path: root/src/providers/ipa
Commit message (Author, Date, Files changed, Lines -removed/+added)
* ipa: destroy cleanup task when subdomain is removed (Pavel Březina, 2013-10-25, 1 file, -0/+1)
  Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: free sdap domain if subdomain is removed (Pavel Březina, 2013-10-25, 1 file, -0/+4)
  Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: make subdomains refresh interval configurable (Pavel Březina, 2013-10-25, 1 file, -3/+4)
  This patch makes the refresh of available subdomains configurable.
  New option: subdomain_refresh_interval (undocumented)
  Resolves: https://fedorahosted.org/sssd/ticket/1968
* LDAP: Amend sdap_access_check to allow any connection (Jakub Hrozek, 2013-10-25, 1 file, -2/+11)
  Related: https://fedorahosted.org/sssd/ticket/2082
  Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* IPA: add trusted domains with missing idrange (Sumit Bose, 2013-10-25, 1 file, -0/+137)
  If the forest root of a trusted forest is managing POSIX IDs for its users and groups, the same is assumed for all member domains in the forest which do not explicitly have an idrange set. To reflect this, SSSD will create the matching ranges automatically.
  Fixes https://fedorahosted.org/sssd/ticket/2101
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argument (Sumit Bose, 2013-10-25, 1 file, -1/+1)
  When libss_idmap was only used to algorithmically map a SID to a POSIX ID, a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if no specific information about the domain was found. This led to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* subdomains: first destroy ptask then remove sdom (Pavel Březina, 2013-10-24, 1 file, -3/+3)
  be_ptask_destroy was unreachable since sdom is not present in the list of sdap domains any more.
* IPA: add callback to reset subdomain timeouts (Sumit Bose, 2013-10-22, 1 file, -0/+23)
  Fixes https://fedorahosted.org/sssd/ticket/2030
* IPA server mode: properly initialize ext_groups (Sumit Bose, 2013-10-16, 1 file, -1/+2)
* Do not return DP_ERR_FATAL in case of success (Sumit Bose, 2013-09-27, 1 file, -1/+5)
* ipa_server_mode: write capaths to krb5 include file (Sumit Bose, 2013-09-27, 1 file, -1/+3)
  If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root, the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC, but this work requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC, this patch might be removed from the sssd tree.
  Fixes https://fedorahosted.org/sssd/ticket/2093
* IPA: store forest name for forest member domains (Sumit Bose, 2013-09-27, 1 file, -1/+86)
  In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
* IPA: Ignore dns_discovery_domain in server mode (Jakub Hrozek, 2013-09-26, 1 file, -0/+36)
  https://fedorahosted.org/sssd/ticket/2079
  If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
* LDAP: sdap_id_setup_tasks accepts a custom enum request (Jakub Hrozek, 2013-09-18, 1 file, -1/+3)
  AD provider will override the default with its own.
* util: add sss_idmap_talloc[_free] (Pavel Březina, 2013-09-17, 1 file, -14/+3)
  Remove code duplication.
* Use right formatting to print string (Lukas Slebodnik, 2013-09-11, 1 file, -1/+1)
  format specifies type 'int' but the argument has type 'const char *'
* Fix formatting of variables with type: size_t (Lukas Slebodnik, 2013-09-11, 7 files, -10/+12)
* Fix formatting of variables with type: ssize_t (Lukas Slebodnik, 2013-09-11, 1 file, -2/+2)
* Fix warning missing arguments (Lukas Slebodnik, 2013-09-05, 1 file, -1/+1)
* Fix Czech specific character in my name (Pavel Březina, 2013-09-02, 2 files, -2/+2)
* IPA_HBAC: Explicitly include header file time.h (Lukas Slebodnik, 2013-08-28, 1 file, -0/+1)
  struct hbac_eval_req is defined in a header file and it has the attribute request_time with type time_t, but the header file "time.h" was not included. It was not a problem, because time.h was indirectly included by stdlib.h (stdlib.h -> sys/types.h -> time.h) in implementation files, but other platforms can have other dependencies among header files.
* IPA: Add forgotten declaration (Jakub Hrozek, 2013-08-28, 1 file, -0/+1)
  A conflict between two patches was not resolved correctly
* IPA: enable enumeration if parent domain enumerates in server mode (Jakub Hrozek, 2013-08-28, 1 file, -12/+58)
  https://fedorahosted.org/sssd/ticket/1963
* SYSDB: Store enumerate flag for subdomain (Jakub Hrozek, 2013-08-28, 1 file, -1/+2)
* LDAP: Make sdap_id_setup_tasks reusable for subdomains (Jakub Hrozek, 2013-08-28, 1 file, -1/+1)
  Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.
* DB: remove unused realm parameter from sysdb_master_domain_add_info (Jakub Hrozek, 2013-08-28, 1 file, -1/+1)
  The parameter was not used at all.
* ipa-server-mode: add IPA group memberships to AD users (Sumit Bose, 2013-08-28, 3 files, -8/+1004)
  When IPA trusts an AD domain, the AD users or groups can be placed into IPA groups, e.g. to put AD users under the control of HBAC. Since IPA groups can only have members from the IPA directory tree and the AD users and groups are not stored there, a special IPA object called external group was introduced. SIDs of users and groups can be added to the external group, and since the external groups are in the IPA directory tree they can be members of IPA groups.
  To speed things up and to remove some load from the IPA servers, SSSD reads all external groups and stores them in memory for some time before rereading the data.
  Enhances https://fedorahosted.org/sssd/ticket/1962
* IPA: Enable AD sites when in server mode (Jakub Hrozek, 2013-08-28, 3 files, -2/+70)
  https://fedorahosted.org/sssd/ticket/1964
  Currently the AD sites are enabled unconditionally
* krb5: Fetch ccname template from krb5.conf (Stephen Gallagher, 2013-08-28, 1 file, -1/+1)
  In order to use the same defaults in all system daemons that need to know how to generate or search for ccaches, we introduce code here to take advantage of the new option called default_ccache_name provided by libkrb5. If this variable is set, we establish the same default for all programs that source it out of krb5.conf, therefore providing a consistent experience across the system.
  Related: https://fedorahosted.org/sssd/ticket/2036
* ipa_s2n_get_user_done: make sure ALIAS name is lower case (Sumit Bose, 2013-08-19, 1 file, -2/+18)
  Fixes https://fedorahosted.org/sssd/ticket/1630
* ipa_s2n_get_user_done: free group_attrs as well (Sumit Bose, 2013-08-19, 1 file, -0/+1)
* Check whether servername is not an empty string. (Lukas Slebodnik, 2013-08-19, 1 file, -1/+1)
  Previous check was wrong, servername cannot be NULL.
* Use GID if subdomain is not MPG (Jakub Hrozek, 2013-07-29, 1 file, -1/+8)
  https://fedorahosted.org/sssd/ticket/2032
  In non-MPG subdomains (such as those that manage their IDs manually with POSIX attributes), we need to set the GID ourselves.
* Fix possible dereference of a NULL pointer. (Lukas Slebodnik, 2013-07-23, 1 file, -1/+1)
  We check if function ipa_get_ad_id_ctx returns NULL, but function ipa_get_ad_id_ctx could never return NULL.
  This issue was found by scan-build.
* KRB5: Do not send PAC in server mode (Jakub Hrozek, 2013-07-23, 1 file, -1/+7)
  The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case, but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
* Fix the default FQDN format (Jakub Hrozek, 2013-07-19, 1 file, -1/+1)
  Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN format by accident to the one we only ever use internally. This commit fixes the mistake.
* IPA: warn if full_name_format is customized in server mode (Jakub Hrozek, 2013-07-19, 1 file, -0/+17)
  https://fedorahosted.org/sssd/ticket/2009
  If the IPA server mode is on and the SSSD is running on the IPA server, then the server's extdom plugin calls getpwnam_r to read info about trusted users from the AD server and return them to the clients that called the extended operation.
  The SSSD returns the subdomain users fully-qualified, i.e. "user@domain" by default. The format of the fully qualified name is configurable. However, the extdom plugin returns the user name without the domain component.
  With this patch, when ipa_server_mode is on, warn if the full_name_format is set to a non-default value. That would prompt the admin to change the format if he changed it to something exotic.
* IPA: Look up AD users directly if IPA server mode is on (Jakub Hrozek, 2013-06-28, 4 files, -4/+155)
  https://fedorahosted.org/sssd/ticket/1962
  If the ipa_server_mode is selected, IPA subdomain user and group lookups are not done with the help of the extdom plugin but directly against AD using the AD ID code.
* IPA: Create and remove AD id_ctx for subdomains discovered in server mode (Jakub Hrozek, 2013-06-28, 1 file, -0/+182)
  When IPA server mode is on, then this patch will create an ad_id_ctx for each subdomain discovered in IPA provider. The ID context is needed to perform direct lookups using the AD provider.
  Subtask of: https://fedorahosted.org/sssd/ticket/1962
* IPA: Initialize server mode ctx if server mode is on (Jakub Hrozek, 2013-06-28, 4 files, -0/+62)
  This patch introduces a new structure that holds information about a subdomain and its ad_id_ctx. This structure will be used only in server mode to make it possible to search subdomains with a particular ad_id_ctx.
  Subtask of: https://fedorahosted.org/sssd/ticket/1962
* IPA: Add a server mode option (Jakub Hrozek, 2013-06-28, 2 files, -0/+2)
  https://fedorahosted.org/sssd/ticket/1993
  SSSD needs to know that it is running on an IPA server and should not look up trusted users and groups with the help of the extdom plugin but do the lookups on its own. For this a new boolean configuration option is introduced which defaults to false but is set to true during ipa-server-install or during updates of the FreeIPA server if it is not already set.
* Save mpg state for subdomains (Sumit Bose, 2013-06-28, 1 file, -3/+10)
  The information whether a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.
* IPA: read ranges before subdomains (Sumit Bose, 2013-06-28, 1 file, -29/+27)
  Since FreeIPA will start to support external mapping for trusted domains as well, the range type for the domain must be known before the domain object is created. The reason is that external mapping will not use magic private groups (mpg) while algorithmic mapping will use them.
* Replace new_subdomain() with find_subdomain_by_name() (Sumit Bose, 2013-06-28, 2 files, -7/+5)
  new_subdomain() will create a new domain object and should not be used anymore in the provider code directly. Instead a reference to the domain from the common domain object should be used.
* Add support for new ipaRangeType attribute (Sumit Bose, 2013-06-28, 3 files, -6/+36)
  Recent versions of FreeIPA support a range type attribute to allow different types of ranges for sub/trusted-domains. If the attribute is available it will be used; if not, the right value is determined with the help of the other idrange attributes.
  Fixes https://fedorahosted.org/sssd/ticket/1961
* Add ipa_idmap_init() (Sumit Bose, 2013-06-28, 3 files, -1/+275)
  Use the sdap_idmap context for the IPA provider as well.
  https://fedorahosted.org/sssd/ticket/1961
* Add new options ldap_min_id and ldap_max_id (Sumit Bose, 2013-06-28, 1 file, -0/+2)
  Currently the range for Posix IDs stored in an LDAP server is unbound. This might lead to conflicts in a setup with AD and trusts when the configured domain uses IDs from LDAP. With the two new options this conflict can be avoided.
* SSH: When host is removed from LDAP, remove it from the cache as well (Jan Cholasta, 2013-06-27, 1 file, -1/+8)
  https://fedorahosted.org/sssd/ticket/1949
* AD: Write out domain-realm mappings (Jakub Hrozek, 2013-06-27, 1 file, -164/+3)
  This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
* krb5: do not send pac for IPA users from the local domain (Sumit Bose, 2013-06-25, 1 file, -0/+1)
  So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recent patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider.
  Additionally a different flag is renamed to make its purpose more clear.
  Fixes https://fedorahosted.org/sssd/ticket/1995