| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2072
This commit only adds the responder and the needed plumbing. No DBus
related code is in yet.
(cherry picked from commit cb4d5b588e704114b7090678752d33512baa718e)
Conflicts:
src/conf_macros.m4
src/confdb/confdb.h
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 69994add9cd4e57d40b3b7a0b1783ef2d0aa974c)
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3c1899348804713b49ba9c1f2bc782892c47c2fa)
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2114
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 6973f38e624e757587b14f1dbabc3466492d1dac)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Validation of xml files failed with new version of libxml2 (CVE-2014-0191)
make[2]: Entering directory `/builddir/build/BUILD/sssd-1.9.2/src/man'
/usr/bin/xmllint --catalogs --postvalid --nonet --xinclude --noout sss_usermod.8.xml
sss_usermod.8.xml:4: element reference: validity error : No declaration for element reference
sss_usermod.8.xml:5: element title: validity error : No declaration for element title
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b772ceb6e5cdda62aa98d4fc61f4800b9779b74a)
|
| |
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d987dba42894aceff106d557b13812092028cc29)
|
|
|
|
|
|
|
|
|
|
| |
It should be noted that disabling GC does *not* disable lookups from
trusted domains. Disabling GC might be a a good way for admins who wish
to use POSIX attributes in trusted domains and the man page should hint
this option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit fdaaf2525e333af04ee9b48429b6766b5fd6cab6)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different setting.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 61804568ce5ede3b1a699cda17c033dd6c23f0e3)
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2252
Currently SSSD chokes when IDs of users change, we don't support ID
changes yet. Because some users were confused about the failures, this
patch adds additional clarification.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 3dfa09a826e5f63b4948462c2452937fc329834d)
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2235
The memberof example was misleading and was making aministrators think
that the ldap_access_filter can resolve nested group memberships.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 604d46e028ab62f83060fb88bdd3319a31aca2d1)
|
| |
|
| |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2169
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
SSSD now defaults to using GC by default. For some environments, for
instance those that don't or can't replicate the POSIX attributes to
Global Catalog, this might not be desirable.
This patch introduces a new option ad_enable_gc, that is enabled by
default. Setting this option to false makes the SSSD contact only the
LDAP port of AD DCs.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2154
|
| |
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify a LDAP access filter
that can be applied globally, per-domain or per-forest.
|
|
|
|
|
|
|
| |
This patch just adds the option, it doesn't do anything useful yet.
Related:
https://fedorahosted.org/sssd/ticket/2082
|
|
|
|
|
|
| |
Many lines in debug_levels.xml violated our line-length conventsions.
This patch provides no functional changes, it simply brings those lines
into compliance.
|
|
|
|
|
|
|
| |
Originally, we planned to deprecate the decimal values for the debug
levels, but that has proven to be too difficult for most users to
understand. Instead, we will document both the simple decimal and
complex bitmask values and recommend the use of the decimal values.
|
| |
|
|
|
|
|
|
| |
Currently the AD provider relies on the presence of the POSIX attributes
in the Global Catalog. This patch mentiones the fact in the sssd-ad(5)
manual page.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2091
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2085
|
| |
|
|
|
|
|
| |
Replace incorrect reference to "sssd-krb5.conf" manpage with the correct
"sssd-krb5" in sssd_krb5_locator_plugin man page source.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.
If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.
Related:
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2036
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2044
|
|
|
|
|
|
|
|
|
|
|
| |
Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.
https://fedorahosted.org/sssd/ticket/2013
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Partially solves ticket:
https://fedorahosted.org/sssd/ticket/1966
To avoid the problem mentioned in the ticket above, option
dns_discovery_domain must be set properly.
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2005
Some users were confused by our description of min_id/max_id and thought
the limits only applied to returning entries from the NSS responder.
However, the limits are actually enforced on the back end side, so the
entries are not even saved to cache.
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1998
Currently using IP address as value of ad_server is not supported, so
the man pages should not mention that as an option.
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1965
After we added a section that clarified what access_provider=ad did,
some users were confused and thought that "ad" was also the default
access provider if "id_provider=ad" was specified.
|
|
|
|
|
|
| |
Option -E/--everething was added to invalide all types of entries.
https://fedorahosted.org/sssd/ticket/1988
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1778
When trying to copy special file, only message is logged now.
|