| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
If sssd is compiled with disabled link_all_deplibs (debian) some test could not
be properly linked. This patch add missing libraries
|
| |
|
|
|
|
| |
* Stop using --target (unneeded)
* Drop explicit use of --with-default-ccache* since we now pick it up
from libkrb5
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The code wrote into the middle of the packet to a space that was already
reserved and allocated but then still advanced the pointer to the buffer.
https://fedorahosted.org/sssd/ticket/2124
|
| | |
|
| |
|
|
|
|
|
| |
The Kerberos provider didn't handle ERR_CHPASS_FAILED at all, which
resulted in the default return code (System Error) to be returned if
password change failed for pretty much any reason, including password
too recent etc.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is a workaround until
https://fedorahosted.org/sssd/ticket/2129 is fixed properly.
Consider a group entry such as:
cn: subgroup@subdom
ghost: someuser
ghost: anotheruser@subdom
Currently in order to print all group members as FQDN (which is the default
for AD provider), the code needs to iterate over the ghost attributes and
parse them into (name,domain) and optionally re-add the domain.
The proper fix would be to store always just the FQDN in the hardcoded
form of user@domain
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have group with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent group 5000' and this request goes through data
provider, searching in parent domain first. Even though this
group does not belong to this domain it is found and stored as
ad.pb group.
With this patch we look at group's SID and put it into correct domain.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have user with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent passwd 5000' and this request goes through data
provider, searching in parent domain first. Even though this
user does not belong to this domain it is found and stored as
ad.pb user.
With this patch we look at user's SID and put it into correct domain.
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
|
|
|
| |
This is a wrapper around be_ptask_create() that allows to create
synchronous periodic tasks.
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
|
|
|
| |
Every request is attached to be_ctx->domain by default. We
will change the domain to a subdomain if it is relevant.
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
|
|
|
|
|
| |
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify a LDAP access filter
that can be applied globally, per-domain or per-forest.
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2082
In order to allow the ad_access_filter option to work for subdomain
users as well, the Global Catalog must be searched. This patch adds a
wrapper request atop sdap_access_send that selects the right connection
(GC or LDAP) and optionally falls back to LDAP.
|
| |
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.
|
| |
|
|
|
|
|
| |
This patch just adds the option, it doesn't do anything useful yet.
Related:
https://fedorahosted.org/sssd/ticket/2082
|
| |
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
When a subdomain user logs in, the username the account request receives
is a FQDN. This hackish patch parses the FQDN and only uses the name to
search the LDAP.
|
| |
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
|
| |
|
|
|
|
|
|
| |
This patch fixes few format string warnings in the file test_utils.c
src/tests/cmocka/test_utils.c:54:56:
warning: format specifies type 'unsigned int' but the
argument has type 'size_t' (aka 'unsigned long') [-Wformat]
|
| |
|
|
|
| |
In case the entry was deleted from the server, the search didn't notice
and kept returning the cached data.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
AD provider went offline if the Global Catalog could not be connected although
there was also the LDAP port available. With this patch, AD provider will
fall back to the LDAP port before going offline.
New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx
If this flag is enabled function be_mark_offline will not be called.
Resolves:
https://fedorahosted.org/sssd/ticket/2104
|
| |
|
|
|
|
|
| |
We had a hard coded value of Global Catalog port (3268).
Informations from SRV record was ignored.
This patch prefer port number from SRV record and hard coded value is used only
as a fall back if port number was not initialized.
|
| |
|
|
|
|
|
|
|
|
| |
If the forest root of a trusted forest is managing POSIX IDs for its
users and groups the same is assumed for all member domains in the
forest which do not have explicitly have an idrange set.
To reflect this SSSD will create the matching ranges automatically.
Fixes https://fedorahosted.org/sssd/ticket/2101
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
| | |
|
| | |
|
| |
|
|
|
| |
be_ptask_destroy was unreachable since sdom is not present
in the list of sdap domains any more.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2123
Previously, the subdomains were always unbound even if the administrator
limited the ranges with min_id/max_id. This could have posed problems
when running programs that scan the whole ID space, such as "groupadd
-r".
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the beginning of a LDAP request we check if we are connecte and have
a valid sdap handle. But for some requests more than one LDAP operation,
typically a search, is needed. Due to the asynchronous handling of LDAP
request it might be possible that a second request might detect a server
error and close the connection while the first request just finished one
LDAP search and wants to start a new LDAP search.
This patch tries to make sure that there is a valid sdap handle before
sending a LDAP search to the server.
Fixes https://fedorahosted.org/sssd/ticket/2126
|
| |
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2030
|
| |
|
|
|
|
|
|
|
| |
Currently online callbacks are only executed if the backend was offline
before. This patch add a new class of callback which are always called
if the backend gets a request to go online.
They can be used e.g. to reset timeouts until a more sophisticated method
(OpenLMI, sssctl) is available.
|
| | |
|
| | |
|
| |
|
|
|
| |
When running in IPA server mode, the IPA sites should be ignored and the
SSSD should only connect to the local server.
|
| | |
|
| |
|
|
|
|
| |
I find it more readable to include headers from outside the sssd tree
with <foo.h>, not "foo.h". The latter should be used for in-tree headers
only.
|
| |
|
|
|
| |
Parameter mem_ctx was unused in static function
get_password_migration_flag_recv
|
| |
|
|
|
|
|
| |
In function create_empty_cred, krb5_creds was aloocated using calloc,
but krb5_free_creds was used to remove this creds in done section.
Therefore clang static analyzer repoted this as warning:
Potential leak of memory pointed to by 'cred'
|
| | |
|
