| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2613
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2346
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2346
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2571
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a user is a member is a group in a different sub-domain, e.g with
universal groups in AD, the ghost attribute might not be properly
removed from the group object if the user is resolved. The reason is
that only groups from the domain of the user were search for ghost
attributes. This patch increases the search-base to all sub-domains of
the configured SSSD domain.
Resolves https://fedorahosted.org/sssd/ticket/2567
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Two places in sysdb_gpo.c were searching for the GPO result object while
the only difference was the attributes searched for. Remove this
duplication and make the search function static as it's not used outside
the module.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Untested code is risky to change.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
By default user and group overrides use the same attribute name for the
GID and this cause SSSD machinery to add the same value twice which
cause an error in ldb_add() or ldm_modify().
Related to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_search_object_by_sid returns ENOENT if no results are found.
Part od solution for:
https://fedorahosted.org/sssd/ticket/1991
Fixes:
https://fedorahosted.org/sssd/ticket/2520
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2484
When OTPs are used, we can only used each authtoken at most once. When
it comes to Kerberos password changes, this was only working previously
by accident, because the old authtoken was first used to verify the old
password is valid and not expired and then also to acquire a chpass
principal.
This patch looks at the user object in LDAP to check if the user has any
OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped
completely so that the OTP can be used to acquire the chpass ticket
later.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When processing group membership check sysdb for group members from
extern domain and include them in newly processed group membership as
extern members are curently found only when initgroups() is called.
Resolves:
https://fedorahosted.org/sssd/ticket/2492
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_get_bool() return ENOENT if no result is found.
Unit test for sysdb_get_bool() & sysdb_set_bool() was added.
This patch also fixes ldap_setup_enumeration() to handle ENOENT returned by
sysdb_has_enumerated().
Resolves:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Currently some manual steps are needed on a FreeIPA to switch from one
view to another. With this patch the IPA provider checks at startup if
the view name changed and does the needed steps automatically. Besides
saving the new view name this includes removing the old view data and
marking the user and group entries as invalid.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
sysdb_idmap_get_mappings returns ENOENT if no results were found.
Part od solution for:
https://fedorahosted.org/sssd/ticket/1991
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the SSH public key override attribute is read from the
FreeIPA server and saved in the cache with the other override data.
Since it is possible to have multiple public SSH keys this override
value does not replace any other data but will be added to existing
values.
Fixes https://fedorahosted.org/sssd/ticket/2454
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
With the new parameter an attribute list other than the default one can
be used.
Override attributes with multiple values (e.g. SSH public keys) are now
supported as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch add another attribute with is needs for override processing
to the attribute list of sysdb_get_user_attr_with_views(). With two
attribute it does not seem useful to check for existence and add each of
the attributes conditionally. With this patch they are added
unconditionally if the domain has views. Additionally the attributes are
not removed in the end because it is expected that they do not cause any
harm.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Sysdb must be accessible for the nonroot sssd
processes.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
Fix debug messages where '\n' was wrongly followed by '.'.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Make sure that the original name of an object without any overrides
applied is returned by sid2name requests.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
Override-aware replacements for the corresponding ldb_msg_find_* calls.
First it is check if an override value is available before the original
value is returned.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
View-aware drop-in replacements for sysdb_getpwnam() and
sysdb_getpwuid().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_search_user_override_by_name() and
sysdb_search_group_override_by_name() search for overrides in the given
view.
sysdb_add_overrides_to_object() adds the data from the override object
to the original object and makes them available for further processing.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
The information about view is read from the cache and added to the
domain structs accordingly.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The default view is special in the sense that it is the baseline for
every other view and that it always applies even if there is no view
defined. To avoid useless additional processing the default view
overrides are written directly to the corresponding cached object.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_attrs_add_val_safe() works like sysdb_attrs_add_val() but checks
if the attribute value to add already exists. In this case the value
list is not changed. This is useful if values are added from different
sources at different times to avoid LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS
errors from ldb_modify() later on.
sysdb_attrs_add_string_safe() does the same for string arguments
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new request to the nss responder which follows the
same flow as a SSS_NSSGETSIDBYNAME request but returns more data than
just the SID. The data is returned as pairs of \0-terminated strings
where the first string is the sysdb attribute name and the second the
corresponding value.
The main use case is on the FreeIPA server to make additional user and
group data available to the extdom plugin which then send this data to
SSSD running on FreeIPA clients.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2340
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Name of subdomain users is stored with domain part in the sysdb.
We need to use fully qualified names for those user so we can
look them up.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The sysdb.c should be reserved for utility and setup functions. Search
functions belong to sysdb_search.c Keeping functions in specialized
modules helps to maintain nice dependencies and in overall makes unit
testing easier.
Moreover, the function was not unit tested, which needed fixing.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently sysdb_search_group_by_name uses an optimization which might
fail in case-insensitive environments. The DN of the group object is
generated with the help of the given name. Since the DN is
case-sensitive a group lookup will fail if different cases are used.
sysdb_search_user_by_name already handles case-insensitive searches well
and sysdb_search_group_by_name should use the same scheme.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
In the uid=0 case (to obtain new free id) only uidNumber and gidNumber
attributes got written, but not the additonal provided attributes like
alias or others.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|