| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the server-side configuration the extdom plugin can return
short or fully qualified names for IPA objects. The client must handle
the names according to its own configuration and not add the domain part
of the fully-qualified name unconditionally.
Resolves https://fedorahosted.org/sssd/ticket/2647
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3fe2e555edd3963d72483600e5d9616873afd00a)
(cherry picked from commit 226224c91971247f60a86d9c46dd1402f5c29e8a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during user lookups. As a result the lifetime of the
group-membership data is updates in those cases. But if the user is not
looked up directly but is resolved as a group member during a group
lookup SSSD does not resolve all group-membership of the user to avoid
deep recursion and eventually a complete enumeration of the user and
group base. In this case the lifetime of the group-memberships should
not be updated because it might be incomplete.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cffe3135f29c737f2598f3c1384bfba1694fb843)
(cherry picked from commit f643fadbd072a9d3725f5f750340d5b13628ce6a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during a user lookup request. With these version there
is no need to reject a initgroups request for sub/trusted-domain users
anymore. This is e.g. useful for callers which call getgrouplist()
directly without calling getpwnam() before. Additionally it helps if for
some reasons the lifetime of the user entry and the lifetime of the
initgroups data is different.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727)
(cherry picked from commit 24905d4ecbf210687e385449448f5a5ec97d2833)
|
|
|
|
|
|
|
|
|
| |
can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U <user> -l.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c520f40d1a2d77cf1d413451b5682297733521ed)
|
|
|
|
|
|
|
|
|
|
| |
The member list returned by the extdom plugin might contain some entries
more than once. Although this is an issue on the server side to avoid
ldb errors duplicates should be filtered out on the client as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 625cff0b0938538e51fdd3b2d985e6082b492ea5)
(cherry picked from commit 7752046aea558e4fbf057d4efc9aea1a61b1e009)
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the default view all override data is available in the cached user
or group object. Even if separate override data is available it should
not be written into the cache.
Resolves https://fedorahosted.org/sssd/ticket/2630
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2ab9a4538eb2e1a255e645f7efdcfd6bb722d265)
(cherry picked from commit 3453e4734d2f7738034af61edb7d33c0c7095d8a)
|
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 131da4d9f40e0e407d7bcae18ff16507976bc6c7)
(cherry picked from commit e8f5e135b4d389a1ae224da174c15dfe66b30810)
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit abb093b4ae10f2a5748bf9f194bf76794002eba0)
(cherry picked from commit ee3cd052a2aca57040a9b435def5442922f8af76)
|
|
|
|
|
|
|
|
|
|
|
| |
When working with older FreeIPA releases the view name might not always
been set. This patch add checks to might sure it is only dereferenced
when set.
Resolves https://fedorahosted.org/sssd/ticket/2604
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 8be0cf3eea892e13410c13abb030322599ca1b4f)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7ee9ac32485483beece872d6fcb3096fa77a004b)
|
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2444
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3e9712c2fdbba8f9cd25886943331e76e0b2cedd)
|
|
|
|
|
|
|
|
|
|
|
| |
Check if the given name is already fully-qualified instead of adding a
domain name unconditionally.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9ad346318dc2cc5d5a340d8d981ddfdcc6f632da)
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 'dom' pointer points to domain of the main object being saved. In
case of group, dom points to the domain where the group resides. But
when saving members, each members might be from a different domain, so we
need to find every member's domain based on the attributes.
Also don't use Yoda style in conditions.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit b2c5e98def89a0c3d16f5cf7e07ce2020338b540)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since ghost entries might not be properly removed on the IPA server
(https://fedorahosted.org/sssd/ticket/2567) chances are that during
extdom group lookups a single user is returned multiple time. This patch
removes the duplicates before trying to write the data to the cache.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 60f11e2fa1f63cd40ebace525ad823b0360fac94)
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the SSSD cache domain names are handled case-sensitive. As a result
fully-qualified names in RDN contain the domain part in the original
spelling. When IPA client lookup up group-memberships on the IPA server
via the extdom plugin the names returned are all lower case. To make
sure new DNs are generated correctly the domain part must adjusted.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When adding a user sysdb internally adds a value to SYSDB_GIDNUM for
mpg domain which might cause conflicts with the one we added to users
git GID overrides. With this patch the override GID is added after the
user is created but in the same transaction
Releted to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ba818cc39dfe94c2b8613f4badf7912811f0f737)
|
|
|
|
|
|
|
|
| |
Since RESP_USER_GROUPLIST contains all group memberships it is
effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 62d919aea98edd1095f6a22241903d4c045b46ed)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3cd287313d93e29f9754feb46017dba2a039affd)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f1f22df95996390f63266ebacb624e521d934592)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 942ebb62c8df766a22271103abd518ddae02ea3a)
|
|
|
|
|
|
|
|
| |
The current request already returned the SID, we do not need to request
it separately.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e6046d23b3e90102fb3c796737ced03fb5a60fea)
|
|
|
|
|
|
|
|
|
|
| |
The call protected by the check does not only expect the version 1 of
the extdom plugin is used but a specific response type as well. Since
version 1 can return older response types as well we want to be on the
safe side.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2fc12875f7d51248799016c19c1298b85e06a286)
|
|
|
|
|
|
|
|
|
| |
The IPA extdom plugin returns the data with the default view already
applied hence it is on needed to look up the override data if the client
has the default view assigned.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d8ceb194023a2cdc8bc183acc322e9a7fb6fe2b1)
|
|
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When groups are resolved on IPA clients as part of a user lookup not all
groups have to be from the same domain as the used. This has to be
checked to store the group object properly in the cache.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the state of the cache group object a freshly created or
updates user entry for a trusted domain user might already be a member
of the group or not. This cache makes sure the requested user is a
member of all groups returned from the extdom request. Special care has
to be taken to cover cross-domain group-memberships properly.
Resolves https://fedorahosted.org/sssd/ticket/2529
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a typo when calling ldap_parse_result() which prevented
the server-side error message to be used and adds a hint that more
information might be available on the server side.
Fixes: https://fedorahosted.org/sssd/ticket/2456
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the name or the POSIX ID of a user or a group is overridden the
search request for those objects have to check the overide objects first
before looking up the original objects.
This patch adds a new request for the IPA sub-domain users which checks
the overrides first if
- SSSD is running in ipa-server-mode and a name or a POSIX ID is
searched, since we do not override the SIDs we can skip the search in
the override tree here
- if the responder indicates it has not found the corresponding object
in the cache and the input might be an override name or ID and not the
original one of an object.
If an override object was found the SID is extracted from the anchor
attribute and the original object is search by its SID. If no override
object was found the original object is search with the original input
and finally it is checked if an override object exits for the found
object.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the IPA provider will check if overrides exists for the
given view during the lookup of users and groups from trusted domains.
In ipa-server-mode the default view is automatically applied and written
to the cache. On IPA clients which use the extdom plugin for user and
group lookups the override data is saved separately and the original
object and the override data are linked with DN attributes for faster
reference.
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
The function talloc_ber_flatten can return EFAULT, ENOMEM, EOK.
But it was tested for -1.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initially the extdom plugin was only used to translate SIDs of AD user
and groups to names or POSIX IDs. On IPA clients group memberships were
resolved with the help of the PAC in the Kerberos ticket which required
that the user has logged in at least once. Home directory and the login
shell were auto generated.
The new version of the extdom plugin can return the complete list of
group memberships of a user and the list of all members of a group.
Additionally the gecos field, home directory and login shell are
returned together with an optional list of key-value pairs for arbitrary
data which is written unmodified to the cache.
Fixes https://fedorahosted.org/sssd/ticket/2159
and https://fedorahosted.org/sssd/ticket/2041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
|
|
|
|
|
|
|
|
| |
Function expand_homedir_template had lot of parameters.
After adding new expand option, all function call should be rewritten,
(usually argument NULL will be added)
This patch wraps all necessary arguments to structure.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
| |
|
|
|
|
|
| |
Declarations of public functions was in header files,
but header files was not included in implementation file.
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1630
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2032
In non-MPG subdomains (such as those that manage their IDs manually with
POSIX attributes), we need to set the GID ourself.
|
|
|
|
|
|
| |
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
|
|
|
| |
This patch add the functionality to handle lookup by SIDs and lookups
for SIDs to the subdomain branch of the IPA ID provider.
|
|
|
|
|
|
|
| |
Currently the POSIX ID or the user name are passed in different
parameters to some calls. The method will get cumbersome and error-prone
if new parameters like, e.g. the SID, are added. This patch adds a union
to hold the different kind of parameters.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1609
|
|
|
|
|
|
|
|
|
| |
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|