| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2082
In order to allow the ad_access_filter option to work for subdomain
users as well, the Global Catalog must be searched. This patch adds a
wrapper request atop sdap_access_send that selects the right connection
(GC or LDAP) and optionally falls back to LDAP.
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.
|
|
|
|
|
|
|
| |
This patch just adds the option, it doesn't do anything useful yet.
Related:
https://fedorahosted.org/sssd/ticket/2082
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
When a subdomain user logs in, the username the account request receives
is a FQDN. This hackish patch parses the FQDN and only uses the name to
search the LDAP.
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
|
|
|
|
|
|
|
|
| |
This patch fixes few format string warnings in the file test_utils.c
src/tests/cmocka/test_utils.c:54:56:
warning: format specifies type 'unsigned int' but the
argument has type 'size_t' (aka 'unsigned long') [-Wformat]
|
|
|
|
|
| |
In case the entry was deleted from the server, the search didn't notice
and kept returning the cached data.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
AD provider went offline if the Global Catalog could not be connected although
there was also the LDAP port available. With this patch, AD provider will
fall back to the LDAP port before going offline.
New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx
If this flag is enabled function be_mark_offline will not be called.
Resolves:
https://fedorahosted.org/sssd/ticket/2104
|
|
|
|
|
|
|
| |
We had a hard coded value of Global Catalog port (3268).
Informations from SRV record was ignored.
This patch prefer port number from SRV record and hard coded value is used only
as a fall back if port number was not initialized.
|
|
|
|
|
|
|
|
|
|
| |
If the forest root of a trusted forest is managing POSIX IDs for its
users and groups the same is assumed for all member domains in the
forest which do not have explicitly have an idrange set.
To reflect this SSSD will create the matching ranges automatically.
Fixes https://fedorahosted.org/sssd/ticket/2101
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
| |
|
| |
|
|
|
|
|
| |
be_ptask_destroy was unreachable since sdom is not present
in the list of sdap domains any more.
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2123
Previously, the subdomains were always unbound even if the administrator
limited the ranges with min_id/max_id. This could have posed problems
when running programs that scan the whole ID space, such as "groupadd
-r".
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the beginning of a LDAP request we check if we are connecte and have
a valid sdap handle. But for some requests more than one LDAP operation,
typically a search, is needed. Due to the asynchronous handling of LDAP
request it might be possible that a second request might detect a server
error and close the connection while the first request just finished one
LDAP search and wants to start a new LDAP search.
This patch tries to make sure that there is a valid sdap handle before
sending a LDAP search to the server.
Fixes https://fedorahosted.org/sssd/ticket/2126
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2030
|
|
|
|
|
|
|
|
|
| |
Currently online callbacks are only executed if the backend was offline
before. This patch add a new class of callback which are always called
if the backend gets a request to go online.
They can be used e.g. to reset timeouts until a more sophisticated method
(OpenLMI, sssctl) is available.
|
| |
|
| |
|
|
|
|
|
| |
When running in IPA server mode, the IPA sites should be ignored and the
SSSD should only connect to the local server.
|
| |
|
|
|
|
|
|
| |
I find it more readable to include headers from outside the sssd tree
with <foo.h>, not "foo.h". The latter should be used for in-tree headers
only.
|
|
|
|
|
| |
Parameter mem_ctx was unused in static function
get_password_migration_flag_recv
|
|
|
|
|
|
|
| |
In function create_empty_cred, krb5_creds was aloocated using calloc,
but krb5_free_creds was used to remove this creds in done section.
Therefore clang static analyzer repoted this as warning:
Potential leak of memory pointed to by 'cred'
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
AD provider downloads domain information and initalizes ID mapping
during subdomains request. This information is necessary to lookup
objects without POSIX attributes.
We need to make sure that we postpone all responder requests until
ID mapping is initialized in the provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2092
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Added functions to check if given IP address is a special address
(broadcast, multicast...).
|
|
|
|
|
|
|
|
|
| |
Variable kr->creds is initialized in function krb5_get_init_creds_password.
It does not make sense to check kr->creds for null, because we have already
checked return value of function krb5_get_init_creds_password.
Resolves:
https://fedorahosted.org/sssd/ticket/2112
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we relied on the fact that external ID mapping is used as
default fallback in case of an error and did not properly add subdomains
with external ID mapping to the idmap library. If debugging is enabled
this leads to irritating debug messages for every user or group lookup.
With this patch this subdomains are added to the idmap library.
Fixes https://fedorahosted.org/sssd/ticket/2105
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If POSIX IDs are managed externally e.g. by AD it might be possible that
the IDs are centrally manages for the whole forest. Hence there might
not be a single ID range for each member domain in the forest but only a
single ID range for the whole forest. This means that we have to allow
collisions if ID ranges in this case.
Unit tests are added to make sure that the collisions are only allowed
for external mappings.
|
| |
|
| |
|
|
|
|
|
|
|
| |
If an expired AD user logs in, the SSSD receives
KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled
by the SSSD which resulted in System Error being returned to the PAM
stack.
|
|
|
|
|
| |
According to asprintf(3) the content off errmsg is undefined
on error, lets set it to NULL.
|
| |
|
|
|
|
|
|
|
|
| |
In some cases, local boolean variable "do_update" could be used
without proper initialisation.
Clang static analyser warning: "Assigned value is garbage or undefined"
It was not a big problem, because non-zero value for boolean variable mean
true.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1534
|
|
|
|
|
|
| |
The refsect id was copied from sssd.conf(5) and was wrong. Fixing the
refsect might help us if we ever generate other formats from XML and
certainly wouldn't hurt.
|
|
|
|
|
|
|
| |
Supporting the latest INI release brought an incompatible change. Lines
beginning with a whitespace were treated as continuation of the previous
line. This patch reverts to ignoring the whitespace as we did previously
so that the existing configurations keep working.
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2116
|
| |
|
|
|
|
|
|
| |
Many lines in debug_levels.xml violated our line-length conventsions.
This patch provides no functional changes, it simply brings those lines
into compliance.
|
|
|
|
|
|
|
| |
Originally, we planned to deprecate the decimal values for the debug
levels, but that has proven to be too difficult for most users to
understand. Instead, we will document both the simple decimal and
complex bitmask values and recommend the use of the decimal values.
|