path: root/src/providers/ad
Commit message | Author | Age | Files | Lines
* dp: make subdomains refresh interval configurable  (Pavel Březina, 2013-10-25, 1 file, -4/+4)
  This patch makes the refresh of available subdomains configurable.
  New option: subdomain_refresh_interval (undocumented)
  Resolves: https://fedorahosted.org/sssd/ticket/1968
* AD: Add extended access filter  (Jakub Hrozek, 2013-10-25, 2 files, -2/+216)
  https://fedorahosted.org/sssd/ticket/2082
  Adds a new option that allows the admin to specify a LDAP access filter that can be applied globally, per-domain or per-forest.
* AD: Search GC by default during access control, fall back to LDAP  (Jakub Hrozek, 2013-10-25, 3 files, -10/+163)
  Resolves: https://fedorahosted.org/sssd/ticket/2082
  In order to allow the ad_access_filter option to work for subdomain users as well, the Global Catalog must be searched. This patch adds a wrapper request atop sdap_access_send that selects the right connection (GC or LDAP) and optionally falls back to LDAP.
* AD: Use the ad_access_filter if it's set  (Jakub Hrozek, 2013-10-25, 1 file, -2/+20)
  Related: https://fedorahosted.org/sssd/ticket/2082
  Currently the AD access control only checks if an account has expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.
* AD: Add a new option ad_access_filter  (Jakub Hrozek, 2013-10-25, 2 files, -0/+2)
  This patch just adds the option, it doesn't do anything useful yet.
  Related: https://fedorahosted.org/sssd/ticket/2082
* LDAP: Amend sdap_access_check to allow any connection  (Jakub Hrozek, 2013-10-25, 1 file, -1/+3)
  Related: https://fedorahosted.org/sssd/ticket/2082
  Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* AD: fall back to LDAP if GC is not available.  (Lukas Slebodnik, 2013-10-25, 1 file, -0/+11)
  The AD provider went offline if the Global Catalog could not be connected, although the LDAP port was also available. With this patch, the AD provider will fall back to the LDAP port before going offline.
  A new boolean flag ignore_mark_offline was added to the structure sdap_id_conn_ctx. If this flag is enabled, the function be_mark_offline will not be called.
  Resolves: https://fedorahosted.org/sssd/ticket/2104
* AD: Prefer GC port from SRV record  (Lukas Slebodnik, 2013-10-25, 1 file, -2/+6)
  We had a hard-coded value of the Global Catalog port (3268). Information from the SRV record was ignored. This patch prefers the port number from the SRV record; the hard-coded value is used only as a fallback if the port number was not initialized.
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argument  (Sumit Bose, 2013-10-25, 1 file, -0/+1)
  When libss_idmap was only used to algorithmically map a SID to a POSIX ID, a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if no specific information about the domain was found. This led to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* AD: properly initialize GC from ad_server option  (Sumit Bose, 2013-10-04, 1 file, -1/+1)
* AD: talk to GC first even for local domain objects  (Jakub Hrozek, 2013-09-27, 2 files, -7/+18)
  Related: https://fedorahosted.org/sssd/ticket/2070
  Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matched in the GC, there is a possibility to fall back to LDAP.
* ipa_server_mode: write capaths to krb5 include file  (Sumit Bose, 2013-09-27, 1 file, -1/+1)
  If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root, the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC, but this work requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC, this patch might be removed from the sssd tree.
  Fixes https://fedorahosted.org/sssd/ticket/2093
* IPA: store forest name for forest member domains  (Sumit Bose, 2013-09-27, 1 file, -1/+1)
  In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
* AD: Failure to get flat name is not fatal  (Jakub Hrozek, 2013-09-22, 3 files, -68/+86)
  https://fedorahosted.org/sssd/ticket/2067
  Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.
* AD: Download master domain info when enumerating  (Jakub Hrozek, 2013-09-18, 3 files, -1/+200)
  https://fedorahosted.org/sssd/ticket/2068
  With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.
* AD: async request to retrieve master domain info  (Jakub Hrozek, 2013-09-18, 4 files, -214/+414)
  Adds a reusable async request to download the master domain info.
* util: add sss_idmap_talloc[_free]  (Pavel Březina, 2013-09-17, 1 file, -11/+3)
  Remove code duplication.
* Fix formatting of variables with type: size_t  (Lukas Slebodnik, 2013-09-11, 1 file, -2/+2)
* AD: Rename parametrized #define  (Jakub Hrozek, 2013-09-05, 1 file, -3/+3)
* ad srv: prefer servers that are in the same domain as client  (Pavel Březina, 2013-09-05, 1 file, -0/+89)
  https://fedorahosted.org/sssd/ticket/2001
* Fix czech specific character in my name  (Pavel Březina, 2013-09-02, 2 files, -2/+2)
* SYSDB: Store enumerate flag for subdomain  (Jakub Hrozek, 2013-08-28, 1 file, -2/+2)
* LDAP: Make sdap_id_setup_tasks reusable for subdomains  (Jakub Hrozek, 2013-08-28, 1 file, -1/+1)
  Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.
* DB: remove unused realm parameter from sysdb_master_domain_add_info  (Jakub Hrozek, 2013-08-28, 1 file, -1/+1)
  The parameter was not used at all.
* krb5: Fetch ccname template from krb5.conf  (Stephen Gallagher, 2013-08-28, 1 file, -1/+1)
  In order to use the same defaults in all system daemons that need to know how to generate or search for ccaches, we introduce code here to take advantage of the new option called default_ccache_name provided by libkrb5. If this variable is set, we establish the same default for all programs that source it out of krb5.conf, therefore providing a consistent experience across the system.
  Related: https://fedorahosted.org/sssd/ticket/2036
* AD: Use the correct include guard  (Jakub Hrozek, 2013-08-19, 1 file, -3/+3)
* AD: Cast SASL callbacks to proper type  (Ondrej Kos, 2013-08-09, 1 file, -1/+3)
  The initialization of ad_sasl_callbacks raised an incompatible pointer type warning. This was caused because the cyrus-sasl API has changed. The callback function list needs to be cast now.
* sssd_ad: Add hackish workaround for sasl ad_compat  (Simo Sorce, 2013-08-06, 1 file, -0/+41)
  This tries to set the ad_compat option for sasl, by working around the openldap/sasl initialization as openldap does not allow us to pass down to sasl our own getopt callback.
  Resolves: https://fedorahosted.org/sssd/ticket/2040
* KRB5: Do not send PAC in server mode  (Jakub Hrozek, 2013-07-23, 1 file, -0/+1)
  The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
* AD: Set the bool value same as default value in opts  (Jakub Hrozek, 2013-07-19, 1 file, -4/+4)
  https://fedorahosted.org/sssd/ticket/2023
  When the option values are copied using dp_opt_copy_map, the .val member is used if it's not NULL. At the same time, the bool options are never NULL, unlike integers or strings that can have special NULL-like values such as NULL_STRING. This effectively means that when copying a bool option, the .val member is always used. But in the AD maps, some .val fields were set differently from the .def_val fields. The effect was that when the AD subdomain provider was initialized from the IPA subdomain provider using only the defaults, some options (notably referral chasing) were set to a value that didn't make sense for the AD provider. This patch makes sure that for all boolean options, the .val is always the same as .def_val.
* IPA: Look up AD users directly if IPA server mode is on  (Jakub Hrozek, 2013-06-28, 2 files, -2/+13)
  https://fedorahosted.org/sssd/ticket/1962
  If the ipa_server_mode is selected, IPA subdomain user and group lookups are not done with the help of the extdom plugin but directly against AD using the AD ID code.
* AD: Move storing sdap_domain for subdomain to generic LDAP code  (Jakub Hrozek, 2013-06-28, 1 file, -65/+1)
  Makes creating the sdap_domain structure for a subdomain reusable outside AD subdomain code where it was created initially.
  Subtask of: https://fedorahosted.org/sssd/ticket/1962
* AD: initialize failover with custom realm, domain and failover service  (Jakub Hrozek, 2013-06-28, 3 files, -28/+41)
  This is needed so we can initialize failover using the IPA realm and an on-the-fly discovered DNS domain. The subdomains discovered on-the-fly will use the subdomain name for realm, domain and failover service to avoid conflicts.
  Subtask of: https://fedorahosted.org/sssd/ticket/1962
* AD: decouple ad_id_ctx initialization  (Jakub Hrozek, 2013-06-28, 3 files, -102/+285)
  The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers.
  Subtask of: https://fedorahosted.org/sssd/ticket/1962
* Save mpg state for subdomains  (Sumit Bose, 2013-06-28, 1 file, -1/+3)
  The information whether a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.
* Replace new_subdomain() with find_subdomain_by_name()  (Sumit Bose, 2013-06-28, 1 file, -3/+2)
  new_subdomain() will create a new domain object and should not be used anymore in the provider code directly. Instead a reference to the domain from the common domain object should be used.
* Add new options ldap_min_id and ldap_max_id  (Sumit Bose, 2013-06-28, 1 file, -0/+2)
  Currently the range for Posix IDs stored in an LDAP server is unbound. This might lead to conflicts in a setup with AD and trusts when the configured domain uses IDs from LDAP. With the two new options this conflict can be avoided.
* AD: Write out domain-realm mappings  (Jakub Hrozek, 2013-06-27, 1 file, -0/+7)
  This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
* AD: kinit with the local DC even when talking to a GC  (Jakub Hrozek, 2013-06-26, 2 files, -4/+21)
  We tried to use the GC address even for kinit which gave us errors like: "Realm not local to KDC while getting initial credentials". This patch adds a new AD_GC service that is only used for ID lookups, any sort of Kerberos operations are done against the local servers.
* Use forest for GC SRV lookups  (Sumit Bose, 2013-06-26, 1 file, -12/+40)
  https://fedorahosted.org/sssd/ticket/1973
* handle ERR_ACCOUNT_EXPIRED properly  (Pavel Březina, 2013-06-17, 1 file, -0/+4)
  https://fedorahosted.org/sssd/ticket/1953
* Fix allocation check  (Jakub Hrozek, 2013-06-17, 1 file, -1/+1)
* AD: Remove ad_options->auth options reference  (Jakub Hrozek, 2013-06-14, 1 file, -1/+0)
  The options are stored in ad_options->auth_ctx->opts, this member was completely unused and confusing.
* AD: Fix segfault in DEBUG message  (Jakub Hrozek, 2013-06-14, 1 file, -1/+1)
* Use the correct talloc context when creating AD subdomains  (Jakub Hrozek, 2013-06-12, 1 file, -1/+1)
  sdom was only ever guaranteed to be set when a new domain was being created. sditer is a valid pointer in both cases, so just use that.
* Fix allocation check in the AD provider  (Jakub Hrozek, 2013-06-11, 1 file, -1/+1)
  https://fedorahosted.org/sssd/ticket/1976
* A new option krb5_use_kdcinfo  (Jakub Hrozek, 2013-06-10, 2 files, -14/+27)
  https://fedorahosted.org/sssd/ticket/1883
  The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
* providers: refresh expired netgroups  (Pavel Březina, 2013-06-10, 1 file, -0/+10)
  https://fedorahosted.org/sssd/ticket/1713
* AD: Store trusted AD domains as subdomains  (Jakub Hrozek, 2013-06-07, 1 file, -2/+364)
  https://fedorahosted.org/sssd/ticket/364
  Looks up trusted domain objects in the LDAP and stores them as AD subdomains. Currently only trusted domains that run NT5 or newer from the same forest are looked up and stored.
* AD ID lookups - choose GC or LDAP as appropriate  (Jakub Hrozek, 2013-06-07, 1 file, -1/+262)
  https://fedorahosted.org/sssd/ticket/1557
  Some lookups should be performed from GC only -- for example trusted users are only present in the Global Catalog, while some lookups should be performed from LDAP only as not all objects or attributes are replicated to the Global Catalog. This patch adds a generic failover mechanism for identity lookups in the AD provider that allows choosing the appropriate source and even failing over to the other source if available.