Commit message | Author | Age | Files | Lines
* Updating the version for the 1.13.0 release (tag: sssd-1_13_0) | Jakub Hrozek | 2015-07-06 | 1 | -1/+1
* Updating the translations for the 1.13.0 release | Jakub Hrozek | 2015-07-06 | 38 | -7772/+6764
* PAM: Only cache first-factor | Jakub Hrozek | 2015-07-06 | 1 | -1/+20
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* Minor code improvements | Pavel Reichl | 2015-07-06 | 4 | -4/+3
    pam_helpers.h had to be included after util.h. Removed extra empty line. Fixed code alignment.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: authenticate against cache | Pavel Reichl | 2015-07-06 | 8 | -8/+261
    Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`.

    Resolves: https://fedorahosted.org/sssd/ticket/1807
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: new attribute lastOnlineAuthWithCurrentToken | Pavel Reichl | 2015-07-06 | 2 | -0/+67
    Introduce new user attribute lastOnlineAuthWithCurrentToken. This attribute behaves similarly to lastOnlineAuth but is set to NULL after password is changed. This attribute is needed for use-case when cached authentication is used, to request online authentication after password is locally changed.

    Resolves: https://fedorahosted.org/sssd/ticket/1807
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Add and use krb5_auth_queue_send to queue requests by default | Jakub Hrozek | 2015-07-06 | 8 | -54/+587
    Resolves: https://fedorahosted.org/sssd/ticket/2701

    Previously, only the krb5 provider used to queue requests, which resulted in concurrent authentication requests stepping on one another. This patch queues requests by default.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* tests: Reduce duplication with new function test_ev_done | Jakub Hrozek | 2015-07-06 | 5 | -15/+16
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* sss_client: Re-check memcache after acquiring the lock | Lukas Slebodnik | 2015-07-03 | 2 | -0/+106
    Resolves: https://fedorahosted.org/sssd/ticket/2581
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_client: Use unique lock for memory cache | Lukas Slebodnik | 2015-07-03 | 3 | -4/+26
    Previously the same lock was used as for communication with responder. However it would cause a deadlock in case of re-checking memcache after acquiring the lock and before communication with responder.

    Required by: https://fedorahosted.org/sssd/ticket/2581
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_cache: Clear also initgroups fast cache | Lukas Slebodnik | 2015-07-03 | 1 | -0/+10
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_client: Use initgr mmap cache in client code | Lukas Slebodnik | 2015-07-03 | 4 | -1/+193
    Resolves: https://fedorahosted.org/sssd/ticket/2485
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* nss: Invalidate entry in initgr mmap cache | Lukas Slebodnik | 2015-07-03 | 1 | -0/+32
    If user is removed from sysdb cache then it should be also removed from initgroups memory cache.

    Resolves: https://fedorahosted.org/sssd/ticket/2485
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: Invalidate entry in right memory cache | Lukas Slebodnik | 2015-07-03 | 1 | -8/+25
    If group was not found in nss_cmd_getgrnam_search then we tried to invalidate entry in memory cache. But function delete_entry_from_memory cache only invalidated in passwd memory cache.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* nss: Store entries in responder to initgr mmap cache | Lukas Slebodnik | 2015-07-03 | 6 | -4/+124
    Resolves: https://fedorahosted.org/sssd/ticket/2485
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* test_ipa_subdomains_server: Fix build with --coverage | Lukas Slebodnik | 2015-07-02 | 2 | -0/+7
    It seems that gcc did some optimization and used execve instead of execle when the code was instrumented for coverage analysis. So the exec* function was not wrapped and it tried to call real binary ipa-getkeytab.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* MONITOR: Do not report missing file as fatal in monitor_config_file | Michal Židek | 2015-07-02 | 1 | -5/+5
    resolv.conf can be missing during boot. This is not fatal and we will check for its existence later.

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MONITOR: Poll for resolv.conf if not available during boot | Michal Židek | 2015-07-02 | 1 | -2/+36
    If resolv.conf is not available when SSSD is starting, check for its existence later.

    Ticket: https://fedorahosted.org/sssd/ticket/2590
    Reviewed-by: Pavel Reichl <preichl@redhat.com>
* views: Add is_default_view helper function | Michal Židek | 2015-07-02 | 6 | -22/+22
    Ticket: https://fedorahosted.org/sssd/ticket/2641
    Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: Fix incorrect strerror on GPO access denial | Stephen Gallagher | 2015-06-23 | 1 | -8/+8
    We're attempting to use strerror() to print the result from ad_gpo_access_check(), but that function returns an extended SSSD errno

    Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Updating the version.m4 file for the 1.13 Beta release | Jakub Hrozek | 2015-06-22 | 1 | -1/+1
* Updating the translations for the 1.13 Alpha release (tags: sssd-1_13_0_alpha, sssd-1_12_90) | Jakub Hrozek | 2015-06-22 | 38 | -25095/+31216
* test_ipa_subdom_server: Add missing assert | Lukas Slebodnik | 2015-06-22 | 1 | -0/+1
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* SDAP: Remove user from cache for missing user in LDAP | Lukas Slebodnik | 2015-06-19 | 1 | -21/+26
    Function sysdb_get_real_name overrode returned code LDAP and thus user was not removed from cache after removing it from LDAP. This patch also does not try to set initgroups flag if user does not exist. It reduces some error messages.

    Resolves: https://fedorahosted.org/sssd/ticket/2681
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* IFP: add FindByCertificate method for User objects | Sumit Bose | 2015-06-19 | 12 | -14/+242
    Related to https://fedorahosted.org/sssd/ticket/2596
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* utils: add get_last_x_chars() | Sumit Bose | 2015-06-19 | 5 | -0/+49
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ncache: add calls for certificate based searches | Sumit Bose | 2015-06-19 | 3 | -0/+76
    Related to https://fedorahosted.org/sssd/ticket/2596
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP/IPA: add user lookup by certificate | Sumit Bose | 2015-06-19 | 4 | -7/+73
    Related to https://fedorahosted.org/sssd/ticket/2596
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert() | Sumit Bose | 2015-06-19 | 5 | -0/+106
    Related to https://fedorahosted.org/sssd/ticket/2596
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* certs: add PEM/DER conversion utilities | Sumit Bose | 2015-06-19 | 8 | -3/+773
    Related to https://fedorahosted.org/sssd/ticket/2596
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: add ldap_user_certificate option | Sumit Bose | 2015-06-19 | 10 | -0/+25
    Related to https://fedorahosted.org/sssd/ticket/2596
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* adding ldap_user_auth_type where missing | Sumit Bose | 2015-06-19 | 4 | -0/+5
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sbus: listen to NameOwnerChanged | Pavel Březina | 2015-06-19 | 4 | -0/+96
    Resolves: https://fedorahosted.org/sssd/ticket/2326
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sbus: add support for incoming signals | Pavel Březina | 2015-06-19 | 5 | -0/+341
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Fix warnings with enabled optimisation | Lukas Slebodnik | 2015-06-19 | 1 | -2/+2
    It seems that gcc 5.1 optimizes enum in some ways and expects that functions ifp_cache_build_path and ifp_cache_build_base_dn can return uninitialized value due to missing default in switch.

    src/responder/ifp/ifp_cache.c:118:13: warning: 'base_dn' may be used uninitialized in this function [-Wmaybe-uninitialized]
         ldb_ret = ldb_search(sysdb_ctx_get_ldb(domain->sysdb), tmp_ctx, &result,
         ^
    src/responder/ifp/ifp_cache.c: scope_hint: In function 'ifp_cache_get_cached_objects'
    src/responder/ifp/ifp_cache.c:135:18: warning: 'path' may be used uninitialized in this function [-Wmaybe-uninitialized]
         paths[i] = ifp_cache_build_path(paths, type, domain, result->msgs[i]);
         ^

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Export nodes | Pavel Březina | 2015-06-18 | 6 | -22/+200
    IFP now exports cached users and groups in introspection.

    After a user is cached with:

        dbus-send --print-reply --system \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
            org.freedesktop.sssd.infopipe.Cache.Object.Store

    And Introspection called with:

        dbus-send --print-reply --system \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe/Users \
            org.freedesktop.DBus.Introspectable.Introspect

    The cached users would be visible in the Introspection XML as:

        <node name="ipaldap/397400000" />
        </node>

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SBUS: Add support for <node /> in introspection | Pavel Březina | 2015-06-18 | 6 | -5/+181
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SBUS: Use default GetAll invoker if none is set | Pavel Březina | 2015-06-18 | 1 | -1/+8
    It is alright for an interface to not have any GetAll invoker set if it doesn't have any properties, but we still want to return an empty message.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object] | Pavel Březina | 2015-06-18 | 13 | -0/+711
    Resolves: https://fedorahosted.org/sssd/ticket/2338

    Example use:

        $ dbus-send --print-reply --system \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe/Users \
            org.freedesktop.sssd.infopipe.Users.FindByName \
            string:admin
        object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000"

        $ dbus-send --print-reply --system \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe/Users \
            org.freedesktop.sssd.infopipe.Cache.List
        array [
        ]

        $ dbus-send --print-reply --system \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
            org.freedesktop.sssd.infopipe.Cache.Object.Store
        boolean true

        $ dbus-send --print-reply --system \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe/Users \
            org.freedesktop.sssd.infopipe.Cache.List
        array [
            object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000"
        ]

        $ dbus-send --print-reply --system \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
            org.freedesktop.sssd.infopipe.Cache.Object.Remove
        boolean true

        $ dbus-send --print-reply --system \
            --dest=org.freedesktop.sssd.infopipe \
            /org/freedesktop/sssd/infopipe/Users \
            org.freedesktop.sssd.infopipe.Cache.List
        array [
        ]

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* test_ipa_subdomains_server: Run clean-up after success | Lukas Slebodnik | 2015-06-16 | 1 | -0/+7
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* BUILD: Store keytabs in /var/lib/sss/keytabs | Jakub Hrozek | 2015-06-16 | 3 | -4/+8
    Make sure the directory is only accessible to the sssd user

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss | Jakub Hrozek | 2015-06-16 | 3 | -5/+8
    Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour | Jakub Hrozek | 2015-06-14 | 3 | -8/+16
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Do not set keytab through environment variable | Jakub Hrozek | 2015-06-14 | 1 | -10/+0
    Otherwise each connection would clobber the environment variable with its own. This is a temporary workaround until SSSD's ldap_child is able to store ccaches in a collection.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Utility function for setting up one-way trust context | Jakub Hrozek | 2015-06-14 | 2 | -9/+91
    Related: https://fedorahosted.org/sssd/ticket/2638
    Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Add ad_create_1way_trust_options | Jakub Hrozek | 2015-06-14 | 3 | -6/+153
    Related: https://fedorahosted.org/sssd/ticket/2638

    For one-way trusts we can assume that AD domain is the same as the Kerberos realm. On the other hand, SASL realm and keytab path are specified, unlike two-way trusts that use the system keytab. Includes a unit test.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Do not set AD_KRB5_REALM twice | Jakub Hrozek | 2015-06-14 | 1 | -8/+0
    Related: https://fedorahosted.org/sssd/ticket/2638

    Both the AD common code and ipa_ad_ctx_new() used to set AD_KRB5_REALM. As verified by unit tests, we don't need to set the parameter twice.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA/AD: Set up AD domain in ad_create_2way_trust_options | Jakub Hrozek | 2015-06-14 | 5 | -20/+25
    Related: https://fedorahosted.org/sssd/ticket/2638

    Removed code duplication. Amends unit test to make sure we don't regress.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Split off ad_create_default_options | Jakub Hrozek | 2015-06-14 | 3 | -3/+34
    Related: https://fedorahosted.org/sssd/ticket/2638

    Make the function reusable and add a simple unit test.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Rename ad_create_default_options to ad_create_2way_trust_options | Jakub Hrozek | 2015-06-14 | 6 | -36/+150
    Related: https://fedorahosted.org/sssd/ticket/2638

    Better reflects what's going on in the function. Also adds a unit test.

    Reviewed-by: Sumit Bose <sbose@redhat.com>