summaryrefslogtreecommitdiffstats
path: root/server/providers
Commit message (Collapse)AuthorAgeFilesLines
* Add support for offline auth cache timeoutStephen Gallagher2009-10-221-0/+1
| | | | | | | | | This adds a new option (offline_credentials_expiration) to the [PAM] section of the sssd.conf If the user does not perform an online authentication within the timeout (in days), they will be denied auth once the timeout passes.
* Fix setting the schema in the ipa providerSimo Sorce2009-10-221-0/+3
|
* update ipa auth options to new option schemeSumit Bose2009-10-223-110/+133
|
* update krb5 option handling to new option schemeSumit Bose2009-10-227-125/+273
|
* Fix potential memory leaks in the data providerMartin Nagy2009-10-221-2/+4
|
* Better offline/enumeration behaviorSimo Sorce2009-10-221-10/+12
| | | | | | | | Go offline in case of hard errors too. It makes no sense to keep trying too often when you have bad credentials for example. Also delay starting the enumeration thread so that we finish initializations first (bind to ldap is still a blocking operation and this may interfere with clients/monitor registrations).
* added generic LDAP search sdap_get_generic_send/_recvSumit Bose2009-10-224-0/+304
|
* Start implementing ipa specific options.Simo Sorce2009-10-205-7/+593
| | | | | First step generate ldap options from ipa options. Add sssd-ipa man page too.
* Always list inputs before outputsSimo Sorce2009-10-161-8/+11
|
* Add first basic IPA providerSimo Sorce2009-10-161-0/+233
|
* Move all krb5 provider init functionsSimo Sorce2009-10-164-193/+261
| | | | | Put all init functions in their own file so that the other files can be reused in other providers w/o having them in the way.
* Move all ldap provider init functionsSimo Sorce2009-10-165-145/+202
| | | | | Put all init functions in their own file so that the other files can be reused in other providers w/o having them in the way.
* Check for expired passwords in LDAP providerSumit Bose2009-10-154-23/+425
|
* enable debugging of krb5_childSumit Bose2009-10-153-4/+142
|
* more implicit provider target settingsSumit Bose2009-10-151-13/+48
| | | | | | | | | If auth_provider or access_provider is ont set explicitly id_provider is used if it can handle auth or access control requests respectively. If not auth defaults to 'none' and the access_provider is set to 'permit'. The option 'deny' is added for the access_provider to explicitly deny access.
* set chpass_provider implicit if not set explicitSumit Bose2009-10-152-20/+60
| | | | | | - if chpass_provider is not given in the configuration file but an auth_provider and the auth_provider can also handle change password requests it is used as chpass_provider.
* Return the dp error from the providersSimo Sorce2009-10-156-81/+179
|
* Move ldap provider configuration into its own fileSimo Sorce2009-10-146-189/+252
|
* Make options parser available to all providersSimo Sorce2009-10-148-294/+366
|
* send a message if a backend target is not configuredSumit Bose2009-10-141-12/+30
| | | | | | If a backend target is not configured the return code is changed from PAM_SYSTEM_ERR to PAM_MODULE_UNKNOWN and an error message is sent back to the client.
* make sdap_id_connect_* independent of sdap_id_ctxSumit Bose2009-10-143-180/+188
| | | | | | | | The sdap_id_connect_* request tries to bind to an LDAP server with the default credentials. Only the opts component of the sdap_id_ctx context is used. A new request sdap_cli_connect_* is created which expects only the opts pointer as parameter and not the whole context. This makes it reusable by other providers.
* add a replacement if ldap_control_create is missingSumit Bose2009-10-133-8/+7
|
* fix a wrong argument to unpack_bufferSumit Bose2009-10-121-18/+40
| | | | | | | | | - the patch to handle short read introduced a new variable len to store the amount of data read. Instead of using this variable unpack_buffer was called with the old variable ret. Thanks to mnagy@redhat.com for finding this. - this patch also fixes a potential error when the message size is equal to the buffer size.
* use the correct kerberos context for each targetSumit Bose2009-10-091-4/+33
| | | | | - when the kerberos provider was used as a chpass_provider but not as auth_provider the backend died
* Remove DP processSimo Sorce2009-10-097-1259/+241
| | | | | Turn the backend process into data provider servers Make Frontends (pam, nss) directly attach to the backends
* Differentiate between search and network timeoutsSimo Sorce2009-10-093-5/+7
| | | | | | Network timeouts are used in quick operations like bind. Search timeout is used for operations that can "legally" require more time. Change defaults to 6 and 60 seconds respectively.
* add support for server side LDAP password policiesSumit Bose2009-10-083-11/+125
| | | | | | | - password policy request controls are send during bind and change password extended operation - the response control is evaluated to see if the password is expired or will expire, soon
* Remove unused btreemap codeStephen Gallagher2009-10-062-2/+0
| | | | | We have converted to using dhash in place of btreemap everywhere in the code.
* remove redundant talloc_freeSumit Bose2009-10-051-3/+0
| | | | - this patch should fix bug #213, a double free in the sdap timeout handler
* handle expired password during authenticationSumit Bose2009-10-051-2/+25
|
* Fix long timeout on ldap operationSimo Sorce2009-10-012-5/+14
| | | | | Always use the network timeout defined in the options. But raise defaults to 60 seconds or enumerations can easily fail.
* Initial implementation of sasl bind supportSimo Sorce2009-10-016-59/+488
| | | | | | Inits krb5 credentials, if sasl mech is GSSAPI. Tested with GSSAPI and host keytab as well as user credentials. Updates also manpages with the new options.
* Let backend respond while fetching large resultsSimo Sorce2009-09-251-2/+11
| | | | | | | Timers always come before fd events, wait 5 microseconds between processing operations so that tevent has a chance of cactching an fd event in between. This allows the backend to reply to pings even while processing very large ldap results (importanty especially during the first enumeration).
* remove krb5_try_simple_upn option and make it a default fallbackSumit Bose2009-09-252-9/+1
|
* Send debug messages to logfileJakub Hrozek2009-09-252-1/+7
| | | | | | | | | | | | | Introduces a new option --debug-to-files which makes SSSD output its debug information to a file instead of stderr, which is still the default. Also introduces a new confdb option debug_to_files which does the same, but can be specified per-service in the config file. The logfiles are stored in /var/log/sssd by default. Changes the initscript to log to files by default.
* fix possible short reads in kerberos providerSumit Bose2009-09-252-15/+46
|
* add new config options ldap_tls_cacert and ldap_tls_cacertdirSumit Bose2009-09-254-67/+72
|
* Upgrade confdb to version 2Stephen Gallagher2009-09-257-120/+88
| | | | | This converts a great many configuration options to the new standard format.
* added support for older MIT kerberos versionssbose2009-09-243-7/+37
| | | | | | | | | - make the build of the locator plugin optional - added a man page for the locator plugin - use krb5.h if krb5/krb5.h cannot be found - added alternatives for missing functions - set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version is lesser than 1.0.0
* Remove provider=filesJakub Hrozek2009-09-231-56/+0
| | | | | | | Remove this provider type, as well as any references in the docs and examples to the "LEGACYLOCAL" migration domain. Fixes: #165
* Don't try to use initgroups_dyn if not availableSimo Sorce2009-09-231-0/+3
| | | | Fixes a segfault seen in the wild with providers=files
* Fix copy&paste of wrong structureSimo Sorce2009-09-231-2/+2
|
* Revert "Use syslog for logging error conditions in SSSD"Stephen Gallagher2009-09-238-135/+121
| | | | | | | | This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d. Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made use of the SYSLOG_ERROR() macro, so those portions of that code also needed to be reverted.
* Use syslog for logging error conditions in SSSDJakub Hrozek2009-09-218-121/+135
| | | | | This is just a band-aid until ELAPI is fully functional and ready to use.
* Better handle groups w/o membersSimo Sorce2009-09-171-6/+122
| | | | | | | | | | There was a chance that groups w/o members could end up causing a failure to store the group. This would happen in case the structure used by glibc to fill up the group data was "dirty". Always memset structures before passing them to te libc and also check if there are any members, before calling the async function. Finally add some tracing at level 7 so that it is easier to follow what is going on in case of touble.
* Fix copy&paste error.Simo Sorce2009-09-171-4/+4
|
* Check if SSL/TLS handler is already in placeSumit Bose2009-09-161-1/+8
| | | | | | | | | Authentication against a LDAP server should always use an encrypted connection. To acchive this the LDAP provider calls ldap_start_tls which will fail if the connection is already encrypted, e.g. if an ldaps tunnel is already established. Because the error message from ldap_start_tls is not specific we check the status with ldap_tls_inplace before calling ldap_start_tls.
* added child timeout handlerSumit Bose2009-09-142-6/+90
|
* fix the wrong usage of an offsetSumit Bose2009-09-141-1/+1
|
* add krb5ccache_dir and krb5ccname_template optionSumit Bose2009-09-145-50/+356
| | | | | | | | The configuration options krb5ccache_dir and krb5ccname_template are added to the Kerberos provider to create the user's credential caches the same way as pam_krb5 does. Due to the design of the sssd and the supported ccache types of MIT Kerberos only files are allowed.
generated by cgit (git 2.34.1) at 2024-04-26 19:48:43 +0000