| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since the default printf(3) implementation cannot safely be
used on user (or admin) provided input, this is a safe implementation.
This will be used in later patches by the full_name_format option
The implementation came from realmd, but only has libc dependencies.
The number of fields is pre-defined, and safe printf fails if
an invalid field is accessed.
Only string fields are supported, and only flags relevant to string
fields are supported. Width and precision work as expected, but
precision cannot read from a field.
Tests are included, and ported to the check based testing that
sssd uses.
|
| |
|
|
|
|
| |
New functions were added.
|
|
|
|
|
|
|
|
|
|
| |
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
The same applies for the LDAP connection to the trusted AD DC.
Includes a unit test.
|
|
|
|
|
|
|
| |
Unit test testing detection of the right domain when processing group with members from several domains
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
|
|
|
|
|
|
|
| |
Although static library libsss_test_common was used only in tests,
it was also built with command "make all"
Resolves:
https://fedorahosted.org/sssd/ticket/2097
|
|
|
|
|
| |
Static library libsss_test_common calls tevent functions directly (in module
common_tev.c), but it was not linked with tevent library.
|
| |
|
|
|
|
|
| |
Moved unused functions and merged ipa_selinux_common.c into
ipa_selinux.c
|
|
|
|
|
|
|
|
| |
LDAP_CFLAGS is never defined.
OPENLDAP_CFLAGS is set by src/external/ldap.m4.
This patch does:
sed -i 's/$(LDAP_CFLAGS)/$(OPENLDAP_CFLAGS)/' Makefile.am
|
|
|
|
|
|
| |
If openldap is not built with sasl support
libsss_ad.so will not be linked with libsasl2 although
sasl_client_init is called by function ad_sasl_initialize.
|
|
|
|
|
|
|
| |
Automake computes build dependencies of a program automatically but not
if prog_DEPENDENCIES is set. In this case only the dependencies given by
prog_DEPENDENCIES are used. If the automatically calculated dependencies
should be augmented EXTRA_prog_DEPENDENCIES should be used.
|
|
|
|
|
|
| |
Libraries MUST be specified in LDADD/LIBADD, not LDFLAGS, because
LDFLAGS appear earlier in the command line and library order is
significant.
|
| |
|
|
|
|
|
| |
If sssd is compiled with disabled link_all_deplibs (debian) some test could not
be properly linked. This patch add missing libraries
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify a LDAP access filter
that can be applied globally, per-domain or per-forest.
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1534
|
|
|
|
| |
Adds a reusable async request to download the master domain info.
|
| |
|
|
|
|
| |
Remove code duplication.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use systemd-lgin in preference to check if the user is logged in or not.
Fall back to the old method if no systemd-login support is available at compile
time or if it returns a fatal error, and can't determine the status of the user
on its own.
This will allow to consider a user really active (in order to reuse or refresh
crdentials) only if it really is logged into the system, and not just if one
of the user's processes is stuck around.
Resolves:
https://fedorahosted.org/sssd/ticket/2084
|
| |
|
|
|
|
|
|
|
|
|
| |
This completely replaces the per-ccache-type custom code to remove old cacches
and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as
the user owner.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
|
|
|
| |
This tests dlopens and resolves all symbols to make sure there are no missing
symbols in our provider modules.
|
|
|
|
|
|
|
|
|
| |
We checked only header file "sys/inotify" for detection whether inotify
works. Some platforms do not have built in inotify, but contain library,
which provides inotify-compatible interface.
This patch adds more robust detection of inotify in configuration time and
appends linker flags to Makefile if inotify is provided by library.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function gettext needn't be included in libc, it can be part of another
library. Autotools macro AM_GNU_GETTEXT generate makefile variables
(LIBINTL, LTLIBINTL), which contain necessary linker flags.
checking for GNU gettext in libc... no
checking for iconv... yes
checking for GNU gettext in libintl... yes
checking whether to use NLS... yes
checking where the gettext function comes from... external libintl
|
| |
|
|
|
|
| |
The $(PAM_LIBS) variable should be added to LDADD not LDFLAGS
|
| |
|
|
|
|
|
|
| |
Some platform have header file endian.h and anothers have sys/endian.h.
We nedd to use conditional build to handle it correctly, therefore new header
file sss_endian.h was created.
|
|
|
|
|
|
|
|
|
|
|
| |
The LDAP enumeration was too closely tied to the LDAP identity provider.
Because some providers might need special handling such as refresh the
master domain record before proceeding with the enumeration itself, this
patch splits the request itself to a separate async request and lets the
ldap_id_enum.c module only configure this new request.
Also move the enum timestamp to sdap_domain to make the enum tracking
per sdap domain. The cleanup timestamp will be moved in another patch.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When IPA trusts an AD domain the AD user or groups can be placed into
IPA groups e.g. to put AD users under the control of HBAC. Since IPA
group can only have members from the IPA directory tree and the AD users
and groups are not stored there a special IPA object called external
group was introduced. SIDs of users and groups can be added to the
external group and since the external groups are in the IPA directory
tree they can be member of IPA groups.
To speed things up and to remove some load from the IPA servers SSSD
reads all external groups and stores them in memory for some time before
rereading the data.
Enhances https://fedorahosted.org/sssd/ticket/1962
|
|
|
|
|
|
|
|
|
| |
Now that we use the libkrb5 defaults for the default ccname template
we do not need the patch that changes the man pages defaults nor the
configure options to change sssd defaults anymore.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
|
|
|
| |
When we're running 'make rpms' for development purposes, the nested
call to 'make distdir' ends up forcing an update of the translation pot
files. With this patch, we'll automatically ignore them during (S)RPM
actions.
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2025
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2023
When the option values are copied using dp_opt_copy_map, the .val member
is used if it's not NULL. At the same time, the bool options are never
NULL, unlike integers or strings that can have special NULL-like values
such as NULL_STRING. This effectively means that when copying a bool
option, the .val member is always used.
But in the AD maps, some .val fields were set differently from the
.def_val fields. The effect was that when the AD subdomain provider was
initialized from IPA subdomain provider using only the defaults, some
options (notably referral chasing) were set to a value that didn't make
sense for the AD provider.
This patch makes sure that for all boolean option, the .val is always
the same as .def_val.
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
|
|
|
|
| |
Use the sdap_idmap context for the IPA provider as well.
https://fedorahosted.org/sssd/ticket/1961
|
|
|
|
|
| |
This patch implements some unit tests for the recent enhancements to
libsss_idmap.
|
|
|
|
|
| |
It seems that some linkers have problem with wrong order of libraries.
This commit only change order.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1891
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1845
libsss_sudo and libsss_autofs are separate packages that contain just a
single client library with no additional dependencies. This separation
comes from the F-17 timeframe where the feature was really just a tech
preview so we didn't want it to be packaged in sssd proper. On the other
hand users are getting regularly confused about "sudo not working" when
all they really miss is the single library.
This patch moves the files owned by the libsss_autofs and libsss_sudo
packages back to the main sssd package. We also no longer build the
libsss_sudo documentation by default and do not ship the header file as
it was just a private one.
|
|
|
|
|
| |
The utility function will be reused to guess search base from the base
DN of AD trusted domains.
|