| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
Groups also need to honor the settable password field and use * by default.
|
| |
|
|
|
|
| |
This allows for correctly reporting nested group members, while at the same
time not paying a too high price for caluclating nested groups at runtime e
very time a search is made.
|
| |
|
|
|
| |
When I converted fill_grent to speed up enumerations I left out this check
by mistake.
|
| |
|
|
|
|
|
|
|
| |
This adds a new boolean option to sss_dp_send_acct_req() called
fast_reply. If we make a request to the backends and we are
currently offline, this option will determine whether we should
immediately return from the cache (acceptable for NSS requests) or
potentially wait for an online check to complete (required for PAM
requests).
|
| |
|
|
| |
This way we do not need to check for id ranges on every search.
|
| |
|
|
|
| |
This brings down the time needed to enumerate my group database
from 2.4 seconds to 0.15 seconds.
|
| |
|
|
|
|
|
|
| |
Per the discussion on sssd-devel list, nss_sss should not return a
hardcoded value but this should rather be configurable to allow whatever
the OS or distribution thinks is the best for the particular case.
Fixes: #266
|
| |
|
|
|
|
|
| |
We were previously always ending up contacting the backend because we had no
way to know if an initgroups call for the same user had ever been called.
Add attribute to hold this information and rely on backends to update it.
If they don't we fallback to the previous behvior of asking the backend.
|
| |
|
|
|
|
|
|
| |
Also rework check_cache so that the operations it makes are more explicit.
Also add comments about why we are doing something.
Should make the code easier to understand in future (took quite some time and
discussion on IRC to understand exactly how this function was behaving and to
find the callback passing bug).
|
| | |
|
| |
|
|
|
| |
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
| |
|
|
|
|
| |
These functions were used when reconnecting to the DP after losing
the connection. Since there is no DP any longer, there's no reason
to have these functions.
|
| |
|
|
|
| |
Turn the backend process into data provider servers
Make Frontends (pam, nss) directly attach to the backends
|
| |
|
|
|
| |
We have converted to using dhash in place of btreemap everywhere
in the code.
|
| |
|
|
|
|
| |
Loop control variable was not being incremented.
I also converted a goto loop into a do...while loop to make it
easier to follow the logic.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
| |
|
|
|
| |
This converts a great many configuration options to the new
standard format.
|
| |
|
|
|
|
|
|
| |
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
| |
|
|
|
| |
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
| |
|
|
|
| |
The patch that added check_cache() broke them, no results returned for any group
with actual members ...
|
| |
|
|
|
|
|
|
| |
This timeout specifies the lifetime of a cache entry before it is
updated out-of-band. When this timeout is hit, the request will
still complete from cache, but the SSSD will also go and update
the cached entry in the background to extend the life of the
cache entry and reduce the wait time of a future request.
|
| |
|
|
|
|
| |
getpwnam, getpwuid, getgrnam and getgrgid will now use a common
function, check_cache, for determining whether to return a cached
value or to go to the provider.
|
| |
|
|
|
| |
The special persistent local database retains the original name.
All other backends now have their own cache-NAME.ldb file.
|
| |
|
|
| |
Make counter for used messages explicit.
|
| | |
|
| |
|
|
| |
Also remove legacy memberuid support
|
| |
|
|
|
|
|
|
| |
- with the boolean option filterUsersInGroups it can be controlled
wether filtered users appear in groups or not.
- fixed an error which prevented the display of groups with filtered
members
- removed some tab indents
|
| |
|
|
|
|
|
| |
Remove redundant reconnection code that was interfeering with the sbus
reconnection code.
Consolidate include files for sbus relates operations.
Make pamsrv code similar to nsssrv code.
|
| |
|
|
|
|
| |
Many of the functions in responder_dp.c were originally NSS-
specific and were moved there from the NSS responder code. Since
they are now generic to any responder, rename them to sss_dp_*
|
| |
|
|
| |
Mirrors what we have done with the monitor.
|
| |
|
|
|
|
|
| |
Let services identify themselves voiluntarily as the first operation
instead of polling from the monitor.
Also consolidate some common functions and make them available as monitor
helpers.
|
| |
|
|
|
|
|
|
| |
The child processes call prctl() and when their parent process is
killed, they are sent SIGTERM using prctl. This is currently
Linux-specific, for non-Linuxes, a similar effect is achieved by
catching a set of common termination signals and sending SIGTERM to the
process group.
|
| |
|
|
|
|
| |
Previously, we had hardcoded the paths for the NSS, PAM and
private PAM sockets to /var/lib/sss/pipes. With this patch, we
will specify the sockets with --with-pipe-path.
|
| |
|
|
|
|
|
| |
Make as much as possible static, and remove use of talloc_reference and
allocation/deallocation of memory when not necessary.
Fix also responder use of rctx->conn, was mistakenly used for both
monitor and dp connections.
|
| |
|
|
|
| |
Rationalize and rename connection names in preparatoin for merging of server and
connection structures.
|
| |
|
|
| |
Simplify code by removing stuff that is never used or redundant.
|
| | |
|
| |
|
|
|
|
| |
The previous patch to fix an enumeration bug found with group enumeration
inadvertently introduced a bug with user enumeration.
Yeah, almost funny!
|
| |
|
|
|
|
|
|
|
|
| |
If a backend had all its results filtered in fill_pwent or fill_grent
then we would return an empty result, which means "end of results" to
the client.
Now we return ENOENT and let callers decide what to do.
Also make sure we do not grow packets unless we are going to fill them
as that's a recipe for killing the client as the size passed to
sss_packet_grow is used to determine the size of the final packet.
|
| | |
|
| | |
|
| |
|
|
|
| |
- allow different protocol versions for PAM and NSS
- support more than one protocol version in the responder
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Force a user lookup against the users domain provider.
If a user domain is not specified search though all non fully qualifying
domains.
Perform authentication against the corrent domain auth backend, based on the
user's domain found in the lookup if one was not
specified.
Also move the NSS-DP functions in COMMON-DP as they are reused by the PAM
responder too now.
|
| |
|
|
|
|
| |
We need to stop parsing domains as soon as a caaandidate is found and let the
callback search additional domains if the id is not found.
Should fix ticket #21
|
| |
|
|
|
|
| |
Also convert all places where we were using custom code to parse
config arguments.
And fix a copy&paste error in nss_get_config
|
| |
|
|
|
|
|
| |
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
| | |
|
