sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	Possible null dereference in SELinux code	Michal Zidek	2014-04-04	1	-2/+2
\| \| \| \| \|	Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 7ac7dec08ec2c82a86fd6a90388993cfcee26da1)
*	IPA: Fix SELinux mapping order memory hierarchy	Jakub Hrozek	2014-04-03	1	-8/+8
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2300 The list of SELinux mapping orders was allocated on tmp_ctx and parsed into an array. The array itself was correctly allocated on mem_ctx but its contents remained on tmp_ctx, leading to a use-after-free error. This patch fixes the memory hierarchy so that both the array and its contents are allocated on mem_ctx. (cherry picked from commit 355b8a655cfcc4e783077d12f76b55da1d23fb87) Reviewed-by: Sumit Bose <sbose@redhat.com>
*	IPA: Use function sysdb_attrs_get_el in safe way	Lukas Slebodnik	2014-03-31	1	-10/+7
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Function sysdb_attrs_get_el can enlarge array of ldb_message_element in "struct sysdb_attrs" if attribute is not among available attributes. Array will be enlarged with function talloc_realloc but realloc can move array to another place in memory therefore ldb_message_element should not be used after next call of function sysdb_attrs_get_el sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found); sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found); With netgroups, it is common to omit user or host from netgroup triple. There is very high probability that realloc will be called. it is possible pointer user_found can refer to the old area after the second call of function sysdb_attrs_get_el. Resolves: https://fedorahosted.org/sssd/ticket/2284 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit c048657aa2fbb246b5dc199ef6101bfd6e5eeaea)
*	IPA: Write SELinux usernames in the right case	Jakub Hrozek	2014-03-13	1	-5/+21
\| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2282 Reviewed-by: Michal Židek <mzidek@redhat.com>
*	IPA: Use the correct domain when processing SELinux rules	Jakub Hrozek	2014-03-11	1	-10/+16
\| \| \| \| \| \| \| \| \| \| \|	We blindly used the user's domain for everything. That wrong in case the user comes from a subdomain. We should use the IPA domain for accessing the SELinux rules and host data and the user domain only for the user. https://fedorahosted.org/sssd/ticket/2270 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 36f606d6743e77721bedeed0907f1be7a19fa4f4)
*	IPA: Use GC for AD initgroup requests	Sumit Bose	2014-03-10	1	-6/+15
\| \| \| \|	Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
*	IPA: Do not save intermediate data to sysdb	Jakub Hrozek	2014-03-05	1	-28/+28
\| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2264 Reviewed-by: Sumit Bose <sbose@redhat.com>
*	ipa-server-mode: use lower-case user name for home dir	Sumit Bose	2014-03-03	1	-1/+10
\| \| \| \| \| \| \| \| \| \| \| \|	In older IPA server versions where the AD users where looked up by winbind the user name component of the home directory path was always lower case. This still holds for IPA clients as well. To avoid regression this patch makes the user name component lower case as well. Fixes https://fedorahosted.org/sssd/ticket/2263 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 48b1db73639135dd4a15ee153f958c912836c621)
*	IPA: check ranges for collisions before saving them	Sumit Bose	2014-02-26	1	-20/+63
\| \| \| \|	Fixes https://fedorahosted.org/sssd/ticket/2253
*	IPA: refactor idmap code and add test	Sumit Bose	2014-02-26	2	-147/+109
\|
*	IPA: Don't fail if apply_subdomain_homedir returns ENOENT	Jakub Hrozek	2014-02-20	1	-1/+1
\| \| \| \| \|	Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
*	IPA: Don't call tevent_req_post outside _send	Jakub Hrozek	2014-02-20	1	-1/+0
\| \| \| \| \|	Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
*	IPA: default krb5_fast_principal to host/$client@$realm	Pavel Březina	2014-02-17	1	-3/+5
\| \| \| \| \| \| \| \| \|	If krb5_fast_principal is not set in sssd.conf it was set to host/$client, KRB5 default realm was used which doesn't have to be the same as realm used for IPA, thus authentication failed when using FAST. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> (cherry picked from commit e325cabe762fad7d696e014a7fdbb47a5cb8174a)
*	IPA: Default to krb5_use_fast=try	Jakub Hrozek	2014-02-13	2	-1/+28
\| \| \| \| \| \|	Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
*	LDAP: Detect the presence of POSIX attributes	Jakub Hrozek	2014-02-12	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit e81deec535d11912b87954c81a1edd768c1386c9)
*	AD: support for subdomain_homedir	Pavel Reichl	2014-02-11	1	-0/+190
\| \| \| \| \| \| \| \| \|	Homedir is defaultly set accordingly to subdomain_homedir for users from AD. Resolves: https://fedorahosted.org/sssd/ticket/2169 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
*	LDAP: Pass a private context to enumeration ptask instead of hardcoded ↵	Jakub Hrozek	2014-01-29	1	-3/+5
\| \| \| \| \| \| \| \| \| \|	connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.
*	responder: Set forest attribute in AD domains	Pavel Reichl	2014-01-09	1	-1/+1
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/2160
*	IPA: fix for recent AD group membership changes	Sumit Bose	2014-01-08	1	-0/+2
\|
*	Add new option ldap_group_type	Sumit Bose	2013-12-19	1	-0/+1
\|
*	Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias	Sumit Bose	2013-12-19	1	-21/+6
\|
*	IPA: Call ipa_ad_subdom_refresh when server mode is initialized	Jakub Hrozek	2013-12-19	1	-6/+14
\| \| \| \| \| \|	ipa_ad_subdom_refresh was called before IPA server context was initialized. On IPA server, this caused the code to dereference a NULL pointer and crash.
*	IPA: Refresh subdomain data structures on startup	Jakub Hrozek	2013-12-18	1	-19/+32
\| \| \| \| \|	Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.
*	SUBDOMAINS: Reuse cached results if DP is offline	Jakub Hrozek	2013-12-09	1	-2/+6
\| \| \| \| \| \| \| \| \| \|	If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168
*	ipa: destroy cleanup task when subdomain is removed	Pavel Březina	2013-10-25	1	-0/+1
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/1968
*	dp: free sdap domain if subdomain is removed	Pavel Březina	2013-10-25	1	-0/+4
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/1968
*	dp: make subdomains refresh interval configurable	Pavel Březina	2013-10-25	1	-3/+4
\| \| \| \| \| \| \| \| \| \|	This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968
*	LDAP: Amend sdap_access_check to allow any connection	Jakub Hrozek	2013-10-25	1	-2/+11
\| \| \| \| \| \| \| \| \|	Related: https://fedorahosted.org/sssd/ticket/2082 Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
*	IPA: add trusted domains with missing idrange	Sumit Bose	2013-10-25	1	-0/+137
\| \| \| \| \| \| \| \| \| \|	If the forest root of a trusted forest is managing POSIX IDs for its users and groups the same is assumed for all member domains in the forest which do not have explicitly have an idrange set. To reflect this SSSD will create the matching ranges automatically. Fixes https://fedorahosted.org/sssd/ticket/2101
*	sdap_idmap_domain_has_algorithmic_mapping: add domain name argument	Sumit Bose	2013-10-25	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \|	When libss_idmap was only used to algorithmically map a SID to a POSIX ID a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if not specific information about the domain was found. The lead to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
*	subdomains: first destroy ptask then remove sdom	Pavel Březina	2013-10-24	1	-3/+3
\| \| \| \| \|	be_ptask_destroy was unreachable since sdom is not present in the list of sdap domains any more.
*	IPA: add callback to reset subdomain timeouts	Sumit Bose	2013-10-22	1	-0/+23
\| \| \| \|	Fixes https://fedorahosted.org/sssd/ticket/2030
*	IPA server mode: properly initialize ext_groups	Sumit Bose	2013-10-16	1	-1/+2
\|
*	Do not return DP_ERR_FATAL in case of success	Sumit Bose	2013-09-27	1	-1/+5
\|
*	ipa_server_mode: write capaths to krb5 include file	Sumit Bose	2013-09-27	1	-1/+3
\| \| \| \| \| \| \| \| \| \| \| \|	If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this works requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
*	IPA: store forest name for forest member domains	Sumit Bose	2013-09-27	1	-1/+86
\| \| \| \| \|	In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
*	IPA: Ignore dns_discovery_domain in server mode	Jakub Hrozek	2013-09-26	1	-0/+36
\| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2079 If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
*	LDAP: sdap_id_setup_tasks accepts a custom enum request	Jakub Hrozek	2013-09-18	1	-1/+3
\| \| \| \|	AD provider will override the default with its own.
*	util: add sss_idmap_talloc[_free]	Pavel Březina	2013-09-17	1	-14/+3
\| \| \| \|	Remove code duplication.
*	Use right formating to print string	Lukas Slebodnik	2013-09-11	1	-1/+1
\| \| \| \|	format specifies type 'int' but the argument has type 'const char *'
*	Fix formating of variables with type: size_t	Lukas Slebodnik	2013-09-11	7	-10/+12
\|
*	Fix formating of variables with type: ssize_t	Lukas Slebodnik	2013-09-11	1	-2/+2
\|
*	Fix warning missing arguments	Lukas Slebodnik	2013-09-05	1	-1/+1
\|
*	Fix czech specific character in my name	Pavel Březina	2013-09-02	2	-2/+2
\|
*	IPA_HBAC: Explicitelly include header file time.h	Lukas Slebodnik	2013-08-28	1	-0/+1
\| \| \| \| \| \| \| \|	struct hbac_eval_req is defined in header file and it has attribute request_time with type time_t, but header file "time.h" was not included. It was not problem, because time.h was indirectly included by stdlib.h (stdlib.h -> sys/types.h -> time.h) in implementation files, but other platforms can have other dependencies among header files.
*	IPA: Add forgotten declaration	Jakub Hrozek	2013-08-28	1	-0/+1
\| \| \| \|	A conflict between two patches was not resolved correctly
*	IPA: enable enumeration if parent domain enumerates in server mode	Jakub Hrozek	2013-08-28	1	-12/+58
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1963
*	SYSDB: Store enumerate flag for subdomain	Jakub Hrozek	2013-08-28	1	-1/+2
\|
*	LDAP: Make sdap_id_setup_tasks reusable for subdomains	Jakub Hrozek	2013-08-28	1	-1/+1
\| \| \| \| \|	Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.
*	DB: remove unused realm parameter from sysdb_master_domain_add_info	Jakub Hrozek	2013-08-28	1	-1/+1
\| \| \| \|	The parameter was not used at all.