| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
To avoid collisions when we want to work with them elsewhere in the code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
To avoid collisions when we want to work with them elsewhere in the code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
To avoid collisions when we want to work with them elsewhere in the code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2796
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Striker Leggette <striker@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Function get_object_from_cache() does not handle services.
This patch adds quick shortcut to avoid sending an LDAP query
to cache.
Resolves:
https://fedorahosted.org/sssd/ticket/2747
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2787
We already mention SSS_NSS_USE_MEMCACHE in sssd(8)
but it makes sense to note it in sssd.conf(5)
together with the memcache_timeout.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2830
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of setting the three same variables over again, add a structure
be_sbus_reply_data with a default initializer BE_SBUS_REPLY_DATA_INIT.
The handlers can then set the structure to BE_SBUS_REPLY_DATA_INIT on
declaration or set a particular value with be_sbus_reply_data_set.
The handler can also reply to the message (typically on failure state)
with be_sbus_req_reply_data()
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Instead of calling sbus_request_return_and_finish() directly with the
same checks copied over, add a be_sbus_reply() helper instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2866
If the LDAP connection is still established when the client moves
offline, we rely on the search timeout to find out the client is
offline. The override search used the enum timeout defaults to 60 seconds.
That caused too long delays in going offline.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a fo_resolve_service callback would modify the server->common member
in any way, for example by dereferencing the server and lowering the
refcount to 0, which would free the common structure, then the next
iteration of fo_resolve_service_done would access memory that was
already gone.
Please see
https://tevent.samba.org/group__tevent__request.html#ga09373077d0b39e321a196a86bfebf280
for more details.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2866
This would help users who authenticate to AD trust servers while offline
and see error messages such as:
[get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.EXAMPLE.COM"]
in the krb5_child.log
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
The error itself doesn't matter that much, because pam_sss.so handles
all preauth errors gracefully already, but the issue triggered a loud
and confusing debug message in the logs.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2683
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2868
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2868
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
belonging to a domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2870
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Currently the first certificate was selected and if it was not valid
p11_child just returned an error. With this patch the validity is
checked first and the first valid certificate is selected.
Resolves https://fedorahosted.org/sssd/ticket/2801
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Printing ldb structures and sysdb_attrs can be a pain. This patch adds a
gdb pretty-printer to help
SSSD and LDB debugging plugins
Activate them by putting:
source /path/to/this/file.py
to your .gdbinit file
To bypass the pretty printer and print the raw values, use the "/r" option:
print /r foobar
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Some extra functions were in stack trace on 32 bit architecture.
It might be caused by different optimisation on different platforms.
As a result of this mismatch, the suppression did not match
on 32 bit architecture and it was reported as new memory related error.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To only operation of p11_child which requires special privileges is the
communication to pcscd which handles the Smartcard access. pcscd uses
policy-kit for access control so access can easily be configured by
dropping config snippets into the right directory.
If SSSD is configured to run as un-privileged user this patch creates
the needed config snippet for policy-kit and installs it in a suitable
directory. As a result p11_child does not have to be installed with
SETUID or SETGID bits set.
Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the user name of a AD user is overridden with the name itself in an
IPA override object SSSD adds this name twice to the alias list causing
an ldb error when trying to write the user object to the cache. As a
result the user is not available.
This patch makes sure that there are no duplicated alias names.
Resolves https://fedorahosted.org/sssd/ticket/2874
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were warnings on 32 bit architecture related to 64bit integer constants.
/home/build/sssd/src/tests/sbus_codegen_tests.c:257:
warning: integer constant is too large for ‘long’ type
/home/build/sssd/src/tests/sbus_codegen_tests.c:259:
warning: integer constant is too large for ‘long’ type
INT${N}_C(value) are defined in the standard c99
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
In python 2.6, the module subprocess does not have the function
check_output.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The local override tests were added after we alredy removed
the sss_cache call from teardowns in other tests. See
commit: 782d39e3916d16b8dbba6ae97aca1db2f3c35d76
Revert "intg: Invalidate memory cache before removing files"
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce a new integration test for local view overrides.
Regression tests for: #2790, #2757 and #2802.
Resolves:
https://fedorahosted.org/sssd/ticket/2732
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a bunch of LDAP tests.
* Adding/removing a user/group/membership with rfc2307(bis) schema.
* The effect of override_homedir option.
* The effect of fallback_homedir option.
* The effect of override_shell option.
* The effect of shell_fallback option.
* The effect of default_shell option.
* The effect of vetoed_shells option.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
libdbus abort()s when a string argument is not valid UTF-8. Since the
arguments sometimes come from untrusted sources, it's better to check
the string validity explicitly.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2861
Messages passed from Data Provider to responder must be valid UTF-8
strings. Because providers might not be completely under our control,
we need to check if the messages we receive are valid UTF-8 and if they
are not, use a fallback.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2861
All back end requests were using pam_strerror() to print additional info
about why request failed. Since pam_strerror() returns localized message
and we don't know the locale beforehand, this message failed to be
transferred through D-Bus, resulting in a crash.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test groups_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated after
filter was created (or another given time).
groups_by_filter_valid() --> group_by_recent_filter_valid()
grous_by_recent_filter_valid()
The first of new tests, group_by_recent_filter_valid(), counts with two
groups. One is stored before filter request creation and the second
group is stored after filter request creation. So filter returns only
one group.
The second of new tests, groups_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
groups are stored after filter request creation. So filter returns two
groups.
This patch adds groups_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
We need little more in backroung of responder_cache_req tests. There
will be tests which will use three test groups. This patch add support
for it.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test groups_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated after
filter was created (or another given time).
groups_by_filter_valid() --> group_by_recent_filter_valid()
grous_by_recent_filter_valid()
The first of new tests, group_by_recent_filter_valid(), counts with two
groups. One is stored before filter request creation and the second
group is stored after filter request creation. So filter returns only
one group.
The second of new tests, groups_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
groups are stored after filter request creation. So filter returns two
groups.
This patch adds group_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test users_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated
after filter was created (or another given time).
users_by_filter_valid() --> user_by_recent_filter_valid()
users_by_recent_filter_valid()
The first of new tests, user_by_recent_filter_valid(), counts with
two users. One is stored before filter request creation and the second
user is stored after filter request creation. So filter returns only one
user.
The second of new tests, users_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
users are stored after filter request creation. So filter returns two
users.
This patch adds users_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds function are_values_in_array() to common test code. And
there is tc_are_values_in_array macro defined which is usefull for
talloc allocated values and arrays.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
We need little more in background of responder_cache_req tests. There
will be tests which will use three test users. This patch add support
for it.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This patch only defines constant TEST_USER_PREFIX. So code will be more
redeable.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test users_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated after
filter was created (or another given time).
users_by_filter_valid() --> user_by_recent_filter_valid()
users_by_recent_filter_valid()
The first of new tests, user_by_recent_filter_valid(), counts with two
users. One is stored before filter request creation and the second user
is stored after filter request creation. So filter returns only one
user.
The second of new tests, users_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two users
are stored after filter request creation. So filter returns two users.
This patch adds user_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This option is an optional one that is run when a sbus ping times out
and before a SIGKILL signal is sent.
It is undocumented by default.
diag_cmd (string):
A command that should be run for diagnostic purpose when an sbus timeout
fails. The option value may contain %p which would be expanded for the
process ID of the process that timed out
Example:
pstack %p
This setting would print the stackstrace of the service whose ping timed out.
Default: not set.
Reviewed-by: Petr Cech <pcech@redhat.com>
|