Commit message | Author | Age | Files | Lines
...
* AD: Search GC by default during access control, fall back to LDAP | Jakub Hrozek | 2013-10-25 | 3 | -10/+163
  Resolves: https://fedorahosted.org/sssd/ticket/2082
  In order to allow the ad_access_filter option to work for subdomain users as well, the Global Catalog must be searched. This patch adds a wrapper request atop sdap_access_send that selects the right connection (GC or LDAP) and optionally falls back to LDAP.
* AD: Use the ad_access_filter if it's set | Jakub Hrozek | 2013-10-25 | 4 | -19/+49
  Related: https://fedorahosted.org/sssd/ticket/2082
  Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.
* AD: Add a new option ad_access_filter | Jakub Hrozek | 2013-10-25 | 4 | -0/+27
  This patch just adds the option, it doesn't do anything useful yet.
  Related: https://fedorahosted.org/sssd/ticket/2082
* LDAP: Parse FQDN into name/domain for subdomain users | Jakub Hrozek | 2013-10-25 | 1 | -1/+11
  Related: https://fedorahosted.org/sssd/ticket/2082
  When a subdomain user logs in, the username the account request receives is a FQDN. This hackish patch parses the FQDN and only uses the name to search the LDAP.
* LDAP: Amend sdap_access_check to allow any connection | Jakub Hrozek | 2013-10-25 | 5 | -26/+44
  Related: https://fedorahosted.org/sssd/ticket/2082
  Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* tests: Use right format string for type size_t | Lukas Slebodnik | 2013-10-25 | 1 | -3/+3
  This patch fixes a few format string warnings in the file test_utils.c
  src/tests/cmocka/test_utils.c:54:56: warning: format specifies type 'unsigned int' but the argument has type 'size_t' (aka 'unsigned long') [-Wformat]
* LDAP: Delete entry by SID if not found | Jakub Hrozek | 2013-10-25 | 1 | -3/+19
  In case the entry was deleted from the server, the search didn't notice and kept returning the cached data.
* SYSDB: Add sysdb_delete_by_sid | Jakub Hrozek | 2013-10-25 | 3 | -0/+65
* AD: fall back to LDAP if GC is not available. | Lukas Slebodnik | 2013-10-25 | 3 | -4/+24
  AD provider went offline if the Global Catalog could not be connected although there was also the LDAP port available. With this patch, AD provider will fall back to the LDAP port before going offline. New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx. If this flag is enabled function be_mark_offline will not be called.
  Resolves: https://fedorahosted.org/sssd/ticket/2104
* AD: Prefer GC port from SRV record | Lukas Slebodnik | 2013-10-25 | 1 | -2/+6
  We had a hard coded value of Global Catalog port (3268). Information from SRV record was ignored. This patch prefers port number from SRV record and hard coded value is used only as a fall back if port number was not initialized.
* IPA: add trusted domains with missing idrange | Sumit Bose | 2013-10-25 | 1 | -0/+137
  If the forest root of a trusted forest is managing POSIX IDs for its users and groups the same is assumed for all member domains in the forest which do not explicitly have an idrange set. To reflect this SSSD will create the matching ranges automatically.
  Fixes https://fedorahosted.org/sssd/ticket/2101
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argument | Sumit Bose | 2013-10-25 | 9 | -2/+24
  When libsss_idmap was only used to algorithmically map a SID to a POSIX ID a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if no specific information about the domain was found. This led to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* idmap: add sss_idmap_domain_by_name_has_algorithmic_mapping() | Sumit Bose | 2013-10-25 | 4 | -5/+115
* find_subdomain_by_sid: skip domains with missing domain_id | Sumit Bose | 2013-10-25 | 3 | -12/+251
* subdomains: first destroy ptask then remove sdom | Pavel Březina | 2013-10-24 | 1 | -3/+3
  be_ptask_destroy was unreachable since sdom is not present in the list of sdap domains any more.
* Inherit ID limits of parent domains if set | Jakub Hrozek | 2013-10-24 | 1 | -3/+5
  https://fedorahosted.org/sssd/ticket/2123
  Previously, the subdomains were always unbound even if the administrator limited the ranges with min_id/max_id. This could have posed problems when running programs that scan the whole ID space, such as "groupadd -r".
* sdap_get_generic_ext_send: check if we are still connected | Sumit Bose | 2013-10-22 | 1 | -0/+7
  At the beginning of a LDAP request we check if we are connected and have a valid sdap handle. But for some requests more than one LDAP operation, typically a search, is needed. Due to the asynchronous handling of LDAP request it might be possible that a second request might detect a server error and close the connection while the first request just finished one LDAP search and wants to start a new LDAP search. This patch tries to make sure that there is a valid sdap handle before sending a LDAP search to the server.
  Fixes https://fedorahosted.org/sssd/ticket/2126
* IPA: add callback to reset subdomain timeouts | Sumit Bose | 2013-10-22 | 1 | -0/+23
  Fixes https://fedorahosted.org/sssd/ticket/2030
* Add unconditional online callbacks | Sumit Bose | 2013-10-22 | 4 | -0/+39
  Currently online callbacks are only executed if the backend was offline before. This patch adds a new class of callbacks which are always called if the backend gets a request to go online. They can be used e.g. to reset timeouts until a more sophisticated method (OpenLMI, sssctl) is available.
* UTIL: Move sss_parse_name_for_domains declaration to util.h | Jakub Hrozek | 2013-10-22 | 2 | -5/+5
* Remove duplicate declaration | Jakub Hrozek | 2013-10-22 | 1 | -4/+0
* IPA: Do not enable IPA sites in server mode | Jakub Hrozek | 2013-10-22 | 1 | -17/+20
  When running in IPA server mode, the IPA sites should be ignored and the SSSD should only connect to the local server.
* Remove unused constants | Jakub Hrozek | 2013-10-22 | 1 | -3/+0
* Include external headers with #include <foo.h> | Jakub Hrozek | 2013-10-22 | 21 | -50/+66
  I find it more readable to include headers from outside the sssd tree with <foo.h>, not "foo.h". The latter should be used for in-tree headers only.
* IPA: Remove unused memory context. | Lukas Slebodnik | 2013-10-22 | 1 | -3/+1
  Parameter mem_ctx was unused in static function get_password_migration_flag_recv
* krb5: Use right function to free data. | Lukas Slebodnik | 2013-10-22 | 1 | -1/+2
  In function create_empty_cred, krb5_creds was allocated using calloc, but krb5_free_creds was used to remove this creds in done section. Therefore clang static analyzer reported this as warning: Potential leak of memory pointed to by 'cred'
* PROXY: Fix memory hierarchy when enumerating services | Jakub Hrozek | 2013-10-21 | 1 | -1/+7
* nss: wait for initial subdomains request to finish | Pavel Březina | 2013-10-17 | 1 | -0/+14
  AD provider downloads domain information and initializes ID mapping during subdomains request. This information is necessary to lookup objects without POSIX attributes. We need to make sure that we postpone all responder requests until ID mapping is initialized in the provider.
  Resolves: https://fedorahosted.org/sssd/ticket/2092
* tests: Silence alignment warning in tests. | Michal Zidek | 2013-10-17 | 1 | -5/+9
* sdap_async_sudo_hostinfo.c: Use check_ipvX_addr | Michal Zidek | 2013-10-17 | 1 | -38/+24
* dyndns: Use check_ipvX_addr functions | Michal Zidek | 2013-10-17 | 1 | -45/+6
* util: Add functions to check if IP address is special | Michal Zidek | 2013-10-17 | 3 | -0/+194
  Added functions to check if given IP address is a special address (broadcast, multicast...).
* krb5: Remove warning dereference of a null pointer | Lukas Slebodnik | 2013-10-17 | 1 | -4/+2
  Variable kr->creds is initialized in function krb5_get_init_creds_password. It does not make sense to check kr->creds for null, because we have already checked return value of function krb5_get_init_creds_password.
  Resolves: https://fedorahosted.org/sssd/ticket/2112
* sdap_idmap: properly handle ranges for external mappings | Sumit Bose | 2013-10-17 | 1 | -24/+44
  Currently we relied on the fact that external ID mapping is used as default fallback in case of an error and did not properly add subdomains with external ID mapping to the idmap library. If debugging is enabled this leads to irritating debug messages for every user or group lookup. With this patch these subdomains are added to the idmap library.
  Fixes https://fedorahosted.org/sssd/ticket/2105
* sdap_idmap: add sdap_idmap_get_configured_external_range() | Sumit Bose | 2013-10-17 | 1 | -13/+36
* idmap: allow ranges with external mapping to overlap | Sumit Bose | 2013-10-17 | 2 | -5/+71
  If POSIX IDs are managed externally e.g. by AD it might be possible that the IDs are centrally managed for the whole forest. Hence there might not be a single ID range for each member domain in the forest but only a single ID range for the whole forest. This means that we have to allow collisions of ID ranges in this case. Unit tests are added to make sure that the collisions are only allowed for external mappings.
* idmap: fix a memory leak if a collision is detected | Sumit Bose | 2013-10-17 | 1 | -6/+7
* idmap: add internal function to free a domain struct | Sumit Bose | 2013-10-17 | 1 | -4/+15
* KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user | Jakub Hrozek | 2013-10-17 | 2 | -0/+9
  If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.
* dlopen-tests: Check the result of asprintf | Benjamin Franzke | 2013-10-17 | 1 | -1/+2
  According to asprintf(3) the content of errmsg is undefined on error, let's set it to NULL.
* IPA server mode: properly initialize ext_groups | Sumit Bose | 2013-10-16 | 1 | -1/+2
* LDAP: Set default value for dyndns update to false | Lukas Slebodnik | 2013-10-15 | 1 | -1/+1
  In some cases, local boolean variable "do_update" could be used without proper initialisation.
  Clang static analyser warning: "Assigned value is garbage or undefined"
  It was not a big problem, because non-zero value for boolean variable means true.
* Spec file changes for cifs-utils plugin | Sumit Bose | 2013-10-15 | 1 | -0/+25
* Add CIFS idmap plugin | Benjamin Franzke | 2013-10-15 | 6 | -0/+396
  https://fedorahosted.org/sssd/ticket/1534
* MAN: Fix refsect-id | Jakub Hrozek | 2013-10-11 | 5 | -5/+5
  The refsect id was copied from sssd.conf(5) and was wrong. Fixing the refsect might help us if we ever generate other formats from XML and certainly wouldn't hurt.
* INI: Disable line-wrapping functionality | Jakub Hrozek | 2013-10-11 | 1 | -1/+1
  Supporting the latest INI release brought an incompatible change. Lines beginning with a whitespace were treated as continuation of the previous line. This patch reverts to ignoring the whitespace as we did previously so that the existing configurations keep working.
* LDAP: handle SID requests if noexist_delete is set | Sumit Bose | 2013-10-10 | 1 | -0/+10
  Fixes https://fedorahosted.org/sssd/ticket/2116
* krb5: fix warning may be used uninitialized | Lukas Slebodnik | 2013-10-10 | 1 | -0/+1
* MAN: Reflow debug_levels.xml | Stephen Gallagher | 2013-10-07 | 1 | -13/+20
  Many lines in debug_levels.xml violated our line-length conventions. This patch provides no functional changes, it simply brings those lines into compliance.
* MAN: Clarify debug level documentation | Stephen Gallagher | 2013-10-07 | 1 | -6/+20
  Originally, we planned to deprecate the decimal values for the debug levels, but that has proven to be too difficult for most users to understand. Instead, we will document both the simple decimal and complex bitmask values and recommend the use of the decimal values.