Commit message  (tag)
  Author | Age | Files | Lines

* Fixed timeout handling in responders  (tag: sssd-1.5.1-57.el6)
  Jan Zeleny | 2011-10-14 | 1 file | -72/+72

* Fix Coverity issues introduced by DBUS socket patch
  Jakub Hrozek | 2011-10-14 | 1 file | -1/+3

    Fix off-by-one error in remove_socket_symlink()
    https://fedorahosted.org/sssd/ticket/1043

    Report on errno, not return code in create_socket_symlink
    https://fedorahosted.org/sssd/ticket/1044

* Improve performance of HBAC with large numbers of hosts
  Stephen Gallagher | 2011-10-14 | 4 files | -206/+334

    HBAC: Do not save member/memberOf links
    We can just trust the values from the FreeIPA server

    HBAC: Use originalMember for identifying servicegroups

    HBAC: Use originalMember for identifying hostgroups

* Check if dp_requests hash table exists before using it  (tag: sssd-1.5.1-56.el6)
  Jakub Hrozek | 2011-10-13 | 1 file | -0/+5

* Append PID to sbus server socket name, let clients use a symlink
  Jakub Hrozek | 2011-10-13 | 10 files | -26/+208

    Add option to follow symlinks to check_file()

    Append PID to sbus server socket name, let clients use a symlink
    https://fedorahosted.org/sssd/ticket/1034

* man page fix (lists are comma-separated)
  Jan Zeleny | 2011-10-13 | 3 files | -4/+4

    https://fedorahosted.org/sssd/ticket/1024

* Streamline the example config
  Jakub Hrozek | 2011-10-13 | 1 file | -72/+28

    https://fedorahosted.org/sssd/ticket/1014

* Use explicit base 10 for converting strings to integers  (tag: sssd-1.5.1-54.el6)
  Jakub Hrozek | 2011-10-06 | 5 files | -8/+8

    https://fedorahosted.org/sssd/ticket/1013

* Better handling for aliases
  Jakub Hrozek | 2011-10-06 | 7 files | -103/+407

    Add sysdb interface to get name aliases

    Add a sysdb_get_direct_parents function

    Store name aliases for users, groups

    Return users and groups based on alias
    https://fedorahosted.org/sssd/ticket/926

    Fix typo in sysdb_get_direct_parents

* IPA access: hostname comparison should be case-insensitive
  Jakub Hrozek | 2011-09-30 | 1 file | -1/+1

* HBAC: fix typos preventing proper hostgroup evaluation
  Stephen Gallagher | 2011-09-30 | 1 file | -3/+3

* Do not delete requests inside hash_iterate loop
  Jakub Hrozek | 2011-09-30 | 1 file | -10/+12

* Do not attempt to close() a file descriptor < 0  (tag: sssd-1.5.1-52.el6)
  Stephen Gallagher | 2011-09-20 | 1 file | -1/+3

    Coverity 10886

* Fix uninitialized pointer read in sdap_gssapi_get_default_realm()
  Jakub Hrozek | 2011-09-20 | 1 file | -1/+1

    https://fedorahosted.org/sssd/ticket/1003

* MONITOR: Correctly detect lack of response from services
  Stephen Gallagher | 2011-09-20 | 1 file | -21/+26

    We were incorrectly using DBUS_ERROR_TIMEOUT here. The correct behaviour
    is to check for DBUS_ERROR_NO_REPLY. This way we will properly handle the
    three-tries in the tasks_check_handler().

    Additionally, we weren't properly handling failure counts correctly,
    meaning we weren't restarting stuck services in a timely manner.

* Use sss_ldap_err2string() instead of ldap_err2string()  (tag: sssd-1.5.1-51.el6)
  Pavel Březina | 2011-09-12 | 5 files | -40/+54

    sss_ldap_err2string() - function created
    https://fedorahosted.org/sssd/ticket/986

    sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
    https://fedorahosted.org/sssd/ticket/986

* Improve error message for LDAP password constraint violation
  Jakub Hrozek | 2011-09-12 | 3 files | -16/+29

    https://fedorahosted.org/sssd/ticket/985

* Do not access memory out of bounds
  Sumit Bose | 2011-09-07 | 1 file | -2/+2

* Add option to specify the kerberos replay cache dir
  Stephen Gallagher | 2011-09-07 | 10 files | -0/+77

    Adds a configure option to set the distribution default as well as an
    sssd.conf option to override it.

    https://fedorahosted.org/sssd/ticket/980

* HBAC: Properly skip all non-group memberOf entries
  Stephen Gallagher | 2011-08-29 | 1 file | -1/+2

* Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
  Jakub Hrozek | 2011-08-29 | 8 files | -3/+33

    https://fedorahosted.org/sssd/ticket/978

* HBAC: Use of hostgroups for targethost or sourcehost was broken
  Stephen Gallagher | 2011-08-29 | 1 file | -4/+4

    We were trying to look up the wrong attribute for the name of the
    hostgroup.

* HBAC: Handle saving groups that have no members
  Stephen Gallagher | 2011-08-29 | 1 file | -7/+21

* Improve password policy error code and message
  Sumit Bose | 2011-08-29 | 1 file | -4/+9

    Instead of returning PAM_SYSTEM_ERR if the necessary attributes for the
    requested password policy cannot be found we return PAM_PERM_DENIED.
    Additionally the log message says that the access is denied.

* Use sysdb attribute name for GID, not LDAP attribute
  Stephen Gallagher | 2011-08-29 | 1 file | -3/+3

* Return the first value of name if the multivalued name attribute does not match RDN
  Jakub Hrozek | 2011-08-29 | 1 file | -3/+4

    https://fedorahosted.org/sssd/ticket/926

* Use the default Kerberos realm for LDAP with GSSAPI auth
  Jakub Hrozek | 2011-08-29 | 1 file | -3/+55

    https://fedorahosted.org/sssd/ticket/970

* Add vetoed_shells option  (tag: sssd-1.5.1-47.el6)
  John Hodrien | 2011-08-08 | 6 files | -15/+44

    There may be users in LDAP that have a valid but unwelcome shell set in
    their account. This adds a blacklist of shells that should always be
    replaced by the fallback_shell.

    Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

    Prevent segfault if vetoed_shells are specified without allowed_shells
    https://fedorahosted.org/sssd/ticket/954

* Fix returning groups when gidNumber attribute is not ordered
  Jakub Hrozek | 2011-08-04 | 3 files | -4/+10

    https://fedorahosted.org/sssd/ticket/951

* pyhbac: Do not convert int to bool
  Jakub Hrozek | 2011-08-04 | 1 file | -2/+11

* Explicitly ignore groups with gidNumber=0
  Jakub Hrozek | 2011-08-04 | 2 files | -11/+18

    https://fedorahosted.org/sssd/ticket/916

* Set gidNumber of non-posix groups to 0 even on updates
  Jakub Hrozek | 2011-08-04 | 1 file | -8/+44

* Fix indexing of skipped groups
  Jakub Hrozek | 2011-08-04 | 1 file | -2/+4

    https://fedorahosted.org/sssd/ticket/928

* sss_client: avoid leaking file descriptors
  Simo Sorce | 2011-08-04 | 2 files | -0/+15

    If a pam or nss module is dlclose()d and unloaded we were leaking the
    file descriptor used to communicate to sssd in the process.
    Make sure the function used to close the socket file descriptor is
    called on dlclose()

    Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)

* Provide python bindings for the HBAC evaluator library
  Jakub Hrozek | 2011-08-04 | 8 files | -4/+2694

    Fixes for python HBAC bindings
    These changes were proposed during a review:
      * Change the signature of str_concat_sequence() to const char *
      * use a getsetter for HbacRule.enabled to allow string true/false and
        integer 1/0 in addition to bool
      * fix a minor memory leak (HbacRequest.rule_name)
      * remove overzealous discard consts

    Fix python HBAC bindings for python <= 2.4
    Several parts of the HBAC python bindings did not work with old Python
    versions, such as the one shipped in RHEL5. The changes include:
      * a compatibility wrapper around python set object
      * PyModule_AddIntMacro compat macro
      * Py_ssize_t compat definition
      * Do not use PyUnicode_FromFormat
      * several function prototypes and structures used to have "char *"
        arguments where they have "const char *" in recent versions. This
        caused compilation warnings this patch mitigates by using the
        discard_const hack on python 2.4

    Remove dead code from python HBAC bindings
    https://fedorahosted.org/sssd/ticket/935

    Handle allocation error in python HBAC bindings
    https://fedorahosted.org/sssd/ticket/934

    HBAC rule validation Python bindings
    https://fedorahosted.org/sssd/ticket/943

* Rewrite HBAC rule evaluator
  Stephen Gallagher | 2011-08-04 | 23 files | -1702/+4592

    Add helper function msgs2attrs_array
    This function converts a list of ldb_messages into a list of sysdb_attrs.
    Conflicts:
        src/providers/ldap/ldap_common.c
        src/providers/ldap/ldap_common.h

    Add HBAC evaluator and tests

    Add helper functions for looking up HBAC rule components

    Remove old HBAC implementation

    Add new HBAC lookup and evaluation routines
    Conflicts:
        Makefile.am

    Add ipa_hbac_refresh option
    This option describes the time between refreshes of the HBAC rules on
    the IPA server.

    Add ipa_hbac_treat_deny_as option
    By default, we will treat the presence of any DENY rule as denying all
    users. This option will allow the admin to explicitly ignore DENY rules
    during a transitional period.

    Treat NULL or empty rhost as unknown
    Previously, we were assuming this meant it was coming from the
    localhost, but this is not a safe assumption. We will now treat it as
    unknown and it will fail to match any rule that requires a specified
    srchost or group of srchosts.

    libipa_hbac: Support case-insensitive comparisons with UTF8

    UTF8 HBAC test

    Fix memory leak in ipa_hbac_evaluate_rules
    https://fedorahosted.org/sssd/ticket/933

    Fix incorrect NULL check in ipa_hbac_common.c
    https://fedorahosted.org/sssd/ticket/936

    Require matched version and release for libipa_hbac

    Add rule validator to libipa_hbac
    https://fedorahosted.org/sssd/ticket/943

* Request password control unconditionally during bind
  Jakub Hrozek | 2011-08-04 | 1 file | -6/+6

    https://fedorahosted.org/sssd/ticket/940

* Do not add a NULL host parsed from LDAP URI
  Jakub Hrozek | 2011-08-04 | 1 file | -1/+8

    https://fedorahosted.org/sssd/ticket/911

* Use ares_search instead of ares_query for hostname resolution  (tag: sssd-1.5.1-43.el6)
  Jakub Hrozek | 2011-07-13 | 1 file | -1/+1

    ares_query does not take search or domain directives from
    /etc/resolv.conf into account

    https://fedorahosted.org/sssd/ticket/922

* ipa_dyndns: Use sockaddr_storage for storing IP addresses
  Jakub Hrozek | 2011-07-13 | 1 file | -12/+17

    https://fedorahosted.org/sssd/ticket/915

* Fix TLS/SSL validation after switch to ldap_init_fd
  Sumit Bose | 2011-07-13 | 13 files | -72/+558

    Add sockaddr_storage to sdap_service

    Add sdap_call_conn_cb() to call add connection callback directly

    Use name based URI instead of IP address based URIs

    Use ldap_init_fd() instead of ldap_initialize() if available

    Do not access state after tevent_req_done() is called.

    Call ldap_install_tls() on ldaps connections

* Honor the TTL value of SRV record lookups
  Jakub Hrozek | 2011-07-13 | 11 files | -221/+903

    Add new resolv_hostent data structure and utility functions

    Resolve hosts by name from files into resolv_hostent

    Resolve hosts by name from DNS into resolv_hostent

    Switch resolver to using resolv_hostent and honor TTL
    Conflicts:
        src/providers/fail_over.c

    Provide TTL structure names for c-ares < 1.7
    https://fedorahosted.org/sssd/ticket/898

    In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
    ares_addrttl/ares_addr6ttl so they are in the ares_ namespace. Because
    they are committed to stable ABI, the contents are the same, just the
    name changed -- so it is safe to just #define the new name for older
    c-ares version in case the new one is not detected in configure time.

* Delete cached ccache file if password is expired
  Sumit Bose | 2011-07-13 | 1 file | -8/+63

* Fall back to polling when inotify fails
  Jan Zeleny | 2011-07-13 | 1 file | -28/+68

* Do not check pwdAttribute
  Sumit Bose | 2011-07-13 | 1 file | -9/+0

    It is not safe to check pwdAttribute to see if server side password
    policies are active. Only if a LDAP_CONTROL_PASSWORDPOLICYRESPONSE is
    present in the bind response we can assume that there is a server side
    password policy.

* Handle non-POSIX groups in nesting  (tag: sssd-1.5.1-40.el6)
  Jan Zeleny | 2011-06-02 | 7 files | -52/+132

    Added sysdb_attrs_get_bool() function

    Non-posix group processing - sysdb changes

    Non-posix group processing - ldap provider and nss responder

* Support overriding attribute values locally
  Jakub Hrozek | 2011-06-02 | 11 files | -5/+414

    Add a new option to override primary GID number
    https://fedorahosted.org/sssd/ticket/742

    Add a new option to override home directory value
    https://fedorahosted.org/sssd/ticket/551

    Add new options to override shell value
    https://fedorahosted.org/sssd/ticket/742
    Conflicts:
        src/conf_macros.m4

* Properly support IPv6 in LDAP URIs for IPA and LDAP providers
  Jakub Hrozek | 2011-06-02 | 7 files | -23/+121

    Add utility function to return IP address as string

    Add a utility function to escape IPv6 address for use in URIs

    Use escaped IP addresses in LDAP provider

    Escape IPv6 IP addresses in the IPA provider
    https://fedorahosted.org/sssd/ticket/880

    Fix bad merge
    We merged in a patch, but missed that it missed a dependency added by
    another earlier patch.

* Add online callback only once for TGT renewal
  Sumit Bose | 2011-06-02 | 1 file | -25/+44

* Fix typo in initgroups negative cache check
  Stephen Gallagher | 2011-06-02 | 1 file | -1/+1