sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	AUTOFS: IPA provider	Jakub Hrozek	2012-02-07	1	-0/+14
\|
*	IPA: Add host info handler	Jan Cholasta	2012-02-07	1	-0/+1
\|
*	Update shadowLastChanged attribute during LDAP password change	Jan Zeleny	2012-02-06	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1019
*	Session target in IPA provider	Jan Zeleny	2012-02-06	1	-0/+17
\|
*	Implemented support for multiple search bases in HBAC rules and services	Jan Zeleny	2012-02-06	1	-0/+1
\|
*	AUTOFS: LDAP provider	Jakub Hrozek	2012-02-05	1	-1/+1
\|
*	NSS: Add individual timeouts for entry types	Stephen Gallagher	2012-02-04	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1016
*	IPA: Add support for services lookups (non-enum)	Stephen Gallagher	2012-01-31	1	-1/+3
\|
*	LDAP: Add option to disable paging control	Stephen Gallagher	2012-01-18	1	-1/+1
\| \| \| \|	Fixes https://fedorahosted.org/sssd/ticket/967
*	SUDO Integration - periodical update of rules in data provider	Pavel Březina	2012-01-17	1	-1/+1
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1110 Adds new configuration options: - ldap_sudo_refresh_enabled - enable/disable periodical updates - ldap_sudo_refresh_timeout - rules timeout (refresh period)
*	SUDO Integration - LDAP configuration options	Pavel Březina	2011-12-16	1	-1/+1
\|
*	Add sdap_connection_expire_timeout option	Stephen Gallagher	2011-12-12	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1036
*	Fixed IPA netgroup processing	Jan Zeleny	2011-12-09	1	-0/+1
\| \| \| \| \| \| \| \|	In case IPA netgroup had indirect member hosts, they wouldn't be detected. This patch also modifies debug messages for easier debugging in the future.
*	Add ldap_sasl_minssf option	Jan Zeleny	2011-12-08	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1075
*	Add ipa_hbac_support_srchost option to IPA provider	Jan Zeleny	2011-11-29	1	-0/+1
\| \| \| \| \|	don't fetch all host groups if this option is false https://fedorahosted.org/sssd/ticket/1078
*	IPA migration fixes	Jakub Hrozek	2011-11-29	1	-0/+1
\| \| \| \| \| \| \|	* use the id connection for looking up the migration flag * force TLS on the password based authentication connection https://fedorahosted.org/sssd/ticket/924
*	New IPA ID context	Jan Zeleny	2011-11-23	1	-1/+6
\|
*	Added and modified options for IPA netgroups	Jan Zeleny	2011-11-23	1	-0/+23
\|
*	Support to request canonicalization in LDAP/IPA provider	Jan Zeleny	2011-11-02	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/957
*	Add support to request canonicalization on krb AS requests	Jan Zeleny	2011-11-02	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/957
*	Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON	Jakub Hrozek	2011-08-26	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/978
*	Check DNS records before updating	Jakub Hrozek	2011-07-11	1	-0/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/802
*	Add ipa_hbac_treat_deny_as option	Stephen Gallagher	2011-07-08	1	-0/+1
\| \| \| \| \| \|	By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.
*	Add ipa_hbac_refresh option	Stephen Gallagher	2011-07-08	1	-0/+1
\| \| \| \| \|	This option describes the time between refreshes of the HBAC rules on the IPA server.
*	Use dereference when processing RFC2307bis nested groups	Jakub Hrozek	2011-05-20	1	-1/+1
\| \| \| \| \| \| \| \|	Instead of issuing N LDAP requests when processing a group with N users, utilize the dereference functionality to pull down all the members in a single LDAP request. https://fedorahosted.org/sssd/ticket/799
*	Add ldap_page_size configuration option	Stephen Gallagher	2011-04-27	1	-1/+1
\|
*	Modify principal selection for keytab authentication	Jan Zeleny	2011-04-25	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
*	Allow new option to specify principal for FAST	Jan Zeleny	2011-04-25	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/700
*	Add krb5_realm to the basic IPA options	Stephen Gallagher	2011-02-22	1	-0/+1
\| \| \| \| \| \| \|	Previously, this was only handled by the internal LDAP and Kerberos providers, but this wasn't available early enough to properly handle setting up the krb5_service for failover and creating the krb5info files.
*	Allow krb5_realm to override ipa_domain	Stephen Gallagher	2011-02-22	1	-1/+2
\| \| \| \| \| \|	It is possible to set up FreeIPA servers where the Kerberos realm differs from the IPA domain name. We need to allow setting the krb5_realm explicitly to handle this.
*	Add option to disable TLS for LDAP authsssd-1_5_1	Stephen Gallagher	2011-01-27	1	-1/+1
\| \| \| \| \|	Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.
*	Add ldap_tls_{cert,key,cipher_suite} config options	Tyson Whitehead	2011-01-20	1	-1/+1
\| \| \| \|	Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
*	Add ipa_hbac_search_base config option	Sumit Bose	2011-01-19	1	-0/+1
\|
*	Add ldap_search_enumeration_timeout config option	Sumit Bose	2011-01-17	1	-1/+1
\|
*	Add support for FAST in krb5 provider	Sumit Bose	2010-12-07	1	-1/+1
\|
*	Add ldap_chpass_uri config option	Sumit Bose	2010-12-06	1	-1/+1
\|
*	Add new account expired rule to LDAP access provider	Sumit Bose	2010-12-06	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated. 'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'. 'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute.
*	Add support for automatic Kerberos ticket renewal	Sumit Bose	2010-12-03	1	-1/+1
\|
*	Add krb5_lifetime option	Sumit Bose	2010-12-03	1	-1/+1
\|
*	Add krb5_renewable_lifetime option	Sumit Bose	2010-12-03	1	-1/+1
\|
*	Add ldap_deref option	Sumit Bose	2010-10-22	1	-1/+1
\|
*	Add option to limit nested groups	Simo Sorce	2010-10-18	1	-1/+1
\|
*	Add infrastructure to LDAP provider for netgroup support	Sumit Bose	2010-10-13	1	-1/+1
\|
*	Add KDC to the list of LDAP options	Jakub Hrozek	2010-10-13	1	-1/+1
\|
*	Remove krb5_changepw_principal option	Jakub Hrozek	2010-06-14	1	-1/+1
\| \| \| \|	Fixes: #531
*	Add ldap_access_filter option	Stephen Gallagher	2010-05-27	1	-1/+1
\| \| \| \| \| \| \| \| \| \|	This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
*	Add support for delayed kinit if offline	Sumit Bose	2010-05-26	1	-1/+1
\| \| \| \| \| \| \|	If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
*	Add ldap_krb5_ticket_lifetime option	Sumit Bose	2010-05-16	1	-1/+1
\|
*	Add dynamic DNS updates to FreeIPA	Stephen Gallagher	2010-05-16	1	-0/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
*	New version of IPA auth and password migration	Sumit Bose	2010-05-16	1	-1/+7
\| \| \| \| \| \| \| \| \|	The current version modified some global structures to be able to use Kerberos and LDAP authentication during the IPA password migration. This new version only uses tevent requests. Additionally the ipaMigrationEnabled attribute is read from the IPA server to see if password migration is allowed or not.