path: root/src/db
Commit message | Author | Age | Files | Lines
* sudo: sanitize filter values  [rhel-6.8]
  Author: Pavel Březina | Age: 2015-08-31 | Files: 1 | Lines: -2/+13
  Resolves: https://fedorahosted.org/sssd/ticket/2613
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit c526cd124515cc2d44a413dcbfd4a74ddb490150)

* IPA: allow initgroups by UUID for FreeIPA users
  Author: Sumit Bose | Age: 2015-05-06 | Files: 1 | Lines: -11/+21
  If a FreeIPA user is searched with the help of an override name, the UUID from the override anchor is used to search the user. Currently the initgroups request only allows searches by SID or name. With this patch a UUID can be used as well.
  Related to https://fedorahosted.org/sssd/ticket/2642
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 0f9c28eb52d2b45c8a97f709308dc11377831b8c)
  (cherry picked from commit 3b00bcd8b6d53d33207005c4e7a631b6a241d300)

* IPA: enhance ipa_initgr_get_overrides_send()
  Author: Sumit Bose | Age: 2015-05-06 | Files: 1 | Lines: -0/+5
  This patch makes ipa_initgr_get_overrides_send() public and adds support to search overrides by UUID or by SID.
  Related to https://fedorahosted.org/sssd/ticket/2633
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 145578006684481434ced78461ab8d1c3570f478)
  (cherry picked from commit 58a19d50888b1a7da0ee78b49e7d3dcbebc8614d)

* IPA: allow initgroups by SID for AD users
  Author: Sumit Bose | Age: 2015-04-29 | Files: 1 | Lines: -8/+16
  If a user from a trusted AD domain is searched with the help of an override name, the SID from the override anchor is used to search the user in AD. Currently the initgroups request only allows searches by name. With this patch a SID can be used as well.
  Resolves https://fedorahosted.org/sssd/ticket/2632
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit f70a1adbfc30b9acc302027439fb8157e0c6ea2a)

* sdap: properly handle binary objectGuid attribute
  Author: Sumit Bose | Age: 2015-03-27 | Files: 2 | Lines: -0/+58
  Although in the initial processing SSSD treats the binary value right, at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache, but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache.
  Resolves https://fedorahosted.org/sssd/ticket/2588
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 4619742836ec22edf8f9d274d928bc896c5b0883)

* Log reason in debug message why ldb_modify failed
  Author: Lukas Slebodnik | Age: 2015-03-13 | Files: 7 | Lines: -9/+63
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  (cherry picked from commit 04d138472cc086fb7961f0d378852b09961b1a33)

* be_refresh: support groups
  Author: Pavel Březina | Age: 2015-03-08 | Files: 2 | Lines: -0/+10
  Resolves: https://fedorahosted.org/sssd/ticket/2346
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit 61c8d13e55ebafc28da1b0b5ad9ae578d687e288)

* be_refresh: support users
  Author: Pavel Březina | Age: 2015-03-08 | Files: 2 | Lines: -0/+9
  Resolves: https://fedorahosted.org/sssd/ticket/2346
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit e77d6366ff9e49dbbb607f1709f1ae4190b99489)

* Add missing new lines to debug messages
  Author: Lukas Slebodnik | Age: 2015-02-18 | Files: 3 | Lines: -5/+5
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Add UUID when saving incomplete groups
  Author: Jakub Hrozek | Age: 2015-01-30 | Files: 2 | Lines: -0/+7
  Related to: https://fedorahosted.org/sssd/ticket/2571
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  (cherry picked from commit 108db0e3b9e06e530364ef8228634f5e3f6bd3b5)

* sysdb: remove ghosts in all sub-domains as well
  Author: Sumit Bose | Age: 2015-01-23 | Files: 1 | Lines: -2/+3
  If a user is a member of a group in a different sub-domain, e.g. with universal groups in AD, the ghost attribute might not be properly removed from the group object if the user is resolved. The reason is that only groups from the domain of the user were searched for ghost attributes. This patch increases the search base to all sub-domains of the configured SSSD domain.
  Resolves https://fedorahosted.org/sssd/ticket/2567
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit fc2146c108e28d50bbf691925cedf9592142dd14)

* sysdb: fix group members with overridden names
  Author: Sumit Bose | Age: 2015-01-13 | Files: 2 | Lines: -11/+63
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  (cherry picked from commit fbcdc08722aa8ed17c4b114e01fbb37c02cfb2fe)

* TESTS: Cover sysdb_gpo.c with unit tests
  Author: Jakub Hrozek | Age: 2015-01-08 | Files: 1 | Lines: -0/+2
  Untested code is risky to change.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit ee8dccf5f0a7de4aba16ab73a53872df9a65175c)

* IPA: do not try to add override gid twice
  Author: Sumit Bose | Age: 2014-12-17 | Files: 1 | Lines: -1/+7
  By default user and group overrides use the same attribute name for the GID, and this causes the SSSD machinery to add the same value twice, which causes an error in ldb_add() or ldb_modify().
  Related to https://fedorahosted.org/sssd/ticket/2514
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* SYSDB: sysdb_search_object_by_sid returns ENOENT
  Author: Pavel Reichl | Age: 2014-12-17 | Files: 2 | Lines: -60/+10
  sysdb_search_object_by_sid returns ENOENT if no results are found.
  Part of solution for: https://fedorahosted.org/sssd/ticket/1991
  Fixes: https://fedorahosted.org/sssd/ticket/2520
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* Skip CHAUTHTOK_PRELIM when using OTPs
  Author: Jakub Hrozek | Age: 2014-12-13 | Files: 1 | Lines: -0/+2
  https://fedorahosted.org/sssd/ticket/2484
  When OTPs are used, we can only use each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* LDAP: retain external members
  Author: Pavel Reichl | Age: 2014-12-13 | Files: 2 | Lines: -0/+89
  When processing group membership, check sysdb for group members from an extern domain and include them in the newly processed group membership, as extern members are currently found only when initgroups() is called.
  Resolves: https://fedorahosted.org/sssd/ticket/2492
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SYSDB: sysdb_get_bool() return ENOENT & unit tests
  Author: Pavel Reichl | Age: 2014-12-02 | Files: 1 | Lines: -1/+8
  sysdb_get_bool() returns ENOENT if no result is found. A unit test for sysdb_get_bool() & sysdb_set_bool() was added. This patch also fixes ldap_setup_enumeration() to handle ENOENT returned by sysdb_has_enumerated().
  Resolves: https://fedorahosted.org/sssd/ticket/1991
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* views: allow view name change at startup
  Author: Sumit Bose | Age: 2014-11-25 | Files: 1 | Lines: -8/+4
  Currently some manual steps are needed on a FreeIPA to switch from one view to another. With this patch the IPA provider checks at startup if the view name changed and does the needed steps automatically. Besides saving the new view name this includes removing the old view data and marking the user and group entries as invalid.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: add sysdb_invalidate_overrides()
  Author: Sumit Bose | Age: 2014-11-25 | Files: 2 | Lines: -0/+126
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sysdb: add sysdb_delete_view_tree()
  Author: Sumit Bose | Age: 2014-11-25 | Files: 2 | Lines: -0/+36
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sysdb: add sysdb_search_object_by_uuid()
  Author: Sumit Bose | Age: 2014-11-20 | Files: 2 | Lines: -0/+84
  Related to https://fedorahosted.org/sssd/ticket/2481
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SYSDB: sysdb_idmap_get_mappings returns ENOENT
  Author: Pavel Reichl | Age: 2014-11-19 | Files: 1 | Lines: -6/+5
  sysdb_idmap_get_mappings returns ENOENT if no results were found.
  Part of solution for: https://fedorahosted.org/sssd/ticket/1991
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* Views: apply user SSH public key override
  Author: Sumit Bose | Age: 2014-11-05 | Files: 1 | Lines: -11/+27
  With this patch the SSH public key override attribute is read from the FreeIPA server and saved in the cache with the other override data. Since it is possible to have multiple public SSH keys, this override value does not replace any other data but will be added to existing values.
  Fixes https://fedorahosted.org/sssd/ticket/2454
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sysdb_add_overrides_to_object: add new parameter and multi-value support
  Author: Sumit Bose | Age: 2014-11-05 | Files: 3 | Lines: -25/+43
  With the new parameter an attribute list other than the default one can be used. Override attributes with multiple values (e.g. SSH public keys) are now supported as well.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sysdb_get_user_attr_with_views: add mandatory override attributes
  Author: Sumit Bose | Age: 2014-11-05 | Files: 1 | Lines: -39/+8
  This patch adds another attribute which is needed for override processing to the attribute list of sysdb_get_user_attr_with_views(). With two attributes it does not seem useful to check for existence and add each of the attributes conditionally. With this patch they are added unconditionally if the domain has views. Additionally, the attributes are not removed in the end because it is expected that they do not cause any harm.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SYSDB: Allow calling chown on the sysdb file from monitor
  Author: Michal Zidek | Age: 2014-10-22 | Files: 2 | Lines: -0/+30
  Sysdb must be accessible for the nonroot sssd processes.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>

* Fix debug messages - trailing '.'
  Author: Pavel Reichl | Age: 2014-10-22 | Files: 1 | Lines: -2/+2
  Fix debug messages where '\n' was wrongly followed by '.'.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* Add sysdb_get_user_attr_with_views
  Author: Pavel Březina | Age: 2014-10-20 | Files: 2 | Lines: -0/+118
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add sysdb_search_[user|group]_override_attrs_by_name
  Author: Pavel Březina | Age: 2014-10-20 | Files: 2 | Lines: -25/+51
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* sysdb: add sysdb_enumpw/grent_with_views()
  Author: Sumit Bose | Age: 2014-10-20 | Files: 2 | Lines: -0/+96
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sid2name: return name without views applied
  Author: Sumit Bose | Age: 2014-10-20 | Files: 1 | Lines: -0/+1
  Make sure that the original name of an object without any overrides applied is returned by sid2name requests.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: add sysdb_getgrnam_with_views and sysdb_getgrgid_with_views
  Author: Sumit Bose | Age: 2014-10-20 | Files: 3 | Lines: -0/+311
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: add sysdb_initgroups_with_views()
  Author: Sumit Bose | Age: 2014-10-20 | Files: 2 | Lines: -0/+119
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: add sss_view_ldb_msg_find_element/attr_as_string/uint64
  Author: Sumit Bose | Age: 2014-10-20 | Files: 2 | Lines: -0/+131
  Override-aware replacements for the corresponding ldb_msg_find_* calls. First it is checked if an override value is available before the original value is returned.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: add sysdb_getpwnam/uid_with_views()
  Author: Sumit Bose | Age: 2014-10-20 | Files: 3 | Lines: -0/+286
  View-aware drop-in replacements for sysdb_getpwnam() and sysdb_getpwuid().
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: add override lookup calls
  Author: Sumit Bose | Age: 2014-10-20 | Files: 2 | Lines: -1/+308
  sysdb_search_user_override_by_name() and sysdb_search_group_override_by_name() search for overrides in the given view. sysdb_add_overrides_to_object() adds the data from the override object to the original object and makes them available for further processing.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: add view data to domains
  Author: Sumit Bose | Age: 2014-10-20 | Files: 1 | Lines: -0/+116
  The information about the view is read from the cache and added to the domain structs accordingly.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: sysdb_apply_default_override
  Author: Sumit Bose | Age: 2014-10-16 | Files: 2 | Lines: -13/+199
  The default view is special in the sense that it is the baseline for every other view and that it always applies even if there is no view defined. To avoid useless additional processing, the default view overrides are written directly to the corresponding cached object.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sysdb: add sysdb_attrs_add_val_safe() and sysdb_attrs_add_string_safe()
  Author: Sumit Bose | Age: 2014-10-16 | Files: 2 | Lines: -2/+42
  sysdb_attrs_add_val_safe() works like sysdb_attrs_add_val() but checks if the attribute value to add already exists. In this case the value list is not changed. This is useful if values are added from different sources at different times, to avoid LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS errors from ldb_modify() later on. sysdb_attrs_add_string_safe() does the same for string arguments.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: add sysdb_store_override
  Author: Sumit Bose | Age: 2014-10-16 | Files: 2 | Lines: -0/+290
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* IPA: add view support and get view name
  Author: Sumit Bose | Age: 2014-10-16 | Files: 1 | Lines: -0/+4
  Related to https://fedorahosted.org/sssd/ticket/2375
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sysdb: add sysdb_update_view_name()
  Author: Sumit Bose | Age: 2014-10-16 | Files: 2 | Lines: -0/+192
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* nss: add SSS_NSS_GETORIGBYNAME request
  Author: Sumit Bose | Age: 2014-10-14 | Files: 1 | Lines: -0/+7
  This patch adds a new request to the nss responder which follows the same flow as a SSS_NSS_GETSIDBYNAME request but returns more data than just the SID. The data is returned as pairs of \0-terminated strings where the first string is the sysdb attribute name and the second the corresponding value. The main use case is on the FreeIPA server to make additional user and group data available to the extdom plugin, which then sends this data to SSSD running on FreeIPA clients.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* NSS: UPN as a template expansion for homedir mappings
  Author: Pavel Reichl | Age: 2014-10-12 | Files: 1 | Lines: -0/+2
  Fixes: https://fedorahosted.org/sssd/ticket/2340
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sysdb_get_user_attr: use fqn for subdomain users
  Author: Pavel Březina | Age: 2014-10-09 | Files: 1 | Lines: -2/+11
  The name of subdomain users is stored with the domain part in the sysdb. We need to use fully qualified names for those users so we can look them up.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* SYSDB: move sysdb_get_real_name() from sysdb.c to sysdb_search.c
  Author: Jakub Hrozek | Age: 2014-10-06 | Files: 3 | Lines: -53/+55
  The sysdb.c should be reserved for utility and setup functions. Search functions belong to sysdb_search.c. Keeping functions in specialized modules helps to maintain nice dependencies and overall makes unit testing easier. Moreover, the function was not unit tested, which needed fixing.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* AD-GPO resolve conflicting policy settings correctly
  Author: Yassir Elley | Age: 2014-10-02 | Files: 2 | Lines: -55/+331
  Resolves: https://fedorahosted.org/sssd/ticket/2437
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

* sysdb: sysdb_search_group_by_name should work like sysdb_search_user_by_name
  Author: Sumit Bose | Age: 2014-09-17 | Files: 1 | Lines: -43/+42
  Currently sysdb_search_group_by_name uses an optimization which might fail in case-insensitive environments. The DN of the group object is generated with the help of the given name. Since the DN is case-sensitive, a group lookup will fail if different cases are used. sysdb_search_user_by_name already handles case-insensitive searches well and sysdb_search_group_by_name should use the same scheme.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sysdb: Write additional attrs in sysdb_add_user
  Author: Daniel Gollub | Age: 2014-09-17 | Files: 1 | Lines: -1/+2
  In the uid=0 case (to obtain a new free id) only the uidNumber and gidNumber attributes got written, but not the additional provided attributes like alias or others.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>