| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
| |
Since a view applies to the whole domain-subdomain tree the view data is
copied from the parent the new created domains.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To let the responders know which view is applied and to make view
handling more efficiently especially when no view is applied/available
two new member are added to the sss_domain_info struct.
view_name is the name of the view if available. has_views is only true
if the client has a specific view applied, i.e. it is false for the case
when there are no views at all (e.g. plain LDAP provider) or the client
has the FreeIPA default view. This allows the responders to easily
bypass any view related code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2361
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We used to only generate the [capaths] section on the IPA server itself,
when running in a trusted setup. But we also found out that the capaths
are often required to make SSO fully work, so it's better to always
generate them.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the name or the POSIX ID of a user or a group is overridden the
search request for those objects have to check the overide objects first
before looking up the original objects.
This patch adds a new request for the IPA sub-domain users which checks
the overrides first if
- SSSD is running in ipa-server-mode and a name or a POSIX ID is
searched, since we do not override the SIDs we can skip the search in
the override tree here
- if the responder indicates it has not found the corresponding object
in the cache and the input might be an override name or ID and not the
original one of an object.
If an override object was found the SID is extracted from the anchor
attribute and the original object is search by its SID. If no override
object was found the original object is search with the original input
and finally it is checked if an override object exits for the found
object.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the IPA provider will check if overrides exists for the
given view during the lookup of users and groups from trusted domains.
In ipa-server-mode the default view is automatically applied and written
to the cache. On IPA clients which use the extdom plugin for user and
group lookups the override data is saved separately and the original
object and the override data are linked with DN attributes for faster
reference.
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The default view is special in the sense that it is the baseline for
every other view and that it always applies even if there is no view
defined. To avoid useless additional processing the default view
overrides are written directly to the corresponding cached object.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_attrs_add_val_safe() works like sysdb_attrs_add_val() but checks
if the attribute value to add already exists. In this case the value
list is not changed. This is useful if values are added from different
sources at different times to avoid LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS
errors from ldb_modify() later on.
sysdb_attrs_add_string_safe() does the same for string arguments
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds an interface to the new SSS_NSS_GETORIGBYNAME request of
the nss responder to libsss_nss_idmap.
The main use case for this new call is to replace sss_nss_getsidbyname()
in the extdom plugin on the FreeIPA server to get more information about
the given object than just the SID which is not available with the
default POSIX interfaces.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new request to the nss responder which follows the
same flow as a SSS_NSSGETSIDBYNAME request but returns more data than
just the SID. The data is returned as pairs of \0-terminated strings
where the first string is the sysdb attribute name and the second the
corresponding value.
The main use case is on the FreeIPA server to make additional user and
group data available to the extdom plugin which then send this data to
SSSD running on FreeIPA clients.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
deny_size and allow_size were initialized in function
parse_policy_setting_value (output argument).
If function parse_policy_setting_value fails then output arguments
will not initialized and will be used uninitialized in debug macro.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
The variable value could be used uninitialized.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2340
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tivoli server does not return an empty response when being asked for the
rootDSE data but an error. In this case the rootDSE lookup in SSSD will
terminate the connection to the server and return a error. But since
errors except timeouts are ignored SSSD will try to continue with the
bind, but since the connection is already terminated this will fail as
well. And this will terminate the whole operation.
Make sure the connection is open before performing bind operation.
Resolves:
https://fedorahosted.org/sssd/ticket/2435
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Separate code for deciding tls usage from sdap_cli_connect_send() to new
function decide_tls_usage().
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sssd's configure.ac (abridged) contains these lines:
AC_INIT([sssd], ...)
m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
[AC_USE_SYSTEM_EXTENSIONS], [AC_GNU_SOURCE])
AC_CONFIG_AUX_DIR([build])
When turned into configure, this will be emitted:
ac_aux_dir=
for ac_dir in build "$srcdir"/build; do
if test -f "$ac_dir/install-sh"; then
ac_aux_dir=$ac_dir
ac_install_sh="$ac_aux_dir/install-sh -c"
break
However, with automake commit v1.14.1-36-g7bc5927, this will be emitted
instead:
ac_aux_dir=
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
if test -f "$ac_dir/install-sh"; then
ac_aux_dir=$ac_dir
ac_install_sh="$ac_aux_dir/install-sh -c"
break
As configure no longer looks into build/ for install-sh, running
./configure fails:
configure: error: cannot find install-sh, install.sh,
or shtool in "." "./.." "./../.."
I think the error is that someone placed AC_BUILD_AUX_DIR
too late. Move it upwards.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
The function talloc_ber_flatten can return EFAULT, ENOMEM, EOK.
But it was tested for -1.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
If function sdap_idmap_sid_to_unix return error code ENOTSUP
then error message will be printed: "Skipping buit-in object"
Processing of sids will continue an variable ret will be overridden with return
code from function sdap_idmap_sid_to_unix, therefore storing EOK to variable
is useless.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
dinfo->sysdb was stored to variable sysdb two times. The first time on line
132 and second time after testing for subdomain on line 143.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Unit testing the utilities to become another user requires the use of
the cwrap libraries. This patch augments our build system with macros to
detect the nss_wrapper and and uid_wrapper libraries.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
In order for several other SSSD processes to run as a non-root user, we
need to move the functions to become another user to a shared space in
our source tree.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a warning with some version of gcc (4.9.1, 4.4.7).
In my opinion, variable "a" should be initialized every time if
"maps" is not NULL.
src/providers/ldap/sdap.c: In function 'sdap_parse_entry':
src/providers/ldap/sdap.c:481:56: warning: 'a' may be used uninitialized in
this function [-Wmaybe-uninitialized]
for (ai = a; ai < attrs_num; ai++) {
^
src/providers/ldap/sdap.c:307:9: note: 'a' was declared here
int a, i, ret, ai;
^
CCLD libsss_ldap_common.la
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Just moves code around. There should be a way to use the server.c module
without linking the monitor code.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Name of subdomain users is stored with domain part in the sysdb.
We need to use fully qualified names for those user so we can
look them up.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All request from nss responder, start in domain log with debug message
in function be_get_account_info e.g.
[be_get_account_info] (0x0100): Got request for [4099][1][name=user1]
[be_get_account_info] (0x0100): Got request for [4098][1][name=group1]
[be_get_account_info] (0x0100): Got request for [4097][1][name=user1]
The 1st number is type, which is defined as hexadecimal nuber
in header file src/providers/data_provider.h
#define BE_REQ_USER 0x0001
#define BE_REQ_GROUP 0x0002
#define BE_REQ_INITGROUPS 0x0003
...
This patch changes formatting from decimal representation to hexadecimal;
so you needn't convert it in head while analysing log files.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
It was suggested by the Fedora automake maintainer to use the autoconf
macro $(MKDIR_P) instead of calling "mkdir -p" directly as the macro is
more portable and might actually expand to something else than "mkdir
-p" on some platforms (usually it would be a variant of install.sh)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The sysdb.c should be reserved for utility and setup functions. Search
functions belong to sysdb_search.c Keeping functions in specialized
modules helps to maintain nice dependencies and in overall makes unit
testing easier.
Moreover, the function was not unit tested, which needed fixing.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Several functions in the monitor.c file were not marked as static even
though they were only used inside monitor.c
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Talloc context was not used in functions ad_gpo_parse_gpo_child_response
ad_gpo_process_cse_recv, ad_gpo_store_policy_settings.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some internal gpo functions [1] were called just once and with constant
NDR_SCALARS as 2nd argument(ndr_flags), but 2nd argument was not used
in these functions[1]. They used constant NDR_SCALARS.
[1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type,
ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision,
ndr_pull_security_descriptor_revision, ndr_pull_security_descriptor_type
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the access providers, we expect to receive ERR_ACCESS_DENIED when
access is denied, but we were returning EACCES here. The effect was the
same, except that it presented ultimately as a system error instead of
a proper denial.
Related:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Preserve case of group members in getgrnam
when 'case_sensitive = preserving' is set.
Fixes:
https://fedorahosted.org/sssd/ticket/2453
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|