| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
This patch adds support for the primary server functionality into IPA
provider. No backup servers are added at the moment, just the basic
support is in place.
|
| |
|
|
|
|
|
|
| |
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
| |
|
|
|
| |
The host record will be fetched if HBAC is used as access provider since
the record is already downloaded and it can be trusted to be valid.
|
| |
|
|
|
| |
If HBAC is active, SELinux code will reuse them instead of downloading
them from the server again.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The counter is important so the for cycle doesn't depend on the first
NULL pointer. That would cause potential errors if more records are
following after this first NULL pointer.
|
| |
|
|
|
|
|
| |
Translate manually memberHost and memberUser to originalMemberUser and
originalMemberHost. Without this, the HBAC rule won't be matched against
current user and/or host, meaning that no SELinux user map connected to
it will be matched againts any user on the system.
|
| |
|
|
|
| |
This function is no longer necessary since sysdb interface for copying
elements has been implemented.
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1379
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1421
|
| |
|
|
|
| |
We should always download the defaults because even if there are no
rules, we might want to use (or update) the defaults.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The functionality now is following:
When rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and sum of both priorities is user to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395
|
| |
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1410
|
| |
|
|
|
| |
This will reduce code duplication between the krb5, ipa and ad
providers
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function is not supposed to return any newly-allocated memory
directly. It was actually leaking the memory for krb5_servers if
krb5_kdcip was being used, though it was undetectable because it
was allocated on the provided memctx.
This patch removes the memctx parameter and allocates krb5_servers
temporarily on NULL and ensures that it is freed on all exit
conditions. It is not necessary to retain this memory, as
dp_opt_set_string() performs a talloc_strdup onto the appropriate
context internally.
It also updates the DEBUG messages for this function to the
appropriate new macro levels.
|
| |
|
|
|
| |
This request and attached memory would be freed at the end of
access-check processing, but it's a waste to keep it around.
|
| |
|
|
|
|
|
|
|
|
| |
Adds some option that allows to manually configure a host filter.
ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute
ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces
ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces
ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost
ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain.
|
| |
|
|
|
| |
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query.
|
| |
|
|
|
|
| |
There was an issue when IPA provider didn't set PAM_SUCCESS when
successfully finished loading SELinux user maps. This lead to the map
not being read in the responder.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/949
|
| |
|
|
|
|
|
| |
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Instead of using account_info request, creates a new ssh specific
request. This improves code readability and will make the code more
flexible in the future.
https://fedorahosted.org/sssd/ticket/1176
|
| | |
|
| |
|
|
| |
'info' is optional parameter and can be set to NULL
|
| | |
|
| |
|
|
| |
If the code fell through the loop, ret would have been random value.
|
| |
|
|
| |
* So don't need to handle that case
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
