summaryrefslogtreecommitdiffstats
path: root/server/responder/pam
Commit message (Collapse)AuthorAgeFilesLines
* Use standard coding practice to set last loginSimo Sorce2009-10-271-90/+128
| | | | | | | | | This rewrite should also fix a segfault in the code that may happen when exiting in case of error conditions. The previous code was attaching the transaction handle to llreq structure and then calling prepare_reply() from within the request handlers which could ultimately free the preq and llreq and handle before the transaction request was actually completed by tevent.
* Add support for offline auth cache timeoutStephen Gallagher2009-10-224-3/+192
| | | | | | | | | This adds a new option (offline_credentials_expiration) to the [PAM] section of the sssd.conf If the user does not perform an online authentication within the timeout (in days), they will be denied auth once the timeout passes.
* Add pam_ctx (similar to nss_ctx) for storing global PAM configStephen Gallagher2009-10-222-5/+25
|
* Remove two unused functions.Stephen Gallagher2009-10-151-10/+0
| | | | | | These functions were used when reconnecting to the DP after losing the connection. Since there is no DP any longer, there's no reason to have these functions.
* Fix offline authenticationSimo Sorce2009-10-151-16/+3
| | | | | | | | The way we were processing errors from the provider caused offline authentication to stop working. Previously the problem was masked by a bug in the data provider that always returned "Success" for any operation no matter what the actual return code was. when DP got removed the bug became evident.
* Remove DP processSimo Sorce2009-10-092-22/+27
| | | | | Turn the backend process into data provider servers Make Frontends (pam, nss) directly attach to the backends
* Remove unused btreemap codeStephen Gallagher2009-10-061-1/+0
| | | | | We have converted to using dhash in place of btreemap everywhere in the code.
* Send debug messages to logfileJakub Hrozek2009-09-251-1/+3
| | | | | | | | | | | | | Introduces a new option --debug-to-files which makes SSSD output its debug information to a file instead of stderr, which is still the default. Also introduces a new confdb option debug_to_files which does the same, but can be specified per-service in the config file. The logfiles are stored in /var/log/sssd by default. Changes the initscript to log to files by default.
* Upgrade confdb to version 2Stephen Gallagher2009-09-251-5/+4
| | | | | This converts a great many configuration options to the new standard format.
* Revert "Use syslog for logging error conditions in SSSD"Stephen Gallagher2009-09-235-22/+14
| | | | | | | | This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d. Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made use of the SYSLOG_ERROR() macro, so those portions of that code also needed to be reverted.
* Use syslog for logging error conditions in SSSDJakub Hrozek2009-09-215-14/+22
| | | | | This is just a band-aid until ELAPI is fully functional and ready to use.
* make cli_pid mandatory and increase version number of pam protocolSumit Bose2009-09-141-1/+25
|
* Let the PAM client send its PIDSumit Bose2009-09-141-0/+19
| | | | | | - the client sends the PID as uint32_t and sssd will use uint32_t too - fix a possible type issue where a uint32_t is sent as int32 in internal dbus communication
* Add copyright noticesJakub Hrozek2009-09-111-0/+21
| | | | Fixes: #138
* Split database in multiple filesSimo Sorce2009-09-083-5/+41
| | | | | The special persistent local database retains the original name. All other backends now have their own cache-NAME.ldb file.
* Fix reconnection codeSimo Sorce2009-08-174-48/+57
| | | | | | | Remove redundant reconnection code that was interfeering with the sbus reconnection code. Consolidate include files for sbus relates operations. Make pamsrv code similar to nsssrv code.
* Refactor responder_dp.cStephen Gallagher2009-08-141-6/+6
| | | | | | Many of the functions in responder_dp.c were originally NSS- specific and were moved there from the NSS responder code. Since they are now generic to any responder, rename them to sss_dp_*
* Change the why DP clients identifySimo Sorce2009-08-113-53/+16
| | | | Mirrors what we have done with the monitor.
* Change services identification mechanismSimo Sorce2009-08-111-72/+5
| | | | | | | Let services identify themselves voiluntarily as the first operation instead of polling from the monitor. Also consolidate some common functions and make them available as monitor helpers.
* Make child processes exit when parent diesJakub Hrozek2009-08-111-0/+6
| | | | | | | | The child processes call prctl() and when their parent process is killed, they are sent SIGTERM using prctl. This is currently Linux-specific, for non-Linuxes, a similar effect is achieved by catching a set of common termination signals and sending SIGTERM to the process group.
* Make socket paths a compile-time optionStephen Gallagher2009-08-111-1/+0
| | | | | | Previously, we had hardcoded the paths for the NSS, PAM and private PAM sockets to /var/lib/sss/pipes. With this patch, we will specify the sockets with --with-pipe-path.
* Simplify interfaces initializationSimo Sorce2009-08-103-30/+37
| | | | | | | Make as much as possible static, and remove use of talloc_reference and allocation/deallocation of memory when not necessary. Fix also responder use of rctx->conn, was mistakenly used for both monitor and dp connections.
* Cosmetic changesSimo Sorce2009-08-102-21/+21
| | | | | Rationalize and rename connection names in preparatoin for merging of server and connection structures.
* Remove redundant memory contextsSimo Sorce2009-08-102-5/+5
| | | | Simplify code by removing stuff that is never used or redundant.
* Address CVE-2009-2410Stephen Gallagher2009-07-291-1/+1
| | | | Fix incorrect error code return in local_handler_callback
* Implement resInit for monitor, NSS, PAM, DP and the backendsStephen Gallagher2009-07-201-0/+20
|
* Rework transaction code to use tevent_reqSimo Sorce2009-07-031-31/+84
| | | | | | This is part of a set of patches to rewrite sysdb to a hopefully better API, that will also let use use tevent_req async style calls to manipulate our cache.
* Rename sysdb_req to sysdb_handle.Simo Sorce2009-07-032-12/+6
| | | | | | | | | This sysdb_req has always really been a transaction handle and not a request. This is part of a set of patches to rewrite transaction support in sysdb to a hopefully better API, that will also let use use tevent_req async style to manipulate our cache.
* check pending_return after dbus_connection_send_with_replySumit Bose2009-07-021-1/+1
|
* added kerberos backend with tevent_req event handlingSumit Bose2009-07-021-1/+19
|
* fix detection of authentication against LOCAL domainSumit Bose2009-06-081-3/+9
|
* special-case NSS calls in PAM codeJakub Hrozek2009-05-281-2/+2
|
* fix a wrong timeoutSumit Bose2009-05-261-3/+4
| | | | | The timeout of the data provider call (in ms) got overwritten by a cache timeout (in s).
* Move actual password caching into sysdbSimo Sorce2009-05-184-126/+2
| | | | Convert auth modules to do the caching themselves
* Prevent accepting blank passwordsSimo Sorce2009-05-181-0/+7
|
* Fix crypt functions to not use static buffers.Simo Sorce2009-05-182-18/+16
| | | | Also fix style, clarify, and simplify some logic.
* added new pam client protocolSumit Bose2009-05-151-1/+132
|
* added more flexible handling of client protocolSumit Bose2009-05-151-1/+12
| | | | | - allow different protocol versions for PAM and NSS - support more than one protocol version in the responder
* added check for NULL valuesSumit Bose2009-05-142-9/+1
| | | | | - allow unspecified value in struct pam_data to be NULL - check if domain structure is initialized in pam_reply
* handle other pam calls when offlineSumit Bose2009-04-281-0/+10
|
* Use different attribute for cached passwords change timeSumit Bose2009-04-281-2/+2
|
* change PAM timeout the match NSS timeSumit Bose2009-04-282-3/+1
|
* Use different attribute for cached passwordsSimo Sorce2009-04-271-3/+3
| | | | | | | This fixes a bug with legacy backends where the cached password would be cleared on a user update. Using a different attribute we make sure a userPassword coming from the remote backend does not interfere with a cachedPassword (and vice versa).
* fix for pam proxy chauthtokSumit Bose2009-04-271-0/+1
| | | | | | | | | | When a user from a domain served by the proxy backend changes his password with passwd the passwd command asks for the old password, but it is not validated by the pam_chauthtok call in the proxy backend, because it is running as root. If the request is coming the unpriviledged socket we now call pam_authenticate explicitly before pam_chauthtok.
* removed length of unused element from packet size calculationSumit Bose2009-04-231-1/+1
| | | | | | The domain name is no longer send as an element on its own, but if set as a member of the response array. If the user was not found pd->domain is NULL and strlen will seg-fault.
* fix for a seq fault when pam_reply_delay is called.Sumit Bose2009-04-221-2/+2
| | | | see https://fedorahosted.org/sssd/ticket/25
* Force user check and discover user's domainSimo Sorce2009-04-172-19/+319
| | | | | | | | | | | Force a user lookup against the users domain provider. If a user domain is not specified search though all non fully qualifying domains. Perform authentication against the corrent domain auth backend, based on the user's domain found in the lookup if one was not specified. Also move the NSS-DP functions in COMMON-DP as they are reused by the PAM responder too now.
* Make reconnection to the Data Provider a global settingStephen Gallagher2009-04-141-2/+2
| | | | | | | Previously, every DP client was allowed to set its own "retries" option. This option was ambiguous, and useless. All DP clients will now use a global option set in the services config called "reconnection_retries"
* Fix a couple of segfaults and timeout checksSimo Sorce2009-04-131-1/+1
|
* Implement credentials caching in pam responder.Simo Sorce2009-04-138-373/+494
| | | | | | | Implement credentials caching in pam responder. Currently works only for the proxy backend. Also cleanup pam responder code and mode common code in data provider. (the data provider should never include responder private headers)