Commit message | Author | Age | Files | Lines
* NSS: Fix netgroup midpoint cache refresh | Jakub Hrozek | 2013-01-29 | 3 | -3/+3
  https://fedorahosted.org/sssd/ticket/1683
  The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
* responder_dp: Add timeout to side requests | Simo Sorce | 2013-01-29 | 1 | -1/+25
  This is an additional protection in case the provider misbehaves to avoid having requests pending forever.
  Fixes: https://fedorahosted.org/sssd/ticket/1717
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails | Jakub Hrozek | 2013-01-29 | 3 | -18/+56
* Free the internal DP request | Jakub Hrozek | 2013-01-29 | 1 | -0/+8
* LDAP: Check validity of naming_context | Jakub Hrozek | 2013-01-29 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1581
  If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
* LDAP: Handle empty namingContexts values safely | Stephen Gallagher | 2013-01-29 | 1 | -0/+8
  Certain LDAP servers can return an empty string as the value of namingContexts. We need to treat these as NULL so that we can fail gracefully.
  https://fedorahosted.org/sssd/ticket/1542
* Initialize Kerberos ticket renewal in the IPA provider | Jakub Hrozek | 2012-10-11 | 1 | -0/+13
  Fixes https://fedorahosted.org/sssd/ticket/1526 in the 1.8 branch
* Updating the version for the 1.8.6 release | Jakub Hrozek | 2012-10-07 | 1 | -1/+1
* FO: Check server validity before setting status [tag: sssd-1_8_5] | Jakub Hrozek | 2012-10-03 | 7 | -33/+49
  The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result.
  This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give feedback.
  This patch simply checks if a server is in the list of servers maintained by a service before reading its status.
  https://fedorahosted.org/sssd/ticket/1364
* KRB5: Return PAM_AUTH_ERR on incorrect password | Jakub Hrozek | 2012-09-21 | 1 | -30/+39
  https://fedorahosted.org/sssd/ticket/1515
* Move SELinux processing from session to account PAM stack | Timo Aaltonen | 2012-09-07 | 1 | -66/+66
  Stops the session stack from returning an error when SELinux is not used.
  Partial backport from commit 7016947229edcaa268a82bf69fde37e521b13233
* Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client | Jakub Hrozek | 2012-09-07 | 3 | -8/+114
  https://fedorahosted.org/sssd/ticket/1460
* Fixed wrong number in shadowLastChange | Jan Zeleny | 2012-09-07 | 1 | -1/+2
  The attribute is supposed to contain number of days since the epoch, not the number of seconds.
* KRB5: Only return PAM error for unreachable kpasswd when performing chpass | Jakub Hrozek | 2012-09-07 | 1 | -2/+4
  https://fedorahosted.org/sssd/ticket/1452
* SYSDB: Make sysdb_attrs_get_el_int() public | Jakub Hrozek | 2012-08-21 | 2 | -8/+10
  Also rename it to sysdb_attrs_get_el_ext()
* Process all groups from a single nesting level | Jakub Hrozek | 2012-08-21 | 1 | -4/+14
  https://bugzilla.redhat.com/show_bug.cgi?id=846664
  If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectively marking the whole nesting level as done.
* Make the client idle timeout configurable | Stephen Gallagher | 2012-06-18 | 7 | -5/+43
* Add support for terminating idle connections | Shantanu Goel | 2012-06-18 | 2 | -2/+67
* Do not send SIGPIPE on disconnection | Shantanu Goel | 2012-06-18 | 1 | -6/+21
  Note we set MSG_NOSIGNAL to avoid having to fiddle with signal masks but also do not want to die in case SIGPIPE gets raised and the application does not handle it.
* Log message if close() fails in destructor. | Shantanu Goel | 2012-06-18 | 1 | -1/+12
* Set return errno to the value prior to calling close(). | Shantanu Goel | 2012-06-18 | 1 | -2/+2
* Send the correct enumeration request | Jakub Hrozek | 2012-06-18 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1329
* Provide "service filter" for SELinux context | Jan Zeleny | 2012-06-14 | 1 | -0/+28
  At this moment we will support only asterisk, designating "all services".
  https://fedorahosted.org/sssd/ticket/1360
* Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION | Jakub Hrozek | 2012-06-13 | 3 | -9/+12
  https://fedorahosted.org/sssd/ticket/1271
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing | Jan Cholasta | 2012-05-31 | 1 | -36/+49
  https://fedorahosted.org/sssd/ticket/1356
* SSH: Suppress error message output in sss_ssh_knownhostsproxy | Jan Cholasta | 2012-05-31 | 2 | -15/+8
* SSH: Update sss_ssh_knownhostsproxy manual page | Jan Cholasta | 2012-05-31 | 1 | -1/+1
  Don't use GlobalKnownHostsFile2 in ssh_config, as it has been deprecated in OpenSSH 5.9.
* Bumping version to 1.8.5 | Stephen Gallagher | 2012-05-30 | 1 | -1/+1
* Updating translations for 1.8.4 release [tag: sssd-1_8_4] | Stephen Gallagher | 2012-05-30 | 27 | -438/+1236
* Revert the client packet length, too, after reverting the packet protocol | Jakub Hrozek | 2012-05-29 | 1 | -1/+1
* NSS: Restore original protocol for getservbyport | Stephen Gallagher | 2012-05-25 | 2 | -3/+4
  When fixing an endianness bug, we changed the protocol unnecessarily.
* Send 16bit protocol numbers from the sss_client | Jakub Hrozek | 2012-05-25 | 2 | -7/+8
  https://fedorahosted.org/sssd/ticket/1348
* Use sized_string correctly in FQDN domains | Jakub Hrozek | 2012-05-23 | 1 | -2/+2
* Fixed issue in SELinux user maps | Jan Zeleny | 2012-05-22 | 1 | -0/+2
  There was an issue when IPA provider didn't set PAM_SUCCESS when successfully finished loading SELinux user maps. This led to the map not being read in the responder.
* LDAP nested groups: Do not process callback with _post deep in the nested structure | Jakub Hrozek | 2012-05-22 | 1 | -12/+10
  https://fedorahosted.org/sssd/ticket/1343
* Remove erroneous failure message in find_principal_in_keytab | Stef Walter | 2012-05-22 | 2 | -2/+4
    * When it's actually a failure, then the callers will print a message. Fine tune this.
* If canon'ing principals, write ccache with updated default principal | Stef Walter | 2012-05-22 | 2 | -3/+8
    * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated.
    * Create the cache file with the correct default credential.
    * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch.
  https://bugzilla.redhat.com/show_bug.cgi?id=811518
* KRB5: Avoid NULL-dereference with empty keytab | Stephen Gallagher | 2012-05-22 | 1 | -7/+13
  https://fedorahosted.org/sssd/ticket/1330
* Limit krb5_get_init_creds_keytab() to etypes in keytab | Stef Walter | 2012-05-22 | 4 | -0/+181
    * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab().
    * This fixes the problem where the server offers an enctype that krb5 supports, but we don't have a key for in the keytab.
  https://bugzilla.redhat.com/show_bug.cgi?id=811375
* Warn to syslog when dereference requests fail | Ariel Barria | 2012-05-22 | 1 | -2/+2
* NSS: Expire in-memory netgroup cache before the nowait timeout | Stephen Gallagher | 2012-05-16 | 1 | -1/+9
  The fact that we were keeping it in memory for the full duration of the cache timeout meant that we would never reap the benefits of the midpoint cache refresh.
  https://fedorahosted.org/sssd/ticket/1340
* Use the sysdb attribute name, not LDAP attribute name | Jakub Hrozek | 2012-05-16 | 2 | -2/+2
* RPM: Allow running 'make rpms' on RHEL 5 machines | Stephen Gallagher | 2012-05-15 | 1 | -5/+7
  Our previous detection for this was flawed, because the %{rhel} macro did not exist on the version of RPM shipped with RHEL 5, but it worked when building for RHEL 5 through mock.
  This new patch relies on grepping /etc/redhat-release for the version information.
  https://fedorahosted.org/sssd/ticket/1206
* Potential NULL dereference in proxy provider | Ariel Barria | 2012-05-14 | 1 | -1/+1
* murmurhash: Relax inline requirement | Stephen Gallagher | 2012-05-11 | 1 | -2/+2
* build: resolve link failure | Jan Engelhardt | 2012-05-11 | 1 | -0/+1
  libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,--version-script -Wl,./src/providers/sssd_be.exports -o sssd_be src/providers/data_provider_be.o src/providers/data_provider_fo.o src/providers/data_provider_opts.o src/providers/data_provider_callbacks.o src/providers/fail_over.o src/resolv/async_resolv.o -Wl,--export-dynamic -lpam -lcares ./.libs/libsss_util.a -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lcollection -ldhash -llber -lldap -ltdb -lunistring -lcrypto
  /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: src/providers/data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
  /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line
  /lib64/libdl.so.2: could not read symbols: Invalid operation
  collect2: error: ld returned 1 exit status
  make[2]: *** [sssd_be] Error 1
  Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
* SYSDB: Handle user and group renames better | Jakub Hrozek | 2012-05-11 | 2 | -7/+182
  Fixes a regression in the local domain tools where sss_groupadd no longer detected a GID duplicate. The check for EEXIST is moved one level up into more high level function.
  The patch also adds the same rename support for users. I found it odd that we allowed a rename of groups but not users. There is a catch when storing a user -- his cached password would be gone. I think that renaming a user is such a rare operation that it's not severe, plus there is a warning in the logs.
* Send the correct enumeration request | Jakub Hrozek | 2012-05-10 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1329
* Try all KDCs when getting TGT for LDAP | Jakub Hrozek | 2012-05-09 | 1 | -15/+18
  When the ldap child process is killed after a timeout, try the next KDC.
  When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway.
  https://fedorahosted.org/sssd/ticket/1324
* krb5 locator: Do not leak addrinfo | Jakub Hrozek | 2012-05-07 | 1 | -0/+2