sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	NSS: Add original homedir to home directory template optionssssd-1.9.2-101.el6	Stephen Gallagher	2013-08-08	6	-8/+29
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1805
*	sudo responder: use different callback for oob refreshsssd-1.9.2-100.el6	Pavel Březina	2013-08-08	1	-6/+8
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1693 Since we don't care about returned values from out of band refresh, we do not need to set callback data. However, this caused talloc to abort as it considers it as type mismatch when called from tevent_req_callback_data().
*	MAN: Clarify the min_id/max_id limits furthersssd-1.9.2-99.el6	Jakub Hrozek	2013-08-08	1	-0/+4
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2005 Some users were confused by our description of min_id/max_id and thought the limits only applied to returning entries from the NSS responder. However, the limits are actually enforced on the back end side, so the entries are not even saved to cache.
*	IPA: Do not download or store the member attribute of host groupssssd-1.9.2-98.el6	Jakub Hrozek	2013-08-08	2	-2/+0
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1806 The IPA provider attempted to store the original value of member attribute to the cache. That caused the memberof plugin to process the values which was really CPU intensive.
*	NSS: Clear cached netgroups if a request comes in from the sss_cachesssd-1.9.2-97.el6	Lukas Slebodnik	2013-08-08	4	-0/+55
\| \| \| \| \| \| \|	In order for sss_cache to work correctly, we must also signal the nss responder to invalidate the hash table requests. https://fedorahosted.org/sssd/ticket/1759
*	NSS: allow removing entries from netgroup hash table	Lukas Slebodnik	2013-08-08	3	-1/+32
\| \| \| \| \| \| \| \| \|	There is a timed desctructor in the nss responder that, when the entry timeout passes, removes the netgroup from the hash table while the netgroup is freed. This patch adds a hash delete callback so that if the netgroup is removed from the hash table with hash_delete, its hash table pointer will be invalidated. Later, when the entry is being freed, the destructor won't attempt to remove it from the hash table.
*	sudo: print better debug message when a rule has multiple cn valuessssd-1.9.2-96.el6	Pavel Březina	2013-08-08	1	-1/+5
\|
*	sudo: skip rule on error instead of failing completely	Pavel Březina	2013-08-08	1	-1/+3
\| \| \| \|	https://fedorahosted.org/sssd/ticket/2031
*	MAN: Clarify that saving users after enumerating large domain might be CPU ↵sssd-1.9.2-95	Jakub Hrozek	2013-07-25	1	-1/+9
\| \| \| \| \| \|	intensive https://fedorahosted.org/sssd/ticket/1732
*	Allocate PAM DP request data on responder context1.9.2-92	Jakub Hrozek	2013-07-25	3	-5/+54
\| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.
*	autofs: fix invalid header 'number of entries' in packet1.9.2-91	Pavel Březina	2013-05-30	1	-1/+5
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1739 Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
*	Only try to relink ghost users if we're not enumerating1.9.2-90	Jakub Hrozek	2013-05-30	2	-4/+16
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1893 When SSSD is not enumerating (which is the default), we are trying to link any "ghost" entries with a newly created user entry. However, when enumeration is on, this means a spurious search on adding any user.
*	LDAP: do not invalidate pointer with realloc while processing ghost users1.9.2-89	Jakub Hrozek	2013-05-30	1	-3/+13
\| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1799 One peculiarity of the sysdb_attrs_get_el interface is that if the attribute does not exist, then the attrs array is reallocated and the element is created. But in case other pointers are already pointing into the array, the realloc might invalidate them. Such case was in the sdap_process_ghost_members function where if the group had no members, the "gh" pointer requested earlier might have been invalidated by the realloc in order to create the member element.
*	Fix simple access group control in case-insensitive domains1.9.2-88	Jakub Hrozek	2013-04-15	2	-18/+11
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1880 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.
*	ldap: Fallback option for rfc2307 schema	Simo Sorce	2013-04-15	14	-11/+228
\| \| \| \| \| \| \| \| \| \| \|	Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
*	Resolve GIDs in the simple access provider	Jakub Hrozek	2013-04-15	5	-307/+1033
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
*	Do not compile main() in DP if UNIT_TESTING is defined	Jakub Hrozek	2013-04-15	1	-0/+2
\| \| \| \| \| \| \| \| \| \| \|	The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
*	Add unit tests for simple access test by groups	Jakub Hrozek	2013-04-15	1	-32/+253
\| \| \| \| \| \| \|	I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.
*	Provide a be_get_account_info_send function	Jakub Hrozek	2013-04-15	2	-19/+149
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
*	Don't treat 0 as default for pam_pwd_expiration warning1.9.2-85	Jakub Hrozek	2013-03-01	1	-1/+2
\|
*	Fix the krb5 password expiration warning	Jakub Hrozek	2013-02-22	1	-1/+7
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1808
*	nested groups: fix group lookup hangs if member dn is incorrectrhel-6.4 1.9.2-83	Pavel Březina	2013-01-30	1	-0/+24
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
*	SYSDB: Expire group if adding ghost users fails with EEXIST	Jakub Hrozek	2013-01-23	1	-2/+36
\|
*	SYSDB: make the sss_ldb_modify_permissive function public	Jakub Hrozek	2013-01-23	2	-2/+11
\|
*	TOOLS: Use file descriptor to avoid races when creating a home directory	Jakub Hrozek	2013-01-23	4	-354/+364
\| \| \| \| \| \| \| \| \| \| \|	When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
*	TOOLS: Use openat/unlinkat when removing the homedir	Jakub Hrozek	2013-01-23	1	-42/+41
\| \| \| \| \| \| \| \| \| \|	The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree. This security issue was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
*	Check that strings do not go beyond the end of the packet body in autofs and ↵	Jan Cholasta	2013-01-23	2	-7/+7
\| \| \| \| \| \| \| \|	SSH requests. This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
*	sudo responder: change num_rules type from size_t to uint32_t	Pavel Březina	2013-01-22	7	-26/+26
\| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1779 2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus. Resolved Conflicts: src/responder/sudo/sudosrv_get_sudorules.c
*	Convert the value of pwd_exp_warning to seconds	Jakub Hrozek	2013-01-22	1	-5/+6
\| \| \| \| \| \| \| \|	When read from the domain section, the pwd_expiration_warning was properly converted to seconds from days, but not the pam_pwd_expiration_warning set in the [pam] section. https://fedorahosted.org/sssd/ticket/1773
*	fix backend callbacks: remove callback properly from dlist	Pavel Březina	2013-01-22	1	-6/+18
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1776 Although cb->list got updated when the callback is removed, this change did not propagate to be_ctx->*_cb_list which caused dlist having invalid records.
*	TOOLS: invalidate parent groups in memory cache, too	Jakub Hrozek	2013-01-21	4	-8/+71
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1775
*	LDAP: Compare lists of DNs when saving autofs entries	Jakub Hrozek	2013-01-21	3	-137/+173
\| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
*	Invalidate user entry even if there are no groups	Jakub Hrozek	2013-01-16	2	-11/+8
\| \| \| \| \| \| \| \| \|	Related to https://fedorahosted.org/sssd/ticket/1757 Previously we would optimize the mc invalidate code for cases where the user was a member of some groups. But if the user was removed from the server while being in memory cache, we would only invalidate the mc record if he was a member of at least one supplementary group.
*	NSS: invalidate memcache user entry on initgr, too	Jakub Hrozek	2013-01-16	1	-0/+11
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1757 When the user entry was missing completely after initgroups, we would never invalidate the user entry from cache. This led to dangling cache entried in memory cache if the user was removed from the server while still being in memory cache.
*	autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32	Jakub Hrozek	2013-01-16	1	-10/+5
\|
*	LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships	Jakub Hrozek	2013-01-15	1	-12/+4
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
*	TOOLS: Refresh memcache after changes to local users and groups	Jakub Hrozek	2013-01-15	3	-2/+50
\|
*	TOOLS: Provide a convenience function to refresh a list of groups	Jakub Hrozek	2013-01-15	2	-0/+22
\|
*	TOOLS: Split querying nss responder into a separate function	Jakub Hrozek	2013-01-15	5	-38/+79
\| \| \| \| \| \|	The tools query the responder in order to sync the memcache after performing changes to the local database. The functions will be reused by other tools so I split them into a separate functions.
*	TOOLS: move memcache related functions to tools_mc_utils.c	Jakub Hrozek	2013-01-15	4	-161/+189
\| \| \| \| \| \| \|	The upcoming patches will link only users of this file with client libs, so it's better to have it separate. There is no functional change in this patch
*	Fix invalidating autofs maps	Simo Sorce	2013-01-15	1	-1/+1
\|
*	let ldap_backup_chpass_uri work	Pavel Březina	2013-01-15	1	-2/+4
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1760
*	AD: Add user as a direct member of his primary group	Jakub Hrozek	2013-01-09	1	-8/+109
\| \| \| \| \| \| \| \| \| \| \| \|	In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. The downside of this approach is that the user is returned as a group member during getgrgid call as well.
*	AD: replace GID/UID, do not add another one	Jakub Hrozek	2013-01-09	4	-7/+41
\| \| \| \| \| \| \|	The code would call sysdb_attrs_add_uint32 which added another UID or GID to the ID=0 we already downloaded from LDAP (0 is the default value) when ID-mapping an entry. This led to funky behaviour later on when we wanted to process the ID.
*	IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP	Jakub Hrozek	2013-01-08	3	-4/+6
\| \| \| \|	It is not a map, but a default context. The name should reflect that.
*	SELINUX: Process maps even when offline	Jakub Hrozek	2013-01-08	1	-226/+429
\| \| \| \| \|	Changes the ipa_get_selinux{send,recv} request so that it only delivers data and moves processing to the IPA selinux handler.
*	SYSDB: Split a function to read all SELinux maps	Jakub Hrozek	2013-01-08	2	-23/+49
\|
*	SYSDB: Remove duplicate selinux defines	Jakub Hrozek	2013-01-08	3	-5/+2
\|
*	Refactor gid handling in the PAC responder	Sumit Bose	2013-01-08	4	-105/+238
\| \| \| \| \| \|	Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain an store it with a pointer to the domain.
*	PAC responder: check if existing user differs	Sumit Bose	2013-01-08	3	-13/+64
\| \| \| \| \| \|	If some of the Posix attributes of an user existing in the cache differ from the data given in the current PAC the old user entry is drop and a new one is created with the data from the PAC.