path: root/src/providers/ad
Commit log (each entry: commit message, author, date, files changed, lines removed/added):

* AD: Change level of debug message
  Lukas Slebodnik, 2014-11-11, 1 file changed, -1/+1
  The end of dnf update is not an operation failure; it is just a useful debug message.
  Reviewed-by: Michal Židek <mzidek@redhat.com>

* Revert "LDAP: Remove unused option ldap_group_uuid"
  Sumit Bose, 2014-11-06, 1 file changed, -0/+1
  This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* Revert "LDAP: Remove unused option ldap_user_uuid"
  Sumit Bose, 2014-11-06, 1 file changed, -0/+1
  This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* UTIL: Remove more code duplication setting up child processes
  Jakub Hrozek, 2014-11-05, 1 file changed, -21/+2
  All our child processes duplicated the same code that set up the debugging all around. Instead of adding yet another copy for the selinux_child, add a common utility function.
  Reviewed-by: Michal Židek <mzidek@redhat.com>

* UTIL: Remove code duplication of struct io
  Jakub Hrozek, 2014-11-05, 1 file changed, -40/+3
  We had struct io and the associated destructor copied twice in the code already and need it again in the SELinux provider. Instead of adding another copy, move the code to a shared subtree under util/.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* GPO: Terminate request on error
  Jakub Hrozek, 2014-10-22, 1 file changed, -0/+2
  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* UTIL: Always write capaths
  Jakub Hrozek, 2014-10-16, 1 file changed, -1/+1
  We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them.
  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

* GPO: Do not use output argument if function failed
  Lukas Slebodnik, 2014-10-13, 1 file changed, -4/+4
  deny_size and allow_size were initialized in function parse_policy_setting_value (output argument). If function parse_policy_setting_value fails, then the output arguments will not be initialized and will be used uninitialized in the debug macro.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* GPO: Fail if we cannot retrieve gpo from cache.
  Lukas Slebodnik, 2014-10-13, 1 file changed, -0/+6
  The variable value could be used uninitialized.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* GPO: fail if there is a problem with storing gpo into sysdb
  Lukas Slebodnik, 2014-10-13, 1 file changed, -0/+14
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* GPO: remove unused talloc contexts
  Lukas Slebodnik, 2014-10-03, 1 file changed, -11/+8
  Talloc context was not used in functions ad_gpo_parse_gpo_child_response, ad_gpo_process_cse_recv, ad_gpo_store_policy_settings.
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

* GPO: Use argument ndg_flags instead of constant
  Lukas Slebodnik, 2014-10-03, 1 file changed, -6/+6
  Some internal gpo functions [1] were called just once and with the constant NDR_SCALARS as the 2nd argument (ndr_flags), but the 2nd argument was not used in these functions [1]. They used the constant NDR_SCALARS.
  [1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type, ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision, ndr_pull_security_descriptor_revision, ndr_pull_security_descriptor_type
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* AD-GPO resolve conflicting policy settings correctly
  Yassir Elley, 2014-10-02, 1 file changed, -499/+412
  Resolves: https://fedorahosted.org/sssd/ticket/2437
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

* AD GPO: Fix incorrect return of EACCES
  Stephen Gallagher, 2014-10-02, 1 file changed, -2/+2
  In the access providers, we expect to receive ERR_ACCESS_DENIED when access is denied, but we were returning EACCES here. The effect was the same, except that it presented ultimately as a system error instead of a proper denial.
  Related: https://fedorahosted.org/sssd/ticket/2437
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD: Add a missing break statement to the GPO code
  Jakub Hrozek, 2014-09-29, 1 file changed, -1/+2
  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* AD GPO: Fix incorrect sAMAccountName selection
  Stephen Gallagher, 2014-09-29, 1 file changed, -2/+2
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* Add alternative objectClass to group attribute maps
  Michal Zidek, 2014-09-15, 1 file changed, -0/+1
  In IPA we sometimes need to use the posixGroup and sometimes the groupOfNames objectclass to query the groups. This patch adds the possibility to specify an alternative objectclass in group maps. By default it is only set for IPA.
  Fixes: https://fedorahosted.org/sssd/ticket/2436
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD-GPO: delete stale GPOs
  Yassir Elley, 2014-09-08, 1 file changed, -0/+36
  https://fedorahosted.org/sssd/ticket/2431
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD-GPO: processing changes for gpo_map_* options
  Yassir Elley, 2014-09-08, 5 files changed, -23/+460
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* AD-GPO: config changes for gpo_map_* options
  Yassir Elley, 2014-09-08, 2 files changed, -0/+17
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* AD: Ignore all errors if gpo is in permissive mode.
  Lukas Slebodnik, 2014-09-02, 1 file changed, -1/+18
  This patch prevents problems with user authentication if gpo is misconfigured.

  [ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
  [sdap_id_op_destroy] (0x4000): releasing operation connection
  [ad_gpo_access_done] (0x0040): GPO-based access control failed.
  [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or directory) [Internal Error (System error)]
  [be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com]
  [be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com]

  Reviewed-by: Yassir Elley <yelley@redhat.com>
* SDAP: new option - DN to ppolicy on LDAP
  Pavel Reichl, 2014-08-27, 1 file changed, -0/+1
  To check the value of the pwdLockout attribute on the LDAP server, the DN of ppolicy must be set.
  Resolves: https://fedorahosted.org/sssd/ticket/2364
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* AD-GPO: ad_gpo changes for offline gpo support
  Yassir Elley, 2014-08-13, 1 file changed, -23/+149
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD-GPO: add ad_gpo_cache_timeout option
  Yassir Elley, 2014-07-31, 5 files changed, -97/+191
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD-GPO: only download policy files if gpo version changes
  Yassir Elley, 2014-07-30, 2 files changed, -197/+560
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* case_sensitivity = preserving
  Michal Zidek, 2014-07-29, 1 file changed, -3/+27
  If case_sensitivity is set to 'preserving', getXXnam returns the name attribute in the same format as stored in LDAP.
  Fixes: https://fedorahosted.org/sssd/ticket/2367
  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* AD: Increment som_index when advancing to the next GPO
  Jakub Hrozek, 2014-07-29, 1 file changed, -0/+2
  When the GPO processing tried to advance to the next GPO on encountering an error, the som_index was not incremented, causing an infinite loop.
  Reviewed-by: Yassir Elley <yelley@redhat.com>

* AD: Check return value of ad_gpo_evaluate_dacl
  Jakub Hrozek, 2014-07-29, 1 file changed, -2/+7
  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* LDAP: Remove unused option ldap_user_uuid
  Lukas Slebodnik, 2014-07-25, 1 file changed, -1/+0
  There is a problem with the OpenLDAP server and dereferencing of attributes that are not in the schema of the server?

  sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
      -E 'deref=member:uid,dummy_attr' cn=ref_grp
  Protocol error (2)
  Additional information: Dereference control: attribute decoding error
  sh-4.2$ echo $?
  2

  The attribute nsUniqueID is a 389-only, non-standard attribute. It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson nor posixAccount schema. It was a default value of option ldap_user_uuid, but it was not used anywhere.
  Resolves: https://fedorahosted.org/sssd/ticket/2383
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Remove unused option ldap_group_uuid
  Lukas Slebodnik, 2014-07-25, 1 file changed, -1/+0
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* LDAP: Remove unused option ldap_netgroup_uuid
  Lukas Slebodnik, 2014-07-25, 1 file changed, -2/+0
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* UTIL: rename find_subdomain_by_name
  Pavel Reichl, 2014-07-22, 3 files changed, -5/+5
  The function was named "find_subdomain" yet it could find both main domain and subdomain.

  sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* UTIL: rename find_subdomain_by_sid
  Pavel Reichl, 2014-07-22, 1 file changed, -1/+1
  The function was named "find_subdomain" yet it could find both main domain and subdomain.

  sed 's/find_subdomain_by_sid/find_domain_by_sid/' -i `find . -name "*.[ch]"`

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* ad_handle_acct_info_step: fix typo
  Pavel Březina, 2014-07-21, 1 file changed, -1/+1
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD-GPO: Store policy settings in local files
  Yassir Elley, 2014-07-20, 2 files changed, -350/+403
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* AD: add missing debug-to-stderr option to gpo_child
  Sumit Bose, 2014-07-20, 1 file changed, -0/+3
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* PROVIDERS: Add ldap_common.h to opts.h of each provider
  Jakub Hrozek, 2014-07-08, 1 file changed, -0/+1
  The opts.h files were consuming some #defines from ldap_common.h (such as SSS_LDAP_SRV_NAME) without including ldap_common.h. That's bad practice and breaks programs that wish to just include the opts.h header.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* AD-GPO: Add support for gpo permissive mode
  Yassir Elley, 2014-07-01, 1 file changed, -2/+18
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* Use ldap_url_parse to extract hostname from ldap uri
  Yassir Elley, 2014-07-01, 1 file changed, -5/+20
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* AD-GPO: Add gpo-smb implementation in gpo_child process
  Yassir Elley, 2014-07-01, 2 files changed, -11/+1514
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* AD: cleanup redundant #define statements
  Pavel Reichl, 2014-06-18, 4 files changed, -17/+11
  Resolves: https://fedorahosted.org/sssd/ticket/2185
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* SDAP: Add option to disable use of Token-Groups
  Pavel Reichl, 2014-06-02, 1 file changed, -0/+1
  Disabling use of Token-Groups is mandatory if expansion of nested groups is not desired (ldap_group_nesting_level = 0) for the AD provider.
  Resolves: https://fedorahosted.org/sssd/ticket/2294
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD-GPO: Fix some failure modes in ad_gpo.c
  Yassir Elley, 2014-05-30, 1 file changed, -9/+18
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* AD-GPO: Remove dependency on libsamba-security
  Yassir Elley, 2014-05-23, 3 files changed, -27/+585
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* AD: Initialize user_map_cnt in server mode
  Jakub Hrozek, 2014-05-22, 1 file changed, -0/+1
  user_map_cnt was initialized when all the traditional back ends are initialized. However, for the server mode, we simply copy the defaults and the count was left zeroed, which led to crashes.
  Down the road, we should consider tying the map and the attribute count together (see ticket #2336).
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Implemented LDAP component of GPO-based access control
  Yassir Elley, 2014-05-13, 11 files changed, -45/+2458
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD: Do not remove non-root domains when looking up root domain
  Jakub Hrozek, 2014-05-13, 1 file changed, -3/+22
  https://fedorahosted.org/sssd/ticket/2322
  When the AD subdomains code looked up the root domain subsequently (after the domain list was already populated), the non-root domains might have been removed along with their respective tasks, because the root domain lookup only ever matched a single root domain.
  This could cause havoc especially during login when different lookups for different domains might be going on during user group refresh.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* Make LDAP extra attributes available to IPA and AD
  Sumit Bose, 2014-05-02, 1 file changed, -5/+6
  https://fedorahosted.org/sssd/ticket/2073
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* LDAP: Make it possible to extend an attribute map
  Jakub Hrozek, 2014-05-02, 2 files changed, -0/+10
  https://fedorahosted.org/sssd/ticket/2073
  This commit adds a new option ldap_user_extra_attrs that is unset by default. When set, the option contains a list of LDAP attributes the LDAP provider would download and store in addition to the usual set.
  The list can either contain LDAP attribute names only, or colon-separated tuples of LDAP attribute and SSSD cache attribute name. In case only the LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas.
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* AD Provider: bug-fix uninitialized variable
  Pavel Reichl, 2014-04-30, 1 file changed, -1/+2
  ad_subdomains_refresh() always sets the value of the output parameter 'changes' if EOK is returned.
  Reviewed-by: Sumit Bose <sbose@redhat.com>