| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
| |
We were not passing the old authtok to the pam_chauthtok()
function, causing it to return PAM_AUTH_ERR.
|
|
|
|
|
|
|
| |
We weren't zeroing out the proxy_auth_ctx when we created it, so
the 'running' element was sometimes being filled with garbage data
that exceeded the maximum number of child processes. This meant
that no requests were ever sent to the child processes.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new tevent_req to the proxy provider, which will
spawn short-lived child processes to handle PAM requests. These
processes then call the proxied PAM stack and return the results
via SBUS method reply. Once it is returned, the parent process
kills the child.
There is a maximum of ten child processes running simultaneously,
after which requests will be queued for sending once a child slot
frees up. The maximum processes will be made configurable at a
later date (as this would violate string freeze).
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Updated EntryCache*Timeout to the correct values.
Fixed one missed EntryCacheTimeout
Added notes about perf hit of using enumeration.
|
| |
|
|
|
|
|
|
|
|
| |
Instead of just using references to the pam data inside of the DBus
message the data is copied. New the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
* add forgotten ldap_dns_service option
* sync IPA and LDAP options (ldap_pwd_policy and ldap_tls_cacertdir)
* ldap_uri is no longer mandatory for LDAP provider - the default is to
use service discovery with no address set now. Ditto for krb5_kdcip
and ipa_server
|
| |
|
|
|
|
| |
Update translation strings.
|
|
|
|
|
|
|
|
|
| |
The manpages had five seconds listed, but the source disagreed (it
was set to 60 seconds).
This resulted in long wait times when unlocking the screen after
network disconnection, for example.
If enumerate=True, we will set this value to a minimum of 30s
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
To allow a fallback to the setting in krb5.conf the locator plugin
returns KRB5_PLUGIN_NO_HANDLE in nearly all error conditions. Only if the
call back fails the error code of the callback is returned.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
This reverts commit 4f5664a2ec401f43c090e6170ed9c78390c35272.
|
|
|
|
|
|
|
|
|
|
| |
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
| |
|
| |
|
|
|
|
| |
Commit new strings for string freeze
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
|
|
|
|
|
|
|
|
|
| |
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
|
|
|
|
|
|
|
|
| |
Allow backends to set a callback in the be_ctx that should be
invoked when the ID provider goes online.
This can be used to perform regular maintenance tasks that are
valid only when going online.
|
|
|
|
|
| |
For the shadow and mit_kerberos password policy warnings are sent to the
client if the password is about to expire.
|
| |
|
|
|
|
|
|
|
| |
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|