Commit log: commit message | author | date | files changed | lines removed/added
* Handle cases where UID is -1 [rhel5.10]
  Stephen Gallagher | 2015-03-19 | 1 file | -6/+1

  Also removes an unnecessary range check (since it's already handled by strtoint32()).
  https://fedorahosted.org/sssd/ticket/1216
  (cherry picked from commit f5df473c0234bf4b701a29f4feb61ad52f70b236)
* IPA: Do not download or store the member attribute of host groups [sssd-1.5.1-70]
  Jakub Hrozek | 2013-06-27 | 1 file | -5/+4

  https://fedorahosted.org/sssd/ticket/1806
  The IPA provider attempted to store the original value of member attribute to the cache. That caused the memberof plugin to process the values which was really CPU intensive.
* Quit monitor when there's no more processes to stop
  Ondrej Kos | 2013-06-25 | 1 file | -1/+3
* exit original process after sssd is initialized
  Ondrej Kos | 2013-06-25 | 3 files | -4/+73

  https://fedorahosted.org/sssd/ticket/1357
  Neither systemd nor our init script use the pid file as a notification that sssd is finished initializing. They will continue starting up the next service right after the original (not daemonized) sssd process is terminated. If any of the responders fail to start, we will never terminate the original process via signal and "service sssd start" will hang. Thus we take this as an error and terminate the daemon with a non-zero value. This will also terminate the original process and init script or systemd will print failure.
* make monitor_quit() usable outside signal handler
  Ondrej Kos | 2013-06-25 | 1 file | -14/+26
* monitor: Add forgotten break
  Jakub Hrozek | 2013-06-25 | 1 file | -0/+1
* Set cloexec flag for log files
  Jakub Hrozek | 2013-05-16 | 1 file | -0/+11

  https://fedorahosted.org/sssd/ticket/1708
  The services kept the fd to /var/log/sssd/sssd.log open. I don't think there's any point in keeping the logfiles open after exec-ing for the child, so I set the CLOEXEC flag.
* TOOLS: Compile on old platforms such as RHEL5
  Ondrej Kos | 2013-05-16 | 2 files | -39/+148

  Provides compatible declarations for modern file management functions such as futimens or opening with the O_CLOEXEC flag
* TOOLS: Use file descriptor to avoid races when creating a home directory
  Ondrej Kos | 2013-05-16 | 5 files | -380/+378

  When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links.
  This security problem was assigned CVE-2013-0219
  https://fedorahosted.org/sssd/ticket/1782
* UTIL: Add function for atomic I/O
  Ondrej Kos | 2013-05-16 | 4 files | -0/+103
* TOOLS: Use openat/unlinkat when removing the homedir
  Jakub Hrozek | 2013-05-16 | 1 file | -42/+41

  The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree.
  This security issue was assigned CVE-2013-0219
  https://fedorahosted.org/sssd/ticket/1782
* Add new debug level macros
  Ondrej Kos | 2013-05-16 | 1 file | -0/+18
* SSSD leaks memory when following referrals
  Jakub Hrozek | 2013-05-16 | 1 file | -0/+1
* Restart services with a delay in case they are restarted too often
  Jakub Hrozek | 2013-05-16 | 1 file | -13/+59

  In case a service is restarted while the DP is not ready yet, it gets restarted again immediately, which means the DP might still not be ready. The allowed number of restarts is then depleted quickly.
  This patch changes the restart mechanism such that the first restart happens immediately, the second is scheduled after 2 seconds, then 4 etc.
  https://fedorahosted.org/sssd/ticket/1528
* LDAP: Only use paging control on requests for multiple entries
  Jakub Hrozek | 2013-05-16 | 11 files | -39/+82

  The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results.
* Allocate PAM DP request data on responder context
  Jakub Hrozek | 2013-05-16 | 3 files | -5/+54
* Add common SIGCHLD handling for providers [sssd-1.5.1-60.el5]
  Ondrej Kos | 2013-02-26 | 5 files | -8/+259

  backport of https://fedorahosted.org/sssd/changeset/6a9bdb6289bb374d203861cef16f312185725cbc
* MONITOR: use sigchld handler for monitoring SSSD services
  Ondrej Kos | 2013-02-26 | 2 files | -178/+152

  backport of https://fedorahosted.org/sssd/changeset/20e53344fbdfa215ff7633630feb10458a0274b9
* Cancel ping-check if service goes away
  Ondrej Kos | 2013-02-26 | 1 file | -1/+15

  backport of https://fedorahosted.org/sssd/changeset/4134936f56911686e908dbd6bc9634767f399e3d
* sssd_pam: Cleanup requests cache on sbus reconnect [sssd-1.5.1-59.el5]
  Simo Sorce | 2013-02-26 | 1 file | -1/+4

  The pam responder was not properly configured to recover from a backend disconnect. The connections that were in flight before the disconnection were never freed and new requests for the same user would just pile up on top of the now phantom requests.
  Fixes: https://fedorahosted.org/sssd/ticket/1655
* IPA: Initialize hbac_ctx to NULL [sssd-1.5.1-58.el5]
  Stephen Gallagher | 2012-08-22 | 1 file | -1/+1
* Add ipa_hbac_support_srchost option to IPA provider [sssd-1.5.1-57.el5]
  Jan Zeleny | 2012-08-17 | 9 files | -52/+412

  Don't fetch all host groups if this option is false
  https://fedorahosted.org/sssd/ticket/1078
* SYSDB: Make sysdb_attrs_get_el_int() public
  Stephen Gallagher | 2012-08-17 | 2 files | -7/+9

  Also rename it to sysdb_attrs_get_el_ext()
* Process all groups from a single nesting level
  Jakub Hrozek | 2012-08-17 | 1 file | -5/+18

  https://bugzilla.redhat.com/show_bug.cgi?id=846664
  If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectively marking the whole nesting level as done.
* RESPONDERS: Make the fd_limit setting configurable [sssd-1.5.1-54.elf, sssd-1.5.1-54.el5]
  Stephen Gallagher | 2012-06-22 | 8 files | -4/+64

  This code will now attempt first to see if it has privilege to set the value as specified, and if not it will fall back to the previous behavior. So on systems with the CAP_SYS_RESOURCE capability granted to SSSD, it will be able to ignore the limits.conf hard limit.
  https://fedorahosted.org/sssd/ticket/1197
* DP: Reorganize memory hierarchy of requests
  Stephen Gallagher | 2012-06-22 | 1 file | -15/+100

  This function alters the memory hierarchy of the be_req to ensure memory safety during shutdown. It creates a spy on the be_cli object so that it will free the be_req if the client is freed. It is generally allocated atop the private data context for the appropriate back-end against which it is being filed.
  https://fedorahosted.org/sssd/ticket/1226
* HBAC: create empty groups with one NULL element
  Jakub Hrozek | 2012-06-22 | 1 file | -16/+15

  https://fedorahosted.org/sssd/ticket/1130
* Add support for terminating idle connections
  Stephen Gallagher | 2012-06-22 | 3 files | -92/+147

  Converge accept_fd_handler and accept_priv_fd_handler
  These two functions were almost identical. Better to maintain them as a single function.

  Set return errno to the value prior to calling close().

  Log message if close() fails in destructor.

  Do not send SIGPIPE on disconnection
  Note we set MSG_NOSIGNAL to avoid having to fiddle with signal masks but also do not want to die in case SIGPIPE gets raised and the application does not handle it.

  Add support for terminating idle connections

  Conflicts:
    src/responder/common/responder.h
    src/responder/common/responder_common.c
* IPA: Check nsAccountLock during PAM_ACCT_MGMT
  Stephen Gallagher | 2012-06-22 | 7 files | -13/+87

  LDAP: Make sdap_access_send/recv public
  We want to consume this in the IPA provider.

  IPA: Check nsAccountLock during PAM_ACCT_MGMT
  https://fedorahosted.org/sssd/ticket/1227

  Conflicts:
    src/providers/ipa/ipa_access.h
    src/providers/ipa/ipa_init.c
* Steal result onto mem_ctx in sdap_initgr_nested_get_direct_parents
  Jakub Hrozek | 2012-06-14 | 1 file | -2/+1
* Try all KDCs when getting TGT for LDAP [sssd-1.5.1-52.el5]
  Jakub Hrozek | 2012-06-04 | 1 file | -15/+16

  When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway.
  https://fedorahosted.org/sssd/ticket/1324
* Only do one cycle when resolving a server
  Jakub Hrozek | 2012-06-04 | 11 files | -64/+170

  Rename fo_get_server_name to fo_get_server_str_name

  fo_get_server_name() getter for a server name
  Allows to be more concise in tests and more defensive in resolve callbacks

  Only do one cycle when resolving a server
  https://fedorahosted.org/sssd/ticket/1214

  Detect cycle in the fail over on subsequent resolve requests only
* RESPONDERS: Allow increasing the file-descriptor limit [sssd-1.5.1-51.el5]
  Stephen Gallagher | 2012-04-25 | 4 files | -0/+49

  This patch will increase the file descriptor limit to 8k or the limits.conf maximum, whichever is lesser.
  https://fedorahosted.org/sssd/ticket/1197
* LDAP: Add option to disable paging control
  Stephen Gallagher | 2012-03-22 | 9 files | -5/+40

  Fixes https://fedorahosted.org/sssd/ticket/967

  Conflicts:
    src/config/SSSDConfig.py
    src/config/etc/sssd.api.d/sssd-ipa.conf
    src/config/etc/sssd.api.d/sssd-ldap.conf
    src/man/sssd-ldap.5.xml
    src/providers/ipa/ipa_common.c
    src/providers/ipa/ipa_common.h
    src/providers/ldap/ldap_common.c
    src/providers/ldap/sdap.h
* IPA: Detect nsupdate support for the realm directive
  Stephen Gallagher | 2012-01-17 | 3 files | -15/+55

  For older platforms, do not add the 'realm' line in the update message
* Log nsupdate message
  Jakub Hrozek | 2012-01-10 | 1 file | -0/+3

  https://fedorahosted.org/sssd/ticket/893
* Handle timeout during sss_ldap_init_send
  Jakub Hrozek | 2011-12-13 | 3 files | -3/+41

  In some cases, where there would be no response from the LDAP server, there would be no R/W events on the LDAP fd, so sdap_async_sys_connect_done would never be called.
  This patch adds a tevent timer that cancels the connection after SDAP_NETWORK_TIMEOUT seconds.
* Ignore NULL-terminator when checking UTF8-validity for netgroups [sssd-1.5.1-46.el5]
  Stephen Gallagher | 2011-12-09 | 1 file | -1/+1

  Glib fails if the NULL-terminator is included when a length is specified.
* Ignore NULL-terminator when checking UTF8-validity [sssd-1.5.1-45.el5]
  Stephen Gallagher | 2011-12-05 | 2 files | -4/+4

  Glib fails if the NULL-terminator is included when a length is specified.
* Allow using Glib for UTF8 support
  Stephen Gallagher | 2011-12-05 | 8 files | -54/+236
* RESPONDER: Ensure that all input strings are valid UTF-8
  Stephen Gallagher | 2011-12-05 | 7 files | -2/+52
* LDAP: Try next failover server on any error
  Stephen Gallagher | 2011-12-05 | 1 file | -9/+5
* Revert "RHEL5: Remove UTF8 support for RHEL5"
  Stephen Gallagher | 2011-12-05 | 3 files | -6/+35

  This reverts commit c417f0b8cde38ff5cc10241383f1481e3440879c.
* Add -fno-strict-aliasing [sssd-1.5.1-43.el5]
  Stephen Gallagher | 2011-11-28 | 1 file | -1/+2
* SYSDB: Update sysdb version to latest [sssd-1.5.1-40.el5]
  Stephen Gallagher | 2011-11-02 | 2 files | -1/+362

  Includes several index updates necessary for major performance improvements.
* RFC2307bis initgroups: fix nested groups processing
  Jakub Hrozek | 2011-10-31 | 1 file | -20/+33

  Due to an incorrectly written loop, SSSD would go into an infinite loop if it processed the same group on two different levels of membership.
* RHEL5: Remove UTF8 support for RHEL5
  Stephen Gallagher | 2011-10-26 | 3 files | -35/+6
* RESPONDER: Fix segfault in sss_packet_send()
  Stephen Gallagher | 2011-10-26 | 1 file | -0/+5

  There are several places (all error-handling) where sss_cmd_done() is called with no response packet created. As a short-term solution, we need to check whether the packet is NULL and simply return EINVAL. client_send() (the consumer) will then forcibly disconnect the client (which will return PAM_SYSTEM_ERR to the client).
* Plug memory leaks in LDAP provider
  Jakub Hrozek | 2011-10-26 | 1 file | -0/+3
* Use fewer transactions during RFC2307bis initgroups
  Jakub Hrozek | 2011-10-26 | 1 file | -539/+802

  Utility functions for LDAP nested schema initgroups
  Use fewer transactions during RFC2307bis initgroups
  Use fewer transactions during IPA initgroups