summaryrefslogtreecommitdiffstats
path: root/server/providers/ldap
Commit message (Collapse)AuthorAgeFilesLines
* Use macros to hide memcpy callsJakub Hrozek2010-02-182-53/+19
| | | | | The memcpy calls introduced in the memalign patches are ugly. This patch hides them behind a set of macros.
* Make change password errors more transparentSumit Bose2010-02-123-5/+36
|
* Fix other memory alignment issuesJakub Hrozek2010-02-102-14/+20
| | | | | | | Similar to George McCollister's patch to the pam code, this patch fixes other places in the code where we forced data into 32-bit alignment. Fixes: #390
* Make return values more specific during password changeSumit Bose2010-02-101-3/+5
| | | | | | | - return PAM_AUTHTOK_ERR instead of PAM_SYSTEM_ERR if the password change operation fails - send a message to the user if the system is offline and the password cannot be changed
* Document when LDAP referral chasing is availableSumit Bose2010-02-051-0/+12
|
* Reactivate old fd handling conditionallySumit Bose2010-02-054-1/+78
| | | | | | | Older versions of openLDAP do not provide a connection callback. This patch adds a configure check to see if the callback is available and activates the old way of handling the file description of the LDAP connection. This also means that it is not possible to follow referrals.
* Internationalize the command-line help messageStephen Gallagher2010-02-051-3/+3
|
* Enable debug_timestamps by defaultStephen Gallagher2010-02-051-1/+1
| | | | | It can be overridden in the sssd.conf or on the commandline with --debug-timestamps=0
* Add new option ldap_referralsSumit Bose2010-02-023-1/+14
|
* Use ldap connection callbacks to get file descriptorsSumit Bose2010-02-024-43/+121
|
* Return an error for an unknown PAM requestSumit Bose2010-01-051-2/+8
|
* Fix ldap child memory hierarchy and other issuesSimo Sorce2009-12-184-208/+262
| | | | | | | | | | | | | | | | | The timeout handler was not a child of the request so it could fire even though the request was already freed. The code wouldn't use async writes to the children so it could incur in a short write with no way to detect or recover from it. Also fixed style of some helper functions to pass explicit paramters instead of a general structure. Add common code to do async writes to pipes. Fixed async write issue for the krb5_child as well. Fix also sdap_kinit_done(), a return statement was missing and we were mixing SDAP_AUTH and errno return codes in state->result Remove usless helper function that just replicates talloc_strndup()
* Handle chauthtok with PAM_PRELIM_CHECK separatelySumit Bose2009-12-181-7/+19
| | | | | | If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request.
* Raise DEBUG level of sdap_get_generic_done()Stephen Gallagher2009-12-171-1/+1
| | | | | | | The DEBUG level of the result should not be lower than the DEBUG level of the request. It generates too much noise when enumerate is enabled or initgroups deals with groups with large numbers of users.
* Don't consider one address with different port numbers as the sameMartin Nagy2009-12-152-3/+7
| | | | | | | | | | | | | There were two problems with the code. We were using fo_set_server_status() instead of fo_set_port_status() when we failed to connect to a service. This is a problem because if two services use the same server, or we want to use one server with two different ports, marking the whole server as bad is incorrect. The other problem was that be_resolve_server_done() was comparing the hostent structures -- these are, however, equal across multiple server:port pairs with the same server addresses. Fixes: #321
* Consolidate code for splitting strings by separatorJakub Hrozek2009-12-101-3/+2
| | | | | | | | There were two functions for parsing strings by a separator. This patch consolidates on the one previously used in confdb. This also allows stripping the tokens of whitespace. Fixes: #319
* Reduce code duplication between LDAP child and Kerberos childJakub Hrozek2009-12-091-118/+7
| | | | Fixes: #294
* Allow nesting to fix #310Simo Sorce2009-12-071-0/+1
|
* Try to renew Kerberos credentialsSumit Bose2009-12-075-2/+189
| | | | | | | | When using GSSAPI we need a valid service ticket to talk to the LDAP server. If the ticket is expired the LDAP client returns with 'Can't contact LDAP server'. Currently we set the backend offline if this error occurs although the server is still available. This patch checks if the TGT is expired and tries to renew the credentials before going offline.
* Fix nested group membershipsSimo Sorce2009-12-071-143/+129
| | | | | | | | | Search the local db to find the local DN using the original DN as search key. This way we do not have to rely on weak and faulty heuristicts based on DN names. Add a few helper functions in the process and change the way we pass members to sysdb_store_group_send(), instead of passing users and groups list, just add member DNs to the other sysdb attrs.
* Resolve nested groups also when rfc2307bis is usedSimo Sorce2009-12-071-68/+2
|
* Check LDAP structure before calling ldap_unbind_ext()Sumit Bose2009-12-031-1/+3
|
* Setup ldap child logging from IPA backendJakub Hrozek2009-12-033-45/+47
| | | | Fixes: #296
* Get TGT in a child process.Jakub Hrozek2009-11-258-164/+1060
| | | | | | | To avoid blocking in a synchronous call, the TGT is saved in a separate process Fixes: #277
* Make backend request type a bitfieldStephen Gallagher2009-11-231-1/+1
|
* Add ldap_pwd_policy optionSumit Bose2009-11-234-45/+92
|
* Add initial failover support for ldap and ipaSimo Sorce2009-11-209-17/+266
| | | | | | | The retun values are still not directly used with ldap libraries that still do their own name resolution, but this patch introduces a very basic framework to have a multiple providers in one domain use and share a single failover service if they want to.
* Raise some timeoutsSimo Sorce2009-11-201-2/+2
| | | | | When using high debug levels or valgrind the code maybe slow enough that these timeouts were too strict.
* Filter by id range before actually storing entries.Simo Sorce2009-11-201-0/+24
| | | | This way we do not need to check for id ranges on every search.
* Better behavior on cleanupSimo Sorce2009-11-204-20/+44
| | | | | | | | | | | | With the previous code in domains with many users and enumeration enable we would eventually end up making thousands of individual searches for entries in the clean-up process. Change the code to do a full enumeration before a cleanup so we do one single big search to update all entries and only then search for entries to purge. This also fixes the fact that the cleanup task was running at every enumeration instead of running every "ldap_purge_cache_timeout" seconds.
* Store initgr expire time on initgr callSimo Sorce2009-11-181-6/+17
|
* Fix double free case.Simo Sorce2009-11-121-1/+3
|
* Try to fix offline loginsSimo Sorce2009-11-121-12/+6
|
* Add cleanup taskSimo Sorce2009-11-106-155/+910
|
* Fix tevent_req error checking.Simo Sorce2009-11-096-117/+45
| | | | When possible using a macro that correctly deals with tstate
* Fix enumerationsSimo Sorce2009-11-091-2/+6
| | | | | The counter was not set so we were storing only the first user for each anumeration.
* Split async helpers in multiple filesSimo Sorce2009-11-065-3285/+3383
| | | | | | The size of sdap_async.c was unmanageable. This patch splits it into a generic file with common infrastructure calls, a file that handles connection calls and a file for id related calls.
* Reorganize ldap id provider filesSimo Sorce2009-11-064-547/+583
| | | | Split enum task in a separate file.
* Unify code to use the generic search interfaceSimo Sorce2009-11-061-593/+473
| | | | | | | This code removes redundancies in the code. both users and groups enumeration code use the same search generic search function now. Also the code to save users and groups have been unified across all callers.
* Fix and enhance initgroups callSimo Sorce2009-11-061-170/+637
| | | | | | | | This call was failing and was defective because it didn't properly handle the various different schemas we support. Now the function does 2 things: - Updates the user entry to make sure it is still valid - Retrieves every group the user is member of
* Unify parse routines, use maps in generic searchesSimo Sorce2009-11-064-130/+77
| | | | | This remove redundant code and also allows the generic search to be used to use maps to convert attributes.
* Store the original memberof attributes if anySimo Sorce2009-11-061-7/+30
| | | | | Also change the interface of sdap_save_user_send() so that it can be more easily reused like it was done for sdap_save_group_send().
* Make useful function more broadly available.Simo Sorce2009-11-063-30/+30
|
* add replacements for missing Kerberos callsSumit Bose2009-11-051-8/+8
|
* Rename sdap_id_map to sdap_attr_mapSimo Sorce2009-11-034-19/+55
| | | | | | Also start adding some infrastructure to use the USN counter when available. In particular add a place to add generic attrs mapping, ie attributes that are neither user nor group specific.
* Fix segfault when SASL is not used at allSimo Sorce2009-10-302-2/+4
|
* Add support to get rootDSE from the LDAP server.Simo Sorce2009-10-296-121/+398
| | | | | | | | | | | | Also fic sdap_get_generic_send() to be a bit more "generic" :-) Also figs bugs within it. This patch allow us 2 good things. A) we check that the server effectively supports GSSAPI auth before we try to use it. B) against IPA it substantially cuts delays when the server is offline because it uses a 5 second async timeout on the connection and doesn't try to do a slow synchronous kinit+sasl_bind if the server is not even available.
* Tidy up ipa optionsSimo Sorce2009-10-292-2/+29
| | | | | | | | | | | | | | Do not replicate every and each option we may want to set in ipa. Just read out ldap and krb provider options (added reference in the manual too, and removed mention of ipa specific timeout values, use ldap options for that) Avoid calling auth module initialization twice, just pass the auth context to the chpass module too. Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be used for both users and groups. the user and group search bases can still be set separately if necessary but they are now optional and set to be identical to SDAP_SEARCH_BASE if not explicitly specified in the configuration.
* Kill the ldap connection when we go offlineSimo Sorce2009-10-281-5/+16
| | | | | | This patch uses a wrapper to kill the ldap connection when we are marked offline. This also makes sure we do not try to reuse a bad connection handler after a fatal error.
* Move responsibility for entry expiration timeoutSimo Sorce2009-10-273-5/+11
| | | | | The providers are now responsible for determining how long a cached entry is considered valid. The default is the same as before (600s)