summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Update version to 1.1.91sssd-1_1_91Stephen Gallagher2010-05-0715-1158/+1814
| | | | Commit new strings for string freeze
* Add dynamic DNS updates to FreeIPAStephen Gallagher2010-05-0714-14/+716
| | | | | | | | | | | | | | | | | | This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
* Use service discovery in backendsJakub Hrozek2010-05-0717-36/+224
| | | | | | | | | Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
* Add callback when the ID provider switches from offline to onlineStephen Gallagher2010-05-074-0/+174
| | | | | | | | Allow backends to set a callback in the be_ctx that should be invoked when the ID provider goes online. This can be used to perform regular maintenance tasks that are valid only when going online.
* Add more warnings about nearly expired passwordsSumit Bose2010-05-071-5/+66
| | | | | For the shadow and mit_kerberos password policy warnings are sent to the client if the password is about to expire.
* Add retry option to pam_sssSumit Bose2010-05-072-92/+164
|
* Add support for delayed kinit if offlineSumit Bose2010-05-0723-37/+620
| | | | | | | If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
* Compare the full service nameSumit Bose2010-05-071-1/+2
|
* Create kdcinfo and kpasswdinfo file at startupSumit Bose2010-05-073-1/+50
|
* Clean up kdcinfo and kpasswdinfo files when exitingStephen Gallagher2010-05-075-1/+67
|
* Fix memory hierarchy in the ipa timerulesJakub Hrozek2010-05-071-4/+4
|
* Handle Krb5 password expiration warningSumit Bose2010-05-074-176/+213
|
* Split pam_data utilities into a separate fileSumit Bose2010-05-073-35/+62
|
* Improve the offline authentication messageJakub Hrozek2010-05-071-2/+2
|
* Make krb5_kpasswd available for any krb5 providerStephen Gallagher2010-05-073-1/+5
| | | | | | | | | Previously, the option krb5_kpasswd was only available if 'chpass_provider = krb5' was specified explicitly. Now it will be available also if 'auth_provider = krb5'. This option was also missing from the IPA options, so I have added it there as well
* Properly set up SIGCHLD handlersStephen Gallagher2010-05-076-54/+116
| | | | | | Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
* Use all available servers in LDAP providerJakub Hrozek2010-05-073-14/+91
|
* Add a README fileJakub Hrozek2010-05-071-0/+37
|
* Fix segfault in GSSAPI reconnect codeStephen Gallagher2010-05-072-57/+41
| | | | | Also clean up some duplicated code into a single common routine sdap_account_info_common_done()
* Fix a wrong return value in IPA HBACSumit Bose2010-05-031-2/+2
|
* Avoid freeing sdap_handle too earlySimo Sorce2010-05-032-18/+46
| | | | | Prevent freeing the sdap_handle by failing in the destructor if we are trying to recurse.
* Better handle sdap_handle memory from callers.Simo Sorce2010-05-037-42/+144
| | | | | | | | | | | | | Always just mark the sdap_handle as not connected and let later _send() functions to take care of freeing the handle before reconnecting. Introduce restart functions to avoid calling _send() functions in _done() functions error paths as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release() By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.
* Fix uninitialized variableJakub Hrozek2010-05-031-0/+1
|
* Try all servers during Kerberos authJakub Hrozek2010-05-031-23/+104
| | | | | The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline.
* Add dns_resolver_timeout optionStephen Gallagher2010-04-307-2/+34
| | | | | | We had a hard-coded timeout of five seconds for DNS lookups in the async resolver. This patch adds an option 'dns_resolver_timeout' to specify this value (Default: 5)
* Fix wrong return valueSumit Bose2010-04-301-15/+14
| | | | | If there was a failure during a password change a wrong return value was send back to the PAM stack.
* Remove the NSS_LIBS and KRB5_LIBS variables from sssd.specStephen Gallagher2010-04-302-4/+0
| | | | | | | | | | | | | | | Due to the way RPM processes the %configure macro, these variables were not actually being passed down to recursive configure invocations. In other words, they were useless. Futhermore, in more recent Fedora versions (13+), some of the dependencies have moved from -lnss to -lnspr4. As a result, it is safer to rely on the complete output of 'pkg-config nss --libs' instead of restricting to -lnss. The downside to this is that it may result in linking unnecessarily against other NSS components such as libsmime3 and libplc4 (among others). However, since these are already dependencies of libnss itself, there should be no risk of them being unavailable on the platform when installed.
* Support SRV servers in failoverJakub Hrozek2010-04-305-60/+551
| | | | | | | | | | | | | | | Adds a new failover API call fo_add_srv_server that allows the caller to specify a server that is later resolved into a list of specific servers using SRV requests. Also adds a new failover option that specifies how often should the servers resolved from SRV query considered valid until we need a refresh. The "real" servers to connect to are returned to the user as usual, using the fo_resolve_service_{send,recv} calls. Make SRV resolution work with c-ares 1.6
* Remove freed server_common entities from listJakub Hrozek2010-04-301-1/+24
|
* Sort SRV replies according to RFC 2782Jakub Hrozek2010-04-303-0/+336
| | | | | | | | | | RFC 2782 defines a way to sort replies to a SRV query. In short, the algorithm sorts all replies by priority and then does a weight-based selection for every priority level. For details, please see the sections "Usage rules" for overview of the algorithm and section "The 'Weight' field" for description on the weight selection.
* Display a message if a password reset by root failsSumit Bose2010-04-264-8/+235
|
* Unset authentication tokens if password change failsSumit Bose2010-04-261-27/+52
|
* Make the handling of fd events opaqueSumit Bose2010-04-266-184/+280
| | | | | | | Depending on the version of the OpenLDAP libraries we use two different schemes to find the file descriptor of the connection to the LDAP server. This patch removes the related ifdefs from the main code and introduces helper functions which can handle the specific cases.
* New version of IPA auth and password migrationSumit Bose2010-04-264-199/+425
| | | | | | | | | The current version modified some global structures to be able to use Kerberos and LDAP authentication during the IPA password migration. This new version only uses tevent requests. Additionally the ipaMigrationEnabled attribute is read from the IPA server to see if password migration is allowed or not.
* Make Kerberos authentication a tevent_reqSumit Bose2010-04-262-307/+426
| | | | | To allow other providers to include Kerberos authentication the main part is put into a tevent request.
* Do not mark a request as failed twiceJakub Hrozek2010-04-261-1/+0
|
* Treat server names as case-insensitive in failover codeJakub Hrozek2010-04-261-2/+2
|
* Fix a potential memory violationSumit Bose2010-04-261-2/+4
| | | | If read() returns with errno set to EINTR -1 is added to total_len.
* Set LDAP_OPT_RESTART for all LDAP connectionsSumit Bose2010-04-261-7/+7
|
* Avoid accessing half-deallocated memory when using talloc_zfree macro.eindenbom2010-04-161-1/+5
| | | | | | The correct memory deallocation sequence is: - clear pointer to memory first - then deallocate memory
* Make ID provider init functions clearerStephen Gallagher2010-04-164-11/+11
| | | | | | | | | | | Using sssm_*_init() as the name of the initialization function for identity providers was a holdover from earlier development when we thought we would only have a single "provider" entry in the config file. As we have now separated out the initialization functions for auth, chpass and access, we should rename sssm_*_init() to sssm_*_id_init() for a cleaner interface.
* Give information about ldap_schema in the sample configStephen Gallagher2010-04-161-0/+7
| | | | Resolves: https://fedorahosted.org/sssd/ticket/438
* Use SO_PEERCRED on the PAM socketSumit Bose2010-04-166-3/+162
| | | | | | | | | | | | | | | | | This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server the protocol version number is not changed. On the client side the connection is terminated it the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use. The following additional changes are made by this patch: - the checks of the ownership and the permissions on the PAM sockets are enhanced - internal error codes are introduced on the client side to generate more specific log messages if an error occurs
* Revert "Add better checks on PAM socket"Sumit Bose2010-04-164-274/+5
| | | | This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.
* Remove unused configure macroStephen Gallagher2010-04-151-1/+0
|
* Update translations for SSSD 1.2 branchStephen Gallagher2010-04-1214-1689/+2416
|
* Support docdir and abs_builddirStephen Gallagher2010-04-122-0/+7
| | | | | | | | Old versions of autoconf (before 2.60) did not include support for the docdir and abs_builddir variables. This patch emulates support for them. Fixes https://fedorahosted.org/sssd/ticket/422
* Updating IT translationGuido Grazioli2010-04-081-135/+160
|
* Adding interface documentationDmitri Pal2010-04-086-20/+1728
| | | | Package refarray documentation by default
* SELinux login managementJakub Hrozek2010-04-0813-0/+437
| | | | | | | | | | Adds a new option -Z to sss_useradd and sss_usermod. This option allows user to specify the SELinux login context for the user. On deleting the user with sss_userdel, the login mapping is deleted, so subsequent adding of the same user would result in the default login context unless -Z is specified again. MLS security is not supported as of this patch.
generated by cgit (git 2.34.1) at 2024-05-05 00:58:42 +0000