| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/967
Conflicts:
src/config/SSSDConfig.py
src/config/etc/sssd.api.d/sssd-ipa.conf
src/config/etc/sssd.api.d/sssd-ldap.conf
src/man/sssd-ldap.5.xml
src/providers/ipa/ipa_common.c
src/providers/ipa/ipa_common.h
src/providers/ldap/ldap_common.c
src/providers/ldap/sdap.h
|
|
|
|
|
| |
For older platforms, do not add the 'realm' line in
the update message
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1024
|
|
|
|
|
|
|
| |
Adds a configure option to set the distribution default as well as
an sssd.conf option to override it.
https://fedorahosted.org/sssd/ticket/980
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/978
|
|
|
|
|
|
|
|
|
|
|
|
| |
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Prevent segfault if vetoed_shells are specified without allowed_shells
https://fedorahosted.org/sssd/ticket/954
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add helper function msgs2attrs_array
This function converts a list of ldb_messages into a list of
sysdb_attrs.
Conflicts:
src/providers/ldap/ldap_common.c
src/providers/ldap/ldap_common.h
Add HBAC evaluator and tests
Add helper functions for looking up HBAC rule components
Remove old HBAC implementation
Add new HBAC lookup and evaluation routines
Conflicts:
Makefile.am
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server.
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
libipa_hbac: Support case-insensitive comparisons with UTF8
UTF8 HBAC test
Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933
Fix incorrect NULL check in ipa_hbac_common.c
https://fedorahosted.org/sssd/ticket/936
Require matched version and release for libipa_hbac
Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new option to override primary GID number
https://fedorahosted.org/sssd/ticket/742
Add a new option to override home directory value
https://fedorahosted.org/sssd/ticket/551
Add new options to override shell value
https://fedorahosted.org/sssd/ticket/742
Conflicts:
src/conf_macros.m4
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/807
|
|
|
|
|
|
| |
In some automatic build environments the lists of translated man pages
were not generated properly because ls put multiple file names into a
single single.
|
|
|
|
| |
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
| |
Earlier patch for strings was incomplete
|
| |
|
|
|
|
| |
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
| |
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
| |
|
|
|
|
|
| |
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
|
|
|
|
|
| |
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
| |
|
| |
|
| |
|
|
|
|
| |
Fixed several typos
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
|
|
|
|
|
| |
Translated a couple of strings from manpages into Czech. Makes the
manpage translation patch testable.
|
|
|
|
|
|
|
|
|
| |
Utilizes PO4A to extract translatable strings from Docbook XML sources
and allows translators to submit ordinary .PO files. PO4A then generates
translated Docbook documents that can be used to generate translated end
user documentation.
https://fedorahosted.org/sssd/ticket/297
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/670
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, we would wait for ten seconds before starting an
enumeration. However, this meant that on the first startup (before
we had run our first enumeration) there was a ten-second window
where clients would immediately get back a response with no
entries instead of blocking until the enumeration completed.
With this patch, SSSD will now run an enumeration immediately upon
startup. Further startups will retain the ten-second delay so as
not to slow down system bootups.
https://fedorahosted.org/sssd/ticket/616
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds simple_allow_groups and simple_deny_groups options
to the simple access provider. It makes it possible to grant or
deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now
all deny rules will supersede allow rules. Previously, if both
simple_allow_users and simple_deny_users were set with the same
value, the allow would win.
https://fedorahosted.org/sssd/ticket/440
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/691
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/665
|
|
|
|
|
|
| |
Currently sssd does not support authentication via GSSAPI. I think it
is not necessary to support it, because if GSSAPI is possible Kerberos
should be use for authentication.
|