path: root/server/providers/ldap/ldap_auth.c
Commit message | Author | Age | Files | Lines
* Treat a zero-length password as a failure [sssd-1_0_7] | Stephen Gallagher | 2010-08-24 | 1 file | -0/+7
  Some LDAP servers allow binding with blank passwords. We should not allow a blank password to authenticate the SSSD.
* Handle chauthtok with PAM_PRELIM_CHECK separately | Sumit Bose | 2009-12-18 | 1 file | -7/+19
  If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request.
* Don't consider one address with different port numbers as the same | Martin Nagy | 2009-12-15 | 1 file | -2/+4
  There were two problems with the code. We were using fo_set_server_status() instead of fo_set_port_status() when we failed to connect to a service. This is a problem because if two services use the same server, or we want to use one server with two different ports, marking the whole server as bad is incorrect. The other problem was that be_resolve_server_done() was comparing the hostent structures -- these are, however, equal across multiple server:port pairs with the same server addresses.
  Fixes: #321
* Add ldap_pwd_policy option | Sumit Bose | 2009-11-23 | 1 file | -44/+70
* Add initial failover support for ldap and ipa | Simo Sorce | 2009-11-20 | 1 file | -2/+36
  The return values are still not directly used with ldap libraries that still do their own name resolution, but this patch introduces a very basic framework to have multiple providers in one domain use and share a single failover service if they want to.
* Fix tevent_req error checking. | Simo Sorce | 2009-11-09 | 1 file | -8/+10
  When possible using a macro that correctly deals with tstate
* Always list inputs before outputs | Simo Sorce | 2009-10-16 | 1 file | -8/+11
* Move all ldap provider init functions | Simo Sorce | 2009-10-16 | 1 file | -69/+2
  Put all init functions in their own file so that the other files can be reused in other providers w/o having them in the way.
* Check for expired passwords in LDAP provider | Sumit Bose | 2009-10-15 | 1 file | -20/+351
* Return the dp error from the providers | Simo Sorce | 2009-10-15 | 1 file | -14/+25
* Move ldap provider configuration into its own file | Simo Sorce | 2009-10-14 | 1 file | -1/+2
* Make options parser available to all providers | Simo Sorce | 2009-10-14 | 1 file | -7/+8
* add support for server side LDAP password policies | Sumit Bose | 2009-10-08 | 1 file | -0/+4
  - password policy request controls are sent during bind and change password extended operation
  - the response control is evaluated to see if the password is expired or will expire soon
* Initial implementation of sasl bind support | Simo Sorce | 2009-10-01 | 1 file | -1/+2
  Inits krb5 credentials, if sasl mech is GSSAPI. Tested with GSSAPI and host keytab as well as user credentials. Updates also manpages with the new options.
* add new config options ldap_tls_cacert and ldap_tls_cacertdir | Sumit Bose | 2009-09-25 | 1 file | -33/+4
* Turn ldap driver options into multitype | Simo Sorce | 2009-09-14 | 1 file | -19/+29
  This patch makes basic options multitype, the init function assigns a type from the initialization array, and processes values fetched from confdb accordingly. 4 types are supported so far: string, number, blob and boolean. Also convert defines into enums where appropriate. Add fetch functions that check the requested type.
* Make the offline status backend-global | Simo Sorce | 2009-09-14 | 1 file | -7/+22
  Add helper functions to query/set the offline status per backend. Now all providers share the same offline status.
* enable usage of defaultBindDn | Sumit Bose | 2009-08-19 | 1 file | -1/+1
* added LDAP change password backend target | Sumit Bose | 2009-07-21 | 1 file | -2/+159
* add infrastructure to handle new backend targets | Sumit Bose | 2009-07-20 | 1 file | -4/+5
* Unify password caching ops in sysdb | Simo Sorce | 2009-07-08 | 1 file | -26/+22
* Use async helpers for ldap auth module | Simo Sorce | 2009-07-08 | 1 file | -722/+314
  This changes the style quite a lot, but the tevent_req style is much more clear and much less error-prone than the giant loop we had previously.
* Rework transaction code to use tevent_req | Simo Sorce | 2009-07-03 | 1 file | -21/+65
  This is part of a set of patches to rewrite sysdb to a hopefully better API, that will also let us use tevent_req async style calls to manipulate our cache.
* Rename sysdb_req to sysdb_handle. | Simo Sorce | 2009-07-03 | 1 file | -5/+5
  This sysdb_req has always really been a transaction handle and not a request. This is part of a set of patches to rewrite transaction support in sysdb to a hopefully better API, that will also let us use tevent_req async style to manipulate our cache.
* Remove extra implementation of password_destructor | Stephen Gallagher | 2009-06-11 | 1 file | -11/+0
* added tls_reqcert option for native LDAP backend | Sumit Bose | 2009-06-02 | 1 file | -0/+32
  In order to allow to access LDAP servers which do not provide SSL/TLS encryption the option tls_reqcert is added to the native LDAP backend. It accepts the same arguments as the corresponding OpenLDAP option documented in ldap.conf(5) and should perform accordingly.
* Silence warnings | Simo Sorce | 2009-05-26 | 1 file | -2/+3
* call tevent_add_fd only once | Sumit Bose | 2009-05-19 | 1 file | -27/+11
* Move actual password caching into sysdb | Simo Sorce | 2009-05-18 | 1 file | -6/+117
  Convert auth modules to do the caching themselves
* Split ldap backend into auth and identity files | Simo Sorce | 2009-05-18 | 1 file | -19/+12
* Move ldap_be.c into ldap/ldap_auth.c | Simo Sorce | 2009-05-18 | 1 file | -0/+773