summaryrefslogtreecommitdiffstats
path: root/src/providers/ipa
Commit message (Collapse)AuthorAgeFilesLines
* IPA: make version check more preciseSumit Bose2015-01-141-2/+2
| | | | | | | | | | The call protected by the check does not only expect the version 1 of the extdom plugin is used but a specific response type as well. Since version 1 can return older response types as well we want to be on the safe side. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 2fc12875f7d51248799016c19c1298b85e06a286)
* IPA: do not look up overrides on client with default viewSumit Bose2015-01-141-14/+49
| | | | | | | | | The IPA extdom plugin returns the data with the default view already applied hence it is on needed to look up the override data if the client has the default view assigned. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d8ceb194023a2cdc8bc183acc322e9a7fb6fe2b1)
* IPA: ipa_resolve_user_list_send() take care of overridesSumit Bose2015-01-131-10/+8
| | | | | | | | Currently ipa_resolve_user_list_send() only looks up the related user objects but do not check for overrides. This patch tries to fix this. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit eab17959df71341073f946c533f59fc5e593b35c)
* IPA: resolve ghost members if a non-default view is appliedSumit Bose2015-01-132-0/+213
| | | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 765d9075bb1e10ae0f09b6c2701bfd50aeb423d4)
* IPA: add get_be_acct_req_for_user_name()Sumit Bose2015-01-132-0/+18
| | | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d32b165fad7b89462f49c82349e1df5a2343afa2)
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-131-2/+1
| | | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 16cb0969f0a9ea71524d852077d6a480740d4f12)
* IPA: handle GID overrides for MPG domains on clientsSumit Bose2015-01-131-0/+26
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle groups from different domainsLukas Slebodnik2015-01-131-2/+16
| | | | | | | | | | | When groups are resolved on IPA clients as part of a user lookup not all groups have to be from the same domain as the used. This has to be checked to store the group object properly in the cache. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: verify group memberships of trusted domain usersSumit Bose2015-01-131-1/+144
| | | | | | | | | | | | Depending on the state of the cache group object a freshly created or updates user entry for a trusted domain user might already be a member of the group or not. This cache makes sure the requested user is a member of all groups returned from the extdom request. Special care has to be taken to cover cross-domain group-memberships properly. Resolves https://fedorahosted.org/sssd/ticket/2529 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Skip CHAUTHTOK_PRELIM when using OTPsJakub Hrozek2014-12-131-0/+1
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only used each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Do not append domain name to fq nameLukas Slebodnik2014-12-081-4/+17
| | | | | | | | | | Usernames from AD subdomains are already in fqdn we should not append domain name in this case. Resolves: https://fedorahosted.org/sssd/ticket/2512 Reviewed-by: Michal Židek <mzidek@redhat.com>
* Add extra_args to exec_child()Jakub Hrozek2014-12-031-1/+2
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: only update view data if it really changedSumit Bose2014-12-031-50/+66
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: make krb5 provider view awareSumit Bose2014-12-031-0/+13
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: allow view name change at startupSumit Bose2014-11-261-16/+81
| | | | | | | | | | Currently some manual steps are needed on a FreeIPA to switch from one view to another. With this patch the IPA provider checks at startup if the view name changed and does the needed steps automatically. Besides saving the new view name this includes removing the old view data and marking the user and group entries as invalid. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD/IPA: add krb5_confd_path configuration optionSumit Bose2014-11-253-0/+10
| | | | | | | | | With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Handle IPA groups returned from extop pluginJakub Hrozek2014-11-251-4/+9
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: check overrrides for IPA users as wellSumit Bose2014-11-203-4/+432
| | | | | | | | | Currently overrides were only available for sub-domains, e.g. trusted AD domains. With this patch overrides can be used for IPA users as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make get_object_from_cache() publicSumit Bose2014-11-202-4/+10
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add get_be_acct_req_for_uuid()Sumit Bose2014-11-202-6/+40
| | | | | | | | | | This new call creates the needs data for a lookup by UUID which is needed when trying to find the original object for an IPA override object. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add split_ipa_anchor()Sumit Bose2014-11-202-0/+65
| | | | | | | | | This call extracts the domain and the UUID part from an IPA override anchor. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Fix uuid defaultsSumit Bose2014-11-191-2/+2
| | | | | | | | | | | | | | | | | | Recently the uuid attributes for user and groups were removed because it was found that there are not used at all and that some of them where causing issues (https://fedorahosted.org/sssd/ticket/2383). The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute to relate overrides with the original IPA objects. The previous two patches revert the removal of the uuid attributes from users and groups with this patch set the default value of these attributes to ipaUniqueID from the IPA provider, to objectGUID for the AD provider and leaves them unset for the general LDAP case to avoid issues like the one from ticket #2383. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Revert "LDAP: Remove unused option ldap_group_uuid"Sumit Bose2014-11-191-0/+1
| | | | | | This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Revert "LDAP: Remove unused option ldap_user_uuid"Sumit Bose2014-11-191-0/+1
| | | | | | This reverts commit dfb2960ab251f609466fa660449703835c97f99a. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Store right username to selinux child contextLukas Slebodnik2014-11-071-1/+1
| | | | | | Wrong name would be used with fully qualified names. Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux_child: Do not ignore return values.Michal Zidek2014-11-071-0/+8
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Move setting the SELinux context to a child processJakub Hrozek2014-11-052-20/+661
| | | | | | | | In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>
* Views: apply user SSH public key overrideSumit Bose2014-11-052-0/+2
| | | | | | | | | | | | | With this patch the SSH public key override attribute is read from the FreeIPA server and saved in the cache with the other override data. Since it is possible to have multiple public SSH keys this override value does not replace any other data but will be added to existing values. Fixes https://fedorahosted.org/sssd/ticket/2454 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: inherit ldap_user_extra_attrs to AD subdomainsSumit Bose2014-11-051-0/+31
| | | | | | | | | | | | | | Currently the component of the IPA provider which reads the AD user and group attributes in ipa-server-mode uses default settings for the LDAP related attributes. As a result even if ldap_user_extra_attrs is defined in sssd.conf no extra attributes are read from AD. With the patch the value if ldap_user_extra_attrs is inherited to the AD subdomains to allow them to read extra attributes as well. Related to https://fedorahosted.org/sssd/ticket/2464 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: use ipaUserGroup object class for groupsPavel Březina2014-11-051-1/+1
| | | | | | | | | | | | | dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class of IPA groups from posixGroups to more general groupOfNames. However, this object class is used also for roles, permissions and privileges which caused SSSD to consider those objects to be groups as well during initgroups. Resolves: https://fedorahosted.org/sssd/ticket/2471 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Don't fail the request when BE doesn't find the objectJakub Hrozek2014-11-051-4/+6
| | | | | | | | The IPA subdomain code treated ENOENT as a fatal error, which resulted in a loud error message and the whole request being aborted. This patch ignores ENOENT. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Handle NULL members in process_members()Jakub Hrozek2014-10-221-0/+6
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ipa_subdomains_handler_master_done: initialize reply_countSumit Bose2014-10-221-1/+1
| | | | | | | | This patch should mainly silence a false-positive Coverity warning but since further processing depends on this variable I think it is a good idea anyways. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* ipa: improve error reporting for extdom LDAP exopSumit Bose2014-10-221-3/+6
| | | | | | | | | | This patch fixes a typo when calling ldap_parse_result() which prevented the server-side error message to be used and adds a hint that more information might be available on the server side. Fixes: https://fedorahosted.org/sssd/ticket/2456 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: fix issues with older servers not supporting viewsSumit Bose2014-10-223-6/+27
| | | | | | | | | Older FreeIPA servers which do not know about the ipaAssignedIDView attribute will return an error during the LDAP dereference request because SSSD marks LDAP extensions as critical. In this case we keep the view name empty and skip override lookups. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Use set_seuser instead of writing selinux login fileMichal Zidek2014-10-221-134/+48
| | | | | | | | | Remove the write/remove_selinux login file functions and use set_seuser instead. This patch will require change in selinux policy. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Always write capathsJakub Hrozek2014-10-161-3/+1
| | | | | | | | | We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* views: search overrides for user and group requestsSumit Bose2014-10-165-101/+601
| | | | | | | | | | | | | | | | | | | | | | | | | If the name or the POSIX ID of a user or a group is overridden the search request for those objects have to check the overide objects first before looking up the original objects. This patch adds a new request for the IPA sub-domain users which checks the overrides first if - SSSD is running in ipa-server-mode and a name or a POSIX ID is searched, since we do not override the SIDs we can skip the search in the override tree here - if the responder indicates it has not found the corresponding object in the cache and the input might be an override name or ID and not the original one of an object. If an override object was found the SID is extracted from the anchor attribute and the original object is search by its SID. If no override object was found the original object is search with the original input and finally it is checked if an override object exits for the found object. Relates to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* views: get overrides during user and group lookupsSumit Bose2014-10-163-102/+522
| | | | | | | | | | | | | | With this patch the IPA provider will check if overrides exists for the given view during the lookup of users and groups from trusted domains. In ipa-server-mode the default view is automatically applied and written to the cache. On IPA clients which use the extdom plugin for user and group lookups the override data is saved separately and the original object and the override data are linked with DN attributes for faster reference. Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* views: add ipa_get_ad_override_send()Sumit Bose2014-10-162-0/+262
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: add view support and get view nameSumit Bose2014-10-166-28/+328
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: make IPA ID context available to extdom client codeSumit Bose2014-10-164-5/+16
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* add_v1_group_data: fix for empty members listSumit Bose2014-10-141-16/+25
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Fix error handling after talloc_ber_flattenLukas Slebodnik2014-10-121-2/+1
| | | | | | | The function talloc_ber_flatten can return EFAULT, ENOMEM, EOK. But it was tested for -1. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add support for new extdom plugin versionSumit Bose2014-09-301-87/+802
| | | | | | | | | | | | | | | | | | | Initially the extdom plugin was only used to translate SIDs of AD user and groups to names or POSIX IDs. On IPA clients group memberships were resolved with the help of the PAC in the Kerberos ticket which required that the user has logged in at least once. Home directory and the login shell were auto generated. The new version of the extdom plugin can return the complete list of group memberships of a user and the list of all members of a group. Additionally the gecos field, home directory and login shell are returned together with an optional list of key-value pairs for arbitrary data which is written unmodified to the cache. Fixes https://fedorahosted.org/sssd/ticket/2159 and https://fedorahosted.org/sssd/ticket/2041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Use GC for group lookups in server modeJakub Hrozek2014-09-251-5/+9
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2412 Even though AD trusts often work with POSIX attributes which are normally not replicated to GC, our group lookups are smart since commit 008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using the LDAP connection and only use the GC connection to look up the members. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Add alternative objectClass to group attribute mapsMichal Zidek2014-09-151-1/+2
| | | | | | | | | | | | | In IPA we sometimes need to use posixGroup and sometimes groupOfNames objectclass to query the groups. This patch adds the possibility to specify alternative objectclass in group maps. By default it is only set for IPA. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: process non-posix nested groupsPavel Reichl2014-09-081-1/+1
| | | | | | | | | | Do not expect objectClass to be posixGroup but rather more general groupofnames. Resolves: https://fedorahosted.org/sssd/ticket/2343 Reviewed-by: Michal Židek <mzidek@redhat.com>
* SSS_CACHE: Allow sss_cache tool to flush SSH hosts cacheWilliam B2014-09-051-2/+2
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2358 Signed-off-by: Jan Cholasta <jcholast@redhat.com> Reviewed-by: Jan Cholasta <jcholast@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: new option - DN to ppolicy on LDAPPavel Reichl2014-08-271-0/+1
| | | | | | | | | | To check value of pwdLockout attribute on LDAP server, DN of ppolicy must be set. Resolves: https://fedorahosted.org/sssd/ticket/2364 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-17 02:13:10 +0000