| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
We checked only header file "sys/inotify" for detection whether inotify
works. Some platforms do not have built in inotify, but contain library,
which provides inotify-compatible interface.
This patch adds more robust detection of inotify in configuration time and
appends linker flags to Makefile if inotify is provided by library.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function gettext needn't be included in libc, it can be part of another
library. Autotools macro AM_GNU_GETTEXT generate makefile variables
(LIBINTL, LTLIBINTL), which contain necessary linker flags.
checking for GNU gettext in libc... no
checking for iconv... yes
checking for GNU gettext in libintl... yes
checking whether to use NLS... yes
checking where the gettext function comes from... external libintl
|
| |
|
|
|
|
|
|
| |
Some platform have header file endian.h and anothers have sys/endian.h.
We nedd to use conditional build to handle it correctly, therefore new header
file sss_endian.h was created.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1891
|
|
|
|
|
|
| |
This patch added auto configuration SUDO with ipa provider and compat tree.
https://fedorahosted.org/sssd/ticket/1733
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In SSSD, we use dlopen() and dlsym() in two files
src/providers/data_provider_be.c and src/providers/proxy/proxy_init.c.
Hence we should explicitly link with -ldl also in simple_access-tests.
SSSD can be compiled with two crypto libraries nss or libcrypto. NSS has
dependency nspr which depends on "libdl and libpthread" This is a reason why
compilation of test did not fail even if -ldl was not explicitly added to
simple_access_tests_LDADD. But libcrypto doesn't depend on libdl, so in
this case compilation of tests will not be successful.
Upstream nspr 4.9 has two ways have to obtain metainformation about
libraries
pkg-config and own script nspr-config. First one doesn't list "-ldl"
"-lpthread" but second one lists both "-ldl" "-lpthread"
That's also why the Ubuntu maintainer found this bug -- Fedora has got
patched version of nspr, but Debian (Ubuntu) doesn't
|
|
|
|
|
|
|
|
|
|
|
| |
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX
|
|
|
|
| |
Fixes build with automake 1.13 or newer.
|
| |
|
|
|
|
|
|
| |
The tools query the responder in order to sync the memcache after
performing changes to the local database. The functions will be reused
by other tools so I split them into a separate functions.
|
|
|
|
|
|
|
| |
The upcoming patches will link only users of this file with client libs,
so it's better to have it separate.
There is no functional change in this patch
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1659
|
|
|
|
|
|
|
|
| |
There used to be an overlinked dependency that's gone now, so
to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS.
v2:
Fix sss_ssh_authorizedkeys linking as well.
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is send to the pac responder for evaluation.
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1500
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1460
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/734
We successfully detect when the server is reinitialized by testing
the new lastUSN value. The maximum USN values are set to zero, but
the current cache content remains.
This patch removes records that were deleted from the server.
It uses the following approach:
1. remove entryUSN attribute from all entries
2. run enumeration
3. remove records that doesn't have entryUSN attribute updated
We don't need to do this for sudo rules, they will be refreshed
automatically during next smart/full refresh, or when an expired rule
is deleted.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
When new subdomains are discovered, the SSSD creates a file that
includes the domain-realm mappings. This file can in turn be included in
the krb5.conf using the includedir directive, such as:
includedir /var/lib/sss/pubconf/realm_mappings
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
|
| |
|
|
|
|
|
| |
This patch adds support for checking whether a user is expired or
disabled in AD.
|
|
|
|
|
|
| |
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.
|
|
|
|
|
| |
This will reduce code duplication between the krb5, ipa and ad
providers
|
|
|
|
|
|
|
| |
We need to load host information during provider initialization.
Currently it loads only values from configuration files, but it is
implemented as an asynchrounous request as it will later try to
autodetect these settings (which will need to contact DNS).
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|