| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
| |
(cherry picked from commit 30ee051025753b63ceb19d3b83c44019a19554a1)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 93dabb2fe0a798f22bb802b9c6521ab9e6a4ac36)
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d3436880c0ec1a7776698c739d4a3edc9a6ac57c)
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 957c55df7a7086166fb3c14cead6a0dab8f574c1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e81deec535d11912b87954c81a1edd768c1386c9)
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2169
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Homedir is defaultly set accordingly to subdomain_homedir for users from AD.
Resolves:
https://fedorahosted.org/sssd/ticket/2169
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
This reverts commit 1dc7694a1cbc62b0d7e23cc1369579e5ce0071e8.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Print user friendly warning when permissions on sssd.conf are incorrect and
provide hint.
Resolves:
https://fedorahosted.org/sssd/ticket/2208
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit b3cc9b98966fa2d90172348c334b3b70c5261ab3)
|
|
|
|
|
|
|
|
|
| |
Commit 8280c5213094 introduced filtering local groups for trusted/sub domains,
but attribute groupType was not available with configuration id_provide ldap
and ldap_schema ad.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
|
| |
Domain needn't contain sid if id_provider is ldap.
With enabled id mapping, group couldn't be stored, because domain
couldn't be found by sid.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
| |
|
|
|
|
|
| |
According to asprintf(3) the content off errmsg is undefined
on error, lets set it to NULL.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because domain enumeration currently works for each domain separately,
the code has to establish cross-domain memberships after all domains are
enumerated. The code works as follows:
1) check if any *sub*domains were enumerated. If not, do nothing
2) if any of the groups saved had more original members than
sysdb members, check if members of these groups can be linked now
that all users and groups are saved using the orig_member
attribute of the group matched against originalDN member of the
user.
Related:
https://fedorahosted.org/sssd/ticket/2142
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
This commit changes the enumerate-sdap-domain request to accept a
connection context per object that can be enumerated. Internally in the
request, an sdap_id_op is also created per enumerated object type.
This change will allow i.e. users to be enumerated using GC connection,
while keeping the LDAP connection for groups and services.
|
|
|
|
|
|
|
|
|
|
| |
connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration.
|
|
|
|
|
|
| |
Depending on the state of the subdomain_enumerate variable, the newly
created subdomain object is created with the right value of "enumerate"
attribute in the sysdb.
|
|
|
|
|
| |
The domain was already marked as enumerated using sysdb_set_enumerated
in the enumeration request itself.
|
|
|
|
|
|
|
|
|
|
| |
strptime() which is used to parse LDAP time value does not initialize
all fields of tm structure (especially tm_isdst). This results in
random behavior - when the tm is converted into timestamp via mktime(),
the result depends on current value of tm_isdst.
Resolves:
https://fedorahosted.org/sssd/ticket/2213
|
|
|
|
|
|
| |
Currently always the name of the configured domain was passed to the
CLDAP request. This will fail if the CLDAP request is send to a DC form
a different domain.
|
|
|
|
|
|
|
|
|
| |
If an ID was requested from the back end, but no ID mapping domain
matched, the request ended with a scary error message. It's better to
treat the request as if no such ID was found in the domain
Related:
https://fedorahosted.org/sssd/ticket/2200
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2202
|
|
|
|
|
|
|
|
|
|
|
| |
sss_idmap_domain_has_algorithmic_mapping can return also
IDMAP_SID_INVALID, but it does not mean that idmaping is
unavailable. We should fall back to another method of detection
(sss_idmap_domain_by_name_has_algorithmic_mapping)
and do not return false immediately.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
| |
For id_provider ldap, it is only necessary to enable option ldap_id_mapping.
It is an regression introduced in the commit d3e1d88ce7de3216a862b
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
|
| |
Domain needn't contain sid if id_provider is ldap.
With enabled id mapping, user couldn't be stored, because domain
couldn't be found by sid.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2199
|
| |
|
| |
|
|
|
|
|
|
|
| |
EOK was returned in done section of netlogon_get_flat_name,
even if error code was set in variable ret.
This patch fixes also warnings from scan-build.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2169
|
|
|
|
|
|
|
|
|
|
| |
To correctly decide if an object is a member of the main sssd domain, a flat name
is needed. However, the information may not be available when the module is
inited so it may be necessary to refresh this data later while processing a
request.
Resolves:
https://fedorahosted.org/sssd/ticket/2189
|
|
|
|
|
|
|
| |
Use flat name to recognise users and groups belonging to main sssd domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2189
|
| |
|
|
|
|
|
| |
Some override parameters were not inherited when creating subdomains.
Especially with AD trusts, this gave strange results.
|
|
|
|
|
| |
The functionality was removed, but we forgot to remove the corresponding
tests, mostly because these tests were only ever ran as root.
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2164
The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2160
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
it was last one
The last message in the stream might be with empty payload which means we get
only message type and message length (0) returned, i.e. 8 bytes left remaining
in the stream after processing preceding message. This makes our calculation at
the end of a message processing loop incorrect -- p+2*sizeof(int32_t) can be
equal to len, after all.
Fixes FAST processing for FreeIPA native OTP case:
https://fedorahosted.org/sssd/ticket/2186
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2191
There was a copy-n-paste bug in the code that resulted in using a wrong
attribute map. This could lead to the primary name not being selected
correctly.
|
| |
|
| |
|
| |
|
|
|
|
| |
New functions were added.
|
|
|
|
|
| |
Since we have the LDAP port of a trusted AD GC always available now, we
can always perform a fallback.
|
|
|
|
|
|
|
|
|
|
| |
SSSD now defaults to using GC by default. For some environments, for
instance those that don't or can't replicate the POSIX attributes to
Global Catalog, this might not be desirable.
This patch introduces a new option ad_enable_gc, that is enabled by
default. Setting this option to false makes the SSSD contact only the
LDAP port of AD DCs.
|