path: root/src/providers/ipa
Commit message (Author, Age; Files changed, Lines)
* IPA: Handle bad results from c-ares lookup (Stephen Gallagher, 2012-12-06; 1 file, -1/+11)
  In some situations, the c-ares lookup can return NULL instead of a list of addresses. In this situation, we need to avoid dereferencing NULL. This patch adds a log message and sets the count to zero so it is handled appropriately below.
* fix SIGSEGV in IPA provider when ldap_sasl_authid is not set (Pavel Březina, 2012-11-27; 1 file, -1/+1)
  https://fedorahosted.org/sssd/ticket/1657
  IPA_HOSTNAME is not stored in ipa_opts->id options, so the option was always NULL here. This caused SIGSEGV when accessed by strchr() in a subsequent function.
* LDAP: Only convert direct parents' ghost attribute to member (Jakub Hrozek, 2012-11-21; 1 file, -1/+0)
  https://fedorahosted.org/sssd/ticket/1612
  This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
* LDAP: Provide a common sdap_set_sasl_options init function (Jakub Hrozek, 2012-11-20; 1 file, -47/+8)
  The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
* Do not save HBAC rules in subdomain subtree (Sumit Bose, 2012-11-19; 2 files, -13/+16)
  Currently the sysdb context is pointed to the subdomain subtree containing the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data are saved in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data, this patch does not change the default sysdb context but only creates a special context to look up subdomain users.
* Refactor the way subdomain accounts are saved (Simo Sorce, 2012-11-19; 1 file, -4/+50)
  The original sysdb code had a strong assumption that only users from one domain are saved in the database. With the subdomain feature, we have changed reality, but have not adjusted all the code around the sysdb calls to not rely on the original assumption. One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should. In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and having group memberships or other name based matching code mistake a domain user for a subdomain user or vice versa.
* subdomains: check request type on one place only (Pavel Březina, 2012-11-14; 1 file, -6/+0)
  The check is now held only in ipa_get_subdomain_account_info_send().
* Run IPA subdomain provider if IPA ID provider is configured (Sumit Bose, 2012-11-14; 1 file, -1/+67)
  To make configuration easier the IPA subdomain provider should always be loaded if the IPA ID provider is configured and the subdomain provider is not explicitly disabled. But to avoid the overhead of regular subdomain requests in setups where no subdomains are used, the IPA subdomain provider should behave differently if configured explicitly or implicitly. If the IPA subdomain provider is configured explicitly, i.e. 'subdomains_provider = ipa' can be found in the domain section of sssd.conf, subdomain requests are always sent to the server if needed. If it is configured implicitly and a request to the server fails with an indication that the server currently does not support subdomains at all, e.g. is not configured to handle trust relationships, a new request will only be sent to the server after a long timeout or after a going-online event. To be able to make this distinction this patch saves the configuration status to the subdomain context.
  Fixes https://fedorahosted.org/sssd/ticket/1613
* Clarify debug message about initgroups and subdomains (Sumit Bose, 2012-11-12; 1 file, -0/+7)
  The initgroups request is not handled by the IPA provider for subdomain users on purpose, because the group membership information is not available on the IPA server but will be directly written to the cache when the PAC of the user is processed. The old generic debug message "Invalid sub-domain request type" might be misleading. This patch adds a specific message for the initgroups case, "Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.", and increases the debug level so that typically this message is not shown anymore because it is expected behaviour.
  Fixes https://fedorahosted.org/sssd/ticket/1610
* Make sub-domains case-insensitive (Sumit Bose, 2012-11-05; 1 file, -2/+23)
  Currently the only type of supported sub-domains are AD domains, which are not case-sensitive. To make it easier for Windows users we make sub-domains case-insensitive as well, which allows writing the username in any case at the login prompt. If support for other types of sub-domains is added it might be necessary to set the case-sensitive flag based on the domain type.
* krb5_auth_send: check for sub-domains (Sumit Bose, 2012-11-05; 1 file, -6/+0)
  If there is an authentication request for a user from a sub-domain, a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
* subdomain-id: Generate homedir only for users not groups (Sumit Bose, 2012-11-05; 1 file, -10/+12)
* Allow extdom exop to return flat domain name as well (Sumit Bose, 2012-10-12; 4 files, -4/+37)
  There are cases where the extdom extended operation will return the flat or NetBIOS name of a domain instead of the DNS domain name. If this name is available for the current domain we accept it as well.
  Related to https://fedorahosted.org/sssd/ticket/1561
* SSH: Refactor sysdb and related code (Jan Cholasta, 2012-10-05; 1 file, -2/+16)
* Fix default upper limit of slices (Ondrej Kos, 2012-10-04; 1 file, -1/+1)
  https://fedorahosted.org/sssd/ticket/1537
  Changes the upper limit of slices to 2000200000 in providers code and manpage.
* SYSDB: Remove unnecessary domain parameter from several sysdb calls (Jakub Hrozek, 2012-09-24; 3 files, -10/+4)
  The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
* Failover: use _srv_ when no primary server is defined (Pavel Březina, 2012-09-17; 1 file, -10/+3)
  https://fedorahosted.org/sssd/ticket/1521
* SELinux: Always use the default if it exists on the server (Jakub Hrozek, 2012-09-13; 1 file, -9/+9)
  https://fedorahosted.org/sssd/ticket/1513
  This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
  During an e-mail discussion, it was decided that
  * if the default is set in the IPA config object, the SSSD would use that default no matter what
  * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether
* netgroup: resolve hostgroup membership correctly (Pavel Březina, 2012-09-12; 1 file, -1/+1)
  https://fedorahosted.org/sssd/ticket/1519
  IPA host refactoring changed the mapping of the memberOf attribute, which caused SSSD to be unable to retrieve membership of a hostgroup when it is interpreted as a netgroup.
* Fix: IPv6 address with square brackets doesn't work. (Michal Zidek, 2012-08-23; 1 file, -0/+7)
  https://fedorahosted.org/sssd/ticket/1365
* Unify usage of sysdb transactions (Michal Zidek, 2012-08-23; 4 files, -5/+25)
  Removing bad examples of usage of the sysdb_transaction_start/commit/end functions and making it more consistent (all files except src/db/sysdb_*.c).
* Consolidation of functions that make realm upper-case (Ondrej Kos, 2012-08-23; 2 files, -25/+3)
* Duplicate detection in fail over did not work. (Michal Zidek, 2012-08-15; 1 file, -1/+6)
  https://fedorahosted.org/sssd/ticket/1472
* SRV resolution for backup servers should not be permitted. (Michal Zidek, 2012-08-09; 1 file, -1/+9)
  https://fedorahosted.org/sssd/ticket/1463
* Change default for ldap_idmap_range_min to 200000 (Jakub Hrozek, 2012-08-09; 1 file, -1/+1)
  https://fedorahosted.org/sssd/ticket/1462
* IPA: Securely set umask for mkstemp in subdomain provider (Stephen Gallagher, 2012-08-06; 1 file, -0/+3)
  https://fedorahosted.org/sssd/ticket/1457
* IPA: Do not attempt to close the same file twice (Stephen Gallagher, 2012-08-06; 1 file, -1/+1)
  https://fedorahosted.org/sssd/ticket/1456
* Create a domain-realm mapping for krb5.conf to be included (Jakub Hrozek, 2012-08-01; 1 file, -0/+135)
  When new subdomains are discovered, the SSSD creates a file that includes the domain-realm mappings. This file can in turn be included in the krb5.conf using the includedir directive, such as:
  includedir /var/lib/sss/pubconf/realm_mappings
* Add automatic periodic retrieval of subdomains (Simo Sorce, 2012-08-01; 1 file, -1/+44)
* Add online callback to enumerate subdomains (Simo Sorce, 2012-08-01; 1 file, -24/+49)
* Limit refreshes keeping track of last refresh time (Simo Sorce, 2012-08-01; 1 file, -26/+46)
* Change refreshing of subdomains (Simo Sorce, 2012-08-01; 1 file, -65/+156)
  This patch keeps a local copy of the subdomains in the ipa subdomains plugin context. This has 2 advantages:
  1. allows checking if anything changed w/o always hitting the sysdb.
  2. later will allow us to dump this information w/o having to retrieve it again.
  The timestamp also allows avoiding refreshing too often.
* Expose an initializer function from subdomain (Simo Sorce, 2012-08-01; 3 files, -32/+46)
  Instead of exporting internal structures, expose an initializer function like the autofs code and initialize everything inside the ipa_subdomains.c file.
* Add realm parameter to subdomain list (Simo Sorce, 2012-08-01; 1 file, -0/+27)
  This will be used later for setting domain_realm mappings in krb5.conf
* Use a more tractable name for subdomain request (Simo Sorce, 2012-08-01; 1 file, -7/+5)
  I am all for readable names, but there is a tradeoff between expressing purpose and compactness.
* 80 col and style fixes (Simo Sorce, 2012-08-01; 1 file, -20/+48)
  Something like this:
  sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb;
  really is not readable, and we always discourage using obfuscated C, please refrain in future.
* Make structure initializer more readable (Simo Sorce, 2012-08-01; 1 file, -7/+15)
* Fix wrong elements used in comparison (Simo Sorce, 2012-08-01; 1 file, -1/+1)
* Change subdomain_info (Simo Sorce, 2012-08-01; 1 file, -6/+6)
  Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.
* Primary server support: new option in IPA provider (Jan Zeleny, 2012-08-01; 3 files, -4/+6)
  This patch adds support for the new config option ipa_backup_server. The description of this option's functionality is included in the man page in one of the previous patches.
* Primary server support: new options in krb5 provider (Jan Zeleny, 2012-08-01; 1 file, -0/+3)
  This patch adds support for the new config options krb5_backup_server and krb5_backup_kpasswd. The description of these options' functionality is included in the man page in one of the previous patches.
* Primary server support: new option in ldap provider (Jan Zeleny, 2012-08-01; 1 file, -0/+2)
  This patch adds support for the new config option ldap_backup_uri. The description of this option's functionality is included in the man page in the previous patch.
* Primary server support: IPA adaptation (Jan Zeleny, 2012-08-01; 3 files, -35/+77)
  This patch adds support for the primary server functionality into the IPA provider. No backup servers are added at the moment, just the basic support is in place.
* Primary server support: basic support in failover code (Jan Zeleny, 2012-08-01; 1 file, -1/+1)
  Now there are two lists of servers for each service. If the currently selected server is only a backup, then an event will be scheduled which tries to get a connection to one of the primary servers and, if it succeeds, it starts using this server instead of the one which is currently connected to.
* Support fetching of host from sysdb in SELinux code (Jan Zeleny, 2012-07-31; 1 file, -11/+55)
  The host record will be fetched if HBAC is used as access provider since the record is already downloaded and it can be trusted to be valid.
* Support fetching of HBAC rules from sysdb in SELinux code (Jan Zeleny, 2012-07-31; 1 file, -14/+47)
  If HBAC is active, SELinux code will reuse them instead of downloading them from the server again.
* Modify hbac_get_cached_rules() so it can be used outside of HBAC code (Jan Zeleny, 2012-07-31; 2 files, -14/+22)
* Renamed session provider to selinux provider (Jan Zeleny, 2012-07-27; 4 files, -47/+47)
* Provide counter of possible matches in SELinux IPA provider (Jan Zeleny, 2012-07-25; 1 file, -6/+6)
  The counter is important so the for loop doesn't depend on the first NULL pointer. That would cause potential errors if more records follow after this first NULL pointer.
* Fix linking of HBAC rules and SELinux user maps (Jan Zeleny, 2012-07-25; 1 file, -0/+13)
  Manually translate memberHost and memberUser to originalMemberUser and originalMemberHost. Without this, the HBAC rule won't be matched against the current user and/or host, meaning that no SELinux user map connected to it will be matched against any user on the system.