Commit message | Author | Age | Files | Lines
...
* SBUS: several trivial style fixes | Jakub Hrozek | 2014-05-13 | 3 | -6/+9
  In SSSD we tend to use {} brackets around single-line blocks, too to make sure we don't forget to add them should the block become larger. We also don't add a space between function name and the opening "(".

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Stef Walter <stefw@redhat.com>
* LDAP: Check the LDAP handle before using it | Jakub Hrozek | 2014-05-12 | 1 | -0/+13
  As the connection code is async-driven, the LDAP handle might be invalidated before SSSD attempts to use it. Similar to commit 5fe6ca5e339fd345119752e996c14edf8db57660, this patch adds a NULL check for the LDAP handle and aborts the request instead of crashing.

  Resolves: https://fedorahosted.org/sssd/ticket/2305
* ipa_selinux: Put SELinux map order related variables into structure | Michal Zidek | 2014-05-12 | 1 | -31/+37
  Small change to make the code more readable. The relation between order, order_array and order_count is more obvious when they are grouped in structure.

  resolves: https://fedorahosted.org/sssd/ticket/2304
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MONITOR: Fix start up with empty standard input | Lukas Slebodnik | 2014-05-12 | 1 | -0/+3
  The monitor process does not read data from standard input in. We can close file descriptor from stdin.

    [sssd] [server_stdin_handler] (0x0020): sssd: EOF on stdin - terminating

  Resolves: https://fedorahosted.org/sssd/ticket/2312
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Use constant instead of value for stdin. | Lukas Slebodnik | 2014-05-12 | 1 | -1/+1
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TEST: Link ipa_ldap_opt test with openldap libs | Lukas Slebodnik | 2014-05-06 | 1 | -0/+1
  The test ipa_ldap_opt has undefined symbols from libldap and liblber, but it was not directly linked with openldap libraries.

    sh-4.2$ nm --undefined-only .libs/ipa_ldap_opt-tests | grep -E "ldap|ber"
    U ber_free
    U ldap_err2string

  It causes linker failure on systems with disabled link_all_deplibs (debian)

    /usr/bin/ld: src/providers/ldap/ipa_ldap_opt_tests-sdap.o: undefined reference to symbol 'ber_free'
    /usr/bin/ld: note: 'ber_free' is defined in DSO /lib64/liblber-2.4.so.2 so try adding it to the linker command line
    /lib64/liblber-2.4.so.2: could not read symbols: Invalid operation
    clang: error: linker command failed with exit code 1 (use -v to see invocation)

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Close memstream handle in introspect destructor | Jakub Hrozek | 2014-05-06 | 1 | -0/+4
  There was a resource leak in the introspection code. This patch fixes the leak.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SPEC: Remove duplicate sssd_ifp. | Lukas Slebodnik | 2014-05-02 | 1 | -1/+0
  The file sssd_ifp was installed by two subpackages: sssd-common and sssd-dbus

  I didn't have installed file org.freedesktop.sssd.infopipe.conf, because it is in package sssd-dbus. Missing conf file caused problem with starting the ifp service.

    [sssd] [monitor_service_init] (0x0400): Initializing D-BUS Service
    [sssd] [mt_svc_exit_handler] (0x0040): Child [ifp] exited with code [3]
    [sssd] [mt_svc_exit_handler] (0x0010): Process [ifp], definitely stopped!
    [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.522" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
    [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
    [sssd[ifp]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Make LDAP extra attributes available to IPA and AD | Sumit Bose | 2014-05-02 | 7 | -48/+61
  https://fedorahosted.org/sssd/ticket/2073

  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Make it possible to extend an attribute map | Jakub Hrozek | 2014-05-02 | 22 | -15/+383
  https://fedorahosted.org/sssd/ticket/2073

  This commit adds a new option ldap_user_extra_attrs that is unset by default. When set, the option contains a list of LDAP attributes the LDAP provider would download and store in addition to the usual set.

  The list can either contain LDAP attribute names only, or colon-separated tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas.

  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Fix off-by-one bug in sdap_copy_opts | Jakub Hrozek | 2014-05-02 | 3 | -1/+62
  The sdap_copy_opts function copied all the arguments except for the sentinel.

  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD Provider: bugfix use-after-free | Pavel Reichl | 2014-04-30 | 1 | -2/+7
  Resolves: https://fedorahosted.org/sssd/ticket/2322

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD Provider: bug-fix uninitialized variable | Pavel Reichl | 2014-04-30 | 1 | -1/+2
  ad_subdomains_refresh() always set value to output parameter 'changes' if EOK is returned.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* CRYPTO: Fix access to uninitialized data | Lukas Slebodnik | 2014-04-28 | 2 | -4/+12
  The size of output buffer(obufsize) was longer than initialised data. In calculation, uint32_t was used for length of the cryptotext, but uint16_t was written into buffer. The end of buffer was not initialised and it caused valgrind warning.

    Use of uninitialised value of size 8
       at 0x37AE40F363: pl_base64_encode_buffer (nssb64e.c:180)
       by 0x37AE40F6ED: NSSBase64_EncodeItem_Util (nssb64e.c:482)
       by 0x37AE40F87A: BTOA_DataToAscii_Util (nssb64e.c:721)
       by 0x40208A: sss_base64_encode (nss_base64.c:47)
       by 0x403305: sss_password_encrypt (nss_obfuscate.c:358)

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* util: Fix 'wrong mode' debug message | Pavel Reichl | 2014-04-28 | 1 | -2/+3
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Monitor: fix message wrong perm. mode on config file | Pavel Reichl | 2014-04-28 | 1 | -2/+2
  Change description of supported access modes. Add missing new line in message.

  Reviewed-by: Simo Sorce <simo@redhat.com>
* confdb: Change file checks for config file | Simo Sorce | 2014-04-28 | 1 | -3/+4
  We only really care that the file is readable by the owner and not accessible by group or others. We do not really care whether the owner can write/execute the file or not, so we mask out those perms.

  Resolves: https://bugzilla.redhat.com/1089098
  Resolves: https://fedorahosted.org/sssd/ticket/2321

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* util: Change file check fns to use a mode mask | Simo Sorce | 2014-04-28 | 8 | -89/+60
  Instead of using a custom way to check file type, use the system provided macros and a mode mask to decide when we want to check. Additionally a mask also allows us to selectively check permissions.

  Related: https://bugzilla.redhat.com/1089098
  Resolves: https://fedorahosted.org/sssd/ticket/2321

  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* mmap: Get errno when unlink fails | Michal Zidek | 2014-04-25 | 1 | -0/+1
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TEST: Some macros aren't defined in older version of check. | Lukas Slebodnik | 2014-04-25 | 1 | -0/+15
    src/tests/sbus_codegen_tests-sbus_codegen_tests.o: In function `eject_handler':
    tests/sbus_codegen_tests.c:229: undefined reference to `ck_assert_uint_eq'
    tests/sbus_codegen_tests.c:235: undefined reference to `ck_assert_uint_eq'
    tests/sbus_codegen_tests.c:239: undefined reference to `ck_assert_uint_eq'
    src/tests/sbus_codegen_tests-sbus_codegen_tests.o: In function `test_marshal_basic_types':
    src/tests/sbus_codegen_tests.c:446: undefined reference to `ck_assert_uint_eq'
    src/tests/sbus_codegen_tests.c:449: undefined reference to `ck_assert_uint_eq'
    src/tests/sbus_codegen_tests-sbus_codegen_tests.o: src/tests/sbus_codegen_tests.c:451: more undefined references to `ck_assert_uint_eq' follow
    collect2: ld returned 1 exit status
    make[3]: *** [sbus_codegen_tests] Error 1

  Macro ck_assert_uint_eq was added in check-0.9.10

  Resolves: https://fedorahosted.org/sssd/ticket/2319
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* KRB5: Print a verbose error message on failure reading the keytab | Jakub Hrozek | 2014-04-23 | 1 | -0/+6
  krb5_kt_resolve() returns 0 when a non-existent keytab is read, which means there was no FATAL-level DEBUG message printed to the user in case the keytab was missing completely and users had to enable more verbose debugging to diagnose failure to start up.

  This patch adds both the verbose DEBUG message as well as a syslog message.

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* RESPONDERS: Add a new request sss_parse_inp_send | Jakub Hrozek | 2014-04-22 | 8 | -1/+483
  The responders were copying code to parse input and on encountering an unknown domain, send the discover subdomain request.

  This patch adds a reusable request that can always be called in responders and in case the name can be parsed, just shortcut.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Split a separate common_mock_resp_dp module | Jakub Hrozek | 2014-04-22 | 3 | -71/+102
  Splitting the module would allow responders that test the Data Provider requests to use the mock_rctx/mock_cctx functions without duplicate definitions.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Create a default sss_names_ctx in create_dom_test_ctx | Jakub Hrozek | 2014-04-22 | 2 | -0/+13
  This would allow to call create_dom_test_ctx from tests that expect to be able to parse input with a regular expression just like a responder would do with an input from a client.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Remove unused 'force' parameter from the subdomain handler | Jakub Hrozek | 2014-04-22 | 2 | -20/+6
  The force argument was unused and made the code more complex than required.

  Moreover, the force argument would have made the subdomain handler behave differently than other identity domains -- when the front end decides it's time to update the domains, the back end should just update them. Handling multiple concurrent requests from multiple responders (typically after startup) is handled at the generic back end level (see be_queue_request).

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Fix a wrong DEBUG message | Jakub Hrozek | 2014-04-22 | 1 | -2/+1
  Another function decides whether the responder is updating the subdomains or just returning an error code.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* build: List test extensions | Nikolai Kondrashov | 2014-04-22 | 1 | -0/+1
  List test extensions with TEST_EXTENSIONS [1] in Makefile.am to allow applying separate LOG_COMPILER for binary and Python tests.

  This is needed to avoid running Python tests under Valgrind as that produces too many interpreter-specific errors which are hard to suppress reliably [2].

  Thus a run like this would run only binary tests under Valgrind:

    make check PY_LOG_COMPILER=env LOG_COMPILER=valgrind

  Or more briefly:

    make check LOG_COMPILER=valgrind

  [1] http://www.gnu.org/software/automake/manual/automake.html#index-TEST_005fEXTENSIONS
  [2] http://svn.python.org/projects/python/trunk/Misc/README.valgrind

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sbus request: fix error initialization | Pavel Březina | 2014-04-19 | 1 | -2/+4
  fixes:

    sssd_dbus_request.c:28:1: error: missing initializer [-Werror=missing-field-initializers]
    sssd_dbus_request.c:28:1: error: (near initialization for 'error_internal.dummy1') [-Werror=missing-field-initializers]
* sbus_tests: fix missing invoker in initializer | Pavel Březina | 2014-04-19 | 1 | -0/+2
* sbus_codegen_tests: Add test case type-safe handler args | Stef Walter | 2014-04-19 | 5 | -5/+568
  This adds a big test case for invoking a handler with all supported basic arguments, and constructing a reply with the same. Lots of tedious code, but worth it to make sure things work well.
* sbus: Add type-safe DBus method handlers and finish functions | Stef Walter | 2014-04-19 | 19 | -71/+544
  Type safe method handlers allow methods not to have to do tedious unwrapping and wrapping of DBus method call messages or replies.

  Arguments of the following DBus types are supported in type-safe method handlers. In addition arrays of these are supported.

    y: uint8_t
    b: bool (but no arrays, yet)
    n: int16_t
    q: uint16_t
    i: int32_t
    u: uint32_t
    x: int64_t
    t: uint64_t
    d: double
    s: char * (utf8 string)
    o: char * (object path)

  As an exception, arrays of booleans are not supported, but could be added later. Other more complex types could be added later if desired.

  If a method has other argument types, then it must be marked as having a raw handler (see below).

  Internally each method can have a type specific invoker function which unpacks the incoming arguments and invokes the method handler with the correct arguments.

  Each method also has a finish which accepts the type-safe out arguments (ie: return values) and builds the reply message. Like other request 'finish' functions, these free the request talloc context, and are to be used in place of sbus_request_finish() or friends.

  Raw method handlers parse their own method arguments, and prepare their own reply (ideally using sbus_request_finish() helpers). They can also do strange things like have variable arguments.

  To mark a DBus method as having a raw method handler use the following annotation:

    <annotation name="org.freedesktop.sssd.RawHandler" value="true"/>

  Raw methods do not have invokers or finish functions.

  I've left all of the internal peer to peer communication using raw method handlers. No code changes here.
* SBUS: Create an sbus_method_meta instance for Introspection | Jakub Hrozek | 2014-04-19 | 3 | -0/+12
  Also fixes a warning about uninitialized 'method' as the 'method' variable was unused and not set previously when introspecting.
* KRB5: Go offline in case of generic error | Pavel Reichl | 2014-04-17 | 1 | -0/+1
  Resolves: https://fedorahosted.org/sssd/ticket/2313
* Minor fixes for sss_parse_name_for_domains | Jakub Hrozek | 2014-04-17 | 1 | -6/+11
  - use brackets after an if
  - use the right variable name (candidate_domain instead of candidate_name).
  - fix a typo in a debug message
  - only print a debug message about using a default domain when using a default domain
  - add a comment explaining when is a codepath executed

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Add a unit test for sss_parse_name_for_domains | Jakub Hrozek | 2014-04-17 | 1 | -4/+199
  The code of sss_parse_name_for_domains is really complex and hard to read. This patch adds a unit test to be able to see the function being used.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ad_access_filter man page typo | Yassir Elley | 2014-04-17 | 1 | -1/+1
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* build: Don't assume systemd implies journald | Nikolai Kondrashov | 2014-04-17 | 1 | -1/+3
  Don't add --with-syslog=journald to extra_distcheck_flags if configured with systemd (--with-initscript=systemd). Add it if configured with journald (--with-syslog=journald) instead. This fixes distcheck target when configured with systemd, but without journald.

  Don't install journal.conf helping with enabling journald logging, unless configured with journald (--with-syslog=journald), as it would be useless and misleading.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB: do not check ccache directory for GID | Pavel Reichl | 2014-04-17 | 1 | -7/+4
* ConfigAPI: Add two missing AD options | Jakub Hrozek | 2014-04-16 | 1 | -0/+2
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* TEST: Add untested libraries into dlopen test | Lukas Slebodnik | 2014-04-16 | 1 | -0/+6
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* BUILD: Move duplicated files from providers to libsss_ldap_common.so | Lukas Slebodnik | 2014-04-16 | 1 | -20/+14
  Files sss_ldap.c, user_info_msg.c were built in libsss_{ad,ipa,ldap}.so. In these two files, there are functions sss_ldap_get_diagnostic_msg, pack_user_info_chpass_error which are needed in libsss_ldap_common.so

  sss_ldap_get_diagnostic_msg is used in src/providers/ldap/sdap_async.c, src/providers/ldap/sdap_async_connection.c

  pack_user_info_chpass_error is used in src/providers/ldap/ldap_auth.c

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* BUILD: Move file sss_krb5.c into libsss_krb5_common.so | Lukas Slebodnik | 2014-04-16 | 1 | -22/+13
  Functions from module sss_krb5.c were duplicated in many libraries. e.g. symbol check_fast was in libsss_ad.so, libsss_ipa.so, libsss_krb5.so, libsss_ldap.so

  This patch also removes duplicate files between libsss_ldap.so and libsss_krb5_common.so. libsss_ldap.so has already depended on libkrb5. Now, it will depend on libsss_krb5_common.so

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* BUILD: Move file find_uid.c into libsss_util.so | Lukas Slebodnik | 2014-04-16 | 1 | -32/+12
  Functions from module find_uid.c were duplicated in many libraries. e.g. symbol check_if_uid_is_active was in libsss_ad.so, libsss_ipa.so, libsss_krb5.so, libsss_ldap.so

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* BUILD: Link libsss_ldap_common.so to libsss_idmap.so | Lukas Slebodnik | 2014-04-16 | 1 | -2/+3
  Library libsss_ldap.so does not directly use functions from library libsss_idmap.so. It only calls function sdap_idmap_init (from file sdap_idmap.c) which is in library libsss_ldap_common.so

    sh-4.2$ nm -D --undefined-only /usr/lib64/sssd/libsss_ldap.so | grep idmap
    U sdap_idmap_init

  On the other hand, libsss_ldap_common.so uses functions from libsss_idmap but it was not linked to libsss_idmap.so.

    sh-4.2$ objdump -p /usr/lib64/sssd/libsss_ldap_common.so | grep idmap
    sh-4.2$ echo $?
    1

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* BUILD: Link libsss_krb5_common.so to libkeyutils.so | Benjamin Franzke | 2014-04-16 | 1 | -3/+2
  The symbol add_key (from libkeyutils) is used by function add_user_to_delayed_online_authentication (from file src/providers/krb5/krb5_delayed_online_authentication.c) which is part of libsss_krb5_common.so

  Fixes following error:

    [sssd[be[default]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib64/sssd/libsss_ad.so), error: /usr/lib64/sssd/libsss_krb5_common.so: undefined symbol: add_key

  -lkeyutils was passed to the libraries libsss_{krb5,ipa,ad}.so, but when compiling with -Wl,--as-needed this flag will be ignored, since it is not used directly. So it was unavailable to libsss_krb5_common.so which actually needs it.

  This patch removes $(KEYUTILS_LIBS) from those libraries and adds it to libsss_krb5_common.so

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* SBUS: Generate introspection from the interface meta structure | Jakub Hrozek | 2014-04-15 | 6 | -3/+421
  https://fedorahosted.org/sssd/ticket/2234

  This patch generates the introspection data from the sbus interface meta structure. The generated XML conforms to http://dbus.freedesktop.org/doc/dbus-specification.html#introspection-format

  The XML description of the interface also always includes the org.freedesktop.DBus.Introspectable interface, which this patch also allows in the policy settings.
* SDAP: augmented logging for group saving | Pavel Reichl | 2014-04-14 | 2 | -1/+24
  Related: https://fedorahosted.org/sssd/ticket/2239

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* failover: Shorter retry time for failed SRV | Pavel Reichl | 2014-04-14 | 3 | -2/+17
  Until now there was only one timeout used to re-resolve SRV queries. This patch adds new (shorter) timeout that will be used for queries that previously failed.

  Resolves: https://fedorahosted.org/sssd/ticket/1885

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AUTOMAKE: Do not include generated files into tarball | Lukas Slebodnik | 2014-04-11 | 1 | -12/+12
  sssd.service was assigned to the dist_systemdunit_DATA variable. Automake will install this file into the systemd unit directory after building it if necessary. Automake will also include this generated file in the tarball. As a result, when building sssd from the tarball, the paths needn't be recreated.

  The files in DATA primaries are added as dependencies to the all target via the internal all-am target. If sssd.service doesn’t exist, make will look for a rule to build it. Since there is such a rule, make will simply execute that rule when I build the all target.

  Resolves: https://fedorahosted.org/sssd/ticket/2314

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD Provider: Fix crash looking up forest on Samba 4 | Stephen Gallagher | 2014-04-10 | 1 | -1/+2
  We were assuming that the forest had been looked up by netlogon, but this is not available on Samba 4 domains. We need to check that the forest is NULL and force the lookup.

  Resolves: https://fedorahosted.org/sssd/ticket/2311

  Reviewed-by: Sumit Bose <sbose@redhat.com>