summaryrefslogtreecommitdiffstats
path: root/src/providers/ad
Commit message (Collapse)AuthorAgeFilesLines
* GPO: Extract server hostname after connectingJakub Hrozek2015-01-131-29/+29
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2543 The LDAP URI is not valid prior to connecting to LDAP. Moreover, reconnecting to a different server might invalidate the URI. Move reading the URI after the connection has been established. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit ccff8e75940963a0f68f86efcddc37133318abfa)
* GPO: Don't use stdout for output in gpo_childJakub Hrozek2015-01-133-6/+12
| | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2544 Use a dedicated fd instead to work around https://bugzilla.samba.org/show_bug.cgi?id=11036 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit f00a61b6079d8de81432077a59daf015d85800d2)
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-131-1/+1
| | | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 16cb0969f0a9ea71524d852077d6a480740d4f12)
* GPO: Set libsmb debugging to stderrJakub Hrozek2015-01-131-0/+1
| | | | | | | | | | | | | libsmb logs to stdout by default. It's much more reasonable to log to stderr by default. Please also note: https://bugzilla.samba.org/show_bug.cgi?id=11036 and: https://fedorahosted.org/sssd/ticket/2544 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit bb7ddd2be9847bfb07395341c7623da1b104b8a6)
* GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()Jakub Hrozek2015-01-131-1/+4
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2542 If the GPO result object was missing completely, we would error out with a fatal error code. It's more user-friendly to treat the missing object as if the requested attribute was missing on the provider level. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit fc2cc91a5b645180e53d46436b0d08011aac8d74)
* Skip CHAUTHTOK_PRELIM when using OTPsJakub Hrozek2014-12-131-0/+1
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only used each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add extra_args to exec_child()Jakub Hrozek2014-12-031-1/+1
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD/IPA: add krb5_confd_path configuration optionSumit Bose2014-11-253-0/+10
| | | | | | | | | With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Revert "LDAP: Remove unused option ldap_group_uuid"Sumit Bose2014-11-191-0/+1
| | | | | | This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Revert "LDAP: Remove unused option ldap_user_uuid"Sumit Bose2014-11-191-0/+1
| | | | | | This reverts commit dfb2960ab251f609466fa660449703835c97f99a. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Remove more code duplication setting up child processesJakub Hrozek2014-11-051-21/+2
| | | | | | | | All our child processes duplicated the same code that set up the debugging all around. Instead of adding yet another copy for the selinux_child, add a common utility function. Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Remove code duplication of struct ioJakub Hrozek2014-11-051-40/+3
| | | | | | | | We had struct io and the associated destructor copied twice in the code already and need it again in the SELinux provider. Instead of adding another copy, move the code to a shared subtree under util/ Reviewed-by: Michal Židek <mzidek@redhat.com>
* GPO: Terminate request on errorJakub Hrozek2014-10-221-0/+2
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* UTIL: Always write capathsJakub Hrozek2014-10-161-1/+1
| | | | | | | | | We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* GPO: Do not use output argument if function failedLukas Slebodnik2014-10-131-4/+4
| | | | | | | | | deny_size and allow_size were initialized in function parse_policy_setting_value (output argument). If function parse_policy_setting_value fails then output arguments will not initialized and will be used uninitialized in debug macro. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: Fail if we cannot retrieve gpo from cache.Lukas Slebodnik2014-10-131-0/+6
| | | | | | The variable value could be used uninitialized. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: fail if there is problem with storing gpo into sysdbLukas Slebodnik2014-10-131-0/+14
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: remove unused talloc contextsLukas Slebodnik2014-10-031-11/+8
| | | | | | | Talloc context was not used in functions ad_gpo_parse_gpo_child_response ad_gpo_process_cse_recv, ad_gpo_store_policy_settings. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* GPO: Use argument ndg_flags instead of constantLukas Slebodnik2014-10-031-6/+6
| | | | | | | | | | | | Some internal gpo functions [1] were called just once and with constant NDR_SCALARS as 2nd argument(ndr_flags), but 2nd argument was not used in these functions[1]. They used constant NDR_SCALARS. [1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type, ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision, ndr_pull_security_descriptor_revision, ndr_pull_security_descriptor_type Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* AD-GPO resolve conflicting policy settings correctlyYassir Elley2014-10-021-499/+412
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2437 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* AD GPO: Fix incorrect return of EACCESStephen Gallagher2014-10-021-2/+2
| | | | | | | | | | | | In the access providers, we expect to receive ERR_ACCESS_DENIED when access is denied, but we were returning EACCES here. The effect was the same, except that it presented ultimately as a system error instead of a proper denial. Related: https://fedorahosted.org/sssd/ticket/2437 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Add a missing break statement to the GPO codeJakub Hrozek2014-09-291-1/+2
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* AD GPO: Fix incorrect sAMAccountName selectionStephen Gallagher2014-09-291-2/+2
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add alternative objectClass to group attribute mapsMichal Zidek2014-09-151-0/+1
| | | | | | | | | | | | | In IPA we sometimes need to use posixGroup and sometimes groupOfNames objectclass to query the groups. This patch adds the possibility to specify alternative objectclass in group maps. By default it is only set for IPA. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD-GPO: delete stale GPOsYassir Elley2014-09-081-0/+36
| | | | | | https://fedorahosted.org/sssd/ticket/2431 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD-GPO: processing changes for gpo_map_* optionsYassir Elley2014-09-085-23/+460
| | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD-GPO: config changes for gpo_map_* optionsYassir Elley2014-09-082-0/+17
| | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD: Ignore all errors if gpo is in permissive mode.Lukas Slebodnik2014-09-021-1/+18
| | | | | | | | | | | | | | | This patch prevents problems with user authentication if gpo is misconfigurated. [ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target. [sdap_id_op_destroy] (0x4000): releasing operation connection [ad_gpo_access_done] (0x0040): GPO-based access control failed. [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or directory) [Internal Error (System error)] [be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com] [be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com] Reviewed-by: Yassir Elley <yelley@redhat.com>
* SDAP: new option - DN to ppolicy on LDAPPavel Reichl2014-08-271-0/+1
| | | | | | | | | | To check value of pwdLockout attribute on LDAP server, DN of ppolicy must be set. Resolves: https://fedorahosted.org/sssd/ticket/2364 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD-GPO: ad_gpo changes for offline gpo supportYassir Elley2014-08-131-23/+149
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD-GPO: add ad_gpo_cache_timeout optionYassir Elley2014-07-315-97/+191
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD-GPO: only download policy files if gpo version changesYassir Elley2014-07-302-197/+560
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* case_sensitivity = preservingMichal Zidek2014-07-291-3/+27
| | | | | | | | | | | If case_sensitivity is set to 'preserving', getXXnam returns name attribute in the same format as stored in LDAP. Fixes: https://fedorahosted.org/sssd/ticket/2367 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* AD: Increment som_index when advancing to the next GPOJakub Hrozek2014-07-291-0/+2
| | | | | | | When the GPO processing tried to advance to the next GPO on encountering an error, the som_index was not incremented, causing an infinite loop. Reviewed-by: Yassir Elley <yelley@redhat.com>
* AD: Check return value of ad_gpo_evaluate_daclJakub Hrozek2014-07-291-2/+7
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Remove unused option ldap_user_uuidLukas Slebodnik2014-07-251-1/+0
| | | | | | | | | | | | | | | | | | | | | | There is problem with OpenLDAP server and dereferencing of attributes that is not in the schema of the server? sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \ -E 'deref=member:uid,dummy_attr' cn=ref_grp Protocol error (2) Additional information: Dereference control: attribute decoding error sh-4.2$ echo $? 2 The attribute nsUniqueID is a 389-only, non-standard attribute. It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson nor posixAccount schema. It was a default value of option ldap_user_uuid, but it was not use anywhere. Resolves: https://fedorahosted.org/sssd/ticket/2383 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Remove unused option ldap_group_uuidLukas Slebodnik2014-07-251-1/+0
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Remove unused option ldap_netgroup_uuidLukas Slebodnik2014-07-251-2/+0
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: rename find_subdomain_by_namePavel Reichl2014-07-223-5/+5
| | | | | | | | | The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: rename find_subdomain_by_sidPavel Reichl2014-07-221-1/+1
| | | | | | | | | The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_sid/find_domain_by_sid/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ad_handle_acct_info_step: fix typoPavel Březina2014-07-211-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD-GPO: Store policy settings in local filesYassir Elley2014-07-202-350/+403
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: add missing debug-to-stderr option to gpo_childSumit Bose2014-07-201-0/+3
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PROVIDERS: Add ldap_common.h to opts.h of each providerJakub Hrozek2014-07-081-0/+1
| | | | | | | | the opts.h files were consuming some #defines from ldap_common.h (such as SSS_LDAP_SRV_NAME) without including ldap_common.h. That's bad practice and break programs that wish to just include the opts.h header. Reviewed-by: Michal Židek <mzidek@redhat.com>
* AD-GPO: Add support for gpo permissive modeYassir Elley2014-07-011-2/+18
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* Use ldap_url_parse to extract hostname from ldap uriYassir Elley2014-07-011-5/+20
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD-GPO: Add gpo-smb implementation in gpo_child processYassir Elley2014-07-012-11/+1514
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: cleanup redundant #define statementsPavel Reichl2014-06-184-17/+11
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2185 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Add option to disable use of Token-GroupsPavel Reichl2014-06-021-0/+1
| | | | | | | | | | | Disabling use of Token-Groups is mandatory if expansion of nested groups is not desired (ldap_group_nesting_level = 0) for AD provider. Resolves: https://fedorahosted.org/sssd/ticket/2294 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD-GPO: Fix some failure modes in ad_gpo.cYassir Elley2014-05-301-9/+18
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>