| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Includes several index updates necessary for major performance
improvements.
|
|
|
|
|
| |
Due to incorrectly written loop, SSSD would go into infitite loop if it
processed the same group on two different levels of membership.
|
| |
|
|
|
|
|
|
|
|
|
| |
There are several places (all error-handling) where sss_cmd_done()
is called with no response packet created. As a short-term
solution, we need to check whether the packet is NULL and simply
return EINVAL. client_send() (the consumer) will then forcibly
disconnect the client (which will return PAM_SYSTEM_ERR to the
client).
|
| |
|
|
|
|
|
|
|
|
| |
Utility functions for LDAP nested schema initgroups
Use fewer transactions during RFC2307bis initgroups
Use fewer transactions during IPA initgroups
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Mention cache_credentials and tweak the AD example to match the wiki page.
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fix off-by-one error in remove_socket_symlink()
https://fedorahosted.org/sssd/ticket/1043
Report on errno, not return code in create_socket_symlink
https://fedorahosted.org/sssd/ticket/1044
|
|
|
|
|
|
|
|
|
|
| |
HBAC: Do not save member/memberOf links
We can just trust the values from the FreeIPA server
HBAC: Use originalMember for identifying servicegroups
HBAC: Use originalMember for identifying hostgroups
|
| |
|
|
|
|
|
|
|
|
| |
Add option to follow symlinks to check_file()
Append PID to sbus server socket name, let clients use a symlink
https://fedorahosted.org/sssd/ticket/1034
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1024
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1014
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1013
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add sysdb interface to get name aliases
Add a sysdb_get_direct_parents function
Store name aliases for users, groups
Return users and groups based on alias
https://fedorahosted.org/sssd/ticket/926
Fix typo in sysdb_get_direct_parents
|
| |
|
| |
|
| |
|
|
|
|
| |
Coverity 10886
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1003
|
|
|
|
|
|
|
|
|
|
| |
We were incorrectly using DBUS_ERROR_TIMEOUT here. The correct
behaviour is to check for DBUS_ERROR_NO_REPLY. This way we will
properly handle the three-tries in the tasks_check_handler().
Additionally, we weren't properly handling failure counts
correctly, meaning we weren't restarting stuck services in a
timely manner.
|
|
|
|
|
|
|
|
|
|
| |
sss_ldap_err2string() - function created
https://fedorahosted.org/sssd/ticket/986
sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
https://fedorahosted.org/sssd/ticket/986
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/985
|
| |
|
|
|
|
|
|
|
| |
Adds a configure option to set the distribution default as well as
an sssd.conf option to override it.
https://fedorahosted.org/sssd/ticket/980
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/978
|
|
|
|
|
| |
We were trying to look up the wrong attribute for the name of the
hostgroup.
|
| |
|
|
|
|
|
|
| |
Instead of returning PAM_SYSTEM_ERR if they necessary attributes for the
requested password policy cannot be found we return PAM_PERM_DENIED.
Additionally the log message says that the access is denied.
|
| |
|
|
|
|
|
|
| |
match RDN
https://fedorahosted.org/sssd/ticket/926
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/970
|
|
|
|
|
|
|
|
|
|
|
|
| |
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Prevent segfault if vetoed_shells are specified without allowed_shells
https://fedorahosted.org/sssd/ticket/954
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/951
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/916
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/928
|
|
|
|
|
|
|
|
|
|
| |
If a pam or nss module is dlcolse()d and unloaded we were leaking
the file descriptor used to communicate to sssd in the process.
Make sure the fucntion used to close the socket file descriptor is
called on dlclose()
Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes for python HBAC bindings
These changes were proposed during a review:
* Change the signature of str_concat_sequence() to const char *
* use a getsetter for HbacRule.enabled to allow string true/false and
integer 1/0 in addition to bool
* fix a minor memory leak (HbacRequest.rule_name)
* remove overzealous discard consts
Fix python HBAC bindings for python <= 2.4
Several parts of the HBAC python bindings did not work with old Python
versions, such as the one shipped in RHEL5.
The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char
arguments where they have "const char *" in recent versions.
This caused compilation warnings this patch mitigates by using
the discard_const hack on python 2.4
Remove dead code from python HBAC bindings
https://fedorahosted.org/sssd/ticket/935
Handle allocation error in python HBAC bindings
https://fedorahosted.org/sssd/ticket/934
HBAC rule validation Python bindings
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add helper function msgs2attrs_array
This function converts a list of ldb_messages into a list of
sysdb_attrs.
Conflicts:
src/providers/ldap/ldap_common.c
src/providers/ldap/ldap_common.h
Add HBAC evaluator and tests
Add helper functions for looking up HBAC rule components
Remove old HBAC implementation
Add new HBAC lookup and evaluation routines
Conflicts:
Makefile.am
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server.
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
libipa_hbac: Support case-insensitive comparisons with UTF8
UTF8 HBAC test
Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933
Fix incorrect NULL check in ipa_hbac_common.c
https://fedorahosted.org/sssd/ticket/936
Require matched version and release for libipa_hbac
Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/940
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/911
|
|
|
|
|
|
|
| |
ares_query does not take search or domain directives from
/etc/resolv.conf into account
https://fedorahosted.org/sssd/ticket/922
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/915
|