| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
| |
A recent fix enabled searching for groups by name in a case-insensitive
domain. This patch adds a unit test to check that behaviour.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently sysdb_search_group_by_name uses an optimization which might
fail in case-insensitive environments. The DN of the group object is
generated with the help of the given name. Since the DN is
case-sensitive a group lookup will fail if different cases are used.
sysdb_search_user_by_name already handles case-insensitive searches well
and sysdb_search_group_by_name should use the same scheme.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
In the uid=0 case (to obtain new free id) only uidNumber and gidNumber
attributes got written, but not the additonal provided attributes like
alias or others.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Preserve timestamps of mock configuration files when customizing them in
CI to avoid unnecessary cache rebuilds. This reduces CI run time.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
make needn't be installed by default.
$ contrib/ci/run
install-deps: success 00:16:43 ci-install-deps.log
autoreconf: success 00:00:12 ci-autoreconf.log
DEBUG BUILD: ci-build-debug
configure: success 00:00:13 ci-build-debug/ci-configure.log
make-tests: failure 00:00:01 ci-build-debug/ci-make-tests.log
FAILURE
$ cat ci-build-debug/ci-make-tests.log
Start: Mon Sep 8 09:31:43 CEST 2014
+ make-check-wrap -j 4 check -- true
/tmp/sssd/contrib/ci/make-check-wrap: line 52: make: command not found
End: Mon Sep 8 09:31:44 CEST 2014
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
Free sid retrieved with sss_nss_getsidbyname in test_getsidbyname.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Free malloc'd symlink paths in test_symlink and test_follow_symlink
tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Free compiled regular expressions after use in krb5_utils-tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Free hbac_info structs after use in ipa_hbac-tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
We loop over the array of returned controls and set 'ret' based on the
control value. In case multiple controls were returned, the 'ret'
variable might be clobbered with result of a string-to-int conversion.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we cannot know if a SID belongs to a user or a group a lookup
should only fail if the given name is in both the negative cache for the
users and the groups.
Currently if the SID for a group called 'abc' should be looked up and
the negative cache for the users contain an entry for 'abc' the request
fails.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In IPA we sometimes need to use posixGroup and
sometimes groupOfNames objectclass to query the
groups. This patch adds the possibility to specify
alternative objectclass in group maps. By
default it is only set for IPA.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
On failure, the subreq wasn't freed, which was not a big deal given the
parent request would free the subreq anyway, but it's better to follow
the usual pattern.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
| |
|
|
|
|
|
|
| |
Reported by Coverity
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2431
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
Interface did not change, only the code.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2421
In case we dereference an entry, for which we have /some/ permissions
for reading, but we only request attributes that we can't access, the
dereference control only returns the DN.
This is also the case with the current version of 389DS for cases where
no entries at all are readable. In this case, the server should not return
the DN at all, though. This DS bug was tracked as
https://fedorahosted.org/389/ticket/47885
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch suppresses the 'git diff' noise after
ifp_iface_generated.c is generated. It simply
changes the file to the same form it is being
automatically generated so that 'git diff' only
shows changes in the code and not the differently
generated ifp_iface_generated.c file.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When initgr is performed for AD supporting tokenGroups, do not skip
non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When initgr is performed for AD not supporting tokenGroups, do not
filter out groups without gid attribute or with gid equal to zero.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Do not expect objectClass to be posixGroup but rather more general
groupofnames.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
changes from previous patch:
* fixed idmapd.conf example (sss plugin name)
* squahsed the rpm spec into one commit
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=1088619
Before permitting user sessions sssd should be running. This also correctly
orders shutdown of sssd after the user sessions.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
It is not very likely that realloc will return NULL, but it's better
to be defensive.
src/python/pysss.c:774: var_assigned: Assigning: "groups" = null return value from "realloc".
src/python/pysss.c:788: dereference: Dereferencing a null pointer "groups".
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we query group from subdomain it can contain users from different domains.
All members from subdomain have fully qualified name, but member from main
domain aren't. In function fill_members, we extracted name and domain with
function fill_members. Later, we called function sss_fqname the first time
with queried group domain and the second time with parsed domain.
It caused following error in nss responder:
[fill_members] (0x0040): Failed to generate a fully qualified name for member
[user2_dom1@sssdad_tree.com] of group [group2_dom2@sssdad_tree.com]! Skipping
The test test_nss_getgrnam_mix_dom_fqdn passed, because name of main domain
and name of subdomain had the same length, Therefore there was not problem
in function fill_members with calling sss_fqname with different domains.
This patch also changes name of subdomain to prevent such problems in future.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was an access to uninitialised data in old version of libcheck
when tests were executed in fork mode.
==2842== Syscall param timer_create(evp) points to uninitialised byte(s)
==2842== at 0x977FE72: timer_create@@GLIBC_2.3.3 (timer_create.c:82)
==2842== by 0x4E3647B: srunner_run (in /usr/lib64/libcheck.so.0.0.0)
==2842== by 0x401616: main (refcount-tests.c:233)
==2842== Address 0xffefff460 is on thread 1's stack
This bug is already fixed in check-0.9.14, but we want to execute tests
with valgrind on older platforms. The refcount test had hardcoded
CK_FORK in source code and therefore it could not be overwritten with
environment variable, which we use in CI script.
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several requests (deref, ASQ and SD) were using the same tevent
callback. This worked fine for quite some time, because the callback
only used the tevent_req variables. However, a recent patch changed the
shared sdap_get_generic_done so that it also longer uses the 'state'
variable.
At that point, all requsts that re-used the sdap_get_generic_done
request started failing becaus the type of the state variable was
different.
This patch makes sure the callbacks only manipulate their own data
types.
Moreover, sdap_get_generic_ext_done() was renamed because it's not
really a tevent callback.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2358
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch amends previous patch 5153e8b9793dea1e212ca08af0f77ea1d023cbb7.
Macro SSS_LDB_SEARCH is used instead of using fuction sss_ldb_search as
a wrapper around ldb_search which could lead to premature expansion of
variadic parameters.
Part of solution for:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
It can be possible to build current master without samba
on rhel5, but the spec file would be very complicated.
It is better to simplify spec file.
Resolves:
https://fedorahosted.org/sssd/ticket/1974
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Add explicit dependency on libcmocka-devel when running on any Red Hat
distros, as it turns out it exists everywhere, if only in EPEL distros,
and even though the spec file doesn't require it.
This makes the contrib/ci/run consider cmocka present on all the
supported distros, so remove the corresponding condition as well.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch prevents problems with user authentication
if gpo is misconfigurated.
[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or
directory) [Internal Error (System error)]
[be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com]
[be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com]
Reviewed-by: Yassir Elley <yelley@redhat.com>
|
|
|
|
|
|
|
| |
Add libnfsidmap-dev to CI Debian dependency list. This fixes CI builds
on Debian.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The private headers are needed in order to:
nfsidmap_internal.h:
* definition of struct trans_func
* prototype for logger function
cfg.h + queue.h:
* prototype(s) for accessing rpc.idmpad configuration file
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|