summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-195-55/+27
|
* Add sysdb_attrs_add_lc_name_aliasSumit Bose2013-12-193-0/+53
|
* sss_cache: fix case-sensitivity issueSumit Bose2013-12-191-27/+36
| | | | | | | For case-insensitive domains the lower-case name for case-insensitive searches is stored in SYSDB_NAME_ALIAS. Related to https://fedorahosted.org/sssd/ticket/1741
* sss_cache: initialize names member of sss_domain_infoSumit Bose2013-12-191-13/+10
| | | | | | | | | sss_tc_fqname() called by sss_get_domain_name() requires that the names member of the sss_domain_info struct is set to work properly. If the names struct is properly initialized in sss_domain_info the separate one in the tool context is not needed anymore. Related to https://fedorahosted.org/sssd/ticket/1741
* IPA: Call ipa_ad_subdom_refresh when server mode is initializedJakub Hrozek2013-12-191-6/+14
| | | | | | ipa_ad_subdom_refresh was called before IPA server context was initialized. On IPA server, this caused the code to dereference a NULL pointer and crash.
* IPA: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-19/+32
| | | | | Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.
* AD: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-17/+32
| | | | | | | | | | Previously, if no changes were done to the list of subdomains, the SSSD didn't update its list of sdap_domain mappings for the new subdomain. This resulted in errors as no id_ctx was present for the subdomain during lookup. This patch moves the block of code performed during update to a function of its own and calls it during provider initialization as well.
* ad: use tokengroups even when id mapping is disabledPavel Březina2013-12-183-26/+525
| | | | https://fedorahosted.org/sssd/ticket/1568
* ad: refactor tokengroups initgroupsPavel Březina2013-12-183-231/+357
| | | | | sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
* AD: use LDAP for group lookupsSumit Bose2013-12-133-3/+152
| | | | | | | | | | | | | | | | The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
* AUTOTOOLS: krb5 1.12 is also supported krb5 libsLukas Slebodnik2013-12-101-1/+2
| | | | pac responder was not properly detected with krb5 1.12 library
* NSS: Fix memory leak in sss_setnetgrentLukas Slebodnik2013-12-101-1/+1
| | | | | | | | | | | struct nss_cmd_ctx was not released in function nss_cmd_setnetgrent_done and it wasn't used in the other function, because getnetgrent creates its own nss_cmd_ctx context. struct nss_cmd_ctx was released after closing client because it was allocated under client context. Memory leak is apparent with long living clients. Resolves: https://fedorahosted.org/sssd/ticket/2170
* SUBDOMAINS: Reuse cached results if DP is offlineJakub Hrozek2013-12-092-2/+13
| | | | | | | | | | If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168
* failover: check dns_domain if primary servers lookup failedPavel Březina2013-12-091-3/+7
| | | | | | | If primary servers lookup failed, dns_domain is not set. Resolves: https://fedorahosted.org/sssd/ticket/2173
* sysv/gentoo: Send debug output to a file instead of stderrMarkos Chandras2013-12-041-1/+1
| | | | | | | Output from init scripts should go to a file (ideally in /var/log directory) instead of stderr. Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
* sysv/gentoo: Use xdm if possibleMarkos Chandras2013-12-041-1/+1
| | | | | | | Allow sssd to use the xdm wrapper so login managers can use sssd to authenticate users. Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
* SSSD: Unit test - sss_ldap_dn_in_search_basesPavel Reichl2013-11-292-1/+217
| | | | | | | Unit test testing detection of the right domain when processing group with members from several domains Resolves: https://fedorahosted.org/sssd/ticket/2132
* SSSD: Improved domain detectionPavel Reichl2013-11-293-16/+57
| | | | | | | A bit more elegant way of detection of what domain the group member belongs to Resolves: https://fedorahosted.org/sssd/ticket/2132
* SYSDB: Sanitize filter before removing ghost attrsLukas Slebodnik2013-11-292-1/+27
| | | | | | | | | | | sysdb_add_user fails with EIO if enumeration is disabled and user contains backslashes. We try to remove ghost attributes from groups with disabled enumeration, but unsanitized filter is used to find ghost attributes "(|(ghost=usr\\\\002)" and ldb cannot parse this filter. Resolves: https://fedorahosted.org/sssd/ticket/2163
* SYSDB: Sanitize filter before sysdb_search_groupsLukas Slebodnik2013-11-292-1/+13
| | | | | | | | | | sysdb_delete_user fails with EIO if user does not exist and contains backslashes. ldb could not parse filter (&(objectclass=group)(ghost=usr\\\\001)), because ghost value was not sanitized Resolves: https://fedorahosted.org/sssd/ticket/2163
* LDAP: Initialize user count for AD matching ruleJakub Hrozek2013-11-281-1/+1
| | | | | | | https://fedorahosted.org/sssd/ticket/2157 If AD matching rule was selected, but the group was empty, the SSSD accessed random data. Initializing count to zero prevents that.
* AD: Fix a typo in the man pageJakub Hrozek2013-11-271-1/+1
| | | | https://fedorahosted.org/sssd/ticket/2154
* monitor: Specific error message for missing sssd.confPavel Reichl2013-11-274-3/+16
| | | | | | | | Specific error message is logged for missing sssd.conf file. New sssd specific error value is introduced for this case. Resolves: https://fedorahosted.org/sssd/ticket/2156
* pac: fix potential memory leaksPavel Březina2013-11-261-5/+5
|
* pac: fix double freePavel Březina2013-11-261-8/+6
|
* LDAP: Search for original DN during auth if it's missingJakub Hrozek2013-11-201-16/+194
| | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2077 If during the LDAP authentication we find out that the originalDN to bind as is missing (because the ID module is not LDAP based), we can try to look up the user from LDAP without saving him just in order to receive the originalDN.
* LDAP: Split out a request to search for a user w/o savingJakub Hrozek2013-11-202-33/+147
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2077 Certain situations require that a user entry is downloaded for further inpection, but not saved to the sysdb right away. This patch splits the previously monolithic request into one that just downloads the data and one that uses the new one to download and save the user.
* do not use default_domain_suffix with autofsAron Parsons2013-11-181-1/+1
|
* SYSDB: Skip malformed netgroup attribute.Lukas Slebodnik2013-11-151-1/+5
| | | | | | | | | | It was not easy find out why netgroup could not be covert into result entries. Problem was that nisNetgroupTriple contained unexpected string "(,user01)" This patch will ignore only malformed attribute and processing of netgroup will not fail. Resolves: https://fedorahosted.org/sssd/ticket/2137
* LDAP: Prevent from using uninitialized sdap_optionsLukas Slebodnik2013-11-141-1/+1
| | | | | | | | ldap_get_options can fail in time of ldap back end initialisation and then sssd try to release uninitialised sdap_options. Resolves: https://fedorahosted.org/sssd/ticket/2147
* build: fix ordering of linker flagsJan Engelhardt2013-11-121-32/+34
| | | | | | Libraries MUST be specified in LDADD/LIBADD, not LDFLAGS, because LDFLAGS appear earlier in the command line and library order is significant.
* Initialize sid_str to NULL to avoid freeing random dataJakub Hrozek2013-11-082-2/+2
| | | | | If any function before failed, sss_idmap_free_sid() might have been called with random data.
* NSS: Set packet length for initgroupsLukas Slebodnik2013-11-071-0/+7
| | | | | | | | | | Some groups could be skipped, but packet length was not trimmed. This is a reason why valgrind reported access to uninitialised bytes. Actually, it isn't a problem, because the first uint32 in body is number of sended gids. Resolves: https://fedorahosted.org/sssd/ticket/2138
* free idmapped binary SIDs correctlyPavel Březina2013-11-072-6/+6
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* free idmapped smb SIDs correctlyPavel Březina2013-11-071-3/+3
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* free idmapped dom SIDs correctlyPavel Březina2013-11-071-6/+6
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* free idmapped SIDs correctlyPavel Březina2013-11-078-13/+20
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* idmap: add API to free allocated SIDsPavel Březina2013-11-072-0/+84
|
* Updating the version for the 1.11.3 releaseJakub Hrozek2013-10-301-1/+1
|
* Updating translation for the 1.11.2 releasesssd-1_11_2Jakub Hrozek2013-10-3037-6334/+7889
|
* AD: Fix ad_access_filter parsing with empty filterJakub Hrozek2013-10-302-0/+24
|
* NSS: Fix parenthesisJakub Hrozek2013-10-301-1/+1
|
* LDAP: Check all search bases during nested group processingJakub Hrozek2013-10-301-13/+42
|
* nested groups: pick correct domain for cache lookupsPavel Březina2013-10-301-4/+12
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap_fill_memberships: pick correct domain for every memberPavel Březina2013-10-301-4/+19
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
* ghosts: pick correct domain for every memberPavel Březina2013-10-301-10/+15
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we store subdomain users with correct domain name. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap: add sdap_domain_get_by_dn()Pavel Březina2013-10-302-0/+28
| | | | | | | | This function will find sdap domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap: store base dn in sdap_domainPavel Březina2013-10-302-15/+22
| | | | | | | | | Groups may contain members from different domains. Remembering base dn in domain object gives us the ability to simply lookup correct domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
* ad: shortcut if possible during get object by ID or SIDPavel Březina2013-10-301-0/+96
| | | | | | | | | | When getByID or getBySID comes from responder, the request doesn't necessarily have to contain correct domain, since responder iterates over all domains until it finds a match. Every domain has its own ID range, so we can simply shortcut if domain does not match and avoid LDAP round trip. Responder will continue with next domain until it finds the correct one.
* free sid obtained from sss_idmap_unix_to_sid()Pavel Březina2013-10-301-0/+2
|
generated by cgit (git 2.34.1) at 2024-05-17 14:48:33 +0000