| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
| |
The newest functional level we branch for is currently
DS_BEHAVIOR_WIN2003. Therefore (and also because extended support for
Windows server 2003 ends in 2015) we can safely set the functional level
to 2003 if the attribute is present but not a known value.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 0fafb51756913e78dbf523a69fc3a4ef2bac54ec)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2418
According to http://msdn.microsoft.com/en-us/library/cc223272.aspx a
Windows Server 2012 R2 has a functional level set to '6'. We need to
support that value in order for tokenGroups to be functional.
For more information on the functional levels, please refer to:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 9ea0969f6a9e52b7c57feb5808266b0739ee40a4)
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2364
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Be able to configure sssd to honor openldap account lock to restrict
access via ssh key. Introduce new ldap_access_order value ('lock')
for enabling/disabling this feature.
Account is considered locked if pwdAccountLockedTime attribut has value
of 000001010000Z.
------------------------------------------------------------------------
Quotation from man slapo-ppolicy:
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If
the account has been locked, the password may no longer be used to
authenticate the user to the directory. If pwdAccountLockedTime is set
to 000001010000Z, the user's account has been permanently locked and
may only be unlocked by an administrator. Note that account locking
only takes effect when the pwdLockout password policy attribute is set
to "TRUE".
------------------------------------------------------------------------
Also set default value for sdap_pwdlockout_dn to
cn=ppolicy,ou=policies,${search_base}
Resolves:
https://fedorahosted.org/sssd/ticket/2364
|
|
|
|
|
|
|
|
| |
To check value of pwdLockout attribute on LDAP server, DN of ppolicy
must be set.
Resolves:
https://fedorahosted.org/sssd/ticket/2364
|
|
|
|
| |
Prepare code for other access control checks.
|
|
|
|
|
|
| |
Don't log error if access is denied in function sdap_access_done().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
As preparation for ticket #2364 move code from sdap_access_filter_done()
into sdap_access_done() to make its reuse possible and thus avoid code
duplication.
Rename check_next_rule() to sdap_access_check_next_rule().
Update definition order of tevent-using functions by time of execution.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Fixed typo and replaced duplicated string by macro definition.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
As preparation for ticket #2364 separate code for parsing user basedn
to a new function sdap_get_basedn_user_entry().
We actually do not need to call strdup on basedn, instead we can just point to address in user_entry as it's allocated on parent memory context.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
As a preparation for ticket #2364 separate code for storing user bool
values into sysdb to a new function sdap_save_user_cache_bool().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function sdap_ad_tokengroups_update_members finds the differences between
list of groups from sysdb and list of groups from LDAP (input argument).
For each new group, connections are created between user and group. The other
connections are removed.
The problem was that in some cases function sdap_ad_tokengroups_update_members
was called twice (sdap_ad_tokengroups_initgr_posix_tg_done and
sdap_ad_tokengroups_initgr_posix_sids_done).
The first call created connection between user and groups resolved from
tokengroups and the second call update groups from missing SIDs, but previously
created connections were removed. The worst case was when there weren't any
missing groups. This behaviour caused missing groups in some cases (for users
in child ad domain)
This patch join array of groups obtained from token group and array of groups
obtained from missing SIDs. The function sdap_ad_tokengroups_update_members
is called just once with single array.
Resolves:
https://fedorahosted.org/sssd/ticket/2407
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 99f53d551a1db5d8023b4271eb691d554257624c)
|
|
|
|
|
|
|
| |
It will be easier to steal whole array to another talloc context
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 174e9ec6f88d709b6e9481ed06a322c0fc495842)
|
|
|
|
|
|
|
|
|
| |
If array of sids is empty we needn't try to resolve them
and we can immediately finish request in function sdap_ad_resolve_sids_send
This patch is just a small optimisation.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 21f2821a4420291c8eb3ee9d427e9e1b0a1d9989)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2410
If two ldap_child processes attempt to prime the ccache at the same time
for the same domain, the ldap_child might fail with:
[ldap_child_get_tgt_sync] (0x0040): Failed to init ccache: Internal credentials cache error
[main] (0x0020): ldap_child_get_tgt_sync failed.
To avoid the race-condition, the ldap_child process now creates the
ccache randomized and before returning to the caller, renames the
randomized ccache to a permanent one.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Using a global memory context for short-lived private data might lead to
memory growth.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2406
In the AD case, deployments sometimes add groups as parents of the
primary GID group. These groups are then returned during initgroups
in the tokenGroups attribute and member/memberof links are established
between the user and the group. However, any update of these groups
would remove the links, so a sequence of calls: id -G user; id user; id
-G user would return different group memberships.
Our code errored out in the rare case when the user was *also* an LDAP
member of his primary group.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
The function sdap_fill_memberships did several tasks. It's more readable
to split linking the primary members into a separate function.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2323
The functions that check for password expiration can return non-zero
return codes not only on internal failure, but also to indicate that the
password was expired. The code would in this case shortcut in the error
handler instead of making its way to the switch-case code below that
translates the SSSD error codes into PAM error codes.
We don't lose the error reporting, because any internal error would
translate into PAM_SYSTEM_ERROR anyway.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 06ba69972e6728f97f5adbcc3cc4df811a831f53)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we have difficulty setting up an sss_cli_mc_ctx structure, we try
to clean things up so that we'll be ready to try again the next time
we're called.
Part of that is closing the descriptor of the file if we've opened it
and using memset() to clear the structure.
Now that sss_nss_mc_get_ctx() does its work in two phases, and each one
may end up doing the cleanup, each needs to be careful to reset the
descriptor field so that the new value provided by memset() (0) isn't
mistakenly treated as a file which should be closed by the other.
Resolves:
https://fedorahosted.org/sssd/ticket/2409
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 5a4df83d769ace54f92513f0be78e753e0985a25)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f55d45b931ce6c01e005ae94a69e93abda0d2f1c)
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2405
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1a783fb0be9a48a0abdfe8b52fce551d530487ce)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Structure "struct sdap_dyndns_update_state" has two linked lists of
structures "struct sss_iface_addr": addresses, dns_addrlist
In *_recv functions, linked list was talloc stealed
to structure sss_iface_addr, but just 1st member was moved to "state" talloc
context. Other member of link list were freed with removing subrequest,
which caused use after free problem.
Resolves:
https://fedorahosted.org/sssd/ticket/2405
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0060992d68ba843d4d90b491a1500b6290789a5c)
|
|
|
|
|
|
|
| |
Memory leaks will not be detected if talloc context is NULL.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 24000ed5b08499b49595436b8a3b348fcd4012de)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Real functions use own allocation strategy. We use talloc in wrapped functions.
But wrapped functions should not use global_talloc_context,
leak_check_teardown will report false positive memory leaks.
leak_check_teardown()
./src/tests/cmocka/test_dyndns.c:378: error: Failure!
[ FAILED ] dyndns_test_ok_dyndns_test_teardown
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 12e7e87ccbae0d5c2f338cd019ca51556cbcd3ae)
|
|
|
|
|
|
|
|
|
|
|
| |
global_talloc_context should not be NULL in tests. It should be initialised
with function leak_check_setup otherwise memory leak will not be detected.
check_leaks_pop should not be directly called for global_talloc_context.
It is a purpose of function leak_check_teardown
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit bf65fbdd8c3fecd38a66363c3517e7a2679b8186)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
man inet_ntop says:
The caller specifies the number of bytes available in this buffer
in the argument size.
AF_INET
src points to a struct in_addr (in network byte order) which is
converted to an IPv4 network address in the dotted-decimal
format, "ddd.ddd.ddd.ddd". The buffer dst must be at least
INET_ADDRSTRLEN bytes long.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e210ed5da220acebb6751db4466fe352de08eaeb)
|
|
|
|
| |
This reverts commit 1fe677614603cb57784dbc03f60dbe4c1ba2db44.
|
|
|
|
| |
This reverts commit 4417c874595600cd93e12822fab54aa5753df74a.
|
|
|
|
| |
This reverts commit b7afe5caaaeae1e92479284a7f555aee4ba23422.
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 08145755f66e83c304e11228c2b610a09576dd81)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an object can't be resolved as a posix group we then try to resolve
it as a non-posix (without the gid attribute) nested group and store it as a
group stub into the sysdb.
The purpose is to be able to resolve nested posix groups which are
members of non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 5197ac634572a2e0f8c7cacad68d5e5336064744)
|
|
|
|
|
|
|
|
|
|
| |
Create new set of attributes to be used when processing non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2391
apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.
But SID lookups can match either user or group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
user by SID, didn't find the entry and accessed a NULL pointer.
A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)
The group_sid can be anything, including Domain Users (XXX-513)
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442)
|
|
|
|
|
|
|
| |
Added note to man page about how the time SSSD spends
offline is calculated.
Reviewed-by: Dan Lavu <side_control@runlevelone.net>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a8e9aedbf7f6ada4e9f505da5fad8a61e4066684)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
With this path, a user whose name is "space user" would match a sudo
rule while using the override_default_space option. Please note that the
option is only a client-side override, so the sudoUser attribute must
contain the space in order to match the original name. In other words,
when substituting space ( ) for underscore (_), this attribute would match:
sudoUser: space user
this would not:
sudoUser: space_user
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 3b96d478851fbbe391ab30e3d6a0afdb9ecdd4a0)
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
The input of the InfoPipe responder substitutes the configured character
for space and the GetUserAttrs and GetUserGroups functions substitute
space for the configured character in their output.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit fcfd1cb69762c49ba56326dfc85008c1d83333b2)
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
When using the override_default_space option, this patch allows to log
in using both the original name (space user) as well as the normalized
name (space_user).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 0fcc9ed1c66bed7ef3a0bcd6c517280a82391d2b)
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit f3a5ac1a50c1fccd0801023658e42d2093e1a33a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1f3127e88a87953f059c9a70d3582ae1719594b1)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2400
Netgroups often have members that will not process correctly when we
require a fully-qualified name. This patch simply ignores the
default_domain setting for netgroup lookups - we ignore FQDN only
domains for netgroup lookups since
1933ff17513da1d979dd22776a03478341ef5e6b anyway.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e6d441518531e7931e29dd8c65a3448a213e3865)
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2389
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 983983dd1629ab33eab340a40d9ee83965a339c6)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When upgrading from a 1.9 version with monolithic packaging to 1.10 or
later with per-provider subpackage, sssd-common can be upgraded (and
restarted) before the new sssd-$provider is restarted. This can lead to
a startup failure, because the sssd_be process from already upgraded
sssd-common would attempt to load a sssd_$provider.so from the
legacy sssd package.
Restarting the service in %posttrans makes sure all the packages are in
place when we restart the service.
Resolves:
https://fedorahosted.org/sssd/ticket/2399
(cherry picked from commit 192027debeaa991690160c3cb68480fe54ad8fdf)
|
|
|
|
|
|
|
|
|
|
|
|
| |
The EntryUSN is not fetched by the sudo LDAP provider when it downloads
the rules because sudorule_map is missing this attribute. We forgot to
add the SDAP_AT_SUDO_RUNAS into sdap_sudorule_attrs when we added support
for sudoRunAs.
Related to:
https://fedorahosted.org/sssd/ticket/2212
(cherry picked from commit a1e89ede4995f948abc1acc364246161df7cca2c)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Data Provider lookup code user the original input string as the
lookup key instead of the parsed name component. For example, for an
input joe@mydomain, the backend would have searched for:
(&(cn=joe@mydomain)(objectclass=user))
This patch fixes the lookup to use the parsed name.
https://fedorahosted.org/sssd/ticket/2402
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d8b8995ef1c3f2a6c85dc141aaff7eef3faf05c1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The meta server status consists of two parts:
A) port status - managed by failover mechanism
B) SRV lookup status - managed by SRV resolver
Both parts are resetted to "neutral" after some time, having
B timeout greater than A timeout.
We were hitting the following issue:
1. SRV lookup fails (DNS is not reachable), this will set A to
"not working and B to "resolve error". Then the next server is
tried but fails as well.
2. If SSSD tries to go back online the failover will set A to
"neutral" and it will try to resolve SRV again. But B status is
still set to "resolve error" since we haven't reached the timeout
yet and SRV resolution fails immediately. But the next server
is not tried since the port status (A) remains "neutral".
This patch sets the port status to "not working" making the
failover to continue with the next server as expected.
https://fedorahosted.org/sssd/ticket/2390
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 5490fa3ea4f6a4118a5188acb0e05daa302ed9d6)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds periodic check to test if
backend can exit offline mode and only
marks backend as not offline if server
for the service is available.
Prior to this patch we marked backend as not
offline if the offline_timeout was reached
without checking for the server availability
and when the next request failed again
we switched back to the offline mode.
This caused significant slowdowns in some
edge cases.
Fixes:
https://fedorahosted.org/sssd/ticket/2355
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|