| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Cleanup debug_fn to better match coding conventions.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
Remove extra fflush(3) invocation when outputting debug messages.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move DEBUG macro body to the debug_fn function, adding "function"
argument to the latter.
Rename "debug_fn" in sssd_krb5_locator_plugin.c to "plugin_debug_fn" to
remove conflict with the sssd debug_fn.
Replace DEBUG_MSG macro usage with debug_fn function usage.
Remove DEBUG_MSG macro along with tests.
The above makes the total size of binaries drop by 20% for the standard
Fedora build and by 44% for a build configured according to Debian
packaging script.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch to using new debug levels in sss_semanage_error_callback.
Make SEMANAGE_MSG_WARN map to SSSDBG_MINOR_FAILURE instead of
SSSDBG_CONF_SETTINGS as it suits it better.
This prepares the function for the following patch switching it
to using updated "debug_fn" which expects new debug levels.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Add files cscope creates for inverted index (when running with -q) to
.gitignore. Inverted index enables faster symbol lookup.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Sometimes a UID/GID value was printed using the %d format specifier
which caused overflows for very large values of ID.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Print user friendly warning when permissions on sssd.conf are incorrect and
provide hint.
Resolves:
https://fedorahosted.org/sssd/ticket/2208
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Fail to start sssd if the domains given in the domains option are the same as
or only differ in case.
Resolves:
https://fedorahosted.org/sssd/ticket/2171
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2169
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1359
|
|
|
|
|
|
|
| |
Homedir is defaultly set accordingly to subdomain_homedir for users from AD.
Resolves:
https://fedorahosted.org/sssd/ticket/2169
|
|
|
|
| |
This reverts commit 1dc7694a1cbc62b0d7e23cc1369579e5ce0071e8.
|
|
|
|
|
|
|
|
|
|
| |
Generate nsupdate input for sending PTR record update messages
separately instead of together in nsupdate_msg_add_ptr.
This fixes updates with addresses from different networks (DNS zones),
as nsupdate doesn't support such updates in a single message.
Fixes https://fedorahosted.org/sssd/ticket/2179
|
|
|
|
|
| |
Memory context memctx was unused in functions _ad_servers_init
sdap_ad_tokengroups_update_members
|
|
|
|
|
|
|
|
|
| |
Commit 8280c5213094 introduced filtering local groups for trusted/sub domains,
but attribute groupType was not available with configuration id_provide ldap
and ldap_schema ad.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
|
| |
Domain needn't contain sid if id_provider is ldap.
With enabled id mapping, group couldn't be stored, because domain
couldn't be found by sid.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
| |
|
|
|
|
|
|
|
|
|
|
| |
strptime() which is used to parse LDAP time value does not initialize
all fields of tm structure (especially tm_isdst). This results in
random behavior - when the tm is converted into timestamp via mktime(),
the result depends on current value of tm_isdst.
Resolves:
https://fedorahosted.org/sssd/ticket/2213
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because domain enumeration currently works for each domain separately,
the code has to establish cross-domain memberships after all domains are
enumerated. The code works as follows:
1) check if any *sub*domains were enumerated. If not, do nothing
2) if any of the groups saved had more original members than
sysdb members, check if members of these groups can be linked now
that all users and groups are saved using the orig_member
attribute of the group matched against originalDN member of the
user.
Related:
https://fedorahosted.org/sssd/ticket/2142
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
This commit changes the enumerate-sdap-domain request to accept a
connection context per object that can be enumerated. Internally in the
request, an sdap_id_op is also created per enumerated object type.
This change will allow i.e. users to be enumerated using GC connection,
while keeping the LDAP connection for groups and services.
|
|
|
|
|
|
|
|
|
|
| |
connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration.
|
|
|
|
|
|
| |
Depending on the state of the subdomain_enumerate variable, the newly
created subdomain object is created with the right value of "enumerate"
attribute in the sysdb.
|
|
|
|
|
|
| |
Currently always the name of the configured domain was passed to the
CLDAP request. This will fail if the CLDAP request is send to a DC form
a different domain.
|
| |
|
|
|
|
|
| |
PAM_SM_AUTH, PAM_SM_ACCOUNT, PAM_SM_SESSION, PAM_SM_PASSWORD
I cannot find in git history where these macro were used.
|
|
|
|
|
|
|
| |
There is a test for sss_authtok_set where '\0' is used as argument data.
'\0' is evaluated as zero and zero is treated as a null pointer.
And there is another test for NULL pointer few lines before.
Patch changes 3rd argument '\0' into properly cast zero length sting ""
|
|
|
|
|
|
|
|
|
| |
If an ID was requested from the back end, but no ID mapping domain
matched, the request ended with a scary error message. It's better to
treat the request as if no such ID was found in the domain
Related:
https://fedorahosted.org/sssd/ticket/2200
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2202
|
|
|
|
|
|
|
|
|
|
|
| |
sss_idmap_domain_has_algorithmic_mapping can return also
IDMAP_SID_INVALID, but it does not mean that idmaping is
unavailable. We should fall back to another method of detection
(sss_idmap_domain_by_name_has_algorithmic_mapping)
and do not return false immediately.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
| |
For id_provider ldap, it is only necessary to enable option ldap_id_mapping.
It is an regression introduced in the commit d3e1d88ce7de3216a862b
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
|
| |
Domain needn't contain sid if id_provider is ldap.
With enabled id mapping, user couldn't be stored, because domain
couldn't be found by sid.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2199
|
| |
|
| |
|
|
|
|
|
|
|
| |
EOK was returned in done section of netlogon_get_flat_name,
even if error code was set in variable ret.
This patch fixes also warnings from scan-build.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2169
|
|
|
|
|
|
|
|
|
|
| |
To correctly decide if an object is a member of the main sssd domain, a flat name
is needed. However, the information may not be available when the module is
inited so it may be necessary to refresh this data later while processing a
request.
Resolves:
https://fedorahosted.org/sssd/ticket/2189
|
|
|
|
|
|
|
| |
Use flat name to recognise users and groups belonging to main sssd domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2189
|
| |
|
|
|
|
|
| |
Some override parameters were not inherited when creating subdomains.
Especially with AD trusts, this gave strange results.
|
| |
|