| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2543
The LDAP URI is not valid prior to connecting to LDAP. Moreover,
reconnecting to a different server might invalidate the URI.
Move reading the URI after the connection has been established.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ccff8e75940963a0f68f86efcddc37133318abfa)
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2544
Use a dedicated fd instead to work around
https://bugzilla.samba.org/show_bug.cgi?id=11036
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit f00a61b6079d8de81432077a59daf015d85800d2)
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2544
Adds a new function exec_child_ex and moves setting the extra_argv[]
to exec_child_ex() along with specifying the input and output fds.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 16cb0969f0a9ea71524d852077d6a480740d4f12)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsmb logs to stdout by default. It's much more reasonable to log to
stderr by default.
Please also note:
https://bugzilla.samba.org/show_bug.cgi?id=11036
and:
https://fedorahosted.org/sssd/ticket/2544
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit bb7ddd2be9847bfb07395341c7623da1b104b8a6)
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2542
If the GPO result object was missing completely, we would error out with
a fatal error code. It's more user-friendly to treat the missing object
as if the requested attribute was missing on the provider level.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit fc2cc91a5b645180e53d46436b0d08011aac8d74)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2484
When OTPs are used, we can only used each authtoken at most once. When
it comes to Kerberos password changes, this was only working previously
by accident, because the old authtoken was first used to verify the old
password is valid and not expired and then also to acquire a chpass
principal.
This patch looks at the user object in LDAP to check if the user has any
OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped
completely so that the OTP can be used to acquire the chpass ticket
later.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2503
Currently all child processes use the same arguments, the construction
of argv[] is even hardcoded in exec_child(). Add an extra_args[] array
that extends the common set of argvs so that we can have child-specific
arguments. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
All our child processes duplicated the same code that set up the
debugging all around. Instead of adding yet another copy for the
selinux_child, add a common utility function.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
We had struct io and the associated destructor copied twice in the code
already and need it again in the SELinux provider. Instead of adding
another copy, move the code to a shared subtree under util/
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We used to only generate the [capaths] section on the IPA server itself,
when running in a trusted setup. But we also found out that the capaths
are often required to make SSO fully work, so it's better to always
generate them.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
| |
deny_size and allow_size were initialized in function
parse_policy_setting_value (output argument).
If function parse_policy_setting_value fails then output arguments
will not initialized and will be used uninitialized in debug macro.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
The variable value could be used uninitialized.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Talloc context was not used in functions ad_gpo_parse_gpo_child_response
ad_gpo_process_cse_recv, ad_gpo_store_policy_settings.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some internal gpo functions [1] were called just once and with constant
NDR_SCALARS as 2nd argument(ndr_flags), but 2nd argument was not used
in these functions[1]. They used constant NDR_SCALARS.
[1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type,
ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision,
ndr_pull_security_descriptor_revision, ndr_pull_security_descriptor_type
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the access providers, we expect to receive ERR_ACCESS_DENIED when
access is denied, but we were returning EACCES here. The effect was the
same, except that it presented ultimately as a system error instead of
a proper denial.
Related:
https://fedorahosted.org/sssd/ticket/2437
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In IPA we sometimes need to use posixGroup and
sometimes groupOfNames objectclass to query the
groups. This patch adds the possibility to specify
alternative objectclass in group maps. By
default it is only set for IPA.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2431
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch prevents problems with user authentication
if gpo is misconfigurated.
[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or
directory) [Internal Error (System error)]
[be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com]
[be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com]
Reviewed-by: Yassir Elley <yelley@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
To check value of pwdLockout attribute on LDAP server, DN of ppolicy
must be set.
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If case_sensitivity is set to 'preserving', getXXnam
returns name attribute in the same format as
stored in LDAP.
Fixes:
https://fedorahosted.org/sssd/ticket/2367
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
When the GPO processing tried to advance to the next GPO on encountering
an error, the som_index was not incremented, causing an infinite loop.
Reviewed-by: Yassir Elley <yelley@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is problem with OpenLDAP server and dereferencing of attributes
that is not in the schema of the server?
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was a default value of option ldap_user_uuid,
but it was not use anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_sid/find_domain_by_sid/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
the opts.h files were consuming some #defines from ldap_common.h (such
as SSS_LDAP_SRV_NAME) without including ldap_common.h. That's bad
practice and break programs that wish to just include the opts.h header.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2185
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|