summaryrefslogtreecommitdiffstats
path: root/src/providers/ipa/ipa_access.c
Commit message (Collapse)AuthorAgeFilesLines
* LDAP: Amend sdap_access_check to allow any connectionJakub Hrozek2013-10-251-2/+11
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* handle ERR_ACCOUNT_EXPIRED properlyPavel Březina2013-06-171-0/+4
| | | | https://fedorahosted.org/sssd/ticket/1953
* LDAP: sdap_id_ctx might contain several connectionsJakub Hrozek2013-06-071-1/+1
| | | | | | | | | | | | | | | | | | | With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
* Convert sdap_access to new error codesSimo Sorce2013-03-191-10/+11
| | | | Also simplify sdap_access_send to avoid completely fake _send() routines.
* Add be_req_get_data() helper funciton.Simo Sorce2013-01-211-3/+3
| | | | In preparation for making struct be_req opaque.
* Add be_req_get_be_ctx() helper.Simo Sorce2013-01-211-20/+22
| | | | In preparation for making be_req opaque
* Introduce be_req_terminate() helperSimo Sorce2013-01-211-6/+6
| | | | | Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
* Remove domain from be_req structureSimo Sorce2013-01-211-2/+2
|
* Pass domain not be_req to access check functionsSimo Sorce2013-01-211-1/+1
|
* Move hbac_ctx_is_offline()Simo Sorce2013-01-211-0/+6
|
* Remove hbac_ctx_sdap_id_[ctx|op]()Simo Sorce2013-01-211-6/+6
|
* Remove hbac_ctx_ev()Simo Sorce2013-01-211-3/+3
|
* Remove hbac_ctx_be()Simo Sorce2013-01-211-3/+2
|
* Remove sysdb argument from hbac_get_cached_rules()Simo Sorce2013-01-211-4/+2
|
* Remove sysdb arg from [ipa_]hbac_sysdb_save()Simo Sorce2013-01-211-9/+8
| | | | Also make ipa_hbac_save_list() static
* Remove sysdb arg from ipa_hbac_service_info_send()Simo Sorce2013-01-211-1/+0
|
* Remove sysdb argument from ipa_host_info_send()Simo Sorce2013-01-211-1/+0
|
* Add domain argument to sysdb_search_custom()Simo Sorce2013-01-151-1/+3
| | | | Also changes sysdb_search_custom_by_name()
* Make sysdb_custom_subtree_dn() require a domain.Simo Sorce2013-01-151-1/+1
|
* Do not save HBAC rules in subdomain subtreeSumit Bose2012-11-191-10/+0
| | | | | | | | | | | | | | Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
* SYSDB: Remove unnecessary domain parameter from several sysdb callsJakub Hrozek2012-09-241-1/+0
| | | | | The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
* Unify usage of sysdb transactionsMichal Zidek2012-08-231-1/+2
| | | | | | Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
* Modify hbac_get_cached_rules() so it can be used outside of HBAC codeJan Zeleny2012-07-311-14/+17
|
* IPA: Don't hang onto memory longer than necessaryStephen Gallagher2012-07-021-0/+1
| | | | | This request and attached memory would be freed at the end of access-check processing, but it's a waste to keep it around.
* Detect subdomain request in IPA access providerJan Zeleny2012-04-241-0/+10
|
* Accept be_req instead if be_ctx in LDAP access providerJan Zeleny2012-04-241-1/+1
|
* IPA: Initialize hbac_ctx to NULLStephen Gallagher2012-03-121-1/+1
|
* IPA: Check nsAccountLock during PAM_ACCT_MGMTStephen Gallagher2012-03-091-0/+56
| | | | https://fedorahosted.org/sssd/ticket/1227
* IPA hosts refactoringJan Zeleny2012-02-241-18/+6
|
* IPA: Add host info handlerJan Cholasta2012-02-071-1/+1
|
* Separate the host-retrieval code from IPA HBAC to common IPA codeJan Zeleny2012-02-061-16/+40
|
* Implemented support for multiple search bases in HBAC rules and servicesJan Zeleny2012-02-061-29/+5
|
* Support multiple search bases in HBACJan Zeleny2012-01-141-1/+1
|
* Export the function to convert ldb_result to sysdb_attrsJakub Hrozek2011-12-161-1/+1
| | | | It will be reused later in the sudo responder
* Add ipa_hbac_support_srchost option to IPA providerJan Zeleny2011-11-291-0/+4
| | | | | don't fetch all host groups if this option is false https://fedorahosted.org/sssd/ticket/1078
* Cleanup: Remove unused parametersJakub Hrozek2011-11-221-4/+0
|
* IPA access: hostname comparison should be case-insensitiveJakub Hrozek2011-09-281-1/+1
|
* sysdb refactoring: memory context deletedJan Zeleny2011-08-151-1/+1
| | | | | | This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
* sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny2011-08-151-2/+1
| | | | | The patch also updates code using modified functions. Tests have also been adjusted.
* Fix memory leak in ipa_hbac_evaluate_rulesStephen Gallagher2011-07-291-0/+1
| | | | https://fedorahosted.org/sssd/ticket/933
* Add ipa_hbac_treat_deny_as optionStephen Gallagher2011-07-081-1/+10
| | | | | | By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.
* Add ipa_hbac_refresh optionStephen Gallagher2011-07-081-0/+16
| | | | | This option describes the time between refreshes of the HBAC rules on the IPA server.
* Add new HBAC lookup and evaluation routinesStephen Gallagher2011-07-081-124/+380
|
* Remove old HBAC implementationStephen Gallagher2011-07-081-1585/+0
|
* Use realm for basedn instead of IPA domainJakub Hrozek2011-02-281-1/+1
| | | | https://fedorahosted.org/sssd/ticket/807
* Add ipa_hbac_search_base config optionSumit Bose2011-01-191-52/+39
|
* Add ldap_search_enumeration_timeout config optionSumit Bose2011-01-171-3/+3
|
* Add timeout parameter to sdap_get_generic_send()Sumit Bose2011-01-171-22/+31
|
* Fix uninitialized value error in set_local_and_remote_host_infoStephen Gallagher2010-12-171-1/+1
| | | | https://fedorahosted.org/sssd/ticket/725
* Fix unsafe return condition in ipa_access_handlerStephen Gallagher2010-12-171-1/+6
| | | | https://fedorahosted.org/sssd/ticket/718
generated by cgit (git 2.34.1) at 2024-06-21 05:30:10 +0000