path: root/Makefile.am
Commit message | Author | Age | Files | Lines
* tests: Add NSS responder tests for bysid requests | Jakub Hrozek | 2015-04-24 | 1 | -0/+1
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* selinux: Only call semanage if the context actually changes | Jakub Hrozek | 2015-04-14 | 1 | -0/+5
    https://fedorahosted.org/sssd/ticket/2624

    Add a function to query the libsemanage database for a user context and only update the database if the context differs from the one set on the server. Adds talloc dependency to libsss_semanage.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* SDAP: Extract filtering AD group to function | Lukas Slebodnik | 2015-04-14 | 1 | -0/+2
    Patch removes code duplication.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Add missing header file to tarball | Lukas Slebodnik | 2015-03-24 | 1 | -0/+1
    make distcheck failed due to missing header file.

    ../src/tests/cmocka/test_ldap_auth.c:33:45: fatal error: tests/cmocka/test_expire_common.h: No such file or directory
     #include "tests/cmocka/test_expire_common.h"
                                                 ^
    compilation terminated.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: test expiration | Pavel Reichl | 2015-03-23 | 1 | -0/+44
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sdap: properly handle binary objectGuid attribute | Sumit Bose | 2015-03-20 | 1 | -0/+16
    Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache.

    This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache.

    Resolves https://fedorahosted.org/sssd/ticket/2588

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Lock out ssh keys when account naturally expires | Pavel Reichl | 2015-03-05 | 1 | -4/+9
    Resolves:
    https://fedorahosted.org/sssd/ticket/2534

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: convert GeneralizedTime to unix time | Pavel Reichl | 2015-03-05 | 1 | -3/+6
    New utility function *sss_utc_to_time_t* to convert GeneralizedTime to unix time.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: refactor pwexpire policy | Pavel Reichl | 2015-03-03 | 1 | -0/+1
    Move part of pwexpire policy code to a separate function.

    Relates to:
    https://fedorahosted.org/sssd/ticket/2167

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* FO: Use SRV TTL in fail over code | Jakub Hrozek | 2015-03-03 | 1 | -0/+19
    Resolves:
    https://fedorahosted.org/sssd/ticket/1884

    Removes the hardcoded SRV TTL timeout and uses TTL from the DNS instead.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* BUILD: Uninstall also symbolic links to python bindings | Lukas Slebodnik | 2015-03-02 | 1 | -8/+16
    Make uninstall did not remove symbolic links and make distcheck did not detect it. As a result of this bug another make install failed.

    cd /usr/lib64/python2.7/site-packages && \
        ln -s _py2sss.so pysss.so ; \
        ln -s _py2hbac.so pyhbac.so ; \
        ln -s _py2sss_murmur.so pysss_murmur.so ; \
        ln -s _py2sss_nss_idmap.so pysss_nss_idmap.so
    ln: failed to create symbolic link ‘pysss.so’: File exists
    ln: failed to create symbolic link ‘pyhbac.so’: File exists
    ln: failed to create symbolic link ‘pysss_murmur.so’: File exists
    ln: failed to create symbolic link ‘pysss_nss_idmap.so’: File exists
    Makefile:19361: recipe for target 'install-exec-hook' failed
    make[4]: *** [install-exec-hook] Error 1

    This patch also uses argument "-f" with command ln which removes existing destination files before creating symbolic link

    Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: print the pam status as string, too | Jakub Hrozek | 2015-02-25 | 1 | -1/+3
    On several places, let's add a pam_strerror() call so that it's easier to debug user problems.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
* TESTS: Run python tests with all supported python versions | Lukas Slebodnik | 2015-02-25 | 1 | -5/+18
    This patch adds simple bash wrappers for python tests. They are executed either with python2 or python3.

    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* BUILD: Add possibility to build python{2,3} bindings | Lukas Slebodnik | 2015-02-25 | 1 | -42/+154
    Resolves:
    https://fedorahosted.org/sssd/ticket/2574

    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* BUILD: Remove unused libraries for pysss.so | Lukas Slebodnik | 2015-02-25 | 1 | -7/+1
    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* IFP: move interface definitions from ifpsrv.c into separate file | Pavel Březina | 2015-02-17 | 1 | -0/+1
    The number of IFP interfaces will grow rapidly in the future. It is not convenient to keep it inside ifpsrv.c.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sbus: use hard coded getters instead of generated | Pavel Březina | 2015-02-17 | 1 | -0/+2
    Properties are single values of a small number of predefined D-Bus types. There is no need to generate them with codegen.

    Actually, the source generator for property getters is already quite a mess with branching for array, strings and object paths. Adding any more complex type in the future (such as dictionary) would require even more branching or creating a separate path for it.

    Hard coding the getters will simplify creating new ones for more complex types.

    This patch also reduces lots of code duplication and creates a simple function for GetAll.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing | Jakub Hrozek | 2015-02-11 | 1 | -12/+0
    SSSD contained several backwards-compatible definitions of SRV and TXT APIs as well as structures that carry TTL data. These were intended for RHEL-5 and older releases. Since we don't support those upstream, it's better to remove the code -- it has drifted apart from upstream anyway.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESOLV: Add an internal function to read TTL from a DNS packet | Jakub Hrozek | 2015-02-11 | 1 | -0/+27
    Related:
    https://fedorahosted.org/sssd/ticket/1884

    Adds an internal resolver function that reads the TTL for SRV records as specified by RFC-2181. Several internal c-ares definitions are used until c-ares contains a function that exposes all this information via a parsing function.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sbus: move common opath functions from ifp to sbus code | Pavel Březina | 2015-01-23 | 1 | -0/+13
    These functions are quite general thus they may be part of sbus interface.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Include python-test.py in the tarball | Jakub Hrozek | 2015-01-23 | 1 | -1/+3
* sbus: move iface and object path code to separate file | Pavel Březina | 2015-01-23 | 1 | -0/+1
    This is done to better distinguish between connection code and interface stuff. It will help with orientation and thus simplify next changes.

    Preparation for:
    https://fedorahosted.org/sssd/ticket/2339

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAKE: Don't include autoconf generated file to tarball | Lukas Slebodnik | 2015-01-20 | 1 | -1/+1
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Cover child_common.c with unit tests | Jakub Hrozek | 2015-01-15 | 1 | -0/+3
    The module wasn't tested properly, which made it harder to patch it

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* responders: new interface for cache request | Pavel Březina | 2015-01-09 | 1 | -1/+23
    Many areas of responders perform an expiration check and refresh of cached objects during single or multiple domain search. This code is duplicated on many areas of the code with small or no modifications.

    This interface aims to reduce code duplication between responders, by providing one universal API for requesting cached objects. This API will take care of cache lookup, expiration check, cache refresh, out of band cache request, negative cache in both single and multi domain searches.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* BUILD: Install libsss_crypt after its dependencies | Lukas Slebodnik | 2014-12-11 | 1 | -33/+34
    A library should not be installed before its internal dependencies otherwise there is an error in make distcheck.

    libtool: install: error: relink `libsss_crypt.la' with the above command before installing it

    It would be sufficient just to change order of libraries in automake variable pkglib_LTLIBRARIES, but it's better to have internal libraries in one place.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Fix dependencies of internal sss libraries | Lukas Slebodnik | 2014-12-08 | 1 | -1/+14
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAKE: Fix linking of test_child_common | Lukas Slebodnik | 2014-12-08 | 1 | -1/+7
    Compilation of test_child_common failed with linker flag --as-needed due to cyclic dependencies between libsss_child.so and libsss_util.so

    CCLD test_child_common
    ./.libs/libsss_child.so: undefined reference to `sss_hash_create'
    ./.libs/libsss_child.so: undefined reference to `hash_lookup'
    ./.libs/libsss_child.so: undefined reference to `BlockSignals'
    ./.libs/libsss_child.so: undefined reference to `hash_delete'
    ./.libs/libsss_child.so: undefined reference to `hash_enter'
    ./.libs/libsss_child.so: undefined reference to `hash_error_string'
    ./.libs/libsss_child.so: undefined reference to `sss_atomic_io_s'
    ./.libs/libsss_child.so: undefined reference to `sss_strerror'
    collect2: error: ld returned 1 exit status

    This patch is temporary workaround.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Rename test-child to dummy-child | Jakub Hrozek | 2014-12-04 | 1 | -4/+4
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Build test_child even without cmocka | Jakub Hrozek | 2014-12-04 | 1 | -1/+4
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Basic child tests | Jakub Hrozek | 2014-12-03 | 1 | -0/+25
    The child_common.c module had no unit tests, yet we need to amend it.

    Reviewed-by: Sumit Bose <sbose@redhat.com>
* BUILD: restrict perms. when installing from source | Pavel Reichl | 2014-12-02 | 1 | -0/+6
    Resolves:
    https://fedorahosted.org/sssd/ticket/2467

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_child: become user earlier | Sumit Bose | 2014-12-02 | 1 | -0/+1
    The host keytab and the FAST credential cache are copied into memory early at startup to allow to drop privileges earlier.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: copy keytab into memory to drop privileges earlier | Sumit Bose | 2014-12-02 | 1 | -0/+1
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_keytab_into_memory() | Sumit Bose | 2014-12-02 | 1 | -0/+18
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_ccache_into_memory() | Sumit Bose | 2014-12-02 | 1 | -0/+18
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not fail if checking the old ccache failed | Sumit Bose | 2014-12-02 | 1 | -0/+1
    https://fedorahosted.org/sssd/ticket/2510

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* tests: be_ptask | Pavel Březina | 2014-11-28 | 1 | -0/+16
    Resolves:
    https://fedorahosted.org/sssd/ticket/1939

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: create a private header file | Pavel Březina | 2014-11-28 | 1 | -0/+1
    This is done so we gain access to the be_ptask structure in unit tests.

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix KRB5_CONF_PATH | Sumit Bose | 2014-11-25 | 1 | -0/+1
    Currently a shell/Makefile variable is used in the definition of KRB5_CONF_PATH for C code. This patch replaces it with a compiler macro.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add split_ipa_anchor() | Sumit Bose | 2014-11-20 | 1 | -0/+2
    This call extracts the domain and the UUID part from an IPA override anchor.

    Related to https://fedorahosted.org/sssd/ticket/2481

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Touch files in DESTDIR | Jakub Hrozek | 2014-11-18 | 1 | -6/+6
    Related:
    https://fedorahosted.org/sssd/ticket/2370

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Make chown of files to sssd user non-fatal | Jakub Hrozek | 2014-11-18 | 1 | -3/+3
    In build environments, we can't assume the sssd user will be created prior to installing the package, so we can't chown the files. RPM will own the files instead in this case.

    Related:
    https://fedorahosted.org/sssd/ticket/2370

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Use separate chown to make changing ownership to the sssd user non-fatal | Jakub Hrozek | 2014-11-18 | 1 | -17/+18
    When the SSSD is built in the build system using a non-root user, the user doesn't exist in the build system and file ownership will be maintained by the downstream packaging instead.

    We need to make sure that setting the ownership to the sssd user is a separate step from creating the directories in this case in order to make failure to set the ownership non-fatal.

    Related:
    https://fedorahosted.org/sssd/ticket/2370

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move all ccache operations to krb5_child.c | Jakub Hrozek | 2014-11-18 | 1 | -2/+11
    The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches.

    src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root.

    Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user.

    Related:
    https://fedorahosted.org/sssd/ticket/2370

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move ccache-related functions to krb5_ccache.c | Jakub Hrozek | 2014-11-18 | 1 | -0/+4
    Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner.

    Related:
    https://fedorahosted.org/sssd/ticket/2370

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Install krb5_child as suid if running under non-privileged user | Jakub Hrozek | 2014-11-18 | 1 | -0/+2
    If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user.

    Related:
    https://fedorahosted.org/sssd/ticket/2370

    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Move setting the SELinux context to a child process | Jakub Hrozek | 2014-11-05 | 1 | -0/+27
    In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Drop privileges after kinit in ldap_child | Jakub Hrozek | 2014-11-05 | 1 | -1/+3
    After ldap_child initializes privileges using root-owned keytab, it drops privileges to the SSSD user, minimizing the amount of code that runs as root.

    Reviewed-by: Michal Židek <mzidek@redhat.com>
* BUILD: Install ldap_child and as setuid if running under non-privileged user | Jakub Hrozek | 2014-11-05 | 1 | -0/+5
    The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root.

    Reviewed-by: Michal Židek <mzidek@redhat.com>