| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Timers always come before fd events, wait 5 microseconds between processing
operations so that tevent has a chance of cactching an fd event in between.
This allows the backend to reply to pings even while processing very large ldap
results (importanty especially during the first enumeration).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
| | |
|
| | |
|
| |
|
|
|
| |
This converts a great many configuration options to the new
standard format.
|
| |
|
|
|
|
|
|
|
| |
- make the build of the locator plugin optional
- added a man page for the locator plugin
- use krb5.h if krb5/krb5.h cannot be found
- added alternatives for missing functions
- set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version
is lesser than 1.0.0
|
| |
|
|
|
|
|
| |
Remove this provider type, as well as any references in the docs and
examples to the "LEGACYLOCAL" migration domain.
Fixes: #165
|
| |
|
|
| |
Fixes a segfault seen in the wild with providers=files
|
| | |
|
| |
|
|
|
|
|
|
| |
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
| |
|
|
|
| |
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
| |
|
|
|
|
|
|
|
|
| |
There was a chance that groups w/o members could end up causing a failure to
store the group. This would happen in case the structure used by glibc to fill
up the group data was "dirty". Always memset structures before passing them to
te libc and also check if there are any members, before calling the async
function.
Finally add some tracing at level 7 so that it is easier to follow what is going
on in case of touble.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Authentication against a LDAP server should always use an
encrypted connection. To acchive this the LDAP provider calls
ldap_start_tls which will fail if the connection is already
encrypted, e.g. if an ldaps tunnel is already established.
Because the error message from ldap_start_tls is not specific we
check the status with ldap_tls_inplace before calling ldap_start_tls.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The configuration options krb5ccache_dir and krb5ccname_template
are added to the Kerberos provider to create the user's credential
caches the same way as pam_krb5 does. Due to the design of the sssd
and the supported ccache types of MIT Kerberos only files are
allowed.
|
| |
|
|
|
|
| |
- the client sends the PID as uint32_t and sssd will use uint32_t too
- fix a possible type issue where a uint32_t is sent as int32 in internal
dbus communication
|
| |
|
|
|
|
|
|
|
|
| |
This patch makes basic options multiype, the init function assigns
a type from the initialization array, and processes values fetched
from confdb accordingly.
4 types are supported so far: string, number, blob and boolean
Also convert defines into enums where appropriate.
Add fetch functions that check the requested type.
|
| |
|
|
|
| |
Add helpers functions to query/set the offline status per backend.
Now all providers share the same offline status.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The code was still dependent on it for the ldap driver.
Changed the driver code to depend on the schema type.
Fix defaults for user and groups trees.
ATM if you use the rfc2307bis schema you have to put users and groups
in 2 separate trees (what people does by default anyway.
If this limitation will turn to be too hard, we will change this later.
|
| |
|
|
|
|
|
|
|
| |
The request was being freed, instead of marking it done and let the callback
free it when done. This was causing us to access freed memory, when trying to
set the next run.
Let the callback add new runs and free the request instead as normally we would
do with any other tevent_req async call.
Courtesy of valgrind again.
|
| |
|
|
|
|
|
|
| |
By attaching the reply to a subreq, we ended up freeing the operations list
element before we used it to skip to the next one.
Do not steal the context and let the unlocking code free the old reply, when it
moves onto processing the next one.
Got this one with valgrind.
|
| |
|
|
|
|
|
| |
After the recent changes we lost the capability to actually go offline.
Put back code that would mark the backend as offline when timeouts happen.
Make sure the enumeration code also obbeys the offline timeout, and
contributes in determining if we are offline or not.
|
| |
|
|
|
| |
The special persistent local database retains the original name.
All other backends now have their own cache-NAME.ldb file.
|
| |
|
|
| |
Make counter for used messages explicit.
|
| |
|
|
|
| |
Check if the timestamp argument of sdap_save_group_recv is NULL before
using it.
|
| |
|
|
|
| |
sdap_get_initgr_process() was using the wrong sdap_id_map struct
when creating the searchfilter for the initgroups() call.
|
| |
|
|
| |
New tevent library finally outlawed nested loops.
|
| |
|
|
|
| |
If enumerations are disabled for this domain, then do not start the
enumeration task.
|
| |
|
|
|
|
|
|
|
|
|
| |
The data provider backends stored a name value besides the domain
name to identify themselves to the data provider. This was the name
of the id provider. Currently the backends can have different
providers for id, authentication etc. So the name may be missleading.
Also when there are more domains with the same id provider the name
is not enough to identify the backend but the domain name is. As a
consequence the backend name is removed completely and only the
domain name is used for identification.
|
| | |
|
| |
|
|
|
|
| |
Currently the kerberos locator plugin needs these two variables to
be set to find a KDC which is configured in sssd but not in
/etc/krb5.conf.
|
| | |
|
| |
|
|
|
|
| |
Always immediately return to DP, and update users/groups in the background.
Also implements an optimization to retrieve only changed/new users/groups
by filtering using the modifyTimestamp after the first query.
|
| | |
|
| |
|
|
|
| |
First pass to remove the legacy option and make it just a property of the
provider
|
| | |
|
| | |
|
| |
|
|
| |
Try as hard as possible to store as much data as we can.
|
| |
|
|
|
|
| |
- making the realm part upper case is now optional and done in the
LDAP backend
- using a username@realm UPN is now optional
|
| |
|
|
|
| |
If available the original DN and the user principle will be stored
in sysdb.
|
| |
|
|
|
|
| |
If a user principle name (upn) can be found in sysdb the krb5
backend will use this otherwise is build as username@realm. It is
checked that the realm is upper case only.
|
| | |
|
| |
|
|
|
|
|
| |
Remove redundant reconnection code that was interfeering with the sbus
reconnection code.
Consolidate include files for sbus relates operations.
Make pamsrv code similar to nsssrv code.
|
| |
|
|
|
|
|
|
| |
This patch introduces provider=files as a valid provider.
Upon loading the backend, its properties in confdb are overwritten to
those that represent legacy local domain.
Also document this in sssd.conf(5) and example config
|
| |
|
|
| |
Mirrors what we have done with the monitor.
|
