summaryrefslogtreecommitdiffstats
path: root/src/confdb
Commit message (Collapse)AuthorAgeFilesLines
* NSS: Add option to expand homedir template formatLukas Slebodnik2014-06-022-0/+13
| | | | | | | | | LDAP server can contain template for home directory instead of plain string. This patch adds new expand option "%H", which will be replaced with value from configuration option homedir_substring (from sssd.conf) Resolves: https://fedorahosted.org/sssd/ticket/1853
* confdb: add confdb_list_all_domain_names()Pavel Březina2014-05-282-0/+80
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Per-attribute ACL for usersJakub Hrozek2014-05-131-0/+1
| | | | | | | | | | | Introduces a new option called user_attributes that allows to specify which user attributes are allowed to be queried from the IFP responder. By default only the default POSIX set is allowed, this option allows to either add other attributes (+attrname) or remove them from the default set (-attrname). Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IFP: Re-add the InfoPipe serverJakub Hrozek2014-04-041-0/+3
| | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2072 This commit only adds the responder and the needed plumbing. No DBus related code is in yet.
* Update DEBUG* invocations to use new levelsNikolai Kondrashov2014-02-122-34/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make DEBUG macro invocations variadicNikolai Kondrashov2014-02-122-103/+103
| | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* CONFDB: fail if there are domains with same namePavel Reichl2014-02-091-0/+18
| | | | | | | | | | Fail to start sssd if the domains given in the domains option are the same as or only differ in case. Resolves: https://fedorahosted.org/sssd/ticket/2171 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* monitor: Specific error message for missing sssd.confPavel Reichl2013-11-271-2/+7
| | | | | | | | Specific error message is logged for missing sssd.conf file. New sssd specific error value is introduced for this case. Resolves: https://fedorahosted.org/sssd/ticket/2156
* confdb: Make offline timeout configurableMichal Zidek2013-11-071-0/+1
| | | | | | | Added and documented option offline_timeout. Resolves: https://fedorahosted.org/sssd/ticket/1718
* dp: make subdomains refresh interval configurablePavel Březina2013-10-252-0/+10
| | | | | | | | | | This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968
* Remove unused constantsJakub Hrozek2013-10-221-3/+0
|
* Include external headers with #include <foo.h>Jakub Hrozek2013-10-221-4/+5
| | | | | | I find it more readable to include headers from outside the sssd tree with <foo.h>, not "foo.h". The latter should be used for in-tree headers only.
* IPA: store forest name for forest member domainsSumit Bose2013-09-271-0/+1
| | | | | In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
* Add a new option to control subdomain enumerationJakub Hrozek2013-08-282-0/+16
|
* Fix the default FQDN formatJakub Hrozek2013-07-191-2/+2
| | | | | | Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN format by accident to the one we only ever user internally. This commit fixes the mistake.
* IPA: warn if full_name_format is customized in server modeJakub Hrozek2013-07-191-0/+2
| | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2009 If the IPA server mode is on and the SSSD is running on the IPA server, then the server's extdom plugin calls getpwnam_r to read info about trusted users from the AD server and return them to the clients that called the extended operation. The SSSD returns the subdomain users fully-qualified, ie "user@domain" by default. The format of the fully qualified name is configurable. However, the extdom plugin returns the user name without the domain component. With this patch, when ipa_server_mode is on, warn if the full_name_format is set to a non-default value. That would prompt the admin to change the format if he changed it to something exotic.
* Fix some doxygen warningsSumit Bose2013-06-111-2/+0
|
* back end: add refresh expired records periodic taskPavel Březina2013-06-102-0/+14
| | | | | | https://fedorahosted.org/sssd/ticket/1713 Add new option refresh_expired_interval.
* DB: Switch to new libini_config APIOndrej Kos2013-04-261-227/+120
| | | | | | | https://fedorahosted.org/sssd/ticket/1786 Since we need to support the old interface as well, the configure scritp is modified and correct ini interface is chosen.
* Init failover with be_res optionsJakub Hrozek2013-04-031-4/+0
|
* Don't treat 0 as default for pam_pwd_expiration warningJakub Hrozek2013-03-011-1/+2
|
* Fix the krb5 password expiration warningJakub Hrozek2013-02-211-1/+7
| | | | https://fedorahosted.org/sssd/ticket/1808
* Change the way domains are linked.Simo Sorce2013-02-102-10/+4
| | | | | | | | | | | | | | | | | | | - Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
* Add ability to disable domainsSimo Sorce2013-02-101-0/+2
|
* Add function get_next_domain()Simo Sorce2013-02-101-1/+1
| | | | | | | Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
* Add realm info to sss_domain_infoSimo Sorce2013-02-101-0/+1
|
* Convert the value of pwd_exp_warning to secondsJakub Hrozek2013-01-221-5/+6
| | | | | | | | When read from the domain section, the pwd_expiration_warning was properly converted to seconds from days, but not the pam_pwd_expiration_warning set in the [pam] section. https://fedorahosted.org/sssd/ticket/1773
* Move mpg flag to the domain where it belongsSimo Sorce2013-01-152-0/+4
| | | | | A sysdb contains now multiple domains, but the mpg property is a property of a specific domain not of the underlying database.
* failover: Protect against empty host namesMichal Zidek2013-01-021-1/+1
| | | | | | | | | | Added new parameter to split_on_separator that allows to skip empty values. The whole function was rewritten. Unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484
* Add ignore_group_members option.Paul B. Henson2012-11-152-0/+11
| | | | https://fedorahosted.org/sssd/ticket/1376
* Allow setting the default_shell option per-domain as wellJakub Hrozek2012-10-182-0/+11
| | | | https://fedorahosted.org/sssd/ticket/1583
* SSH: Expire hosts in known_hostsJan Cholasta2012-10-051-0/+2
|
* Add new option default_domain_suffixSumit Bose2012-10-011-0/+1
|
* Renamed session provider to selinux providerJan Zeleny2012-07-271-1/+1
|
* NSS: Add override_shell optionStephen Gallagher2012-07-202-0/+12
| | | | | | | | | If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any). https://fedorahosted.org/sssd/ticket/1087
* pac responder: limit access by checking UIDsSumit Bose2012-07-101-0/+1
| | | | | | | | | | | | A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382
* CONFDB: Add the ability to set a boolean value in the confdbStephen Gallagher2012-07-062-0/+80
|
* confdb: add entry_cache_sudo_timeout optionPavel Březina2012-06-292-0/+13
|
* Set default for subdomain_homedirSumit Bose2012-06-252-1/+3
|
* PAC responder: add basic infrastructureSumit Bose2012-06-211-0/+3
| | | | | This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.
* Move some debug lines to new debug log levelsStef Walter2012-06-201-1/+1
| | | | | | | * These are common lines of debug output when starting up sssd https://bugzilla.redhat.com/show_bug.cgi?id=811113
* Make the client idle timeout configurableStephen Gallagher2012-06-181-0/+2
|
* Make re_expression and full_name_format per domain optionsStef Walter2012-06-121-2/+5
| | | | | | | | | | | * Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663
* Allow fast memcache timeout to be configurableJan Zeleny2012-06-101-0/+1
| | | | https://fedorahosted.org/sssd/ticket/1318
* Bad check for id_provider=local and access_provider=permitAriel Barria2012-05-111-1/+1
| | | | | | documentation-access_provider Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
* NSS: Add default_shell optionStephen Gallagher2012-05-091-0/+1
| | | | | | | This option will allow administrators to set a default shell to be used if a user does not have one set in the identity provider. https://fedorahosted.org/sssd/ticket/1289
* NSS: Add fallback_homedir optionStephen Gallagher2012-05-092-4/+18
| | | | | | | | This option is similar to override_homedir, except that it will take effect only for users that do not have an explicit home directory specified in LDAP. https://fedorahosted.org/sssd/ticket/1250
* Modify behavior of pam_pwd_expiration_warningJan Zeleny2012-05-042-0/+21
| | | | | | | | | | | | | | | | | | New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
* fix copy and paste error in commentPavel Březina2012-04-241-1/+1
|
* SSH: Add support for hashed known_hostsJan Cholasta2012-04-241-0/+2
| | | | https://fedorahosted.org/sssd/ticket/1203