| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 9b162bf39ef75629f54ffa1d0bd5f9c13119b650)
(cherry picked from commit 602eb710c62c192060debad3062f13677ec3b105)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
Allows the administrators to extend ignore_group_members to subdomains
as well by setting:
subdomain_inherit = ignore_group_members
in the domain section.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44)
(cherry picked from commit 27d8524cf635d61d93c71539709a30e1205dcaf1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8)
(cherry picked from commit da2d33f81746a9bf8abd97becaf17005e4f89d2c)
|
|
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5c2f80ef0b6ace6b331bcf99e5e5c7d73cfb92c6)
|
|
|
|
|
|
|
|
|
|
|
| |
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit e039f1aefecc65a7b3c2d4a13a612bff1dd367c8)
|
|
|
|
|
|
|
|
|
|
| |
Add dots into a set of allowed characters for domain names.
Resolves:
https://fedorahosted.org/sssd/ticket/2527
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9a15eb105d01d9e100e69e9d66fb8e880b228246)
|
|
|
|
|
|
|
|
|
|
|
| |
The man page claimed that failing to resolve an user name results in
failure to start SSSD, but it's not the case and shouldn't be, because
marking a user as trusted only elevates privileges, so it's safe to
ignore that failure.
https://fedorahosted.org/sssd/ticket/2530
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Add note that these two options are ignored if
journald is used.
https://fedorahosted.org/sssd/ticket/2498
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2462
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2219
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds a option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_public_domains option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2442
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2358
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some additional checks if the option for replacing
spaces in user and group names is used.
When replacing space with the replacement character it is checked if the
name already contains the replacement character. If it does the
unmodified name is returned because in this case a revers operation
would not be possible.
For the reverse operation is it checked if the input contains both a
space and the replacement character. If this is true the unmodified name
is returned as well, because we have to assume that it is the original
name because otherwise it wouldn't contain both characters.
Additionally a shortcut if the replacement characters is a space and
tests for the new checks are added. The man page is updated accordingly.
Related to https://fedorahosted.org/sssd/ticket/1854 and
https://fedorahosted.org/sssd/ticket/2397 .
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Amend the man page to reflect current behaviour.
https://fedorahosted.org/sssd/ticket/2401
Reviewed-by: Dan Lavu <dlavu@redhat.com>
|
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2367
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch add possibility to replace whitespace in user and group names with
a specified string. With string "-", sssd will return the same result as
winbind enabled option "winbind normalize names"
Resolves:
https://fedorahosted.org/sssd/ticket/1854
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2359
Reported by Stephan Mueller.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2114
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2072
This commit only adds the responder and the needed plumbing. No DBus
related code is in yet.
|
|
|
|
|
|
|
|
|
|
| |
Some options are relevant to multiple sections of sssd.conf. This patch adds
new sections for those.
Resolves:
https://fedorahosted.org/sssd/ticket/2218
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different setting.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2169
|
| |
|
| |
|
|
|
|
|
|
|
| |
Added and documented option offline_timeout.
Resolves:
https://fedorahosted.org/sssd/ticket/1718
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.
https://fedorahosted.org/sssd/ticket/2013
|
|
|
|
|
|
|
|
| |
Partially solves ticket:
https://fedorahosted.org/sssd/ticket/1966
To avoid the problem mentioned in the ticket above, option
dns_discovery_domain must be set properly.
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2005
Some users were confused by our description of min_id/max_id and thought
the limits only applied to returning entries from the NSS responder.
However, the limits are actually enforced on the back end side, so the
entries are not even saved to cache.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
|
|
|
|
|
|
|
|
|
|
|
| |
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format.
|
|
|
|
|
| |
realmd needs to be able to tag various domains with basic info
when it configures a domain.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when and known domain name is encountered I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of a LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes
https://fedorahosted.org/sssd/ticket/1468
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1809
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1609
|
|
|
|
|
| |
The description was duplicated on two places, leading to errors where
one was amended but the other was not.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1805
|
|
|
|
|
|
| |
intensive
https://fedorahosted.org/sssd/ticket/1732
|
| |
|
|
|
|
|
| |
I noticed that the proxy in auth_provider section of sssd.conf manpage
isn't quoted when all others are.
|