| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
Allows the administrators to extend ignore_group_members to subdomains
as well by setting:
subdomain_inherit = ignore_group_members
in the domain section.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a user enrolls a system against Active Directory, the expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.
However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.
This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default
value.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2627
The cleanup task was designed to keep the cache size within certain
limits. This is how it roughly works now:
- find users who have never logged in by default. If
account_cache_expiration is set, find users who loggged in later
than account_cache_expiration
- delete the matching set of users
- find groups that have no members
- delete the matching set of groups
So unless account_cache_expiration is set to something sensible, only empty
groups and expired users who never logged in are removed and that's quite
a corner case. The above effectivelly walks the whole database, especially
the groups step is quite slow with a huge database. The whole cleanup task
also runs in a single sysdb transaction, which means all other transactions
are blocked while the cleanup task crunches the database.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2618
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2612
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Some users are confused about placement of the debug_level directive or
the location of the log files. Clarify both in the man page.
Also add a pointer to sss_debuglevel.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Users often wrongly use SSSD expansions in libkrb5 expansion template
for principals. State explicitly it won't work.
Resolves:
https://fedorahosted.org/sssd/ticket/2528
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2569
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Directive AuthorizedKeysCommand should be used in conjunction with
AuthorizedKeysCommandUser.
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This option overrides a result of the automatic site discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add dots into a set of allowed characters for domain names.
Resolves:
https://fedorahosted.org/sssd/ticket/2527
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2548
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The option description should hint that enabling this option may have a
positive effect on access control, especially with large groups.
See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example
where ignoring the group members helped.
Signed-off-by: Jakub Hrozek <jakub.hrozek@posteo.se>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2556
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
|
|
| |
The indentation is automatically in resulting man page. It isn't necessary to
add spaces and moreover it can cause unreadable page asi in case of ad_gpo_map
examples.
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
| |
|
|
| |
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| | |
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2515
|
| |
|
|
|
|
|
|
|
|
|
| |
The man page claimed that failing to resolve an user name results in
failure to start SSSD, but it's not the case and shouldn't be, because
marking a user as trusted only elevates privileges, so it's safe to
ignore that failure.
https://fedorahosted.org/sssd/ticket/2530
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add note that these two options are ignored if
journald is used.
https://fedorahosted.org/sssd/ticket/2498
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/2462
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2448
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
isn't in any standard objectclass on OpenLDAP server. This is a reason why
objectSID cannot be set by default in rfc2307 map and rfc2307bis map.
It is the same problem as using non standard attribute "nsUniqueId"
in ticket https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recently the uuid attributes for user and groups were removed because
it was found that there are not used at all and that some of them where
causing issues (https://fedorahosted.org/sssd/ticket/2383).
The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
to relate overrides with the original IPA objects. The previous two
patches revert the removal of the uuid attributes from users and groups
with this patch set the default value of these attributes to
ipaUniqueID from the IPA provider, to objectGUID for the AD provider and
leaves them unset for the general LDAP case to avoid issues like the one
from ticket #2383.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the SSH public key override attribute is read from the
FreeIPA server and saved in the cache with the other override data.
Since it is possible to have multiple public SSH keys this override
value does not replace any other data but will be added to existing
values.
Fixes https://fedorahosted.org/sssd/ticket/2454
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2219
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2451
Added a configuration example at the bottom for
'ldap_access_order = lockout'. Also added a line
to note that 'ldap_access_provider = ldap' must
be specified for this feature to work.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds a option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| | |
|
| |
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2361
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
