path: root/src/db
Commit message | Author | Age | Files | Lines
* Make IPA SELinux provider aware of subdomain users | Jakub Hrozek | 2013-09-03 | 2 files | -4/+7
  Fixes https://fedorahosted.org/sssd/ticket/1892
* Only try to relink ghost users if we're not enumerating | Jakub Hrozek | 2013-04-29 | 1 file | -0/+9
  https://fedorahosted.org/sssd/ticket/1893

  When SSSD is not enumerating (which is the default), we are trying to link any "ghost" entries with a newly created user entry. However, when enumeration is on, this means a spurious search on adding any user.
* sysdb: try dealing with binary-content attributes | Jan Engelhardt | 2013-02-26 | 2 files | -0/+12
  https://fedorahosted.org/sssd/ticket/1818

  I have here an LDAP user entry which has this attribute:
  loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA

  In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.)

  Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information.

  The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
* SYSDB: Expire group if adding ghost users fails with EEXIST | Jakub Hrozek | 2013-01-23 | 1 file | -2/+36
* SYSDB: make the sss_ldb_modify_permissive function public | Jakub Hrozek | 2013-01-23 | 2 files | -2/+11
* sudo responder: change num_rules type from size_t to uint32_t | Pavel Březina | 2013-01-22 | 2 files | -5/+5
  https://fedorahosted.org/sssd/ticket/1779

  2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus.
* LDAP: Compare lists of DNs when saving autofs entries | Jakub Hrozek | 2013-01-21 | 2 files | -7/+29
  https://fedorahosted.org/sssd/ticket/1758

  The autofs entries do not have the key as a unique identifier, but rather the full (key, value) tuple, as some keys have a special meaning, such as the direct mount key (/-), and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
* SYSDB: Split a function to read all SELinux maps | Jakub Hrozek | 2013-01-08 | 2 files | -23/+49
* SYSDB: Remove duplicate selinux defines | Jakub Hrozek | 2013-01-08 | 2 files | -5/+1
* Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXIST | Sumit Bose | 2013-01-08 | 1 file | -0/+1
  Currently only the LDB error code indicating that an entry already exists is translated to EEXIST. To make debugging easier and return a better indication of the reason for an error in the logs, this patch translates the LDB error code for an already existing attribute or value to EEXIST as well.
* SYSDB: Modify ghosts in permissive mode | Ondrej Kos | 2013-01-07 | 1 file | -1/+33
  https://fedorahosted.org/sssd/ticket/1714

  The attempt to delete all ghosts for the user's name and aliases was failing, resulting in failure of the whole user-add operation. In permissive mode, the attempts to delete non-existent entries are not interpreted as an error.
* Fix a 'shadows a global declaration' warning | Sumit Bose | 2012-12-19 | 1 file | -2/+2
* SYSDB: Add API to invalidate all map objects | Jakub Hrozek | 2012-12-18 | 2 files | -0/+94
  This sysdb API will be used later to invalidate the autofs maps
* SYSDB: fix copy-n-paste error | Jakub Hrozek | 2012-12-18 | 1 file | -1/+1
* sudo: support generalized time format | Pavel Březina | 2012-12-13 | 2 files | -13/+34
  https://fedorahosted.org/sssd/ticket/1712

  The timestamp doesn't have to be in the form yyyymmddHHMMSSZ any more. It can be in any form of generalized time format.
* sudo: include primary group in user group list | Pavel Březina | 2012-12-13 | 1 file | -1/+41
  https://fedorahosted.org/sssd/ticket/1677
* sysdb_get_sudo_user_info() initialize attrs on declaration | Pavel Březina | 2012-12-13 | 1 file | -4/+3
* SYSDB: More debugging during the conversion to ghost users | Jakub Hrozek | 2012-12-12 | 1 file | -0/+9
  We've been hitting situations where the sysdb conversion failed. Unfortunately, the current code doesn't include enough debugging info to pinpoint the failing entries. This patch adds more DEBUG statements for each processed entry.
* SYSDB: Move misplaced assignment | Jakub Hrozek | 2012-12-10 | 1 file | -2/+1
* Null pointer dereferenced. | Michal Zidek | 2012-11-28 | 1 file | -96/+100
  https://fedorahosted.org/sssd/ticket/1674
* Uninitialized pointer read | Michal Zidek | 2012-11-28 | 1 file | -1/+1
  https://fedorahosted.org/sssd/ticket/1673
* SYSDB: Don't operate with aliases same as name | Ondrej Kos | 2012-11-26 | 1 file | -0/+6
  fixes https://fedorahosted.org/sssd/ticket/1628

  When a user's alias is the same as its name, don't use it for searching in sysdb, or for deleting.
* LDAP: Only convert direct parents' ghost attribute to member | Jakub Hrozek | 2012-11-20 | 3 files | -9/+41
  https://fedorahosted.org/sssd/ticket/1612

  This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents.

  As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback.

  The original member attributes are only saved if the LDAP schema supports nesting.
* SYSDB: Use the add_string convenience functions for managing ghost user attribute | Jakub Hrozek | 2012-11-20 | 1 file | -24/+9
  Using the convenience function instead of low-level ldb calls makes the code more compact and more readable.
* Handle conversion to fully qualified usernames | Simo Sorce | 2012-11-19 | 3 files | -1/+98
  In subdomains we have to use fully qualified usernames. Unfortunately we have no other good option than simply removing caches for users of subdomains. This is because the memberof plugin does not support the rename operation.
* Refactor the way subdomain accounts are saved | Simo Sorce | 2012-11-19 | 3 files | -1/+52
  The original sysdb code had a strong assumption that only users from one domain are saved in the database. With the subdomain feature, we have changed reality, but have not adjusted all the code around the sysdb calls to not rely on the original assumption.

  One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should.

  In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and have group memberships or other name based matching code mistake a domain user with a subdomain user or vice versa.
* Simplify writing db update functions | Simo Sorce | 2012-11-19 | 1 file | -421/+192
  Add functions to automate setting version numbers in the db; also decrease chances of error in copying and pasting code, by setting the version number only once when we commence the upgrade.
* Display more information on DB version crash | Ondrej Kos | 2012-11-19 | 2 files | -2/+64
  https://fedorahosted.org/sssd/ticket/1589

  Added check for determining whether database version is higher or lower than expected. To distinguish it from other errors it uses the following return values (further used for appropriate error message):
    EMEDIUMTYPE for lower version than expected
    EUCLEAN for higher version than expected

  When SSSD or one of its tools fails on DB version mismatch, a new error message is shown suggesting how to proceed.
* SYSDB: Do not touch the member attribute during conversion to ghost users | Jakub Hrozek | 2012-11-13 | 1 file | -11/+0
  We attempted to delete the member attributes of groups that contained a particular user during the sysdb upgrade, but obviously, this cannot work for nested groups as the member attribute is present for direct parents only. As a result, we were getting failures during the upgrade.

  https://fedorahosted.org/sssd/ticket/1631
* Add pac_user_get_grp_info() to read current group memberships | Sumit Bose | 2012-11-10 | 1 file | -0/+1
  To be able to efficiently store group memberships we need to know the current memberships of a user. sysdb_initgroups() is used to read the user entry together with all groups the user is a member of. Some of the group attributes are kept to avoid additional lookups and speed up further processing.

  Currently sysdb_initgroups() does not return the original DN of the group. Since it is needed to remove memberships later on, it is added to the list of requested attributes.
* sysdb: add sysdb_base_dn() | Sumit Bose | 2012-10-26 | 2 files | -0/+5
  Add a helper function which returns the ldb_dn object for the base dn of the cache.
* sysdb: look for ranges in the parent tree | Sumit Bose | 2012-10-26 | 1 file | -1/+4
  Make sure the right sub-tree in the cache is used to search for ranges. Sub-domain trees do not have range objects; only the tree of the parent domain does.
* SSH: When host keys are removed from LDAP, remove them from the cache as well | Jan Cholasta | 2012-10-12 | 1 file | -36/+34
  https://fedorahosted.org/sssd/ticket/1574
* SSH: Expire hosts in known_hosts | Jan Cholasta | 2012-10-05 | 5 files | -3/+179
* SSH: Refactor sysdb and related code | Jan Cholasta | 2012-10-05 | 2 files | -85/+182
* sysdb_master_domain_get_info: fix copy-and-paste error | Sumit Bose | 2012-10-01 | 1 file | -2/+2
* DB: Use TALLOC_CTX for talloc context | Jakub Hrozek | 2012-09-24 | 1 file | -10/+10
  A couple of sysdb functions used "void *" in place of a TALLOC_CTX.
* SYSDB: Remove unnecessary domain parameter from several sysdb calls | Jakub Hrozek | 2012-09-24 | 5 files | -76/+58
  The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
* AUTOFS: convert the existing autofs entries during a sysdb upgrade | Jakub Hrozek | 2012-09-24 | 3 files | -1/+144
* AUTOFS: Use both key and value in entry RDN | Jakub Hrozek | 2012-09-24 | 2 files | -11/+40
  This patch switches from using just key in the RDN to using both key and value. That is necessary to allow multiple direct mounts in a single map.
* AUTOFS: Add entry objects below map objects | Jakub Hrozek | 2012-09-24 | 4 files | -146/+64
  https://fedorahosted.org/sssd/ticket/1506

  Changes how the new autofs entry objects are handled. Instead of creating the entry on the cn=autofs,cn=custom level, the entry is created below the map it belongs to.
* DB: Cancel transaction in sysdb_store_user if sysdb_add_user fails | Jakub Hrozek | 2012-09-20 | 1 file | -1/+8
* LDB_ERR_INVALID_ATTRIBUTE_SYNTAX added to sysdb_error_to_errno. | Michal Zidek | 2012-09-20 | 1 file | -0/+2
* SELinux: Always use the default if it exists on the server | Jakub Hrozek | 2012-09-13 | 1 file | -2/+9
  https://fedorahosted.org/sssd/ticket/1513

  This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045

  During an e-mail discussion, it was decided that
    * if the default is set in the IPA config object, the SSSD would use that default no matter what
    * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether
* DB: Always write the SELinux object to sysdb | Jakub Hrozek | 2012-09-13 | 1 file | -70/+8
  There's no point in checking if the object already exists because we always wipe the whole sysdb subtree. We were also immediately cancelling the transaction because we'd jump to goto, even though it was with EOK.
* SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains} | Jakub Hrozek | 2012-09-10 | 2 files | -2/+5
* SYSDB: Commit transaction in sysdb_store_user | Jakub Hrozek | 2012-09-05 | 1 file | -17/+19
* Unify usage of sysdb transactions (part 2). | Michal Zidek | 2012-09-04 | 9 files | -270/+330
* SYSDB: Make sysdb_attrs_get_el_int() public | Stephen Gallagher | 2012-08-21 | 2 files | -8/+10
  Also rename it to sysdb_attrs_get_el_ext()
* Only create the SELinux login file if there are mappings on the server | Jakub Hrozek | 2012-08-16 | 1 file | -6/+1
  https://fedorahosted.org/sssd/ticket/1455

  In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers.

  The IPA default must be only used if there *are* rules on the server, but none matches.