path: root/src/providers/ldap/ldap_common.c
Commit message  [Author, Age, Files, Lines]
* Fix uninitialized pointer read in sdap_gssapi_get_default_realm()  [Jakub Hrozek, 2011-09-20, 1 file, -1/+1]
  https://fedorahosted.org/sssd/ticket/1003

* Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON  [Jakub Hrozek, 2011-08-29, 1 file, -1/+2]
  https://fedorahosted.org/sssd/ticket/978

* Use the default Kerberos realm for LDAP with GSSAPI auth  [Jakub Hrozek, 2011-08-29, 1 file, -3/+55]
  https://fedorahosted.org/sssd/ticket/970

* Rewrite HBAC rule evaluator  [Stephen Gallagher, 2011-08-04, 1 file, -0/+29]
  Add helper function msgs2attrs_array
  This function converts a list of ldb_messages into a list of sysdb_attrs.
  Conflicts:
      src/providers/ldap/ldap_common.c
      src/providers/ldap/ldap_common.h

  Add HBAC evaluator and tests

  Add helper functions for looking up HBAC rule components

  Remove old HBAC implementation

  Add new HBAC lookup and evaluation routines
  Conflicts:
      Makefile.am

  Add ipa_hbac_refresh option
  This option describes the time between refreshes of the HBAC rules on the IPA server.

  Add ipa_hbac_treat_deny_as option
  By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.

  Treat NULL or empty rhost as unknown
  Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts.

  libipa_hbac: Support case-insensitive comparisons with UTF8

  UTF8 HBAC test

  Fix memory leak in ipa_hbac_evaluate_rules
  https://fedorahosted.org/sssd/ticket/933

  Fix incorrect NULL check in ipa_hbac_common.c
  https://fedorahosted.org/sssd/ticket/936

  Require matched version and release for libipa_hbac

  Add rule validator to libipa_hbac
  https://fedorahosted.org/sssd/ticket/943
* Do not add a NULL host parsed from LDAP URI  [Jakub Hrozek, 2011-08-04, 1 file, -1/+8]
  https://fedorahosted.org/sssd/ticket/911

* Fix TLS/SSL validation after switch to ldap_init_fd  [Sumit Bose, 2011-07-13, 1 file, -33/+9]
  Add sockaddr_storage to sdap_service
  Add sdap_call_conn_cb() to call add connection callback directly
  Use name based URI instead of IP address based URIs
  Use ldap_init_fd() instead of ldap_initialize() if available
  Do not access state after tevent_req_done() is called.
  Call ldap_install_tls() on ldaps connections

* Honor the TTL value of SRV record lookups  [Jakub Hrozek, 2011-07-13, 1 file, -2/+2]
  Add new resolv_hostent data structure and utility functions
  Resolve hosts by name from files into resolv_hostent
  Resolve hosts by name from DNS into resolv_hostent
  Switch resolver to using resolv_hostent and honor TTL
  Conflicts:
      src/providers/fail_over.c

  Provide TTL structure names for c-ares < 1.7
  https://fedorahosted.org/sssd/ticket/898
  In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to ares_addrttl/ares_addr6ttl so they are in the ares_ namespace. Because they are committed to stable ABI, the contents are the same, just the name changed -- so it is safe to just #define the new name for older c-ares version in case the new one is not detected in configure time.

* Properly support IPv6 in LDAP URIs for IPA and LDAP providers  [Jakub Hrozek, 2011-06-02, 1 file, -6/+56]
  Add utility function to return IP address as string
  Add a utility function to escape IPv6 address for use in URIs
  Use escaped IP addresses in LDAP provider
  Escape IPv6 IP addresses in the IPA provider
  https://fedorahosted.org/sssd/ticket/880

  Fix bad merge
  We merged in a patch, but missed that it missed a dependency added by another earlier patch.
* Enable paging support for LDAP  [Stephen Gallagher, 2011-05-24, 1 file, -1/+2]

* Make "password" the default for ldap_default_authtok_type  [Stephen Gallagher, 2011-05-24, 1 file, -1/+1]

* Never remove gecos from the sysdb cache  (ref sssd-1.5.1-28.el6)  [Stephen Gallagher, 2011-04-12, 1 file, -0/+9]
  Now that gecos can come from either the 'gecos' or 'cn' attributes, we need to ensure that we never remove it from the cache.

* Do not attempt to use START_TLS on SSL connections  [Stephen Gallagher, 2011-02-15, 1 file, -0/+9]
  Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL.
  https://fedorahosted.org/sssd/ticket/795

* Add option to disable TLS for LDAP auth  (ref sssd-1_5_1)  [Stephen Gallagher, 2011-01-27, 1 file, -1/+5]
  Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.

* Delete attributes that are removed from LDAP  [Stephen Gallagher, 2011-01-21, 1 file, -0/+117]
  Sometimes, a value in LDAP will cease to exist (the classic example being shadowExpire). We need to make sure we purge that value from SSSD's sysdb as well.
  https://fedorahosted.org/sssd/ticket/750

* Add ldap_tls_{cert,key,cipher_suite} config options  [Tyson Whitehead, 2011-01-20, 1 file, -0/+3]
  Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
* Add LDAP expire policy based on RHDS/IPA attribute  [Sumit Bose, 2011-01-19, 1 file, -2/+4]
  The attribute nsAccountLock is used by RHDS, IPA and other directory servers to indicate that the account is locked.
* Add LDAP expire policy based on AD attributes  [Sumit Bose, 2011-01-19, 1 file, -2/+6]
  The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.

* Add ldap_search_enumeration_timeout config option  [Sumit Bose, 2011-01-17, 1 file, -2/+3]

* Convert obfuscated password once at startup  [Sumit Bose, 2011-01-06, 1 file, -0/+41]

* Add authorizedService support  [Stephen Gallagher, 2010-12-21, 1 file, -2/+4]
  https://fedorahosted.org/sssd/ticket/670

* Start first enumeration immediately  [Stephen Gallagher, 2010-12-17, 1 file, -3/+28]
  Previously, we would wait for ten seconds before starting an enumeration. However, this meant that on the first startup (before we had run our first enumeration) there was a ten-second window where clients would immediately get back a response with no entries instead of blocking until the enumeration completed.
  With this patch, SSSD will now run an enumeration immediately upon startup. Further startups will retain the ten-second delay so as not to slow down system bootups.
  https://fedorahosted.org/sssd/ticket/616

* Fix uninitialized value error in sdap_account_expired_shadow()  [Sumit Bose, 2010-12-14, 1 file, -2/+2]
  https://fedorahosted.org/sssd/ticket/726

* Replace krb5_kdcip by krb5_server in LDAP provider  [Sumit Bose, 2010-12-07, 1 file, -3/+11]
* ldap: Use USN entries if available.  [Simo Sorce, 2010-12-07, 1 file, -2/+6]
  Otherwise fall back to the default modifyTimestamp indicator.
* ldap: add checks to determine if USN features are available.  [Simo Sorce, 2010-12-07, 1 file, -5/+5]

* Add ldap_chpass_uri config option  [Sumit Bose, 2010-12-06, 1 file, -1/+9]

* Add new account expired rule to LDAP access provider  [Sumit Bose, 2010-12-06, 1 file, -1/+3]
  Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated.
  'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'.
  'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute.

* Make string_to_shadowpw_days() public  [Sumit Bose, 2010-12-06, 1 file, -0/+34]

* Allow protocol fallback for SRV queries  [Jakub Hrozek, 2010-12-01, 1 file, -3/+2]
  https://fedorahosted.org/sssd/ticket/691

* Properly document ldap_purge_cache_timeout  [Stephen Gallagher, 2010-11-15, 1 file, -1/+9]
  Also allow it to be disabled entirely.

* Make ldap_search_base a non-mandatory option  [Sumit Bose, 2010-11-04, 1 file, -35/+25]

* Add ldap_deref option  [Sumit Bose, 2010-10-22, 1 file, -1/+12]

* Add option to limit nested groups  [Simo Sorce, 2010-10-18, 1 file, -1/+2]

* Add infrastructure to LDAP provider for netgroup support  [Sumit Bose, 2010-10-13, 1 file, -2/+38]

* Initialize Kerberos service for GSSAPI  [Jakub Hrozek, 2010-10-13, 1 file, -0/+171]

* Add KDC to the list of LDAP options  [Jakub Hrozek, 2010-10-13, 1 file, -0/+1]

* Remove remainder of now unused global LDAP connection handle.  [eindenbom, 2010-07-09, 1 file, -171/+0]
* Add dns_discovery_domain option  [Jakub Hrozek, 2010-06-30, 1 file, -1/+0]
  The service discovery used to use the SSSD domain name to perform DNS queries. This is not an optimal solution, for example from the point of view of authconfig.
  This patch introduces a new option "dns_discovery_domain" that allows setting the domain part of a DNS SRV query. If this option is not set, the default behavior is to use the domain part of the machine's hostname.
  Fixes: #479
* Disable connection callbacks when going online  [Stephen Gallagher, 2010-06-09, 1 file, -0/+10]
  Under certain circumstances, the openldap libraries will continue internally trying to reconnect to a connection lost (as during a cable-pull test). We need to drop the reconnection callbacks when marking the backend offline in order to guarantee that they are not called with an invalid sdap_handle.
* Add ldap_access_filter option  [Stephen Gallagher, 2010-05-27, 1 file, -1/+2]
  This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system.
  Common examples for this would be limiting access to users in a particular group, for example:
      ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
* Add offline callback to disconnect global SDAP handle  [Sumit Bose, 2010-05-27, 1 file, -1/+9]

* Add ldap_krb5_ticket_lifetime option  [Sumit Bose, 2010-05-16, 1 file, -1/+2]

* Use service discovery in backends  [Jakub Hrozek, 2010-05-07, 1 file, -8/+49]
  Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name.
  Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
* Better handle sdap_handle memory from callers.  [Simo Sorce, 2010-05-03, 1 file, -1/+1]
  Always just mark the sdap_handle as not connected and let later _send() functions take care of freeing the handle before reconnecting.
  Introduce restart functions to avoid calling _send() functions in _done() functions' error paths, as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release().
  By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.
* Fix check for values of expiration limits  [Jakub Hrozek, 2010-02-25, 1 file, -1/+1]
  There were inconsistencies between what the sssd.conf manpage said and what the code enforces.
* Better cleanup task handling  [Jakub Hrozek, 2010-02-23, 1 file, -1/+46]
  Implements a different mechanism for the cleanup task. Instead of just deleting expired entries, this patch adds a new option account_cache_expiration for domains. If an entry is expired and the last login was more days in the past than account_cache_expiration, the entry is deleted. Groups are deleted if they are expired and no user references them (no user has a memberof: attribute pointing at that group).
  The parameter account_cache_expiration is not LDAP-specific, so that other future backends might use the same timeout setting.
  Fixes: #391
* Do not check entries during cleanup task  [Jakub Hrozek, 2010-02-23, 1 file, -2/+2]
  Do not attempt to validate expired entries in cache, just delete them. Also increase the cache timeouts.
  Fixes: #331

* Rename server/ directory to src/  [Stephen Gallagher, 2010-02-18, 1 file, -0/+589]
  Also update BUILD.txt