summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* idmap: allow ranges with external mapping to overlapSumit Bose2013-10-172-5/+71
| | | | | | | | | | | If POSIX IDs are managed externally e.g. by AD it might be possible that the IDs are centrally manages for the whole forest. Hence there might not be a single ID range for each member domain in the forest but only a single ID range for the whole forest. This means that we have to allow collisions if ID ranges in this case. Unit tests are added to make sure that the collisions are only allowed for external mappings.
* idmap: fix a memory leak if a collision is detectedSumit Bose2013-10-171-6/+7
|
* idmap: add internal function to free a domain structSumit Bose2013-10-171-4/+15
|
* KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD userJakub Hrozek2013-10-172-0/+9
| | | | | | | If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.
* IPA server mode: properly initialize ext_groupsSumit Bose2013-10-161-1/+2
|
* LDAP: Set default value for dyndns update to falseLukas Slebodnik2013-10-151-1/+1
| | | | | | | | In some cases, local boolean variable "do_update" could be used without proper initialisation. Clang static analyser warning: "Assigned value is garbage or undefined" It was not a big problem, because non-zero value for boolean variable mean true.
* INI: Disable line-wrapping functionalityJakub Hrozek2013-10-111-1/+1
| | | | | | | Supporting the latest INI release brought an incompatible change. Lines beginning with a whitespace were treated as continuation of the previous line. This patch reverts to ignoring the whitespace as we did previously so that the existing configurations keep working.
* LDAP: handle SID requests if noexist_delete is setSumit Bose2013-10-101-0/+10
| | | | Fixes https://fedorahosted.org/sssd/ticket/2116
* MAN: Reflow debug_levels.xmlStephen Gallagher2013-10-071-13/+20
| | | | | | Many lines in debug_levels.xml violated our line-length conventsions. This patch provides no functional changes, it simply brings those lines into compliance.
* MAN: Clarify debug level documentationStephen Gallagher2013-10-071-6/+20
| | | | | | | Originally, we planned to deprecate the decimal values for the debug levels, but that has proven to be too difficult for most users to understand. Instead, we will document both the simple decimal and complex bitmask values and recommend the use of the decimal values.
* krb5: Fix unit testsJakub Hrozek2013-10-072-85/+46
|
* krb5: Remove ability to create public directoriesSimo Sorce2013-10-073-71/+37
| | | | | | | | | Setting up public directories is the job of the admin, and current sssd syntax can't express the actual intention of the admin with regrads to which parts of the path should be public or private. Resolves: https://fedorahosted.org/sssd/ticket/2071
* AD: properly intitialize GC from ad_server optionSumit Bose2013-10-041-1/+1
|
* SYSDB: Fix incorrect DEBUG messageStephen Gallagher2013-10-041-1/+1
| | | | | | | | A bad comparison resulted in the sysdb_sudo_check_time() function always printing a debug message saying that the time matched. Resolves: Coverity Issue #12031
* sudo: improve time restrictions debug messagesPavel Březina2013-10-012-0/+15
|
* sudo: allow specifying only one time restrictionPavel Březina2013-10-011-47/+34
| | | | https://fedorahosted.org/sssd/ticket/2100
* Updating the version for the 1.11.2 releaseJakub Hrozek2013-09-271-1/+1
|
* Updating the translations for the 1.11.1 releasesssd-1_11_1Jakub Hrozek2013-09-2736-6127/+7211
|
* MAN: Document that POSIX attributes must be replicated to GCJakub Hrozek2013-09-271-0/+5
| | | | | | Currently the AD provider relies on the presence of the POSIX attributes in the Global Catalog. This patch mentiones the fact in the sssd-ad(5) manual page.
* AD: talk to GC first even for local domain objectsJakub Hrozek2013-09-272-7/+18
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matches in the GC, there is a possibility to fall back to LDAP.
* LDAP: Allow searching subdomain during RFC2307bis initgroupsJakub Hrozek2013-09-271-9/+11
| | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2070 Until now, the POSIX-compliant initgroups would only be able to search the parent domain. Since we want to allow using POSIX attributes from AD subdomains as well, we should allow searching a custom sdap_domain.
* LDAP: Require ID numbers when ID mapping is offJakub Hrozek2013-09-272-7/+77
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2070 When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemigly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC.
* KRB5: Use the correct domain when authenticating with cached passwordJakub Hrozek2013-09-271-4/+4
|
* KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolvedJakub Hrozek2013-09-271-0/+1
|
* Do not return DP_ERR_FATAL in case of successSumit Bose2013-09-271-1/+5
|
* ipa_server_mode: write capaths to krb5 include fileSumit Bose2013-09-274-4/+56
| | | | | | | | | | | | If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this works requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
* IPA: store forest name for forest member domainsSumit Bose2013-09-278-16/+158
| | | | | In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
* IPA: Ignore dns_discovery_domain in server modeJakub Hrozek2013-09-261-0/+36
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2079 If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
* ad: store group in correct tree on initgroups via tokenGroupsPavel Březina2013-09-261-11/+41
| | | | | | | | | If tokenGroups contains group from different domain than user's, we stored it under the user's domain tree in sysdb. This patch changes it so we store it under group's domain tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
* sysdb: sysdb_update_members can take either name or dnPavel Březina2013-09-264-25/+65
| | | | | | | | | We need to work with distinguish names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
* sysdb: get_sysdb_grouplist() can return either names or dnPavel Březina2013-09-262-16/+55
| | | | | | | | | We need to work with distinguish names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
* util: add get_domains_head()Pavel Březina2013-09-262-0/+15
| | | | | | | This function will return head of the domain list. Resolves: https://fedorahosted.org/sssd/ticket/2066
* KRB5: Fix bad comparisonJakub Hrozek2013-09-261-1/+1
|
* krb5: Be more lenient on failures for old ccacheSimo Sorce2013-09-252-2/+2
| | | | | | | | | | | Fix a check for an error return code that can be returned when the ccache is not found. Even in case of other errors still do not fail authentication but allow it to proceed using a new ccache file if necessary. Related: https://fedorahosted.org/sssd/ticket/2053
* NSS: Failure to store entry negative cache should not be fatalJakub Hrozek2013-09-251-18/+31
| | | | | The only effect the failure to store a result to negative cache might have would be a slower lookup next time.
* NSS: Set UID and GID to negative cache after searching all domainsJakub Hrozek2013-09-251-66/+105
| | | | | | | https://fedorahosted.org/sssd/ticket/2090 Previously, when searching by UID or GID, the negative cache will only work in case the UID was searched for using fully qualified names.
* man: server side password policies always takes precedencePavel Březina2013-09-241-0/+5
| | | | https://fedorahosted.org/sssd/ticket/2091
* Convert IN_MULTICAST parameter to host orderJakub Hrozek2013-09-243-3/+3
| | | | | | | https://fedorahosted.org/sssd/ticket/2087 IN_MULTICAST accepts address in the host order, but network order was supplied.
* Check slot validity before MC_SLOT_TO_PTR.Michal Zidek2013-09-232-15/+79
| | | | | resolves: https://fedorahosted.org/sssd/ticket/2049
* krb5: do not expand enterprise principals is offlineSumit Bose2013-09-231-1/+1
| | | | | | | | Expanding a principle to an enterprise principal only makes sense if there is a KDC available which can process it. If we are offline the plain principal should be used, e.g. to create an expired ccache. Fixes https://fedorahosted.org/sssd/ticket/2060
* krb5: save canonical upn to sysdbSumit Bose2013-09-235-20/+58
| | | | | | | | | | | | | If the returned TGT contains a different user principal name (upn) than used in the request, i.e. the upn was canonicalized, we currently save it to sysdb into the same attribute where the upn coming from an LDAP server is stored as well. This means the canonical upn might be overwritten when the user data is re-read from the LDAP server. To avoid this this patch add a new attribute to sysdb where the canonical upn is stored and makes sure it is used when available. Fixes https://fedorahosted.org/sssd/ticket/2060
* LDAP: Use primary cn to search netgroupLukas Slebodnik2013-09-223-7/+22
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2075
* AD: Failure to get flat name is not fatalJakub Hrozek2013-09-223-68/+86
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2067 Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.
* sdap_domain_add: remove too strict consistency checkSumit Bose2013-09-201-10/+0
| | | | | The check worked for simple setups but fails e.g. in environment with trusts.
* man: improve sssd-sudo manual pagePavel Březina2013-09-201-2/+22
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2085
* AD: Download master domain info when enumeratingJakub Hrozek2013-09-185-7/+211
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.
* LDAP: sdap_id_setup_tasks accepts a custom enum requestJakub Hrozek2013-09-184-18/+29
| | | | AD provider will override the default with its own.
* AD: async request to retrieve master domain infoJakub Hrozek2013-09-185-214/+417
| | | | Adds a reusable async request to download the master domain info.
* KRB5: Call umask before mkstemp in the krb5 child codeJakub Hrozek2013-09-171-0/+3
|
* simple provider: obey case sensitivity for subdomain users and groupsPavel Březina2013-09-171-7/+43
| | | | | | | | When comparing username and his groups to access list, we will obey case sensitivity of object from access list. Resolves: https://fedorahosted.org/sssd/ticket/2034
generated by cgit (git 2.34.1) at 2024-05-27 11:42:33 +0000