| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2618
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2612
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Some users are confused about placement of the debug_level directive or
the location of the log files. Clarify both in the man page.
Also add a pointer to sss_debuglevel.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Users often wrongly use SSSD expansions in libkrb5 expansion template
for principals. State explicitly it won't work.
Resolves:
https://fedorahosted.org/sssd/ticket/2528
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2569
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Directive AuthorizedKeysCommand should be used in conjunction with
AuthorizedKeysCommandUser.
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This option overrides a result of the automatic site discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Add dots into a set of allowed characters for domain names.
Resolves:
https://fedorahosted.org/sssd/ticket/2527
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2548
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The option description should hint that enabling this option may have a
positive effect on access control, especially with large groups.
See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example
where ignoring the group members helped.
Signed-off-by: Jakub Hrozek <jakub.hrozek@posteo.se>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2556
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
| |
The indentation is automatically in resulting man page. It isn't necessary to
add spaces and moreover it can cause unreadable page asi in case of ad_gpo_map
examples.
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
|
|
|
| |
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2515
|
|
|
|
|
|
|
|
|
|
|
| |
The man page claimed that failing to resolve an user name results in
failure to start SSSD, but it's not the case and shouldn't be, because
marking a user as trusted only elevates privileges, so it's safe to
ignore that failure.
https://fedorahosted.org/sssd/ticket/2530
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Add note that these two options are ignored if
journald is used.
https://fedorahosted.org/sssd/ticket/2498
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2462
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2448
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
isn't in any standard objectclass on OpenLDAP server. This is a reason why
objectSID cannot be set by default in rfc2307 map and rfc2307bis map.
It is the same problem as using non standard attribute "nsUniqueId"
in ticket https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recently the uuid attributes for user and groups were removed because
it was found that there are not used at all and that some of them where
causing issues (https://fedorahosted.org/sssd/ticket/2383).
The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
to relate overrides with the original IPA objects. The previous two
patches revert the removal of the uuid attributes from users and groups
with this patch set the default value of these attributes to
ipaUniqueID from the IPA provider, to objectGUID for the AD provider and
leaves them unset for the general LDAP case to avoid issues like the one
from ticket #2383.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the SSH public key override attribute is read from the
FreeIPA server and saved in the cache with the other override data.
Since it is possible to have multiple public SSH keys this override
value does not replace any other data but will be added to existing
values.
Fixes https://fedorahosted.org/sssd/ticket/2454
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2219
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2451
Added a configuration example at the bottom for
'ldap_access_order = lockout'. Also added a line
to note that 'ldap_access_provider = ldap' must
be specified for this feature to work.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds a option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2361
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2340
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_public_domains option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2442
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
| |
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
changes from previous patch:
* fixed idmapd.conf example (sss plugin name)
* squahsed the rpm spec into one commit
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2358
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|