sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	AD: Add extended access filter	Jakub Hrozek	2013-10-25	1	-1/+4
\| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2082 Adds a new option that allows the admin to specify a LDAP access filter that can be applied globally, per-domain or per-forest.
*	AD: Search GC by default during access control, fall back to LDAP	Jakub Hrozek	2013-10-25	1	-2/+3
\| \| \| \| \| \| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/2082 In order to allow the ad_access_filter option to work for subdomain users as well, the Global Catalog must be searched. This patch adds a wrapper request atop sdap_access_send that selects the right connection (GC or LDAP) and optionally falls back to LDAP.
*	AD: Use the ad_access_filter if it's set	Jakub Hrozek	2013-10-25	1	-2/+20
\| \| \| \| \| \| \| \| \|	Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.
*	AD: Download master domain info when enumerating	Jakub Hrozek	2013-09-18	1	-1/+5
\| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.
*	AD: async request to retrieve master domain info	Jakub Hrozek	2013-09-18	1	-1/+1
\| \| \| \|	Adds a reusable async request to download the master domain info.
*	LDAP: Make sdap_id_setup_tasks reusable for subdomains	Jakub Hrozek	2013-08-28	1	-1/+1
\| \| \| \| \|	Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.
*	AD: Cast SASL callbacks to propper type	Ondrej Kos	2013-08-09	1	-1/+3
\| \| \| \| \| \|	The initialization of ad_sasl_callbacks raised an incompatible pointer type warning. This was caused because the cyrus-sasl API hasa changed. The callback function list needs to be cast now.
*	sssd_ad: Add hackish workaround for sasl ad_compat	Simo Sorce	2013-08-06	1	-0/+41
\| \| \| \| \| \| \| \| \|	This tries to set the ad_compat option for sasl, by working around the openldap/sasl initialization as openldap does not allow us to pass down to sasl our own getopt callback. Resolves: https://fedorahosted.org/sssd/ticket/2040
*	KRB5: Do not send PAC in server mode	Jakub Hrozek	2013-07-23	1	-0/+1
\| \| \| \| \| \| \| \|	The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
*	AD: initialize failover with custom realm, domain and failover service	Jakub Hrozek	2013-06-28	1	-1/+5
\| \| \| \| \| \| \| \| \| \|	This is needed so we can initialize failover using IPA realm and on-the-fly discovered DNS domain. The subdomains discovered on-thefly will use the subdomain name for realm, domain and failover service to avoid conflicts. Subtaks of: https://fedorahosted.org/sssd/ticket/1962
*	AD: decouple ad_id_ctx initialization	Jakub Hrozek	2013-06-28	1	-21/+9
\| \| \| \| \| \| \| \| \|	The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers. Subtask of: https://fedorahosted.org/sssd/ticket/1962
*	Fix allocation check	Jakub Hrozek	2013-06-17	1	-1/+1
\|
*	Fix allocation check in the AD provider	Jakub Hrozek	2013-06-11	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1976
*	providers: refresh expired netgroups	Pavel Březina	2013-06-10	1	-0/+10
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1713
*	AD: Add additional service to support Global Catalog lookups	Jakub Hrozek	2013-06-07	1	-5/+11
\| \| \| \| \| \| \| \| \| \| \| \|	When fixed host names of AD servers are configured in the config file, we can't know (unlike when service discovery is at play) if the servers are Global Catalogs or not. This patch adds a private data to servers read from the config file that denote whether the server can be tried for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs are generated based on contents of this private data structure. Because SSSD sticks to a working server, we don't have to disable or remove the faulty GC servers from the list.
*	LDAP: sdap_id_ctx might contain several connections	Jakub Hrozek	2013-06-07	1	-26/+21
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
*	Remove unneeded parameter of setup_child and namespace it	Jakub Hrozek	2013-05-20	1	-1/+1
\| \| \| \| \|	setup_child() was accepting a parameter it didn't use. Also the function name was too generic, so I added a sdap prefix.
*	AD: read flat name and SID of the AD domain	Sumit Bose	2013-05-07	1	-0/+31
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	For various features either the flat/short/NetBIOS domain name or the domain SID is needed. Since the responders already try to do a subdomain lookup when and known domain name is encountered I added a subdomain lookup to the AD provider which currently only reads the SID from the base DN and the NetBIOS name from a reply of a LDAP ping. The results are written to the cache to have them available even if SSSD is started in offline mode. Looking up trusted domains can be added later. Since all the needed responder code is already available from the corresponding work for the IPA provider this patch fixes https://fedorahosted.org/sssd/ticket/1468
*	AD: Always initialize ID mapping	Jakub Hrozek	2013-05-03	1	-5/+3
\| \| \| \| \| \|	Because we now always store SIDs in the LDAP provider, we also need to always initialize the ID mapping context even if ID mapping itself is off.
*	Active Directory dynamic DNS updates	Jakub Hrozek	2013-05-03	1	-0/+8
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1504 Implements dynamic DNS updates for the AD provider. By default, the updates also update the reverse zone and run periodically every 24 hours.
*	DNS sites support - add AD SRV plugin	Pavel Březina	2013-05-02	1	-5/+25
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1032
*	DNS sites support - use SRV DNS lookup plugin in all providers	Pavel Březina	2013-04-10	1	-0/+10
\| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1032 We set a plugin during an initialization of ID provider, which is an authoritative provider for a plugin choice. The plugin is set only once. When other provider is initalized (e.g. id = IPA, sudo = LDAP), we do not overwrite the plugin. Since sssm_*_id_init() is called from all module constructors, this patch relies on the fact, that ID provider is initialized before all other providers.
*	AD context was set to null due to type mismatch	Ondrej Kos	2012-08-23	1	-1/+1
\|
*	Primary server support: new option in AD provider	Jan Zeleny	2012-08-01	1	-1/+3
\| \| \| \| \| \|	This patch adds support for new config option ad_backup_server. The description of this option's functionality is included in man page in one of previous patches.
*	Primary server support: AD adaptation	Jan Zeleny	2012-08-01	1	-1/+1
\| \| \| \| \| \|	This patch adds support for the primary server functionality into AD provider. No backup servers are added at the moment, just the basic support is in place.
*	AD: Add AD access-control provider	Stephen Gallagher	2012-07-06	1	-0/+56
\| \| \| \| \|	This patch adds support for checking whether a user is expired or disabled in AD.
*	AD: Add AD auth and chpass providers	Stephen Gallagher	2012-07-06	1	-0/+85
\| \| \| \| \| \|	These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
*	AD: Add AD identity provider	Stephen Gallagher	2012-07-06	1	-0/+184
	This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.