| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Mirrors what we have done with the monitor.
|
| |
|
|
|
|
|
| |
Let services identify themselves voiluntarily as the first operation
instead of polling from the monitor.
Also consolidate some common functions and make them available as monitor
helpers.
|
| |
|
|
|
|
|
|
| |
The child processes call prctl() and when their parent process is
killed, they are sent SIGTERM using prctl. This is currently
Linux-specific, for non-Linuxes, a similar effect is achieved by
catching a set of common termination signals and sending SIGTERM to the
process group.
|
| |
|
|
|
|
| |
Previously, we had hardcoded the paths for the NSS, PAM and
private PAM sockets to /var/lib/sss/pipes. With this patch, we
will specify the sockets with --with-pipe-path.
|
| |
|
|
|
|
|
| |
Make as much as possible static, and remove use of talloc_reference and
allocation/deallocation of memory when not necessary.
Fix also responder use of rctx->conn, was mistakenly used for both
monitor and dp connections.
|
| |
|
|
|
| |
Rationalize and rename connection names in preparatoin for merging of server and
connection structures.
|
| |
|
|
| |
Simplify code by removing stuff that is never used or redundant.
|
| |
|
|
| |
Fix incorrect error code return in local_handler_callback
|
| | |
|
| |
|
|
|
|
| |
This is part of a set of patches to rewrite sysdb to a hopefully better
API, that will also let use use tevent_req async style calls to manipulate
our cache.
|
| |
|
|
|
|
|
|
|
| |
This sysdb_req has always really been a transaction handle and not
a request.
This is part of a set of patches to rewrite transaction support in sysdb to a
hopefully better API, that will also let use use tevent_req async style to
manipulate our cache.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
The timeout of the data provider call (in ms) got overwritten by a cache
timeout (in s).
|
| |
|
|
| |
Convert auth modules to do the caching themselves
|
| | |
|
| |
|
|
| |
Also fix style, clarify, and simplify some logic.
|
| | |
|
| |
|
|
|
| |
- allow different protocol versions for PAM and NSS
- support more than one protocol version in the responder
|
| |
|
|
|
| |
- allow unspecified value in struct pam_data to be NULL
- check if domain structure is initialized in pam_reply
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This fixes a bug with legacy backends where the cached password would be cleared
on a user update.
Using a different attribute we make sure a userPassword coming from the remote
backend does not interfere with a cachedPassword (and vice versa).
|
| |
|
|
|
|
|
|
|
|
| |
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
| |
|
|
|
|
| |
The domain name is no longer send as an element on its own, but
if set as a member of the response array. If the user was not found
pd->domain is NULL and strlen will seg-fault.
|
| |
|
|
| |
see https://fedorahosted.org/sssd/ticket/25
|
| |
|
|
|
|
|
|
|
|
|
| |
Force a user lookup against the users domain provider.
If a user domain is not specified search though all non fully qualifying
domains.
Perform authentication against the corrent domain auth backend, based on the
user's domain found in the lookup if one was not
specified.
Also move the NSS-DP functions in COMMON-DP as they are reused by the PAM
responder too now.
|
| |
|
|
|
|
|
| |
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
| | |
|
| |
|
|
|
|
|
| |
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and mode common code in data provider.
(the data provider should never include responder private headers)
|
| |
|
|
|
| |
Change sysdb to always passwd sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
To be able to correctly filter out duplicate names when multiple non-fully
qualified domains are in use we need to be able to specify the domains order.
This is now accomplished by the configuration paramets 'domains' in the
config/domains entry. 'domains' is a comma separated list of domain names.
This paramter allows also to have disbaled domains in the configuration without
requiring to completely delete them.
The domains list is now kept in a linked list of sss_domain_info objects.
The first domain is also the "default" domain.
|
| | |
|
| |
|
|
|
|
| |
Use common sss_parse_name function in all responders
Simplify responder headers by combining common,cmd,dp in one header and
add name parse structure as part of the common responder context.
|
| |
|
|
|
| |
This way LOCAL domains backed by files works as expected too.
Tested with nss_files + pam_unix
|
| | |
|
| |
|
|
|
|
|
| |
May happen at startup if, for some reason dp is very slow to start and we
receive a request before a reconnection is rescheduled in the responder dp
reconnection code.
This shouldn't happen normally so make it clear with a debug statement.
|
| |
|
|
|
| |
Make nss_ctx a private pointer of the common resp_ctx
Use sss_process_init and remove all duplicate functions from nsssrv.c
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Now it can load from scratch default configuration that is valid for all
daemons.
First thing, make it possible for each daemon/provider to set its own debug
level in its configuration entry.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Also shorten names oh other user attributes.
|
