* SYSDB: Skip malformed netgroup attribute. [srvbackport]
  Lukas Slebodnik, 2015-10-11 (1 file, -1/+5)
  It was not easy to find out why a netgroup could not be converted into result entries. The problem was that nisNetgroupTriple contained the unexpected string "(,user01)". This patch will ignore only the malformed attribute, and processing of the netgroup will not fail.
  Resolves: https://fedorahosted.org/sssd/ticket/2137
* FO: Use SRV TTL in fail over code
  Jakub Hrozek, 2015-10-11 (4 files, -5/+21)
  Resolves: https://fedorahosted.org/sssd/ticket/1884
  Removes the hardcoded SRV TTL timeout and uses the TTL from the DNS instead.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit 8df69bbc58c2f4d3f0b34be9756d9ddf24b1db6d)
* resolv: Use the same default timeout for SRV queries as previously
  Jakub Hrozek, 2015-06-24 (2 files, -1/+9)
  When we changed the resolver code to use the TTL values from the DNS queries instead of hardcoded ones, we changed the default value by accident. Add a separate SRV TTL that is backwards-compatible with the old hardcoded value.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit eafbc66c2ff6365478e62a8df3fd005bf80e5c7b)
* Backport: Resolv: re-read SRV query every time if its TTL is 0
  Jakub Hrozek, 2015-06-24 (1 file, -1/+1)
* RESOLV: Add an internal function to read TTL from a DNS packet
  Jakub Hrozek, 2015-06-24 (4 files, -4/+116)
  Related: https://fedorahosted.org/sssd/ticket/1884
  Adds an internal resolver function that reads the TTL for SRV records as specified by RFC-2181. Several internal c-ares definitions are used until c-ares contains a function that exposes all this information via a parsing function.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  (cherry picked from commit bf54fbed126ec3d459af40ea370ffadacd31c76d)
* resolv: fix server sort by weight
  Pavel Březina, 2015-06-24 (1 file, -6/+2)
  When the server list consists only of servers with zero weight, the output list contained only one server.
  Resolves: https://fedorahosted.org/sssd/ticket/2357
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit 2be2220f15b2a819a80b07c8881822ef87053c69)
* SIGCHLD handler: do not call callback when pvt data were freed
  Pavel Březina, 2013-08-28 (5 files, -5/+42)
  https://fedorahosted.org/sssd/ticket/1992
* IPA: Do not download or store the member attribute of host groups
  Jakub Hrozek, 2013-06-27 (1 file, -5/+4)
  https://fedorahosted.org/sssd/ticket/1806
  The IPA provider attempted to store the original value of the member attribute to the cache. That caused the memberof plugin to process the values, which was really CPU intensive.
* Quit monitor when there are no more processes to stop
  Ondrej Kos, 2013-06-25 (1 file, -1/+3)
* exit original process after sssd is initialized
  Ondrej Kos, 2013-06-25 (3 files, -4/+73)
  https://fedorahosted.org/sssd/ticket/1357
  Neither systemd nor our init script uses the pid file as a notification that sssd has finished initializing. They will continue starting the next service right after the original (not daemonized) sssd process is terminated. If any of the responders fail to start, we will never terminate the original process via signal and "service sssd start" will hang. Thus we take this as an error and terminate the daemon with a non-zero value. This will also terminate the original process, and the init script or systemd will print a failure.
* make monitor_quit() usable outside signal handler
  Ondrej Kos, 2013-06-25 (1 file, -14/+26)
* Don't use srcdir with tests
  Jakub Hrozek, 2013-06-21 (1 file, -2/+2)
  Fixes build with automake 1.13 or newer.
* monitor: Add forgotten break
  Jakub Hrozek, 2013-05-30 (1 file, -0/+1)
* Set cloexec flag for log files
  Jakub Hrozek, 2013-05-16 (1 file, -0/+11)
  https://fedorahosted.org/sssd/ticket/1708
  The services kept the fd to /var/log/sssd/sssd.log open. I don't think there's any point in keeping the logfiles open after exec-ing for the child, so I set the CLOEXEC flag.
* Allocate PAM DP request data on responder context
  Jakub Hrozek, 2013-05-06 (3 files, -5/+54)
  https://fedorahosted.org/sssd/ticket/1869
  Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on the responder context, whose only purpose is to live as long as the request is active.
* LDAP: Only use paging control on requests for multiple entries
  Jakub Hrozek, 2013-05-02 (11 files, -37/+82)
  The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results.
* MAN: Improve ldap_disable_paging documentation
  Stephen Gallagher, 2013-05-02 (1 file, -1/+4)
* LDAP: Add option to disable paging control
  Stephen Gallagher, 2013-05-02 (9 files, -5/+40)
  Fixes https://fedorahosted.org/sssd/ticket/967
  Conflicts:
    src/config/SSSDConfig.py
    src/config/etc/sssd.api.d/sssd-ipa.conf
    src/config/etc/sssd.api.d/sssd-ldap.conf
    src/man/sssd-ldap.5.xml
    src/providers/ipa/ipa_common.c
    src/providers/ipa/ipa_common.h
    src/providers/ldap/ldap_common.c
    src/providers/ldap/sdap.h
* Restart services with a delay in case they are restarted too often
  Jakub Hrozek, 2013-04-24 (1 file, -13/+59)
  In case a service is restarted while the DP is not ready yet, it gets restarted again immediately, which means the DP might still not be ready. The allowed number of restarts is then depleted quickly. This patch changes the restart mechanism such that the first restart happens immediately, the second is scheduled after 2 seconds, then 4, etc.
  https://fedorahosted.org/sssd/ticket/1528
* Updating the version for the 1.5.18 release
  Jakub Hrozek, 2013-02-13 (1 file, -1/+1)
* TOOLS: Compile on old platforms such as RHEL5 [sssd-1_5_17]
  Ondrej Kos, 2013-02-11 (2 files, -39/+148)
  Provides compatible declarations for modern file management functions such as futimens or opening with the O_CLOEXEC flag.
* TOOLS: Use file descriptor to avoid races when creating a home directory
  Ondrej Kos, 2013-02-11 (5 files, -380/+378)
  When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links.
  This security problem was assigned CVE-2013-0219.
  https://fedorahosted.org/sssd/ticket/1782
* UTIL: Add function for atomic I/O
  Ondrej Kos, 2013-02-11 (4 files, -0/+103)
* TOOLS: Use openat/unlinkat when removing the homedir
  Jakub Hrozek, 2013-02-11 (1 file, -42/+41)
  The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree.
  This security issue was assigned CVE-2013-0219.
  https://fedorahosted.org/sssd/ticket/1782
* Add new debug level macros
  Ondrej Kos, 2013-02-11 (1 file, -0/+18)
* MONITOR: use sigchld handler for monitoring SSSD services
  Ondrej Kos, 2013-01-30 (2 files, -178/+152)
  Backport of https://fedorahosted.org/sssd/changeset/20e53344fbdfa215ff7633630feb10458a0274b9
* Cancel ping-check if service goes away
  Ondrej Kos, 2013-01-30 (1 file, -1/+15)
  Backport of https://fedorahosted.org/sssd/changeset/4134936f56911686e908dbd6bc9634767f399e3d
* Add common SIGCHLD handling for providers
  Ondrej Kos, 2013-01-30 (5 files, -8/+259)
  Backport of https://fedorahosted.org/sssd/changeset/6a9bdb6289bb374d203861cef16f312185725cbc
* Add ipa_hbac_support_srchost option to IPA provider
  Jan Zeleny, 2012-08-21 (9 files, -52/+412)
  Don't fetch all host groups if this option is false.
  https://fedorahosted.org/sssd/ticket/1078
* SYSDB: Make sysdb_attrs_get_el_int() public
  Stephen Gallagher, 2012-08-21 (2 files, -7/+9)
  Also rename it to sysdb_attrs_get_el_ext().
* Process all groups from a single nesting level
  Jakub Hrozek, 2012-08-21 (1 file, -5/+18)
  https://bugzilla.redhat.com/show_bug.cgi?id=846664
  If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectively marking the whole nesting level as done.
* Converge accept_fd_handler and accept_priv_fd_handler
  Stephen Gallagher, 2012-06-22 (1 file, -96/+47)
  These two functions were almost identical. Better to maintain them as a single function.
  Conflicts:
    src/responder/common/responder_common.c
* RESPONDERS: Make the fd_limit setting configurable
  Stephen Gallagher, 2012-06-22 (8 files, -4/+64)
  This code will now attempt first to see if it has privilege to set the value as specified, and if not it will fall back to the previous behavior. So on systems with the CAP_SYS_RESOURCE capability granted to SSSD, it will be able to ignore the limits.conf hard limit.
  https://fedorahosted.org/sssd/ticket/1197
  Conflicts:
    src/config/SSSDConfig.py
    src/config/SSSDConfigTest.py
    src/config/etc/sssd.api.conf
* RESPONDERS: Allow increasing the file-descriptor limit
  Stephen Gallagher, 2012-06-22 (4 files, -0/+49)
  This patch will increase the file descriptor limit to 8k or the limits.conf maximum, whichever is lesser.
  https://fedorahosted.org/sssd/ticket/1197
* HBAC: create empty groups with one NULL element
  Jakub Hrozek, 2012-06-22 (1 file, -16/+15)
  https://fedorahosted.org/sssd/ticket/1130
* Also expire connections on the privileged pipe
  Stephen Gallagher, 2012-06-22 (1 file, -0/+9)
* IPA: Check nsAccountLock during PAM_ACCT_MGMT
  Stephen Gallagher, 2012-06-22 (5 files, -1/+70)
  https://fedorahosted.org/sssd/ticket/1227
  Conflicts:
    src/providers/ipa/ipa_access.h
    src/providers/ipa/ipa_init.c
* LDAP: Make sdap_access_send/recv public
  Stephen Gallagher, 2012-06-22 (2 files, -12/+17)
  We want to consume this in the IPA provider.
* Make the client idle timeout configurable
  Stephen Gallagher, 2012-06-18 (7 files, -5/+43)
* Add support for terminating idle connections
  Shantanu Goel, 2012-06-18 (2 files, -4/+73)
* Do not send SIGPIPE on disconnection
  Shantanu Goel, 2012-06-18 (1 file, -6/+21)
  Note we set MSG_NOSIGNAL to avoid having to fiddle with signal masks, but also do not want to die in case SIGPIPE gets raised and the application does not handle it.
* Log message if close() fails in destructor.
  Shantanu Goel, 2012-06-18 (1 file, -1/+12)
* Set return errno to the value prior to calling close().
  Shantanu Goel, 2012-06-18 (1 file, -2/+2)
* DP: Reorganize memory hierarchy of requests
  Stephen Gallagher, 2012-06-10 (1 file, -15/+100)
  This function alters the memory hierarchy of the be_req to ensure memory safety during shutdown. It creates a spy on the be_cli object so that it will free the be_req if the client is freed. It is generally allocated atop the private data context for the appropriate back-end against which it is being filed.
  https://fedorahosted.org/sssd/ticket/1226
* Try all KDCs when getting TGT for LDAP
  Jakub Hrozek, 2012-06-04 (1 file, -15/+16)
  When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway.
  https://fedorahosted.org/sssd/ticket/1324
* Detect cycle in the fail over on subsequent resolve requests only
  Jakub Hrozek, 2012-06-04 (5 files, -23/+28)
* Only do one cycle when resolving a server
  Jakub Hrozek, 2012-06-04 (7 files, -29/+93)
  https://fedorahosted.org/sssd/ticket/1214
* fo_get_server_name() getter for a server name
  Jakub Hrozek, 2012-06-04 (6 files, -4/+32)
  Allows one to be more concise in tests and more defensive in resolve callbacks.
* Rename fo_get_server_name to fo_get_server_str_name
  Jakub Hrozek, 2012-06-04 (7 files, -11/+11)
* IPA: Detect nsupdate support for the realm directive
  Stephen Gallagher, 2012-01-17 (3 files, -11/+46)
  For older platforms, do not add the 'realm' line in the update message.