summaryrefslogtreecommitdiffstats
path: root/src/providers/ipa/ipa_s2n_exop.c
Commit message (Collapse)AuthorAgeFilesLines
* views: Add is_default_view helper functionMichal Židek2015-07-021-10/+4
| | | | | | | Ticket: https://fedorahosted.org/sssd/ticket/2641 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: do not add domain name unconditionallySumit Bose2015-05-061-0/+2
| | | | | | | | | | | Depending on the server-side configuration the extdom plugin can return short or fully qualified names for IPA objects. The client must handle the names according to its own configuration and not add the domain part of the fully-qualified name unconditionally. Resolves https://fedorahosted.org/sssd/ticket/2647 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: update initgr expire timestamp conditionallySumit Bose2015-05-051-8/+11
| | | | | | | | | | | | | | | Newer versions of the extdom plugin return the full list of group-memberships during user lookups. As a result the lifetime of the group-membership data is updates in those cases. But if the user is not looked up directly but is resolved as a group member during a group lookup SSSD does not resolve all group-membership of the user to avoid deep recursion and eventually a complete enumeration of the user and group base. In this case the lifetime of the group-memberships should not be updated because it might be incomplete. Related to https://fedorahosted.org/sssd/ticket/2633 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: do initgroups if extdom exop supports itSumit Bose2015-05-051-3/+0
| | | | | | | | | | | | | | Newer versions of the extdom plugin return the full list of group-memberships during a user lookup request. With these version there is no need to reject a initgroups request for sub/trusted-domain users anymore. This is e.g. useful for callers which call getgrouplist() directly without calling getpwnam() before. Additionally it helps if for some reasons the lifetime of the user entry and the lifetime of the initgroups data is different. Related to https://fedorahosted.org/sssd/ticket/2633 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: fix segfault in ipa_s2n_exopAron Parsons2015-04-291-1/+1
| | | | | | | | can be triggered on demand by assigning a POSIX group with external members sudo privileges, then dropping the cache and doing a sudo -U <user> -l. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: use sysdb_attrs_add_string_safe to add group memberSumit Bose2015-04-271-2/+3
| | | | | | | | The member list returned by the extdom plugin might contain some entries more than once. Although this is an issue on the server side to avoid ldb errors duplicates should be filtered out on the client as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: do not try to save override data for the default viewSumit Bose2015-04-271-5/+10
| | | | | | | | | | For the default view all override data is available in the cached user or group object. Even if separate override data is available it should not be written into the cache. Resolves https://fedorahosted.org/sssd/ticket/2630 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: set EINVAL if dn can't be linearizedPavel Reichl2015-03-191-0/+1
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: make sure output variable is setSumit Bose2015-03-191-1/+3
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA idviews: check if view name is setSumit Bose2015-03-171-1/+4
| | | | | | | | | | When working with older FreeIPA releases the view name might not always been set. This patch add checks to might sure it is only dereferenced when set. Resolves https://fedorahosted.org/sssd/ticket/2604 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: make sure extdom expo data is availableSumit Bose2015-03-131-0/+5
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: do not treat missing sub-domain users as errorSumit Bose2015-03-131-3/+7
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2444 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa_s2n_save_objects: properly handle fully-qualified group namesSumit Bose2015-01-301-1/+1
| | | | | | | | | | Check if the given name is already fully-qualified instead of adding a domain name unconditionally. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Use attr's dom for users, tooJakub Hrozek2015-01-261-11/+11
| | | | | | | | | | | The 'dom' pointer points to domain of the main object being saved. In case of group, dom points to the domain where the group resides. But when saving members, each members might be from a different domain, so we need to find every member's domain based on the attributes. Also don't use Yoda style in conditions. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: process_members() add ghosts only onceSumit Bose2015-01-261-2/+4
| | | | | | | | | | | Since ghost entries might not be properly removed on the IPA server (https://fedorahosted.org/sssd/ticket/2567) chances are that during extdom group lookups a single user is returned multiple time. This patch removes the duplicates before trying to write the data to the cache. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: properly handle mixed-case trusted domainsSumit Bose2015-01-231-2/+14
| | | | | | | | | | | | In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA client lookup up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: fix GID overrride for mpg domainsSumit Bose2015-01-211-1/+20
| | | | | | | | | | | When adding a user sysdb internally adds a value to SYSDB_GIDNUM for mpg domain which might cause conflicts with the one we added to users git GID overrides. With this patch the override GID is added after the user is created but in the same transaction Releted to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLISTSumit Bose2015-01-141-0/+14
| | | | | | | Since RESP_USER_GROUPLIST contains all group memberships it is effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: resolve missing membersSumit Bose2015-01-141-14/+48
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()Sumit Bose2015-01-141-50/+50
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: process_members() optionally return missing members listSumit Bose2015-01-141-18/+67
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add missing breakSumit Bose2015-01-141-0/+1
| | | | | | | The current request already returned the SID, we do not need to request it separately. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make version check more preciseSumit Bose2015-01-141-2/+2
| | | | | | | | | The call protected by the check does not only expect the version 1 of the extdom plugin is used but a specific response type as well. Since version 1 can return older response types as well we want to be on the safe side. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: do not look up overrides on client with default viewSumit Bose2015-01-141-14/+49
| | | | | | | | The IPA extdom plugin returns the data with the default view already applied hence it is on needed to look up the override data if the client has the default view assigned. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: handle GID overrides for MPG domains on clientsSumit Bose2014-12-171-0/+26
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle groups from different domainsLukas Slebodnik2014-12-171-2/+16
| | | | | | | | | | | When groups are resolved on IPA clients as part of a user lookup not all groups have to be from the same domain as the used. This has to be checked to store the group object properly in the cache. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: verify group memberships of trusted domain usersSumit Bose2014-12-171-1/+144
| | | | | | | | | | | | Depending on the state of the cache group object a freshly created or updates user entry for a trusted domain user might already be a member of the group or not. This cache makes sure the requested user is a member of all groups returned from the extdom request. Special care has to be taken to cover cross-domain group-memberships properly. Resolves https://fedorahosted.org/sssd/ticket/2529 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Handle IPA groups returned from extop pluginJakub Hrozek2014-11-241-4/+9
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Handle NULL members in process_members()Jakub Hrozek2014-10-221-0/+6
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ipa: improve error reporting for extdom LDAP exopSumit Bose2014-10-221-3/+6
| | | | | | | | | | This patch fixes a typo when calling ldap_parse_result() which prevented the server-side error message to be used and adds a hint that more information might be available on the server side. Fixes: https://fedorahosted.org/sssd/ticket/2456 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: search overrides for user and group requestsSumit Bose2014-10-161-21/+62
| | | | | | | | | | | | | | | | | | | | | | | | | If the name or the POSIX ID of a user or a group is overridden the search request for those objects have to check the overide objects first before looking up the original objects. This patch adds a new request for the IPA sub-domain users which checks the overrides first if - SSSD is running in ipa-server-mode and a name or a POSIX ID is searched, since we do not override the SIDs we can skip the search in the override tree here - if the responder indicates it has not found the corresponding object in the cache and the input might be an override name or ID and not the original one of an object. If an override object was found the SID is extracted from the anchor attribute and the original object is search by its SID. If no override object was found the original object is search with the original input and finally it is checked if an override object exits for the found object. Relates to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* views: get overrides during user and group lookupsSumit Bose2014-10-161-57/+305
| | | | | | | | | | | | | | With this patch the IPA provider will check if overrides exists for the given view during the lookup of users and groups from trusted domains. In ipa-server-mode the default view is automatically applied and written to the cache. On IPA clients which use the extdom plugin for user and group lookups the override data is saved separately and the original object and the override data are linked with DN attributes for faster reference. Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: make IPA ID context available to extdom client codeSumit Bose2014-10-161-1/+8
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* add_v1_group_data: fix for empty members listSumit Bose2014-10-141-16/+25
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Fix error handling after talloc_ber_flattenLukas Slebodnik2014-10-121-2/+1
| | | | | | | The function talloc_ber_flatten can return EFAULT, ENOMEM, EOK. But it was tested for -1. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add support for new extdom plugin versionSumit Bose2014-09-301-87/+802
| | | | | | | | | | | | | | | | | | | Initially the extdom plugin was only used to translate SIDs of AD user and groups to names or POSIX IDs. On IPA clients group memberships were resolved with the help of the PAC in the Kerberos ticket which required that the user has logged in at least once. Home directory and the login shell were auto generated. The new version of the extdom plugin can return the complete list of group memberships of a user and the list of all members of a group. Additionally the gecos field, home directory and login shell are returned together with an optional list of key-value pairs for arbitrary data which is written unmodified to the cache. Fixes https://fedorahosted.org/sssd/ticket/2159 and https://fedorahosted.org/sssd/ticket/2041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Add option to expand homedir template formatLukas Slebodnik2014-06-021-0/+1
| | | | | | | | | LDAP server can contain template for home directory instead of plain string. This patch adds new expand option "%H", which will be replaced with value from configuration option homedir_substring (from sssd.conf) Resolves: https://fedorahosted.org/sssd/ticket/1853
* NSS: Refactor expand_homedir_templateLukas Slebodnik2014-06-021-7/+10
| | | | | | | | Function expand_homedir_template had lot of parameters. After adding new expand option, all function call should be rewritten, (usually argument NULL will be added) This patch wraps all necessary arguments to structure.
* Make DEBUG macro invocations variadicNikolai Kondrashov2014-02-121-58/+58
| | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-191-21/+6
|
* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)Michal Zidek2013-11-151-4/+3
|
* Include header file in implementation module.Lukas Slebodnik2013-09-241-0/+1
| | | | | Declarations of public functions was in header files, but header files was not included in implementation file.
* ipa_s2n_get_user_done: make sure ALIAS name is lower caseSumit Bose2013-08-191-2/+18
| | | | Fixes https://fedorahosted.org/sssd/ticket/1630
* ipa_s2n_get_user_done: free group_attrs as wellSumit Bose2013-08-191-0/+1
|
* Use GID if subdomain is not MPGJakub Hrozek2013-07-291-1/+8
| | | | | | | https://fedorahosted.org/sssd/ticket/2032 In non-MPG subdomains (such as those that manage their IDs manually with POSIX attributes), we need to set the GID ourself.
* Add utility functions for formatting fully-qualified namesJakub Hrozek2013-05-301-4/+4
| | | | | | Instead of using printf-like functions directly, provide two wrappers that would encapsulate formatting the fully-qualified names. No functional change is present in this patch.
* Add SID related lookups to IPA subdomainsSumit Bose2013-05-031-29/+202
| | | | | This patch add the functionality to handle lookup by SIDs and lookups for SIDs to the subdomain branch of the IPA ID provider.
* Use struct to hold different types of request parametersSumit Bose2013-05-021-17/+14
| | | | | | | Currently the POSIX ID or the user name are passed in different parameters to some calls. The method will get cumbersome and error-prone if new parameters like, e.g. the SID, are added. This patch adds a union to hold the different kind of parameters.
* Remove unused attribute listSumit Bose2013-05-021-3/+0
|
* Allow using flatname for subdomain home dir templateJakub Hrozek2013-04-101-1/+2
| | | | https://fedorahosted.org/sssd/ticket/1609