| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Unit testing the utilities to become another user requires the use of
the cwrap libraries. This patch augments our build system with macros to
detect the nss_wrapper and and uid_wrapper libraries.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
| |
|
|
|
|
|
|
| |
This patch adds everything what is needed to build the MIT Kerberos
localauth plugin if the used version of MIT Kerberos supports it. It
does not implement the plugin.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Move the check for libini_config >= 1.1.0 from samba.m4 to
libini_config.m4 to have them all in one place, simplifying maintenance.
Set boolean variables for every detected version and use one of them in
samba.m4 instead.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Check for lowest versions of libini_config first, instead of the highest ones
in libini_config.m4. Define HAVE_LIBINI_CONFIG_V* for lower versions when
higher versions are present. Simplify preprocessor branching in sss_ini.c
accordingly.
This prepares libini_config.m4 for addition of a check for one more version of
libini_config.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Use separate shell variable name prefixes for checks of separate libnl
versions, as repeated invocations of PKG_CHECK_MODULES with the same
prefix are not generally supposed to have an effect.
This prevents bugs similar to https://fedorahosted.org/sssd/ticket/2388
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use separate shell variable name prefixes for checks of separate
libini_config versions, as repeated invocations of PKG_CHECK_MODULES
with the same prefix are not generally supposed to have an effect.
Otherwise only the checks before and including the first one defining
both *_CFLAGS and *_LIBS variables will be done and all that follow will
assume success. This happens on RHEL6.5, where both "pkg-config
--cflags" and "pkg-config --libs" for ini_config produce non-empty
output and successful check for v0.6.1 results in incorrectly successful
check for v1.1.0.
Resolves:
https://fedorahosted.org/sssd/ticket/2388
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Specify minimum required libini_config version in a message in samba.m4
explaining the need for the library.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Remove substitution of *_OBJ variables (e.g. POPT_OBJ or PCRE_OBJ) from
configure scripts as they don't seem to be set or used by anything.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The configure script failed with python3
checking for python... /usr/bin/python
checking for python version... 3.3
checking for python platform... linux
checking for python script directory... ${prefix}/lib/python3.3/site-packages
checking for python extension module directory... ${exec_prefix}/lib64/python3.3/site-packages
checking for headers required to compile python extensions... File "<string>", line 1
import sys; print sys.prefix
^
SyntaxError: invalid syntax
File "<string>", line 1
import sys; print sys.exec_prefix
^
SyntaxError: invalid syntax
not found
configure: error: Could not find python headers
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
| |
Functions pam_vsyslog and pam_modutil_getlogin are not available in openpam.
This patch conditionally define macros for these function if they are not
available. Compatible macros use standard functions vsyslog, getlogin
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Samba 4 libraries are necessary for building {ad, ipa} provider,
but samba4 needn't be available on older distributions.
This patch add possibility to build SSSD without {ad, ipa} provider
and thus without Samba 4 libraries.
The script configure have new argument --with-samba with default value yes.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
There are cases when MIT Kerberos is installed with includes in a subdirectory of /usr/include (or /usr/local/include).
In such case we have to properly use KRB5_CFLAGS to reach them.
https://fedorahosted.org/sssd/ticket/2226
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
pac responder was not properly detected with krb5 1.12 library
|
| |
|
|
|
|
|
|
|
|
| |
cifs-idmap plugin is enabled by default, but required header file cifsidmap.h
needn't be available on other distributions. It was not clear that cifs-idmap
plugin is optional feature of sssd. With this patch, configure will recommend
to build sssd without cifs idmap plugin if cifsidmap.h is not available.
Resolves:
https://fedorahosted.org/sssd/ticket/2125
|
| |
|
|
|
|
| |
If openldap is not built with sasl support
libsss_ad.so will not be linked with libsasl2 although
sasl_client_init is called by function ad_sasl_initialize.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1534
|
| | |
|
| |
|
|
|
| |
Even if HAVE_SYSTEMD_LOGIN is set to 0 #ifdef will still see it as
defined.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use systemd-lgin in preference to check if the user is logged in or not.
Fall back to the old method if no systemd-login support is available at compile
time or if it returns a fatal error, and can't determine the status of the user
on its own.
This will allow to consider a user really active (in order to reuse or refresh
crdentials) only if it really is logged into the system, and not just if one
of the user's processes is stuck around.
Resolves:
https://fedorahosted.org/sssd/ticket/2084
|
| | |
|
| |
|
|
|
| |
This tests dlopens and resolves all symbols to make sure there are no missing
symbols in our provider modules.
|
| |
|
|
|
|
|
|
|
| |
We checked only header file "sys/inotify" for detection whether inotify
works. Some platforms do not have built in inotify, but contain library,
which provides inotify-compatible interface.
This patch adds more robust detection of inotify in configuration time and
appends linker flags to Makefile if inotify is provided by library.
|
| |
|
|
|
|
|
|
| |
We used pkg-config only as a fallback if header files was not found,
but detection of library failed in case of available header file and
linking problem (missing -Ldir).
This patch prefers pkg-config.
|
| |
|
|
|
| |
We check whether HAVE_INTPTR_T is defined in definition of macro
discard_const_p, but autootols macro AC_CHECK_TYPE did not generate it.
|
| |
|
|
|
|
|
|
|
| |
If $libdir is not in default library path libunistring cannot be
found. (pkg-config can not be used in this case).
This patch helps to search libunistring in "$libdir" directory.
In refactoring part, indentation was updated to be more readable
and some duplicated parts were removed.
|
| | |
|
| |
|
|
|
| |
AC_MSG_RESULT was not used everywhere after AC_MSG_CHECKING.
Therefore two lines from configure output was mixed in some cases.
|
| |
|
|
|
| |
Detect directory with python libraries and add this
directory to the list of directories to be searched for linker.
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1032
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1786
Since we need to support the old interface as well, the configure scritp
is modified and correct ini interface is chosen.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/812
Update the monitor code to be using the new libnl3 API.
Changed configure option
--with-libnl
By default, it tries to build with libnl3, if not found, then with
libnl1, if this isn't found either, build proceeds without libnl, just
with warning.
Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given
version, if not found, configure ends with error.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
It is possible to enable/disable checking in LDB memberof plugin
whether it was built against the same version of LDB that is present
on the system. This feature is turned off by default
and enabled in Fedora/RHEL spec file.
https://fedorahosted.org/sssd/ticket/1813
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
| |
|
|
|
|
|
| |
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".
Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
|
| |
|
|
|
|
| |
This patch extends the Kerberos version check to support Kerberos
version 1.11 alpha and later. It is a temporary measure until we
can redesign the configure checks for better granularity.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher.
To allow sssd to be compiled on platform with lower version of MIT
Kerberos a replacement call is added. Please note that on those
platform the replacement call will only return an error. If the
krb5_find_authdata functionality is really needed on those platform it
must be implemented by a different patch.
|
| | |
|
