path: root/src/providers/ad/ad_common.h
Commit message | Author | Age | Files | Lines
* AD: Add a new option to turn off GC lookups | Jakub Hrozek | 2013-12-19 | 1 | -0/+1
  SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.
* AD: Add a utility function to create list of connections | Jakub Hrozek | 2013-12-19 | 1 | -0/+7
  ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.
* AD: Add a new option ad_access_filter | Jakub Hrozek | 2013-10-25 | 1 | -0/+1
  This patch just adds the option, it doesn't do anything useful yet.
  Related: https://fedorahosted.org/sssd/ticket/2082
* AD: initialize failover with custom realm, domain and failover service | Jakub Hrozek | 2013-06-28 | 1 | -1/+4
  This is needed so we can initialize failover using IPA realm and on-the-fly discovered DNS domain. The subdomains discovered on-the-fly will use the subdomain name for realm, domain and failover service to avoid conflicts.
  Subtask of: https://fedorahosted.org/sssd/ticket/1962
* AD: decouple ad_id_ctx initialization | Jakub Hrozek | 2013-06-28 | 1 | -0/+7
  The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers.
  Subtask of: https://fedorahosted.org/sssd/ticket/1962
* AD: kinit with the local DC even when talking to a GC | Jakub Hrozek | 2013-06-26 | 1 | -1/+2
  We tried to use the GC address even for kinit which gave us errors like: "Realm not local to KDC while getting initial credentials". This patch adds a new AD_GC service that is only used for ID lookups, any sort of Kerberos operations are done against the local servers.
* AD: Remove ad_options->auth options reference | Jakub Hrozek | 2013-06-14 | 1 | -1/+0
  The options are stored in ad_options->auth_ctx->opts, this member was completely unused and confusing.
* AD: Add additional service to support Global Catalog lookups | Jakub Hrozek | 2013-06-07 | 1 | -0/+5
  When fixed host names of AD servers are configured in the config file, we can't know (unlike when service discovery is at play) if the servers are Global Catalogs or not. This patch adds a private data to servers read from the config file that denote whether the server can be tried for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs are generated based on contents of this private data structure.
  Because SSSD sticks to a working server, we don't have to disable or remove the faulty GC servers from the list.
* Active Directory dynamic DNS updates | Jakub Hrozek | 2013-05-03 | 1 | -0/+13
  https://fedorahosted.org/sssd/ticket/1504
  Implements dynamic DNS updates for the AD provider. By default, the updates also update the reverse zone and run periodically every 24 hours.
* DNS sites support - add AD SRV plugin | Pavel Březina | 2013-05-02 | 1 | -0/+1
  https://fedorahosted.org/sssd/ticket/1032
* Primary server support: new option in AD provider | Jan Zeleny | 2012-08-01 | 1 | -0/+1
  This patch adds support for new config option ad_backup_server. The description of this option's functionality is included in man page in one of previous patches.
* Primary server support: AD adaptation | Jan Zeleny | 2012-08-01 | 1 | -1/+2
  This patch adds support for the primary server functionality into AD provider. No backup servers are added at the moment, just the basic support is in place.
* AD: use krb5_keytab for validation and GSSAPI | Stephen Gallagher | 2012-07-06 | 1 | -0/+1
  This simplifies configuration by eliminating the need to specify both krb5_keytab and ldap_krb5_keytab if the keytab is not located at /etc/krb5.keytab
* AD: Add AD auth and chpass providers | Stephen Gallagher | 2012-07-06 | 1 | -1/+6
  These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
* AD: Add AD identity provider | Stephen Gallagher | 2012-07-06 | 1 | -0/+85
  This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.