| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2641
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the server-side configuration the extdom plugin can return
short or fully qualified names for IPA objects. The client must handle
the names according to its own configuration and not add the domain part
of the fully-qualified name unconditionally.
Resolves https://fedorahosted.org/sssd/ticket/2647
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during user lookups. As a result the lifetime of the
group-membership data is updates in those cases. But if the user is not
looked up directly but is resolved as a group member during a group
lookup SSSD does not resolve all group-membership of the user to avoid
deep recursion and eventually a complete enumeration of the user and
group base. In this case the lifetime of the group-memberships should
not be updated because it might be incomplete.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during a user lookup request. With these version there
is no need to reject a initgroups request for sub/trusted-domain users
anymore. This is e.g. useful for callers which call getgrouplist()
directly without calling getpwnam() before. Additionally it helps if for
some reasons the lifetime of the user entry and the lifetime of the
initgroups data is different.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U <user> -l.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
The member list returned by the extdom plugin might contain some entries
more than once. Although this is an issue on the server side to avoid
ldb errors duplicates should be filtered out on the client as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
For the default view all override data is available in the cached user
or group object. Even if separate override data is available it should
not be written into the cache.
Resolves https://fedorahosted.org/sssd/ticket/2630
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When working with older FreeIPA releases the view name might not always
been set. This patch add checks to might sure it is only dereferenced
when set.
Resolves https://fedorahosted.org/sssd/ticket/2604
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2444
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Check if the given name is already fully-qualified instead of adding a
domain name unconditionally.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The 'dom' pointer points to domain of the main object being saved. In
case of group, dom points to the domain where the group resides. But
when saving members, each members might be from a different domain, so we
need to find every member's domain based on the attributes.
Also don't use Yoda style in conditions.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Since ghost entries might not be properly removed on the IPA server
(https://fedorahosted.org/sssd/ticket/2567) chances are that during
extdom group lookups a single user is returned multiple time. This patch
removes the duplicates before trying to write the data to the cache.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the SSSD cache domain names are handled case-sensitive. As a result
fully-qualified names in RDN contain the domain part in the original
spelling. When IPA client lookup up group-memberships on the IPA server
via the extdom plugin the names returned are all lower case. To make
sure new DNs are generated correctly the domain part must adjusted.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When adding a user sysdb internally adds a value to SYSDB_GIDNUM for
mpg domain which might cause conflicts with the one we added to users
git GID overrides. With this patch the override GID is added after the
user is created but in the same transaction
Releted to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Since RESP_USER_GROUPLIST contains all group memberships it is
effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
The current request already returned the SID, we do not need to request
it separately.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The call protected by the check does not only expect the version 1 of
the extdom plugin is used but a specific response type as well. Since
version 1 can return older response types as well we want to be on the
safe side.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
The IPA extdom plugin returns the data with the default view already
applied hence it is on needed to look up the override data if the client
has the default view assigned.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When groups are resolved on IPA clients as part of a user lookup not all
groups have to be from the same domain as the used. This has to be
checked to store the group object properly in the cache.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the state of the cache group object a freshly created or
updates user entry for a trusted domain user might already be a member
of the group or not. This cache makes sure the requested user is a
member of all groups returned from the extdom request. Special care has
to be taken to cover cross-domain group-memberships properly.
Resolves https://fedorahosted.org/sssd/ticket/2529
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a typo when calling ldap_parse_result() which prevented
the server-side error message to be used and adds a hint that more
information might be available on the server side.
Fixes: https://fedorahosted.org/sssd/ticket/2456
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the name or the POSIX ID of a user or a group is overridden the
search request for those objects have to check the overide objects first
before looking up the original objects.
This patch adds a new request for the IPA sub-domain users which checks
the overrides first if
- SSSD is running in ipa-server-mode and a name or a POSIX ID is
searched, since we do not override the SIDs we can skip the search in
the override tree here
- if the responder indicates it has not found the corresponding object
in the cache and the input might be an override name or ID and not the
original one of an object.
If an override object was found the SID is extracted from the anchor
attribute and the original object is search by its SID. If no override
object was found the original object is search with the original input
and finally it is checked if an override object exits for the found
object.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the IPA provider will check if overrides exists for the
given view during the lookup of users and groups from trusted domains.
In ipa-server-mode the default view is automatically applied and written
to the cache. On IPA clients which use the extdom plugin for user and
group lookups the override data is saved separately and the original
object and the override data are linked with DN attributes for faster
reference.
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
The function talloc_ber_flatten can return EFAULT, ENOMEM, EOK.
But it was tested for -1.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initially the extdom plugin was only used to translate SIDs of AD user
and groups to names or POSIX IDs. On IPA clients group memberships were
resolved with the help of the PAC in the Kerberos ticket which required
that the user has logged in at least once. Home directory and the login
shell were auto generated.
The new version of the extdom plugin can return the complete list of
group memberships of a user and the list of all members of a group.
Additionally the gecos field, home directory and login shell are
returned together with an optional list of key-value pairs for arbitrary
data which is written unmodified to the cache.
Fixes https://fedorahosted.org/sssd/ticket/2159
and https://fedorahosted.org/sssd/ticket/2041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
|
|
|
|
|
|
|
|
| |
Function expand_homedir_template had lot of parameters.
After adding new expand option, all function call should be rewritten,
(usually argument NULL will be added)
This patch wraps all necessary arguments to structure.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
| |
|
|
|
|
|
| |
Declarations of public functions was in header files,
but header files was not included in implementation file.
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1630
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2032
In non-MPG subdomains (such as those that manage their IDs manually with
POSIX attributes), we need to set the GID ourself.
|
|
|
|
|
|
| |
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
|
|
|
| |
This patch add the functionality to handle lookup by SIDs and lookups
for SIDs to the subdomain branch of the IPA ID provider.
|
|
|
|
|
|
|
| |
Currently the POSIX ID or the user name are passed in different
parameters to some calls. The method will get cumbersome and error-prone
if new parameters like, e.g. the SID, are added. This patch adds a union
to hold the different kind of parameters.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1609
|