| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a typo when calling ldap_parse_result() which prevented
the server-side error message to be used and adds a hint that more
information might be available on the server side.
Fixes: https://fedorahosted.org/sssd/ticket/2456
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the name or the POSIX ID of a user or a group is overridden the
search request for those objects have to check the overide objects first
before looking up the original objects.
This patch adds a new request for the IPA sub-domain users which checks
the overrides first if
- SSSD is running in ipa-server-mode and a name or a POSIX ID is
searched, since we do not override the SIDs we can skip the search in
the override tree here
- if the responder indicates it has not found the corresponding object
in the cache and the input might be an override name or ID and not the
original one of an object.
If an override object was found the SID is extracted from the anchor
attribute and the original object is search by its SID. If no override
object was found the original object is search with the original input
and finally it is checked if an override object exits for the found
object.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the IPA provider will check if overrides exists for the
given view during the lookup of users and groups from trusted domains.
In ipa-server-mode the default view is automatically applied and written
to the cache. On IPA clients which use the extdom plugin for user and
group lookups the override data is saved separately and the original
object and the override data are linked with DN attributes for faster
reference.
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
The function talloc_ber_flatten can return EFAULT, ENOMEM, EOK.
But it was tested for -1.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initially the extdom plugin was only used to translate SIDs of AD user
and groups to names or POSIX IDs. On IPA clients group memberships were
resolved with the help of the PAC in the Kerberos ticket which required
that the user has logged in at least once. Home directory and the login
shell were auto generated.
The new version of the extdom plugin can return the complete list of
group memberships of a user and the list of all members of a group.
Additionally the gecos field, home directory and login shell are
returned together with an optional list of key-value pairs for arbitrary
data which is written unmodified to the cache.
Fixes https://fedorahosted.org/sssd/ticket/2159
and https://fedorahosted.org/sssd/ticket/2041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
|
|
|
|
|
|
|
|
| |
Function expand_homedir_template had lot of parameters.
After adding new expand option, all function call should be rewritten,
(usually argument NULL will be added)
This patch wraps all necessary arguments to structure.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
| |
|
|
|
|
|
| |
Declarations of public functions was in header files,
but header files was not included in implementation file.
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1630
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2032
In non-MPG subdomains (such as those that manage their IDs manually with
POSIX attributes), we need to set the GID ourself.
|
|
|
|
|
|
| |
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
|
|
|
| |
This patch add the functionality to handle lookup by SIDs and lookups
for SIDs to the subdomain branch of the IPA ID provider.
|
|
|
|
|
|
|
| |
Currently the POSIX ID or the user name are passed in different
parameters to some calls. The method will get cumbersome and error-prone
if new parameters like, e.g. the SID, are added. This patch adds a union
to hold the different kind of parameters.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1609
|
|
|
|
|
|
|
|
|
| |
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1805
|
|
|
|
| |
Also remove sysdb_store_domgroup()
|
|
|
|
| |
Also remove sysdb_store_domuser()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
|
|
|
|
|
|
|
|
| |
Currently the only type of supported sub-domains are AD domains which
are not case-sensitive. To make it easier for Windows user we make
sub-domains case-insensitive as well which allows to write the username
in any case at the login prompt.
If support for other types of sub-domains is added it might be necessary
to set the case-sensitive flag based on the domain type.
|
| |
|
|
|
|
|
|
|
|
| |
There are case where the extdom extended operation will return the flat
or NetBIOS name of a domain instead of the DNS domain name. If this name
is available for the current domain we accept it as well.
Related to https://fedorahosted.org/sssd/ticket/1561
|
|
|