Commit message | Author | Age | Files | Lines

Thread safe initialisation was fixed in ticket #2380, but there is
still a race condition in reinitialisation.
If the cache is invalidated with the command sss_cache -U (-G or -E), then
client code will need to reinitialize the fast memory cache.
Let's say we have two threads. The 1st thread finds out that the memory cache
should be reinitialized; therefore the fast memory cache is unmapped
and the context destroyed. At the same time, the 2nd thread tries to check the
header of the memory cache to see whether it is initialized and valid. As a result
of the previously unmapped memory, the 2nd thread accesses
out of bound memory (SEGFAULT).
The destroying of the fast memory cache cannot be done at any time. We need
to be sure that there isn't any other thread which uses the mmaped memory.
A new counter of active threads was added for this purpose. The state
of the fast memory cache was converted from a boolean to a three-value state
(UNINITIALIZED, INITIALIZED, RECYCLED):
UNINITIALIZED
- the fast memory cache needs to be initialized.
- if there is a problem with initialisation the state will not change
- after successful initialisation, the state will change to INITIALIZED
INITIALIZED
- if the cache was invalidated or any other problem was
detected in the memory cache header, the state will change to RECYCLED
and the memory cache IS NOT destroyed.
RECYCLED
- nothing will be done if there are any active threads which may use
the data from the mmaped memory
- if there aren't active threads, the fast memory cache is destroyed and
the state is changed to UNINITIALIZED.
https://fedorahosted.org/sssd/ticket/2445
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 6a60e29468fc6b4043a4dc52d3aab73e8465db70)

Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 19f6a6733b5c6cf7dd2f6f746cfa5c787706331c)

dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed the object class
of IPA groups from posixGroup to the more general groupOfNames.
However, this object class is also used for roles, permissions and
privileges, which caused SSSD to consider those objects to be groups as
well during initgroups.
Resolves:
https://fedorahosted.org/sssd/ticket/2471
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3937736546e2a4b7cccc58fded3efdff9ae690fc)

We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if the remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 5febf5ed0cfb4ba7665d8c3e36ee6941988da773)

We loop over the array of returned controls and set 'ret' based on the
control value. In case multiple controls were returned, the 'ret'
variable might be clobbered with the result of a string-to-int conversion.
Reviewed-by: Pavel Reichl <preichl@redhat.com>

Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7ba70236daccb48432350147d0560b3302518cee)
(cherry picked from commit 9e99c000a4e2647328e71b4db272b4b73a7189c5)

In IPA we sometimes need to use the posixGroup and
sometimes the groupOfNames objectclass to query the
groups. This patch adds the possibility to specify an
alternative objectclass in group maps. By
default it is only set for IPA.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 6f91c61426c8cfbfec52d5e77ae4650007694e69)
(cherry picked from commit cfa74fcb5f6ba23f41a9ddaa76c3ebae6156da86)

When initgr is performed for AD supporting tokenGroups, do not skip
non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343

When initgr is performed for AD not supporting tokenGroups, do not
filter out groups without a gid attribute or with a gid equal to zero.
Resolves:
https://fedorahosted.org/sssd/ticket/2343

Do not expect objectClass to be posixGroup but rather the more general
groupOfNames.
Resolves:
https://fedorahosted.org/sssd/ticket/2343

The function sdap_ad_tokengroups_update_members finds the differences between
the list of groups from sysdb and the list of groups from LDAP (input argument).
For each new group, connections are created between the user and the group. The other
connections are removed.
The problem was that in some cases the function sdap_ad_tokengroups_update_members
was called twice (sdap_ad_tokengroups_initgr_posix_tg_done and
sdap_ad_tokengroups_initgr_posix_sids_done).
The first call created connections between the user and the groups resolved from
tokenGroups, and the second call updated the groups from missing SIDs, but the previously
created connections were removed. The worst case was when there weren't any
missing groups. This behaviour caused missing groups in some cases (for users
in a child AD domain).
This patch joins the array of groups obtained from tokenGroups and the array of groups
obtained from missing SIDs. The function sdap_ad_tokengroups_update_members
is called just once with a single array.
Resolves:
https://fedorahosted.org/sssd/ticket/2407
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 99f53d551a1db5d8023b4271eb691d554257624c)

It will be easier to steal the whole array to another talloc context.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 174e9ec6f88d709b6e9481ed06a322c0fc495842)

If the array of SIDs is empty we needn't try to resolve them
and we can immediately finish the request in the function sdap_ad_resolve_sids_send.
This patch is just a small optimisation.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 21f2821a4420291c8eb3ee9d427e9e1b0a1d9989)

https://fedorahosted.org/sssd/ticket/2410
If two ldap_child processes attempt to prime the ccache at the same time
for the same domain, the ldap_child might fail with:
[ldap_child_get_tgt_sync] (0x0040): Failed to init ccache: Internal credentials cache error
[main] (0x0020): ldap_child_get_tgt_sync failed.
To avoid the race condition, the ldap_child process now creates the
ccache with a randomized name and, before returning to the caller, renames the
randomized ccache to a permanent one.
Reviewed-by: Sumit Bose <sbose@redhat.com>

Using a global memory context for short-lived private data might lead to
memory growth.
Reviewed-by: Sumit Bose <sbose@redhat.com>

https://fedorahosted.org/sssd/ticket/2406
In the AD case, deployments sometimes add groups as parents of the
primary GID group. These groups are then returned during initgroups
in the tokenGroups attribute and member/memberof links are established
between the user and the group. However, any update of these groups
would remove the links, so a sequence of calls: id -G user; id user; id
-G user would return different group memberships.
Our code errored out in the rare case when the user was *also* an LDAP
member of his primary group.
Reviewed-by: Pavel Reichl <preichl@redhat.com>

The function sdap_fill_memberships did several tasks. It's more readable
to split linking the primary members into a separate function.
Reviewed-by: Pavel Reichl <preichl@redhat.com>

https://fedorahosted.org/sssd/ticket/2323
The functions that check for password expiration can return non-zero
return codes not only on internal failure, but also to indicate that the
password was expired. The code would in this case shortcut in the error
handler instead of making its way to the switch-case code below that
translates the SSSD error codes into PAM error codes.
We don't lose the error reporting, because any internal error would
translate into PAM_SYSTEM_ERROR anyway.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 06ba69972e6728f97f5adbcc3cc4df811a831f53)
(cherry picked from commit 7454855b9b5117a13fe86fb93b9cc870323ccd20)

When we have difficulty setting up an sss_cli_mc_ctx structure, we try
to clean things up so that we'll be ready to try again the next time
we're called.
Part of that is closing the descriptor of the file if we've opened it
and using memset() to clear the structure.
Now that sss_nss_mc_get_ctx() does its work in two phases, and each one
may end up doing the cleanup, each needs to be careful to reset the
descriptor field so that the new value provided by memset() (0) isn't
mistakenly treated as a file which should be closed by the other.
Resolves:
https://fedorahosted.org/sssd/ticket/2409
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 5a4df83d769ace54f92513f0be78e753e0985a25)

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f55d45b931ce6c01e005ae94a69e93abda0d2f1c)

Resolves:
https://fedorahosted.org/sssd/ticket/2405
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1a783fb0be9a48a0abdfe8b52fce551d530487ce)

Structure "struct sdap_dyndns_update_state" has two linked lists of
structures "struct sss_iface_addr": addresses, dns_addrlist.
In the *_recv functions, the linked list was talloc-stolen
to structure sss_iface_addr, but just the 1st member was moved to the "state" talloc
context. The other members of the linked list were freed when removing the subrequest,
which caused a use-after-free problem.
Resolves:
https://fedorahosted.org/sssd/ticket/2405
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0060992d68ba843d4d90b491a1500b6290789a5c)

Memory leaks will not be detected if the talloc context is NULL.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 24000ed5b08499b49595436b8a3b348fcd4012de)

Real functions use their own allocation strategy. We use talloc in wrapped functions.
But wrapped functions should not use global_talloc_context, otherwise
leak_check_teardown will report false positive memory leaks:
leak_check_teardown()
./src/tests/cmocka/test_dyndns.c:378: error: Failure!
[ FAILED ] dyndns_test_ok_dyndns_test_teardown
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 12e7e87ccbae0d5c2f338cd019ca51556cbcd3ae)

global_talloc_context should not be NULL in tests. It should be initialised
with the function leak_check_setup, otherwise memory leaks will not be detected.
check_leaks_pop should not be directly called for global_talloc_context.
That is the purpose of the function leak_check_teardown.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit bf65fbdd8c3fecd38a66363c3517e7a2679b8186)

man inet_ntop says:
    The caller specifies the number of bytes available in this buffer
    in the argument size.
    AF_INET
        src points to a struct in_addr (in network byte order) which is
        converted to an IPv4 network address in the dotted-decimal
        format, "ddd.ddd.ddd.ddd". The buffer dst must be at least
        INET_ADDRSTRLEN bytes long.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e210ed5da220acebb6751db4466fe352de08eaeb)

Resolves:
https://fedorahosted.org/sssd/ticket/2364

Be able to configure sssd to honor the openldap account lock to restrict
access via ssh key. Introduce a new ldap_access_order value ('lock')
for enabling/disabling this feature.
An account is considered locked if the pwdAccountLockedTime attribute has the value
000001010000Z.
------------------------------------------------------------------------
Quotation from man slapo-ppolicy:
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If
the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
------------------------------------------------------------------------
Also set the default value for sdap_pwdlockout_dn to
cn=ppolicy,ou=policies,${search_base}
Resolves:
https://fedorahosted.org/sssd/ticket/2364

To check the value of the pwdLockout attribute on the LDAP server, the DN of the ppolicy
must be set.
Resolves:
https://fedorahosted.org/sssd/ticket/2364

Prepare code for other access control checks.

Don't log an error if access is denied in the function sdap_access_done().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

As preparation for ticket #2364 move code from sdap_access_filter_done()
into sdap_access_done() to make its reuse possible and thus avoid code
duplication.
Rename check_next_rule() to sdap_access_check_next_rule().
Update the definition order of tevent-using functions by time of execution.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Fixed typo and replaced duplicated string by macro definition.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

As preparation for ticket #2364 separate the code for parsing the user basedn
into a new function sdap_get_basedn_user_entry().
We actually do not need to call strdup on basedn; instead we can just point to
the address in user_entry as it's allocated on the parent memory context.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

As a preparation for ticket #2364 separate the code for storing user bool
values into sysdb into a new function sdap_save_user_cache_bool().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

https://fedorahosted.org/sssd/ticket/2391
apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.
But SID lookups can match either a user or a group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
for the user by SID, didn't find the entry and accessed a NULL pointer.
A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)
The group_sid can be anything, including Domain Users (XXX-513).
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442)

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a8e9aedbf7f6ada4e9f505da5fad8a61e4066684)

Added a note to the man page about how the time SSSD spends
offline is calculated.
Reviewed-by: Dan Lavu <side_control@runlevelone.net>

https://fedorahosted.org/sssd/ticket/2397
With this patch, a user whose name is "space user" would match a sudo
rule while using the override_default_space option. Please note that the
option is only a client-side override, so the sudoUser attribute must
contain the space in order to match the original name. In other words,
when substituting space ( ) for underscore (_), this attribute would match:
sudoUser: space user
this would not:
sudoUser: space_user
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 3b96d478851fbbe391ab30e3d6a0afdb9ecdd4a0)

https://fedorahosted.org/sssd/ticket/2397
The input of the InfoPipe responder substitutes the configured character
for space and the GetUserAttrs and GetUserGroups functions substitute
space for the configured character in their output.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit fcfd1cb69762c49ba56326dfc85008c1d83333b2)

https://fedorahosted.org/sssd/ticket/2397
When using the override_default_space option, this patch allows to log
in using both the original name (space user) as well as the normalized
name (space_user).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 0fcc9ed1c66bed7ef3a0bcd6c517280a82391d2b)

https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit f3a5ac1a50c1fccd0801023658e42d2093e1a33a)

https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
  whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
  string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
  CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
  the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1f3127e88a87953f059c9a70d3582ae1719594b1)

The EntryUSN is not fetched by the sudo LDAP provider when it downloads
the rules because sudorule_map is missing this attribute. We forgot to
add the SDAP_AT_SUDO_RUNAS into sdap_sudorule_attrs when we added support
for sudoRunAs.
Related to:
https://fedorahosted.org/sssd/ticket/2212
(cherry picked from commit a1e89ede4995f948abc1acc364246161df7cca2c)

https://fedorahosted.org/sssd/ticket/2400
Netgroups often have members that will not process correctly when we
require a fully-qualified name. This patch simply ignores the
default_domain setting for netgroup lookups - we ignore FQDN only
domains for netgroup lookups since
1933ff17513da1d979dd22776a03478341ef5e6b anyway.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e6d441518531e7931e29dd8c65a3448a213e3865)

https://fedorahosted.org/sssd/ticket/2389
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 983983dd1629ab33eab340a40d9ee83965a339c6)

When upgrading from a 1.9 version with monolithic packaging to 1.10 or
later with per-provider subpackage, sssd-common can be upgraded (and
restarted) before the new sssd-$provider is restarted. This can lead to
a startup failure, because the sssd_be process from already upgraded
sssd-common would attempt to load a sssd_$provider.so from the
legacy sssd package.
Restarting the service in %posttrans makes sure all the packages are in
place when we restart the service.
Resolves:
https://fedorahosted.org/sssd/ticket/2399
(cherry picked from commit 192027debeaa991690160c3cb68480fe54ad8fdf)

The Data Provider lookup code used the original input string as the
lookup key instead of the parsed name component. For example, for an
input joe@mydomain, the backend would have searched for:
(&(cn=joe@mydomain)(objectclass=user))
This patch fixes the lookup to use the parsed name.
https://fedorahosted.org/sssd/ticket/2402
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d8b8995ef1c3f2a6c85dc141aaff7eef3faf05c1)

Resolves:
https://fedorahosted.org/sssd/ticket/2377
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 8c4abd227035169e75cb081424765e65c52b5266)

This patch adds a periodic check to test if
the backend can exit offline mode and only
marks the backend as not offline if the server
for the service is available.
Prior to this patch we marked the backend as not
offline if the offline_timeout was reached
without checking for the server availability,
and when the next request failed again
we switched back to the offline mode.
This caused significant slowdowns in some
edge cases.
Fixes:
https://fedorahosted.org/sssd/ticket/2355
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>