summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add domain option to sysdb_get/netgr/attrs() fnsSimo Sorce2013-01-154-7/+11
|
* Pass domain to sysdb_enum<pw/gr>ebt() functionsSimo Sorce2013-01-154-7/+13
|
* Pass domain to sysdb_get<pwu/grg><id() functionsSimo Sorce2013-01-155-8/+14
|
* Pass domain to sysdb_get<pw/gr>nam() functionsSimo Sorce2013-01-1511-85/+78
| | | | | | Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.
* Upgrade DB and move ranges into top level objectSimo Sorce2013-01-153-1/+124
|
* Move range objects into their own top-level tree.Simo Sorce2013-01-152-10/+6
| | | | | | | | | | | Storing ranges for multiple domains under any specific domain is somewhat aritrary and unnecessary. Put ranges under cn=ranges,cn=sysdb, without involving any specific domain subtree. This allows us to avoid using sysdb->domain in ranges functions. Also storing other subdomains data under the parent domain tree felt wrong, all other domain specific data is under their own subtree. Moving this data in its own place seems a better solution.
* Make sysdb_custom_subtree_dn() require a domain.Simo Sorce2013-01-158-12/+19
|
* Make sysdb_custom_dn() require a domain.Simo Sorce2013-01-156-10/+20
|
* Make sysdb_domain_dn() require a domain.Simo Sorce2013-01-156-7/+10
|
* Make sysdb_netgroup_base_dn() require a domain.Simo Sorce2013-01-153-5/+9
|
* Make sysdb_netgroup_dn() require a domain explictly.Simo Sorce2013-01-154-9/+11
|
* Make sysdb_group_dn() require a domain explictly.Simo Sorce2013-01-156-18/+20
|
* Make sysdb_user_dn() require a domain explictly.Simo Sorce2013-01-156-15/+17
|
* Remove the sysdb_ctx_get_domain() function.Simo Sorce2013-01-155-19/+16
| | | | | We are deprecating sysdb->domain so kill the function that gives access to this member as we should stop relying on it being available (or correct).
* Refactor single domain initializationSimo Sorce2013-01-1512-60/+60
| | | | | Bring it out of sysdb, which will slowly remove internal dependencies on domains and instead will always require them to be passed by callers.
* Refactor sysdb initializationSimo Sorce2013-01-156-170/+25
| | | | | | | | | | | | Change the way sysdbs are initialized. Make callers responsible for providing the list of domains. Remove the returned array of sysdb contexts, it was used only by sss_cache and not really necessary there either as that tool can easily iterate the domains. Make sysdb ctx children of their respective domains. Neither sysdb context nor domains are ever freed until a program is done so there shouldn't be any memory hierarchy issue. As plus we simplify the code by removing a destructor and a setter function.
* The Big sysdb/domain split-up!Simo Sorce2013-01-151-1/+1
| | | | | | | This commit is the first of a complex work of untangling domain and sysdb. It turns out the idea of keeping a reference to the domain within the sysdb was a poor one so we need to split the domain out and change all functions that needs one to get it explicitly from their callers.
* Use new sysdb_search_service() in sss_cacheSimo Sorce2013-01-141-35/+4
| | | | Also fixes https://fedorahosted.org/sssd/ticket/1754
* let ldap_backup_chpass_uri workPavel Březina2013-01-141-2/+4
| | | | https://fedorahosted.org/sssd/ticket/1760
* Fix LDAP authentication - invalid password lengthPavel Březina2013-01-141-1/+1
| | | | | | sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.
* Change pam data auth tokens.Simo Sorce2013-01-1021-473/+533
| | | | Use the new authtok abstraction and interfaces throught the code.
* Add authtok utility functions.Simo Sorce2013-01-103-0/+384
| | | | | | These functions allow handling of auth tokens in a completely opaque way, with clear semantics and accessor fucntions that guarantee consistency, proper access to data and error conditions.
* Add function to safely wipe memory.Simo Sorce2013-01-102-0/+18
| | | | | This is useful for wiping passwords, as it prevents the compiler from optimizing out a memset to zero before a free()
* Code can only check for cached passwordsSimo Sorce2013-01-105-36/+45
| | | | | Make it clear to the API users that we can not take arbitrary auth tokens. We can only take a password for now so simplify and clarify the interface.
* Fix sdap reinit.Simo Sorce2013-01-101-82/+89
| | | | | | | | | | | | | | | | This set of functions had a few important issues: 1. the base_dn was always NULL, as the base array was never actually used to construct any DN. This means each function searched the whole database multiple times. It would try to remove SYSDB_USN from all database entries 3 times. Then it would try to find non updated entries another 3 times and delete them, arguably find empty results the last 2 times. 2. Remove use of sysdb_private.h, that header is *PRIVATE* which means it should not be used anywhere but within sysdb. Do this by using existing functions instead of using ldb calls directly. This is important to keep sysdb as conistent and self-contained as possible.
* Use sysdb_search_service() for all svc queriesSimo Sorce2013-01-102-78/+56
|
* Add sysdb_search_service() helper functionSimo Sorce2013-01-102-0/+63
|
* AD: Add user as a direct member of his primary groupJakub Hrozek2013-01-091-8/+109
| | | | | | | | | | | | In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. The downside of this approach is that the user is returned as a group member during getgrgid call as well.
* AD: replace GID/UID, do not add another oneJakub Hrozek2013-01-094-7/+41
| | | | | | | The code would call sysdb_attrs_add_uint32 which added another UID or GID to the ID=0 we already downloaded from LDAP (0 is the default value) when ID-mapping an entry. This led to funky behaviour later on when we wanted to process the ID.
* Revert "Add a default section to a switch-statement"Simo Sorce2013-01-091-12/+8
| | | | | | | This reverts commit d698499602461b98fd56f2d550f80c6cb25f12a9. And adds the correct fix. Also makes the function static,as it is used nowehere else.
* Add a default section to a switch-statementSumit Bose2013-01-091-0/+3
| | | | | Besides adding the missing default this patch suppresses a compiler warning about ret being uninitialized.
* Remove dead netgroup functionsSimo Sorce2013-01-083-419/+0
|
* Remove unhelpful vtable from sss_cacheSimo Sorce2013-01-081-24/+30
| | | | | | | | | Using a vtable like this has various drawacks, including the fact prototypes are not checked by the compiler so the code could silently break and still compile fine (in fact I found this out changing one of the prototypes). A switch statement is also better because it catches if the enum changed and won't risk allowing to access the table out of bounds.
* IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAPJakub Hrozek2013-01-083-4/+6
| | | | It is not a map, but a default context. The name should reflect that.
* SELINUX: Process maps even when offlineJakub Hrozek2013-01-081-226/+429
| | | | | Changes the ipa_get_selinux{send,recv} request so that it only delivers data and moves processing to the IPA selinux handler.
* SYSDB: Split a function to read all SELinux mapsJakub Hrozek2013-01-082-23/+49
|
* SYSDB: Remove duplicate selinux definesJakub Hrozek2013-01-083-5/+2
|
* Refactor gid handling in the PAC responderSumit Bose2013-01-084-105/+238
| | | | | | Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain an store it with a pointer to the domain.
* PAC responder: check if existing user differsSumit Bose2013-01-083-13/+64
| | | | | | If some of the Posix attributes of an user existing in the cache differ from the data given in the current PAC the old user entry is drop and a new one is created with the data from the PAC.
* Add tests for get_gids_from_pac()Sumit Bose2013-01-082-0/+257
|
* Use hash table to collect GIDs from PAC to avoid dupsSumit Bose2013-01-081-18/+86
| | | | | | | To avoid duplicated entries in the group list all gids are added to a hash table first. Fixes: https://fedorahosted.org/sssd/ticket/1672
* Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXISTSumit Bose2013-01-081-0/+1
| | | | | | | | Currently only the LDB error code indicating that an entry already exists is translated to EEXIST. To make debugging easier and return a better indication of the reason for an error in the logs this patch translates the LDB error code for an already existing attribute or value to EEXIST as well.
* Read remote groups from PACSumit Bose2013-01-081-3/+52
| | | | | | | Read the group membership of the remote domain the user belongs to from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
* Remote groups do not have an original DN attributeSumit Bose2013-01-081-40/+34
| | | | | | | Groups from subdomains will not have an attribute holding the original DN because in general it will not be available. This attribute is only used by IPA HABC to improve performance and remote groups cannot be used for access control.
* Save domain and GID for groups from the configured domainSumit Bose2013-01-083-17/+47
| | | | | | | | | | Currently users from subdomains can only be members of groups from the configured domain and to access those groups a pointer to the domain struct of the configured domain is used. This patch sets the dom_grp member of struct pac_grp to point to the domain struct of the configured for groups from this domain. This is a first step to allow group membership for groups from subdomains as well. For those groups a pointer to the related subdomain structure will be saved.
* Always get user data from PACSumit Bose2013-01-081-7/+7
| | | | | | | Currently some user specific data from the PAC is only read when the user is not already in the cache. Since some of this information is needed later on, e.g. the domain SID the user belongs to, with this patch the data is read always from the PAC.
* Update domain ID for local domain as wellSumit Bose2013-01-081-2/+14
| | | | | | | Currently only the flat name of the configured domain is updated if it is not already set. This patch updates the domain ID as well. This is typically the case when trust support is enabled on the server side while sssd is running.
* IDMAP: add sss_idmap_smb_sid_to_unix()Sumit Bose2013-01-082-0/+39
| | | | | To avoid a conversion on the caller side a new call is added to libsss_idmap which converts a Samba dom_sid structure to a Posix ID.
* Add find_domain_by_id()Sumit Bose2013-01-083-0/+91
| | | | | | | Currently domains can only be searched by name in the global domain list. To make it easier to find the domain for a given SID find_domain_by_id() which returns a pointer to the domain or subdomain entry in the global domain list if a matching id was found.
* Use struct pac_grp instead of gid_t for groups from PACSumit Bose2013-01-084-26/+36
| | | | | To be able to handle groupmemberships from other domains more data than just the gid must be kept for groups given in the PAC.