summaryrefslogtreecommitdiffstats
path: root/server/providers
Commit message (Collapse)AuthorAgeFilesLines
* Treat a zero-length password as a failuresssd-1_0_7Stephen Gallagher2010-08-241-0/+7
| | | | | Some LDAP servers allow binding with blank passwords. We should not allow a blank password to authenticate the SSSD.
* Do not check entries during cleanup taskJakub Hrozek2010-05-262-81/+59
| | | | | | | Do not attempt to validate expired entries in cache, just delete them. Also increase the cache timeouts. Fixes: #331
* Do not schedule enumeration after a cleanupJakub Hrozek2010-05-261-2/+2
|
* Fix licensing issues in SSSDStephen Gallagher2010-02-181-0/+24
|
* Explicitly set async DNS timeoutStephen Gallagher2010-01-141-1/+1
| | | | We will allow 5s per DNS server, no retries.
* Re-create c-ares channels if /etc/resolv.conf is modifiedMartin Nagy2010-01-141-1/+11
| | | | Fixes: #378
* Fix return value when offline and TGT is validSumit Bose2010-01-111-1/+1
| | | | Fixes CVE-2010-0014
* Do not blindly accept zero-length passwordsStephen Gallagher2009-12-182-8/+17
|
* Fix ldap child memory hierarchy and other issuesSimo Sorce2009-12-188-306/+482
| | | | | | | | | | | | | | | | | The timeout handler was not a child of the request so it could fire even though the request was already freed. The code wouldn't use async writes to the children so it could incur in a short write with no way to detect or recover from it. Also fixed style of some helper functions to pass explicit paramters instead of a general structure. Add common code to do async writes to pipes. Fixed async write issue for the krb5_child as well. Fix also sdap_kinit_done(), a return statement was missing and we were mixing SDAP_AUTH and errno return codes in state->result Remove usless helper function that just replicates talloc_strndup()
* Fix for #344Sumit Bose2009-12-181-13/+11
| | | | | Do not handle a missing ccache file as inactive by default, check if there are still active processes of the user.
* Do not overwrite valid TGTs when offlineSumit Bose2009-12-182-42/+88
|
* Handle chauthtok with PAM_PRELIM_CHECK separatelySumit Bose2009-12-185-21/+69
| | | | | | If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request.
* disable password migration codeSumit Bose2009-12-171-2/+2
|
* Raise DEBUG level of sdap_get_generic_done()Stephen Gallagher2009-12-171-1/+1
| | | | | | | The DEBUG level of the result should not be lower than the DEBUG level of the request. It generates too much noise when enumerate is enabled or initgroups deals with groups with large numbers of users.
* fail over: Change the first server pick logicMartin Nagy2009-12-151-5/+26
| | | | | | | | | | The logic of selecting the server to fail over to was changed so that we start from the server next to the one that didn't work the last time. This is because the status of a server that failed last time might get reset before we try another one. This can cause that we try to use the nonworking server repeatedly, not giving a chance to other servers. Fixes: #321
* Don't consider one address with different port numbers as the sameMartin Nagy2009-12-156-21/+38
| | | | | | | | | | | | | There were two problems with the code. We were using fo_set_server_status() instead of fo_set_port_status() when we failed to connect to a service. This is a problem because if two services use the same server, or we want to use one server with two different ports, marking the whole server as bad is incorrect. The other problem was that be_resolve_server_done() was comparing the hostent structures -- these are, however, equal across multiple server:port pairs with the same server addresses. Fixes: #321
* Consolidate code for splitting strings by separatorJakub Hrozek2009-12-103-11/+7
| | | | | | | | There were two functions for parsing strings by a separator. This patch consolidates on the one previously used in confdb. This also allows stripping the tokens of whitespace. Fixes: #319
* Correctly restart server status after the timeoutMartin Nagy2009-12-091-1/+1
| | | | | | | The macro STATUS_DIFF() was wrong causing the result to always be lower than 0, therefore the timeout was never reached. Fixes: #302
* Add some debugging statements to fail_over and resolverMartin Nagy2009-12-091-2/+60
| | | | | These were very useful for debugging and hopefully still will be in the future.
* Reduce code duplication between LDAP child and Kerberos childJakub Hrozek2009-12-094-234/+160
| | | | Fixes: #294
* Add dummy credentials to an empty ccache fileSumit Bose2009-12-081-2/+54
| | | | | | | | | Application like krb5-auth-dialog might get confused if there is a credential cache file without any credentials in it. This patch adds an expired credential where only the client and the server principal are set. The client principal is the user's principal and the server principal corresponds to a TGT principal of the realm the user belongs to.
* Fix bug #311, properly set callback attributeSimo Sorce2009-12-071-0/+1
|
* Allow nesting to fix #310Simo Sorce2009-12-071-0/+1
|
* Add offline support for ipa_accessSumit Bose2009-12-072-17/+134
|
* Try to renew Kerberos credentialsSumit Bose2009-12-075-2/+189
| | | | | | | | When using GSSAPI we need a valid service ticket to talk to the LDAP server. If the ticket is expired the LDAP client returns with 'Can't contact LDAP server'. Currently we set the backend offline if this error occurs although the server is still available. This patch checks if the TGT is expired and tries to renew the credentials before going offline.
* Fix nested group membershipsSimo Sorce2009-12-072-154/+189
| | | | | | | | | Search the local db to find the local DN using the original DN as search key. This way we do not have to rely on weak and faulty heuristicts based on DN names. Add a few helper functions in the process and change the way we pass members to sysdb_store_group_send(), instead of passing users and groups list, just add member DNs to the other sysdb attrs.
* Resolve nested groups also when rfc2307bis is usedSimo Sorce2009-12-071-68/+2
|
* Check LDAP structure before calling ldap_unbind_ext()Sumit Bose2009-12-031-1/+3
|
* Setup ldap child logging from IPA backendJakub Hrozek2009-12-034-45/+54
| | | | Fixes: #296
* Immediately return a krb5 change password request when offlineSumit Bose2009-12-011-0/+7
|
* Remove unneeded debugging codeSumit Bose2009-11-251-9/+0
|
* Fix an internal error when cache_credentials=FALSESumit Bose2009-11-251-1/+4
|
* Get TGT in a child process.Jakub Hrozek2009-11-258-164/+1060
| | | | | | | To avoid blocking in a synchronous call, the TGT is saved in a separate process Fixes: #277
* Split helpers for child processesJakub Hrozek2009-11-257-174/+261
| | | | | Moves several functions out of providers/krb5 hierarchy into a separate module so it can be shared by the ldap child.
* In IPA, the realm is always the domain uppercased.Simo Sorce2009-11-251-2/+7
|
* Fix internal options numbers testSimo Sorce2009-11-251-12/+24
| | | | | | Unfortunately since we changed the defines to an enum the preprocessor test stopped working. Turn tests into runtime tests that will abort the process.
* Really check return value from pam_set_itemSumit Bose2009-11-231-3/+3
|
* Read KDC info from file instead from environmentSumit Bose2009-11-238-44/+357
| | | | | | Then name or IP adress of the KDC is written into the pubconf directory into a file named kdcinfo.REALM. The locator plugin will then read this file and pass the data to the kerberos libraries.
* Speed up user requests while offlineStephen Gallagher2009-11-232-37/+77
| | | | | | | | | This adds a new boolean option to sss_dp_send_acct_req() called fast_reply. If we make a request to the backends and we are currently offline, this option will determine whether we should immediately return from the cache (acceptable for NSS requests) or potentially wait for an online check to complete (required for PAM requests).
* Make backend request type a bitfieldStephen Gallagher2009-11-233-5/+5
|
* Add ldap_pwd_policy optionSumit Bose2009-11-234-45/+92
|
* Add initial failover support for ldap and ipaSimo Sorce2009-11-2019-68/+845
| | | | | | | The retun values are still not directly used with ldap libraries that still do their own name resolution, but this patch introduces a very basic framework to have a multiple providers in one domain use and share a single failover service if they want to.
* Raise some timeoutsSimo Sorce2009-11-201-2/+2
| | | | | When using high debug levels or valgrind the code maybe slow enough that these timeouts were too strict.
* Filter by id range before actually storing entries.Simo Sorce2009-11-202-15/+86
| | | | This way we do not need to check for id ranges on every search.
* Enhance check for remote hostsSumit Bose2009-11-202-55/+97
|
* Add ipa_authSumit Bose2009-11-204-1/+350
| | | | | | | | To support IPA DS to Kerberos password migration a seperate authentication target is added. It calls the Kerberos authentication target and in the case of a 'Preauthentication Error' the LDAP authentication target. On success the Kerberos target is called again to request the TGT.
* Improve handling of ccache filesSumit Bose2009-11-203-202/+597
| | | | | | | - save current ccache file to sysdb - use the saved ccache file if the user has running processes - create an empty ccache if offline - return enviroment variables if offline
* Better behavior on cleanupSimo Sorce2009-11-204-20/+44
| | | | | | | | | | | | With the previous code in domains with many users and enumeration enable we would eventually end up making thousands of individual searches for entries in the clean-up process. Change the code to do a full enumeration before a cleanup so we do one single big search to update all entries and only then search for entries to purge. This also fixes the fact that the cleanup task was running at every enumeration instead of running every "ldap_purge_cache_timeout" seconds.
* Validate Kerberos credentials with local keytabSumit Bose2009-11-207-39/+252
|
* Failover fixes and additionsSimo Sorce2009-11-182-6/+24
|
generated by cgit (git 2.34.1) at 2024-05-03 08:52:00 +0000