summaryrefslogtreecommitdiffstats
path: root/src/providers/ad
Commit message (Collapse)AuthorAgeFilesLines
* AD Provider: Fix crash looking up forest on Samba 4Stephen Gallagher2014-04-101-1/+2
| | | | | | | | | | | | We were assuming that the forest had been looked up by netlogon, but this is not available on Samba 4 domains. We need to check that the forest is NULL and force the lookup. Resolves: https://fedorahosted.org/sssd/ticket/2311 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 8653b547d6142b69c62daa3cd74c251b2b9aecb7)
* AD: connect to forest root when downloading the list of subdomainsJakub Hrozek2014-04-021-9/+363
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2285 Only the forest root has the knowledge about all the domains in the forest, the forest leaves only see themselves and the forest root. This patch switches to connecting to the forest root for downloading the trusted domains instead of the server we are connected to. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD: Continue if sssd failes to check extra membersLukas Slebodnik2014-03-121-0/+1
| | | | | | | | | | | | | | Reported by scan-build for (mi = 0; group_only[mi]; mi++) { ^~~~~~~~~~ warning: Array access (from variable 'group_only') results in a null pointer dereference It can happend if function ad_group_extra_members fails (ret != EOK) Reviewed-by: Simo Sorce <simo@redhat.com> (cherry picked from commit bad65473c4c28ecbf2b6bd374a7ae2d634d57d8d)
* AD: Only connect to GC for subdomain usersJakub Hrozek2014-03-111-0/+17
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2251 By connecting to GC for users from both trusted domains and parent domain, we lose the ability to download the shell and homedir if these are used with ID mapping. This patch changes the user lookups only. Changing the logic for all lookups would break cross-domain group memberships, for example. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit bb8a08118db0916bf8252a9481c16271ec20acd3)
* SUDO: AD providerSumit Bose2014-03-023-0/+80
| | | | | | | | | | | | | | | This patch adds the sudo target to the AD provider. The main reason is to cover different default settings in the LDAP and AD provider. E.g. the default for ldap_id_mapping is True in the AD provider and False in the LDAP provider. If ldap_id_mapping was not set explicitly in the config file both components worked with different setting. Fixes https://fedorahosted.org/sssd/ticket/2256 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 61804568ce5ede3b1a699cda17c033dd6c23f0e3)
* DP: Provide separate dp_copy_defaults functionJakub Hrozek2014-02-261-8/+8
| | | | | | | https://fedorahosted.org/sssd/ticket/2257 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 90afedb00608547ae1f32aa7aafd552c4b306909)
* AD: Remove dead codeJakub Hrozek2014-02-121-8/+0
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit d3436880c0ec1a7776698c739d4a3edc9a6ac57c)
* AD: Only download domains that are set to enumerateJakub Hrozek2014-02-121-1/+5
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 957c55df7a7086166fb3c14cead6a0dab8f574c1)
* LDAP: Detect the presence of POSIX attributesJakub Hrozek2014-02-122-4/+47
| | | | | | | | | | | | | | | | | | | | When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit e81deec535d11912b87954c81a1edd768c1386c9)
* AD: Establish cross-domain memberships after enumeration finishesJakub Hrozek2014-01-292-22/+379
| | | | | | | | | | | | | | | | Because domain enumeration currently works for each domain separately, the code has to establish cross-domain memberships after all domains are enumerated. The code works as follows: 1) check if any *sub*domains were enumerated. If not, do nothing 2) if any of the groups saved had more original members than sysdb members, check if members of these groups can be linked now that all users and groups are saved using the orig_member attribute of the group matched against originalDN member of the user. Related: https://fedorahosted.org/sssd/ticket/2142
* AD: Enumerate users from GC, other entities from LDAPJakub Hrozek2014-01-291-3/+17
|
* LDAP: Pass a private context to enumeration ptask instead of hardcoded ↵Jakub Hrozek2014-01-293-10/+17
| | | | | | | | | | connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.
* AD: Store info on whether a subdomain is set to enumerateJakub Hrozek2014-01-291-5/+33
| | | | | | Depending on the state of the subdomain_enumerate variable, the newly created subdomain object is created with the right value of "enumerate" attribute in the sysdb.
* AD: Don't mark domain as enumerated twiceJakub Hrozek2014-01-291-13/+0
| | | | | The domain was already marked as enumerated using sysdb_set_enumerated in the enumeration request itself.
* AD SRV: use right domain name for CLDAP pingSumit Bose2014-01-281-1/+1
| | | | | | Currently always the name of the configured domain was passed to the CLDAP request. This will fail if the CLDAP request is send to a DC form a different domain.
* LDAP: Don't abort request if no id mapping domain matchesJakub Hrozek2014-01-241-1/+1
| | | | | | | | | If an ID was requested from the back end, but no ID mapping domain matched, the request ended with a scary error message. It's better to treat the request as if no such ID was found in the domain Related: https://fedorahosted.org/sssd/ticket/2200
* AD: Don't fail the request if ad_account_can_shortcut failsJakub Hrozek2014-01-201-1/+3
|
* AD: Return right error code from netlogon_get_flat_nameLukas Slebodnik2014-01-161-1/+1
| | | | | | | EOK was returned in done section of netlogon_get_flat_name, even if error code was set in variable ret. This patch fixes also warnings from scan-build.
* responder: Set forest attribute in AD domainsPavel Reichl2014-01-094-14/+49
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2160
* AD: Enable fallback to LDAP of trusted domainJakub Hrozek2013-12-191-13/+1
| | | | | Since we have the LDAP port of a trusted AD GC always available now, we can always perform a fallback.
* AD: Add a new option to turn off GC lookupsJakub Hrozek2013-12-193-13/+20
| | | | | | | | | | SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.
* AD: Add a utility function to create list of connectionsJakub Hrozek2013-12-196-41/+70
| | | | | | | | | | ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.
* AD: cross-domain membership fixSumit Bose2013-12-192-17/+4
| | | | | | | | | | | | | | | | | | | A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
* Add new option ldap_group_typeSumit Bose2013-12-191-0/+1
|
* AD: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-17/+32
| | | | | | | | | | Previously, if no changes were done to the list of subdomains, the SSSD didn't update its list of sdap_domain mappings for the new subdomain. This resulted in errors as no id_ctx was present for the subdomain during lookup. This patch moves the block of code performed during update to a function of its own and calls it during provider initialization as well.
* AD: use LDAP for group lookupsSumit Bose2013-12-132-3/+150
| | | | | | | | | | | | | | | | The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
* SUBDOMAINS: Reuse cached results if DP is offlineJakub Hrozek2013-12-091-0/+7
| | | | | | | | | | If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168
* Initialize sid_str to NULL to avoid freeing random dataJakub Hrozek2013-11-081-1/+1
| | | | | If any function before failed, sss_idmap_free_sid() might have been called with random data.
* free idmapped SIDs correctlyPavel Březina2013-11-072-2/+3
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* AD: Fix ad_access_filter parsing with empty filterJakub Hrozek2013-10-301-0/+8
|
* ad: shortcut if possible during get object by ID or SIDPavel Březina2013-10-301-0/+96
| | | | | | | | | | When getByID or getBySID comes from responder, the request doesn't necessarily have to contain correct domain, since responder iterates over all domains until it finds a match. Every domain has its own ID range, so we can simply shortcut if domain does not match and avoid LDAP round trip. Responder will continue with next domain until it finds the correct one.
* ad_subdom_store: check ID mapping of the domain not of the parentSumit Bose2013-10-291-2/+2
|
* ad: destroy ptasks when subdomain is removedPavel Březina2013-10-251-0/+3
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: free sdap domain if subdomain is removedPavel Březina2013-10-251-0/+11
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: make subdomains refresh interval configurablePavel Březina2013-10-251-4/+4
| | | | | | | | | | This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968
* AD: Add extended access filterJakub Hrozek2013-10-252-2/+216
| | | | | | | https://fedorahosted.org/sssd/ticket/2082 Adds a new option that allows the admin to specify a LDAP access filter that can be applied globally, per-domain or per-forest.
* AD: Search GC by default during access control, fall back to LDAPJakub Hrozek2013-10-253-10/+163
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2082 In order to allow the ad_access_filter option to work for subdomain users as well, the Global Catalog must be searched. This patch adds a wrapper request atop sdap_access_send that selects the right connection (GC or LDAP) and optionally falls back to LDAP.
* AD: Use the ad_access_filter if it's setJakub Hrozek2013-10-251-2/+20
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.
* AD: Add a new option ad_access_filterJakub Hrozek2013-10-252-0/+2
| | | | | | | This patch just adds the option, it doesn't do anything useful yet. Related: https://fedorahosted.org/sssd/ticket/2082
* LDAP: Amend sdap_access_check to allow any connectionJakub Hrozek2013-10-251-1/+3
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* AD: fall back to LDAP if GC is not available.Lukas Slebodnik2013-10-251-0/+11
| | | | | | | | | | | | AD provider went offline if the Global Catalog could not be connected although there was also the LDAP port available. With this patch, AD provider will fall back to the LDAP port before going offline. New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx If this flag is enabled function be_mark_offline will not be called. Resolves: https://fedorahosted.org/sssd/ticket/2104
* AD: Prefer GC port from SRV recordLukas Slebodnik2013-10-251-2/+6
| | | | | | | We had a hard coded value of Global Catalog port (3268). Informations from SRV record was ignored. This patch prefer port number from SRV record and hard coded value is used only as a fall back if port number was not initialized.
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argumentSumit Bose2013-10-251-0/+1
| | | | | | | | | | | | | When libss_idmap was only used to algorithmically map a SID to a POSIX ID a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if not specific information about the domain was found. The lead to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* AD: properly intitialize GC from ad_server optionSumit Bose2013-10-041-1/+1
|
* AD: talk to GC first even for local domain objectsJakub Hrozek2013-09-272-7/+18
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matches in the GC, there is a possibility to fall back to LDAP.
* ipa_server_mode: write capaths to krb5 include fileSumit Bose2013-09-271-1/+1
| | | | | | | | | | | | If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this works requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
* IPA: store forest name for forest member domainsSumit Bose2013-09-271-1/+1
| | | | | In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
* AD: Failure to get flat name is not fatalJakub Hrozek2013-09-223-68/+86
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2067 Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.
* AD: Download master domain info when enumeratingJakub Hrozek2013-09-183-1/+200
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.
* AD: async request to retrieve master domain infoJakub Hrozek2013-09-184-214/+414
| | | | Adds a reusable async request to download the master domain info.
generated by cgit (git 2.34.1) at 2024-05-24 22:24:39 +0000