Commit message | Author | Age | Files | Lines

* sudo: sanitize filter values | tag: rhel-6.8 | Pavel Březina | 2015-08-31 | 1 file | -2/+13

    Resolves:
    https://fedorahosted.org/sssd/ticket/2613

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit c526cd124515cc2d44a413dcbfd4a74ddb490150)

* SDAP: Remove user from cache for missing user in LDAP | tag: rhel-6.7 | Lukas Slebodnik | 2015-06-22 | 1 file | -21/+26

    Function sysdb_get_real_name overrode the code returned from LDAP and thus
    the user was not removed from the cache after removing it from LDAP.

    This patch also does not try to set the initgroups flag if the user does
    not exist. It reduces some error messages.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2681

    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit 9fc96a4a2b07b92585b02dba161ab1eb2dbdad98)

* subdomains: Inherit cleanup period and tokengroup settings from parent domain | Jakub Hrozek | 2015-06-08 | 6 files | -0/+239

    Allows the administrator to extend the functionality of
    ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups
    to the subdomains.

    This is a less intrusive way of achieving:
    https://fedorahosted.org/sssd/ticket/2627

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit 9b162bf39ef75629f54ffa1d0bd5f9c13119b650)
    (cherry picked from commit 602eb710c62c192060debad3062f13677ec3b105)

* UTIL: Inherit ignore_group_members | Jakub Hrozek | 2015-06-08 | 2 files | -0/+13

    Resolves:
    https://fedorahosted.org/sssd/ticket/2644

    Allows the administrators to extend ignore_group_members to subdomains
    as well by setting:

        subdomain_inherit = ignore_group_members

    in the domain section.

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44)
    (cherry picked from commit 27d8524cf635d61d93c71539709a30e1205dcaf1)

* SDAP: Add sdap_copy_map_entry | Jakub Hrozek | 2015-06-08 | 3 files | -0/+104

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit 12089241f6a6eabf4f0c95669e5fc2bb3b503c06)
    (cherry picked from commit 155e6c7223b732bfcb2984aa79462f60c092bba8)

* DP: Add a function to inherit DP options, if set | Jakub Hrozek | 2015-06-08 | 3 files | -8/+181

    Related to:
    https://fedorahosted.org/sssd/ticket/2644

    Adds a utility function that checks if a DP option is present in the
    subdomain_inherit list. If it is, then the option is set from source
    to destination dp_option array.

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit b3d110fbc424a03674a6e50e489a7cbab9702f0b)
    (cherry picked from commit 37a84884634e6e969c3617dac7fa1e463f42177b)

* confdb: Add new option subdomain_inherit | Jakub Hrozek | 2015-06-08 | 6 files | -3/+40

    Adds a new option subdomain_inherit that would allow administrators to
    pick and choose which option to pass to subdomains.

    This option is required for:
    https://fedorahosted.org/sssd/ticket/2644
    as a short-term fix. The proper solution is described in:
    https://fedorahosted.org/sssd/ticket/2599

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit 1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8)
    (cherry picked from commit da2d33f81746a9bf8abd97becaf17005e4f89d2c)

* ldap: use proper sysdb name in groups_by_user_done() | Sumit Bose | 2015-06-03 | 1 file | -3/+12

    In a recent change set_initgroups_expire_attribute() was added to
    groups_by_user_done() to make sure that the initgroups timeout is only
    added to the user object until all groups are added to the cache.

    This change (and the original code in groups_by_user_done() as well)
    didn't take sub-domain users into account where the name in sysdb might
    differ from the original request and the domain is not the configured
    domain.

    This patch tries to ensure that the right name and domain are used.

    https://fedorahosted.org/sssd/ticket/2663

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    (cherry picked from commit d0b7e5fcfca7d0db9e3d19be7b51f34d03d3d720)

* Skip enumeration requests in IPA and AD providers as well | Jakub Hrozek | 2015-06-02 | 4 files | -29/+32

    Checking the enum request in the underlying LDAP provider to skip it
    might be too late as the richer IPA or AD providers depend on having a
    useful result when the sdap request finishes.

    Move the enumeration check earlier instead and allow directly in the IPA
    or AD handler.

    Related:
    https://fedorahosted.org/sssd/ticket/2659

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 40bc389bc79bc41429b5a92d5ce75955f8eefaf5)

* DP: Set extra_value to NULL for enum requests | Jakub Hrozek | 2015-06-02 | 1 file | -1/+2

    Some providers, notably IPA, rely on extra_value to be either a useful
    value or NULL. In enumeration, however, extra_value was random.

    Set the extra_value pointer explicitly to NULL to make it clear that
    it's not used for enumeration and also use talloc_zero as future-proof.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2659

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit d9296ba018228ac6a19f710b8bb9044c4ea9ab5b)

* Download complete groups if ignore_group_members is set with tokengroups | Jakub Hrozek | 2015-05-31 | 1 file | -2/+15

    Resolves:
    https://fedorahosted.org/sssd/ticket/2644

    When tokenGroups are enabled, we save groups using their SID as the RDN
    attribute during initgroups() and later, if the group is requested and
    saved again with the full name, remove the original and save the new
    group entry.

    Saving the new group entry would break if ignore_group_members is also
    set, because the new group entry would lack the "member" attribute, so
    the member/memberof links between the new group and the user entry
    wouldn't be established again.

    This patch changes the initgroups processing so that the full group
    object is fetched when initgroups is enabled but together with
    ignore_group_members. This solution imposes some performance impact,
    because instead of one search for tokenGroups we also need to resolve
    the groups. The more systematic solution would be to get rid of
    removing the group entry as described in
    https://fedorahosted.org/sssd/ticket/2656

    To reproduce the bug, set:

        ignore_group_members = True

    with a backend that uses:

        id_provider = ad

    Then run:

        $ id aduser@ad_domain.com
        $ id aduser@ad_domain.com

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit ee44aac95e42c3cb634876286a2aa4960ac69a2b)

* MAN: refresh_expired_interval also supports users and groups | Jakub Hrozek | 2015-05-31 | 1 file | -2/+2

    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit 5c2f80ef0b6ace6b331bcf99e5e5c7d73cfb92c6)

* SDAP: Remove unnecessary argument from sdap_save_user | Lukas Slebodnik | 2015-05-25 | 4 files | -6/+3

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit dca741129d221558a4325479aefc617240f1ab08)
    (cherry picked from commit cd4e7846b8b1695956977e19a478198595946c4c)

* SDAP: Set initgroups expire attribute at the end | Lukas Slebodnik | 2015-05-25 | 2 files | -9/+42

    Initgroups consisted of two main steps:
      1. store user to cache
      2. store all user groups to cache.

    Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
    So in case of empty cache and parallel initgroups request in responders
    there was a small period when SYSDB_INITGR_EXPIRE was valid but groups
    were not cached. Therefore sometimes responder could return zero
    supplementary groups.

    This patch moves the setting of initgroups expire attribute from 1st
    step to the end of 2nd step.

    In case of parallel initgroups requests in responder there are two
    other ways how we could get correct results even though there was a bug.
      a) Time between two requests was too small. User was not stored in
         cache yet and 2nd request waited for response from DP.
      b) Time between two requests was big enough. All users groups were
         successfully stored in cache and 2nd request returned correct
         results.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2634

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit d0cc678d20d8bde829450eb50bec1b7397cea3e1)
    (cherry picked from commit 9ae6567a573c05ba59d1138cfda94b44732019e8)

* nss: Do not ignore default value of SYSDB_INITGR_EXPIRE | Lukas Slebodnik | 2015-05-25 | 2 files | -3/+102

    When SYSDB_INITGR_EXPIRE had default value (0) then value of
    SYSDB_CACHE_EXPIRE was used as initgroups expire attribute.
    The right approach is already used in responder_cache_req.c

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit fd60528321fd52720222ec35b895ade54cccb48d)
    (cherry picked from commit 521eb7ca65040c009bc4885ba8d6c8ad257bc0f1)

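The two commits above ("Set initgroups expire attribute at the end" and "Do not ignore default value of SYSDB_INITGR_EXPIRE") describe the same cache-consistency problem from the writer's and the reader's side. The following is an added example, not SSSD's sysdb or responder code: a toy in-memory model in which the data provider writes a user in two steps and a responder answers initgroups from the cache. It shows that publishing the "group list is fresh" marker before the groups are written lets a concurrent request be served an empty membership list, and that a marker value of 0 must mean "never set" rather than fall back to the general object expiry. The struct layout, the function names and the sample group names are invented for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

#define MAX_GROUPS 8

/* Invented cached user object. Expiry fields are absolute times; 0 = not set. */
struct user_entry {
    bool        present;
    time_t      cache_expire;   /* lifetime of the user object itself */
    time_t      initgr_expire;  /* lifetime of the membership list    */
    size_t      ngroups;
    const char *groups[MAX_GROUPS];
};

/* What the responder answered to one initgroups request. */
struct initgr_answer {
    bool   from_cache;  /* true: served from cache; false: sent to the DP */
    size_t ngroups;
};

/* Buggy responder: treats initgr_expire == 0 as "fall back to cache_expire". */
struct initgr_answer responder_buggy(const struct user_entry *u, time_t now)
{
    struct initgr_answer a = { false, 0 };
    time_t exp = u->initgr_expire ? u->initgr_expire : u->cache_expire;
    if (u->present && exp > now) {
        a.from_cache = true;
        a.ngroups = u->ngroups;
    }
    return a;
}

/* Fixed responder: an unset (0) initgr_expire is never considered fresh. */
struct initgr_answer responder_fixed(const struct user_entry *u, time_t now)
{
    struct initgr_answer a = { false, 0 };
    if (u->present && u->initgr_expire != 0 && u->initgr_expire > now) {
        a.from_cache = true;
        a.ngroups = u->ngroups;
    }
    return a;
}

/* Data provider, step 1: store the user object. */
static void dp_store_user(struct user_entry *u, time_t now, time_t ttl)
{
    memset(u, 0, sizeof(*u));
    u->present = true;
    u->cache_expire = now + ttl;
}

/* Data provider, step 2: store the user's groups. */
static void dp_store_groups(struct user_entry *u, const char **groups, size_t n)
{
    for (size_t i = 0; i < n && i < MAX_GROUPS; i++)
        u->groups[u->ngroups++] = groups[i];
}

/* Constructed sample membership. */
static const char *SAMPLE_GROUPS[] = { "wheel", "developers", "vpn" };
#define NSAMPLE (sizeof(SAMPLE_GROUPS) / sizeof(SAMPLE_GROUPS[0]))

/* Interleaving: the DP stores the user, a parallel responder request is
 * answered, then the DP stores the groups. With marker_first the expiry
 * marker is published right after the user (old ordering); otherwise it
 * is published after the groups (fixed ordering). Returns what the
 * parallel request observed. */
struct initgr_answer parallel_request(time_t now, time_t ttl, bool marker_first)
{
    struct user_entry u;
    dp_store_user(&u, now, ttl);
    if (marker_first) u.initgr_expire = now + ttl;        /* published too early */
    struct initgr_answer seen = responder_fixed(&u, now);  /* parallel request    */
    dp_store_groups(&u, SAMPLE_GROUPS, NSAMPLE);
    if (!marker_first) u.initgr_expire = now + ttl;       /* published last      */
    return seen;
}

/* Once the fixed ordering has completed, a later request gets every group. */
struct initgr_answer settled_new_ordering(time_t now, time_t ttl)
{
    struct user_entry u;
    dp_store_user(&u, now, ttl);
    dp_store_groups(&u, SAMPLE_GROUPS, NSAMPLE);
    u.initgr_expire = now + ttl;
    return responder_fixed(&u, now + 1);
}

/* Second bug on its own: user cached, groups never fetched, marker still 0.
 * The buggy responder falls back to cache_expire and answers "no groups"
 * from cache; the fixed one sends the request to the data provider. */
struct initgr_answer unset_marker(time_t now, time_t ttl, bool fixed)
{
    struct user_entry u;
    dp_store_user(&u, now, ttl);
    return fixed ? responder_fixed(&u, now) : responder_buggy(&u, now);
}
```

The general rule the example illustrates is that a validity marker for a multi-step write must be the last thing written, and that "absent" must be distinguishable from "valid" on the reader's side; note that even the fixed responder is fooled in `parallel_request(..., true)`, because the ordering bug lives in the writer.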
* test_nss_srv: Use right function for storing time_t | Lukas Slebodnik | 2015-05-25 | 1 file | -4/+4

    The size of time_t can be 8 bytes on some platforms.
    It is because of year 2038 problem.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit 390de028b3130ae564059101c662fe74e0e85a45)
    (cherry picked from commit 21431d90b19068e86b2b8550667cb80c6475e27b)

* Add unit tests for initgroups | Jakub Hrozek | 2015-05-25 | 1 file | -0/+346

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit aa648535f445e7a95bf6dedc7c43bb5f94ab7354)
    (cherry picked from commit c3d7e06590b0755902c544897fab0951aba923e5)

* tests: Add a getpwnam-by-UPN test | Jakub Hrozek | 2015-05-25 | 1 file | -0/+97

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit 84a4c4fcc93b3dcc70604817a05f7943606ff596)
    (cherry picked from commit 17f2f1caa26b1bdb213e166bcd77d2f237965d56)

* tests: ncache_hit must be an int to test UPNs | Jakub Hrozek | 2015-05-25 | 1 file | -9/+9

    In order to detect faulty cases where negcache would be checked twice,
    we need to convert the ncache_hit to integer and check exact amounts of
    hits.

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit 9cc2223e0bc0478c1b47a47fd71bba7e7129492d)
    (cherry picked from commit eb6be4e9c1bafcf86822f9300d4c79f9299e015a)

* negcache: Soften condition for expired entries | Lukas Slebodnik | 2015-05-25 | 1 file | -1/+1

    Type of timestamp for entries in negative cache is time_t which is
    number of *seconds* that have elapsed since 1 January 1970.

    The condition for ttl was too strict so entry could be valid from
    "ttl-1" to ttl e.g.
      * ttl is 1 second
      * entry was stored to negative cache at 1432120871.999639
        stored_timestamp = 1432120871
      * entry was tested few milliseconds later 1432120872.001293
        current_time = 1432120872

    Entry was marked as expired because result of condition was false
        stored_timestamp + ttl < current_time
        1432120871 + 1 < 1432120872

    This is a reason why ./test-negcache sometimes fails. It's quite easily
    reproducible on slow machine or when valgrind was used.

        sh$ while libtool --mode=execute valgrind ./test-negcache ; do echo OK; done

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit 75e4a7753c44e9f2a7a65fad77d95e394f81c125)
    (cherry picked from commit be4569c92c2de86a71232e3f4b94caa1b13281e4)

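The commit above is a textbook case of second-granularity timestamps overstating elapsed time. The following is an added example, not SSSD's negcache.c: it reconstructs the commit's own numbers in nanoseconds, shows that about 1.6 ms of real time becomes a full second once both ends are truncated to time_t, and contrasts a strict check (`stored + ttl > now`) with the softened one (`stored + ttl >= now`). The function names and the strict/soft formulation are mine; the commit message only says the condition was too strict and that the fix softened it.

```c
/* Added example (not SSSD code): truncation to whole seconds and the
 * TTL comparison that is safe in its presence. */
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000LL

/* What time(2) would report for a nanosecond wall-clock value. */
static time_t to_time_t(int64_t wall_ns)
{
    return (time_t)(wall_ns / NSEC_PER_SEC);
}

/* Strict form: valid only while stored + ttl > now. Since "now" can be a
 * whole second past "stored" after only a few milliseconds of real time,
 * an entry can expire after less than ttl real seconds. */
bool ncache_valid_strict(time_t stored, time_t ttl, time_t now)
{
    return stored + ttl > now;
}

/* Softened form: valid while stored + ttl >= now. The entry is never
 * dropped before ttl real seconds have elapsed; in exchange it may
 * survive up to just under one extra second. */
bool ncache_valid_soft(time_t stored, time_t ttl, time_t now)
{
    return stored + ttl >= now;
}

/* Constructed wall-clock values taken from the commit message. */
static const int64_t STORED_NS  = 1432120871LL * NSEC_PER_SEC + 999639000LL;
static const int64_t CHECKED_NS = 1432120872LL * NSEC_PER_SEC +   1293000LL;

/* Real time between store and check, in microseconds (1654, i.e. ~1.6 ms). */
int64_t real_elapsed_us(void)
{
    return (CHECKED_NS - STORED_NS) / 1000LL;
}

/* The same interval as second-granularity code sees it (1 whole second). */
time_t truncated_elapsed_s(void)
{
    return to_time_t(CHECKED_NS) - to_time_t(STORED_NS);
}

/* The failing scenario: ttl 1 s, checked ~1.6 ms after storing. */
bool commit_case_strict(void)
{
    return ncache_valid_strict(to_time_t(STORED_NS), 1, to_time_t(CHECKED_NS));
}

bool commit_case_soft(void)
{
    return ncache_valid_soft(to_time_t(STORED_NS), 1, to_time_t(CHECKED_NS));
}

/* Upper bound of the softened form: still valid at stored + ttl,
 * gone at stored + ttl + 1. */
bool soft_expires_after_ttl_plus_one(time_t stored, time_t ttl)
{
    return ncache_valid_soft(stored, ttl, stored + ttl)
        && !ncache_valid_soft(stored, ttl, stored + ttl + 1);
}
```

The practical reading for a negative cache is that the softened form errs on the side of keeping a "does not exist" answer slightly longer, never on the side of dropping it early; if sub-second precision mattered, the stored timestamp would have to carry it (for example via clock_gettime) rather than rely on the comparison.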
* SDAP: Fix id mapping with disabled subdomains | Lukas Slebodnik | 2015-05-25 | 1 file | -0/+7

    If subdomains are disabled "subdomain_provider = none" then
    auto-discovery of domain SID is disabled. It is possible to configure
    options ldap_idmap_default_domain{,_sid} and id mapping should work.

    However value of option ldap_idmap_default_domain_sid was not assigned
    to sss_domain_info for main domain. It was only used for initialisation
    of sdap_idmap_ctx. As a result of this bug posix attributes were used
    in ldap filter and id mapping worked just for users with posix
    attributes.

        [be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
        [be_req_set_domain] (0x0400): Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
        [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
        [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
        [sdap_search_user_next_base] (0x0400): Searching for users with base [DC=EXAMPLE,DC=TEST]
        [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=hdpadmin)(objectclass=user) (sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))] [DC=EXAMPLE,DC=TEST].
        [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
        [sdap_get_users_done] (0x0040): Failed to retrieve users

    Resolves:
    https://fedorahosted.org/sssd/ticket/2635

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit 21687d1d553579e81aa43bfa20f2e70fb39e8461)
    (cherry picked from commit 2bf32678c96304d04e69813fd6d317d981ad2c41)

* IPA: do not fail if view name lookup failed on older versions | Sumit Bose | 2015-05-15 | 1 file | -1/+8

    Depending on the version 389ds returns a different error code if the
    search for the view name failed because our dereference attribute
    ipaAssignedIDView is not known. Newer versions return
    LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) which is translated to
    EOPNOTSUPP and older versions return LDAP_PROTOCOL_ERROR(2) which is
    returned as EIO. In both cases we have to assume that the server is not
    view aware and keep the view name unset.

    Resolves https://fedorahosted.org/sssd/ticket/2650

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SELINUX: Avoid disconnecting disconnected handle | Jakub Hrozek | 2015-05-15 | 1 file | -2/+7

    Resolves:
    https://fedorahosted.org/sssd/ticket/2649

    libsemanage is very strict about its API usage and actually doesn't
    allow disconnecting a handle that is not connected. The unpatched code
    would fail with:

        selinux_child: handle.c:231: semanage_disconnect: Assertion `sh != ((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect != ((void *)0)' failed.

    if semanage_connect() failed.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    (cherry picked from commit 589a8760b38d9e2dfa278764af12d59e1487fe07)

* IPA: allow initgroups by UUID for FreeIPA users | Sumit Bose | 2015-05-06 | 7 files | -28/+64

    If a FreeIPA user is searched with the help of an override name the
    UUID from the override anchor is used to search the user. Currently the
    initgroups request only allows searches by SID or name. With this patch
    a UUID can be used as well.

    Related to https://fedorahosted.org/sssd/ticket/2642

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 0f9c28eb52d2b45c8a97f709308dc11377831b8c)
    (cherry picked from commit 3b00bcd8b6d53d33207005c4e7a631b6a241d300)

* NSS: check for overrides before calling backend | Sumit Bose | 2015-05-06 | 1 file | -5/+20

    Currently the flag that the input data in a user or group lookup
    request might be an override value is only set if no cached entry was
    found. If the cached entry of an object with overrides is expired and
    a request with the override value as input is processed the flag is
    not set and the backend might not be able to find the right entry on
    the server. Typically this should not happen because of mid-point
    refreshes.

    To reproduce this, create a FreeIPA user and override the login name
    for a specific view. On a client which has this view applied call

        getent passwd overridename
        sss_cache -E
        getent passwd overridename

    The second getent command will still show the right output but in the
    logs a

        [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed

    message can be found for the second request.

    Related to https://fedorahosted.org/sssd/ticket/2642

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 35b178d02dfd293778aefbc0b465a5a3a4b6cd8f)
    (cherry picked from commit a4a447b7bf394ded65c8ae872832e7cd135425d1)

* IPA: do not add domain name unconditionally | Sumit Bose | 2015-05-06 | 3 files | -1/+4

    Depending on the server-side configuration the extdom plugin can return
    short or fully qualified names for IPA objects. The client must handle
    the names according to its own configuration and not add the domain
    part of the fully-qualified name unconditionally.

    Resolves https://fedorahosted.org/sssd/ticket/2647

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 3fe2e555edd3963d72483600e5d9616873afd00a)
    (cherry picked from commit 226224c91971247f60a86d9c46dd1402f5c29e8a)

* IPA: search for overrides during initgroups in server mode | Sumit Bose | 2015-05-06 | 1 file | -0/+69

    After the group memberships of a user from a trusted domain are read it
    must be checked if there are overrides for the discovered groups to be
    able to return the right gid or name to the caller.

    Related to https://fedorahosted.org/sssd/ticket/2633

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 2263c6dd1242c92253240f4998c86a04b6a0ca3a)
    (cherry picked from commit eaf656843831d579f30f94154d88aba2201c1712)

* IPA: enhance ipa_initgr_get_overrides_send() | Sumit Bose | 2015-05-06 | 3 files | -17/+61

    This patch makes ipa_initgr_get_overrides_send() public and adds
    support to search overrides by UUID or by SID.

    Related to https://fedorahosted.org/sssd/ticket/2633

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 145578006684481434ced78461ab8d1c3570f478)
    (cherry picked from commit 58a19d50888b1a7da0ee78b49e7d3dcbebc8614d)

* IPA: update initgr expire timestamp conditionally | Sumit Bose | 2015-05-06 | 1 file | -8/+11

    Newer versions of the extdom plugin return the full list of
    group-memberships during user lookups. As a result the lifetime of the
    group-membership data is updated in those cases. But if the user is not
    looked up directly but is resolved as a group member during a group
    lookup SSSD does not resolve all group-memberships of the user to avoid
    deep recursion and eventually a complete enumeration of the user and
    group base. In this case the lifetime of the group-memberships should
    not be updated because it might be incomplete.

    Related to https://fedorahosted.org/sssd/ticket/2633

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit cffe3135f29c737f2598f3c1384bfba1694fb843)
    (cherry picked from commit f643fadbd072a9d3725f5f750340d5b13628ce6a)

* IPA: do initgroups if extdom exop supports it | Sumit Bose | 2015-05-06 | 3 files | -10/+21

    Newer versions of the extdom plugin return the full list of
    group-memberships during a user lookup request. With these versions
    there is no need to reject an initgroups request for sub/trusted-domain
    users anymore. This is e.g. useful for callers which call
    getgrouplist() directly without calling getpwnam() before.
    Additionally it helps if for some reason the lifetime of the user entry
    and the lifetime of the initgroups data is different.

    Related to https://fedorahosted.org/sssd/ticket/2633

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727)
    (cherry picked from commit 24905d4ecbf210687e385449448f5a5ec97d2833)

* autofs: fix 'Cannot allocate memory' with FQDNs | Aron Parsons | 2015-04-30 | 1 file | -9/+0

    https://fedorahosted.org/sssd/ticket/2643

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 4df706219e64527209f12ad0c7814ee1be979c07)
    (cherry picked from commit 8f57c6765b10de36582ef1dbee32d75452451a94)

* GPO: Do not ignore missing attrs for GPOs | Lukas Slebodnik | 2015-04-30 | 1 file | -3/+9

    We don't want to skip over a GPO that might properly be denying users.

        [sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
        [sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
        [sssd[be[a.foo.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
        [sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points ref 1: 'lzb.hq'
        [sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000): Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
        [sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040): no attrs found for GPO; try next GPO.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2629

    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
    (cherry picked from commit 03e5f1528184a558fd990e66f083157b404dce08)
    (cherry picked from commit 7c8c34c1ad152892f93d8e01336258bfd0bc35b9)

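The one-line rationale in the commit above ("we don't want to skip over a GPO that might properly be denying users") is a fail-closed rule: when a policy object cannot be read, the evaluation must stop with an error rather than continue as if the object did not exist. The following is an added example, not SSSD's ad_gpo.c: a minimal policy loop in its skip-on-missing and fail-closed forms, run over a constructed scenario in which the denying GPO is exactly the one whose attribute search came back as a referral. The policy model, the function names and the first GUID are invented; mapping the error outcome to "login not permitted" is my reading of what an access provider should do with it, not something the commit message states.

```c
/* Added example (not SSSD code): fail-open versus fail-closed handling of
 * a GPO whose attributes could not be retrieved. */
#include <stdbool.h>
#include <stddef.h>

/* Outcome of fetching one GPO's attributes from the DC. */
enum gpo_fetch { GPO_OK, GPO_NO_ATTRS /* e.g. a referral, nothing returned */ };

struct gpo {
    const char    *guid;
    enum gpo_fetch fetch;        /* constructed: did the attribute search succeed? */
    bool           denies_user;  /* constructed: would this GPO deny the user?     */
};

enum access { ACCESS_DENY = 0, ACCESS_ALLOW = 1, ACCESS_ERROR = 2 };

/* Old behaviour: a GPO with no attributes is logged and skipped, so a
 * denying policy that happens to be unreadable silently stops applying. */
enum access gpo_access_skip_missing(const struct gpo *gpos, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (gpos[i].fetch == GPO_NO_ATTRS)
            continue;            /* "no attrs found for GPO; try next GPO." */
        if (gpos[i].denies_user)
            return ACCESS_DENY;
    }
    return ACCESS_ALLOW;
}

/* Fixed behaviour: an unreadable GPO aborts the evaluation with an error;
 * the caller treats anything but an explicit ALLOW as "not permitted". */
enum access gpo_access_fail_closed(const struct gpo *gpos, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (gpos[i].fetch == GPO_NO_ATTRS)
            return ACCESS_ERROR;
        if (gpos[i].denies_user)
            return ACCESS_DENY;
    }
    return ACCESS_ALLOW;
}

/* Constructed scenario: two GPOs; the denying one was answered by a
 * referral, so its attributes never arrived (the GUID is the one from
 * the log excerpt above, the first GUID is a placeholder). */
static const struct gpo SCENARIO[] = {
    { "{00000000-0000-0000-0000-000000000001}", GPO_OK,       false },
    { "{2BA15B73-9524-419F-B4B7-185E1F0D3DCF}", GPO_NO_ATTRS, true  },
};
#define NSCENARIO (sizeof(SCENARIO) / sizeof(SCENARIO[0]))

enum access scenario_old(void) { return gpo_access_skip_missing(SCENARIO, NSCENARIO); }
enum access scenario_new(void) { return gpo_access_fail_closed(SCENARIO, NSCENARIO); }

/* Whether a decision lets the user log in: only an explicit ALLOW does. */
bool login_permitted(enum access a)
{
    return a == ACCESS_ALLOW;
}
```

The same shape applies to any access decision built from a list of remotely fetched rules: a lookup failure is a distinct outcome from "rule absent", and only the former should be surfaced as an error that blocks the decision.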
* IPA: fix segfault in ipa_s2n_exop | Aron Parsons | 2015-04-29 | 1 file | -1/+1

    Can be triggered on demand by assigning a POSIX group with external
    members sudo privileges, then dropping the cache and doing a
    sudo -U <user> -l.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit c520f40d1a2d77cf1d413451b5682297733521ed)

* IPA: allow initgroups by SID for AD users | Sumit Bose | 2015-04-29 | 6 files | -11/+56

    If a user from a trusted AD domain is searched with the help of an
    override name the SID from the override anchor is used to search the
    user in AD. Currently the initgroups request only allows searches by
    name. With this patch a SID can be used as well.

    Resolves https://fedorahosted.org/sssd/ticket/2632

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit f70a1adbfc30b9acc302027439fb8157e0c6ea2a)

* simple-access-provider: make user grp res more robust | Pavel Reichl | 2015-04-28 | 3 files | -4/+24

    Not all user groups need to be resolved if group deny list is empty.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2519

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
    (cherry picked from commit 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a)

* IPA: check ghosts in groups found by uuid as well | Sumit Bose | 2015-04-27 | 1 file | -9/+12

    With views and overrides groups are not allowed to have ghost members
    anymore because the name of a member might be overridden. To achieve
    this ghost members are looked up and resolved later during group
    lookups. Currently this is only done for group lookups by name but
    should happen as well if the group is looked up by uuid.

    Resolves https://fedorahosted.org/sssd/ticket/2631

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 605dc7fcc848dffb7c9d270c864c70e6dff1242e)
    (cherry picked from commit 1b2119aab14a4ea3ca6de0d29a661b2825bfec8d)

* IPA: use sysdb_attrs_add_string_safe to add group member | Sumit Bose | 2015-04-27 | 1 file | -2/+3

    The member list returned by the extdom plugin might contain some
    entries more than once. Although this is an issue on the server side,
    to avoid ldb errors duplicates should be filtered out on the client as
    well.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 625cff0b0938538e51fdd3b2d985e6082b492ea5)
    (cherry picked from commit 7752046aea558e4fbf057d4efc9aea1a61b1e009)

* IPA: do not try to save override data for the default view | Sumit Bose | 2015-04-27 | 1 file | -5/+10

    For the default view all override data is available in the cached user
    or group object. Even if separate override data is available it should
    not be written into the cache.

    Resolves https://fedorahosted.org/sssd/ticket/2630

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 2ab9a4538eb2e1a255e645f7efdcfd6bb722d265)
    (cherry picked from commit 3453e4734d2f7738034af61edb7d33c0c7095d8a)

* Option filter_users had no effect for retrieving sudo rules | Adam Tkac | 2015-04-23 | 3 files | -0/+39

    Previously sssd_sudo always obtained sudo rules for a user from LDAP
    even when the user was listed in filter_users.

    Resolves https://fedorahosted.org/sssd/ticket/2625

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    (cherry picked from commit 2a25713afc6beefb11a799903a43f695c5d7a4f9)
    (cherry picked from commit d008c239c62ab6a467559156d5df854b099e4422)

* AD GPO: Always look up GPOs from machine domain | Stephen Gallagher | 2015-04-15 | 1 file | -21/+33

    When dealing with users from a child domain, SSSD was attempting to use
    the subdomain for lookups. However, all GPOs applicable to this machine
    are stored in the primary domain (the domain the host directly joined).

    This patch has the GPO processing use the primary domain instead of the
    user domain.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2606

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 475d986b534c5e0dfdb8e2348ab89b13fd4874aa)
    (cherry picked from commit b025f8a22cab47ac1f705a872917e3da0799fdd9)

* AD: Always get domain-specific ID connection | Stephen Gallagher | 2015-04-15 | 2 files | -11/+8

    ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at
    the LDAP connection for the primary domain, however it turns out that
    this is not always the case. It's currently unclear why, but this
    connection can sometimes be pointing at a subdomain.

    Since the value of subdom_id_ctx->ldap_ctx always points to the correct
    domain (including the primary domain case), there's no benefit to
    trying to shortcut to the ad_ctx->ldap_ctx when performing this lookup.

    This patch also makes a minor tweak to the tests so that the primary
    domain passes the sdap_domain_get() check for validity (since it needs
    to have a private member assigned).

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit e2bd4f8a41b72aea0712ad21ad02ccebb707f536)
    (cherry picked from commit 89a706acf3131bbe8c0aefa9c740dd44e892754f)

* AD: Clean up ad_access_gpo | Stephen Gallagher | 2015-04-15 | 1 file | -7/+5

    Align goto usage with conventions in the rest of the source.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit d9079aa05eb8aacb488992fdce328c1abadd08d8)
    (cherry picked from commit d7efa39ab732fb034f51501cb2b1b8d3b1716979)

* selinux: Only call semanage if the context actually changes | Jakub Hrozek | 2015-04-15 | 4 files | -4/+109

    https://fedorahosted.org/sssd/ticket/2624

    Add a function to query the libsemanage database for a user context and
    only update the database if the context differs from the one set on the
    server.

    Adds talloc dependency to libsss_semanage.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit 1e0fa55fb377db788e065de917ba8e149eb56161)
    (cherry picked from commit 4d31f2c294db6090047e4d5348322b32ea0aaac1)

* selinux: Begin and end the transaction on the same nesting level | Jakub Hrozek | 2015-04-15 | 1 file | -6/+14

    Transaction should be started and committed on the same code nesting or
    abstraction level. Also, transactions are really costly with libselinux
    and splitting them from initialization will make init function reusable
    by read-only libsemanage functions.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit 748b38a7991d78cbf4726f2a14ace5e926629a54)
    (cherry picked from commit 9c695e3a82fe5903b36b2d514b3284efeadc908c)

* selinux: Disconnect before closing the handle | Jakub Hrozek | 2015-04-15 | 1 file | -3/+10

    libsemanage documentation says:
    ~~~~
    be sure that a semanage_disconnect() was previously called if the
    handle was connected.
    ~~~~
    Otherwise we get a memory leak.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit aa00d67b2a8e07c9080e7798defdc6c774c93465)
    (cherry picked from commit 816d3cc041e276b138057aacb81d1a2bfb25add6)

* SDAP: Filter ad groups in initgroups | Lukas Slebodnik | 2015-04-14 | 1 file | -0/+12

    Function sdap_add_incomplete_groups stored domain local groups from
    subdomain as POSIX group, which should not be done.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2614

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit b9fbeb75e7a4f50f98d979a70a710f9221892483)
    (cherry picked from commit 49895bb18508a4f4b83b99d9875e99e17c81285b)

* SDAP: Extract filtering AD group to function | Lukas Slebodnik | 2015-04-14 | 5 files | -47/+101

    Patch removes code duplication.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit bad2fc8133d941e5a6c8d8016c9689e039265c61)
    (cherry picked from commit bdd031d274659263db5f28408d8b75c63d3485a0)

* SDAP: Do not set gid 0 twice | Lukas Slebodnik | 2015-04-14 | 1 file | -7/+0

    The gid 0 was added to sysdb attrs directly in sdap_save_group for the
    1st time and for the second time in the function
    sdap_store_group_with_gid, which was called every time from function
    sdap_save_group

        [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
        [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
        [sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
        [sysdb_store_group] (0x0400): Error: 17 (File exists)
        [sdap_store_group_with_gid] (0x0040): Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com
        [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
        [sdap_save_group] (0x0080): Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists]
        [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908)
    (cherry picked from commit cf7047634308c431f4cfbff1d88564668d2a33c7)

* enumeration: fix talloc context | Pavel Březina | 2015-04-14 | 2 files | -2/+2

    If for some reason ptask fails (e.g. timeout), req is talloc freed but
    because subreq is attached to ectx which is permanent it is finished
    anyway. Then a crash occurs when we are trying to access callback data.

    The same happens in sdap_dom_enum_ex_send.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2611

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
    (cherry picked from commit 725bb2a9901c4f673b107ed179f5d68ec443ca63)
    (cherry picked from commit 81bb9be1ae0b2a4ebe960f136a52576abcdfbbac)

* memberof: Do not create request with 0 attribute values | Lukas Slebodnik | 2015-04-14 | 1 file | -0/+6

        [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Constraint violation](19) [attribute 'ghost': attribute on 'name=Escalation,cn=groups,cn=LDAP,cn=sysdb' specified, but with 0 values (illegal)]
        [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [Constraint violation]
        [sysdb_set_entry_attr] (0x0040): Error: 14 (Bad address)
        [sdap_store_group_with_gid] (0x0040): Could not store group Escalation
        [sdap_save_group] (0x0080): Could not store group with GID: [Bad address]
        [sdap_save_group] (0x0080): Failed to save group [Escalation]: [Bad address]
        [sdap_save_groups] (0x0040): Failed to store group 1. Ignoring.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 999c87114479f230c840a5c020e107c45b29fd56)
    (cherry picked from commit cbab37e665d948278a491733e3993ac62beb0427)
