | | The problem was in following code: if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) { tevent_req_error(req, ret); return; } In situation when data provider error occurs (e.g. when offline), ret == EOK but dp_error != DP_ERR_OK and we take the true branch. This results in calling tevent_req_error(req, EOK). Unfortunately, with EOK tevent_req_error only returns false, but does not trigger callback and this tevent request hangs forever, because no tevent_req_done(req) is called.
* MEMBEROF: Fix copy-n-paste errorJakub Hrozek2012-12-141-1/+1
| | | |
* LDAP: remove dead assignmentJakub Hrozek2012-12-141-1/+0
* SYSDB: Move misplaced assignmentJakub Hrozek2012-12-141-2/+1
* PAC: check the return value of diff_git_listsJakub Hrozek2012-12-141-0/+4
* PROXY: fix negative cache1.9.2-38Ondrej Kos2012-12-141-20/+24
| | | | | | | | The PROXY provider wasn't storing credentials to negative cache due to bad return value. This was delegated from attempt to delete these credentials from local cache. Therefore ENOENT is replaced as EOK.
* MAN: Move ssh_known_hosts_timeout documentation to the correct sectionJan Cholasta2012-12-141-12/+12
* link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthreadTimo Aaltonen2012-12-141-0/+2
| | | | | | | | There used to be an overlinked dependency that's gone now, so to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS. v2: Fix sss_ssh_authorizedkeys linking as well.
* LDAP: Continue adjusting group membership even if there is nothing to add1.9.2-37Jakub Hrozek2012-12-071-2/+1
| | | |
* do not crash when id_provider is not set1.9.2-36Pavel Březina2012-12-071-0/+6
| | | |
* NSS: Fix netgroup midpoint cache refresh1.9.2-35Jakub Hrozek2012-12-073-3/+3
| | | | | | | | The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
* MEMBEROF: Keep inherited ghost users around on modify operation1.9.2-34Jakub Hrozek2012-12-062-34/+637
| | | | | | | | | | | | | It is possible to simply reset the list of ghost users to a different one during a modify operation. It is also actually how we update entries that are expired in the SSSD cache. In this case, we must be careful and retain the ghost users that are not native to the group we are processing but are rather inherited from child groups. The intention of the replace operation after all is to set the list of direct members of that group, not direct and indirect.
* MEMBEROF: Implement the modify operation for ghost usersJakub Hrozek2012-12-062-36/+715
| | | | | | | Similar to the add and delete operation, we also need to propagate the changes of the ghost user attribute to the parent groups so that if a nested group updates memberships, its parents also get the membership updated.
* MEMBEROF: Split the add ghost operation into a separate functionJakub Hrozek2012-12-061-17/+73
| | | | This new function will be reused by the modify operation later
* MEMBEROF: Split the del ghost attribute op into a reusable functionJakub Hrozek2012-12-061-12/+22
| | | | This new function is going to be reused by the modify operation
* MEMBEROF: split processing the member modify into a separate functionJakub Hrozek2012-12-061-47/+73
| | | | This will allow to process ghost users in a similar fashion
* MEMBEROF: Implement delete operation for ghost usersJakub Hrozek2012-12-062-7/+362
| | | | | | | | | | | | | | | | | The memberof plugin did only expand the ghost users attribute to parents when adding a nested group, but didn't implement the reverse operation. This bug resulted in users being reported as group members even after the direct parent went away as the expanded ghost attributes were never removed from the parent entry. When a ghost entry is removed from a group, all its parent groups are expired from the cache by setting the expire timestamp to 1. Doing so would force the SSSD to re-read the group next time it is requested in order to make sure its members are really up-to-date.
* TESTS: Test ghosts users in the RFC2307 schemaJakub Hrozek2012-12-061-0/+248