path: root/src/providers/ldap/ldap_common.h
Entries below: commit message (author, date, files changed, lines -removed/+added)
* LDAP: Fetch users and groups using wildcards (Jakub Hrozek, 2015-07-15, 1 file, -0/+3)
  Related: https://fedorahosted.org/sssd/ticket/2553

  Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far it's the same code as if enumeration was used, so there are no limits.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour (Jakub Hrozek, 2015-06-14, 1 file, -0/+2)
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* Skip enumeration requests in IPA and AD providers as well (Jakub Hrozek, 2015-06-01, 1 file, -0/+3)
  Checking the enum request in the underlying LDAP provider to skip it might be too late, as the richer IPA or AD providers depend on having a useful result when the sdap request finishes. Move the enumeration check earlier instead and allow directly in the IPA or AD handler.

  Related: https://fedorahosted.org/sssd/ticket/2659

  Reviewed-by: Sumit Bose <sbose@redhat.com>

* LDAP/AD: do not resolve group members during tokenGroups request (Sumit Bose, 2015-03-17, 1 file, -1/+2)
  During initgroups requests we try to avoid resolving the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup returns the complete list of memberships for a user, hence it is not necessary to look up the other group members and un-roll nested groups.

  With this patch only the group entry is looked up and saved as an incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send().

  The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true, groups which are missing in the cache are created as incomplete groups. As a result a request to look up this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored, but the time needed to read all data is better distributed between different requests.

  https://fedorahosted.org/sssd/ticket/2601

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* be_refresh: add sdap_refresh_init (Pavel Březina, 2015-03-08, 1 file, -8/+2)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* sdap_handle_acct_req_send: remove be_req (Pavel Březina, 2015-03-08, 1 file, -1/+1)
  be_req was used only as a talloc context for subreq. This memory context was replaced by the state of the parent request, which is more suitable for tevent coding style. This change will allow us to use this function in be_refresh where no be_req is available.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* be_refresh: refresh all domains in backend (Pavel Březina, 2015-03-08, 1 file, -0/+1)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* LDAP: Pass a private context to enumeration ptask instead of hardcoded connection (Jakub Hrozek, 2014-01-29, 1 file, -8/+9)
  Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.

* sdap: add sdap_domain_get_by_dn() (Pavel Březina, 2013-10-30, 1 file, -0/+4)
  This function will find the sdap domain by comparing the object DN with the domain base DN.

  Resolves: https://fedorahosted.org/sssd/ticket/2064
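The lookup described in the commit above, matching an object DN against each domain's base DN, has two details worth getting right: DN comparison is case-insensitive, and the base DN must match on an RDN boundary, otherwise "dc=badexample,dc=com" would appear to lie under "dc=example,dc=com". The following is an added illustrative example written for this page, not SSSD's own sdap_domain_get_by_dn(); the struct dom type, the sample domains and the helper names are hypothetical. When several bases match (a subdomain under its parent), the longest matching base wins.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for SSSD's sdap_domain: just a name and a base DN. */
struct dom {
    const char *name;
    const char *basedn;
};

/* Case-insensitive ASCII compare of n bytes: in LDAP, attribute types and
 * most DN values compare case-insensitively, so "DC=Example" == "dc=example". */
static bool eq_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* True if 'dn' is the base itself or lies under it: the base must be a
 * suffix of dn AND the byte before the suffix must be an RDN separator. */
static bool dn_under_base(const char *dn, const char *base)
{
    size_t dl = strlen(dn), bl = strlen(base);
    if (bl == 0 || bl > dl) return false;
    if (!eq_ci(dn + dl - bl, base, bl)) return false;
    return dl == bl || dn[dl - bl - 1] == ',';
}

/* Return the domain whose base DN is the longest matching suffix of dn,
 * so "dc=child,dc=example,dc=com" beats its parent; NULL if none match. */
const struct dom *dom_get_by_dn(const struct dom *doms, size_t n, const char *dn)
{
    const struct dom *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t bl = strlen(doms[i].basedn);
        if (dn_under_base(dn, doms[i].basedn) && bl > best_len) {
            best = &doms[i];
            best_len = bl;
        }
    }
    return best;
}

/* Constructed sample: a primary domain and one subdomain. */
static const struct dom sample_doms[] = {
    { "example.com",       "dc=example,dc=com" },
    { "child.example.com", "dc=child,dc=example,dc=com" },
};

/* Convenience wrapper over the constructed sample; "none" if no domain matches. */
const char *sample_domain_for(const char *dn)
{
    const struct dom *d = dom_get_by_dn(sample_doms, 2, dn);
    return d ? d->name : "none";
}

int main(void)
{
    const char *dns[] = {
        "cn=alice,ou=People,DC=Example,DC=com",
        "cn=bob,dc=child,dc=example,dc=com",
        "cn=eve,dc=badexample,dc=com",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-40s -> %s\n", dns[i], sample_domain_for(dns[i]));
    return 0;
}
```

The comparison assumes DNs are already in a normalised form with no whitespace around the commas; a real implementation should normalise (or parse into RDN components) before comparing, since "dc=example, dc=com" is the same DN but would not match byte-wise here.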
* dp: convert cleanup task to be_ptask (Pavel Březina, 2013-10-25, 1 file, -3/+3)
  Resolves: https://fedorahosted.org/sssd/ticket/1968

* AD: Use the ad_access_filter if it's set (Jakub Hrozek, 2013-10-25, 1 file, -0/+3)
  Related: https://fedorahosted.org/sssd/ticket/2082

  Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.

* AD: fall back to LDAP if GC is not available. (Lukas Slebodnik, 2013-10-25, 1 file, -0/+2)
  AD provider went offline if the Global Catalog could not be connected although there was also the LDAP port available. With this patch, AD provider will fall back to the LDAP port before going offline.

  New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx. If this flag is enabled, function be_mark_offline will not be called.

  Resolves: https://fedorahosted.org/sssd/ticket/2104

* AD: Download master domain info when enumerating (Jakub Hrozek, 2013-09-18, 1 file, -0/+11)
  https://fedorahosted.org/sssd/ticket/2068

  With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.

* LDAP: sdap_id_setup_tasks accepts a custom enum request (Jakub Hrozek, 2013-09-18, 1 file, -2/+14)
  AD provider will override the default with its own.

* LDAP: Store cleanup timestamp after initial cleanup (Jakub Hrozek, 2013-09-11, 1 file, -1/+1)
  When the SSSD changes servers (and hence lastUSN) we perform a cleanup as well. However, after recent changes, we didn't set the cleanup timestamp correctly, which made the lastUSN logic fail.

* LDAP: Make sdap_id_setup_tasks reusable for subdomains (Jakub Hrozek, 2013-08-28, 1 file, -1/+6)
  Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.

* LDAP: Make the cleanup task reusable for subdomains (Jakub Hrozek, 2013-08-28, 1 file, -5/+5)
  Instead of always performing the cleanup on the main domain, the task now accepts a sdap_domain structure to perform the cleanup on. This change will make the cleanup task reusable for subdomains.

* LDAP: Make cleanup synchronous (Jakub Hrozek, 2013-08-28, 1 file, -0/+1)
  The LDAP cleanup request was asynchronous for no good reason, probably a leftover from the days of async sysdb. This patch makes it synchronous again, removing a lot of unneeded code.

* LDAP: Convert enumeration to the ptask API (Jakub Hrozek, 2013-08-28, 1 file, -1/+3)
  https://fedorahosted.org/sssd/ticket/1942

  Identity providers other than LDAP need to customize the enumeration in different ways while sharing the way the task is scheduled etc. The easiest way to accomplish it is to leverage the recently introduced ptask framework.

* LDAP: Move the ldap enum request to its own reusable module (Jakub Hrozek, 2013-08-28, 1 file, -5/+0)
  The LDAP enumeration was too closely tied to the LDAP identity provider. Because some providers might need special handling, such as refreshing the master domain record before proceeding with the enumeration itself, this patch splits the request itself to a separate async request and lets the ldap_id_enum.c module only configure this new request.

  Also move the enum timestamp to sdap_domain to make the enum tracking per sdap domain. The cleanup timestamp will be moved in another patch.

* AD: Move storing sdap_domain for subdomain to generic LDAP code (Jakub Hrozek, 2013-06-28, 1 file, -0/+4)
  Makes creating the sdap_domain structure for a subdomain reusable outside AD subdomain code where it was created initially.

  Subtask of: https://fedorahosted.org/sssd/ticket/1962

* providers: refresh expired netgroups (Pavel Březina, 2013-06-10, 1 file, -0/+8)
  https://fedorahosted.org/sssd/ticket/1713

* LDAP: split a function to create search bases (Jakub Hrozek, 2013-06-07, 1 file, -0/+6)
  This function will be used later to fill the sdap_domain structures with search bases.

* LDAP: return sdap search return code to ID (Jakub Hrozek, 2013-06-07, 1 file, -8/+13)
  By default, the LDAP searches delete the entry from cache if it wasn't found during a search. But if a search wants to try both Global Catalog and LDAP, for example, it might be beneficial to have an option to only delete the entry from cache after the last operation fails, to prevent unnecessary memberof operations for example.

* LDAP: new SDAP domain structure (Jakub Hrozek, 2013-06-07, 1 file, -0/+16)
  Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases.

  This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.

* LDAP: Pass in a connection to ID functions (Jakub Hrozek, 2013-06-07, 1 file, -3/+7)
  Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.

* LDAP: Refactor account info handler into a tevent request (Jakub Hrozek, 2013-06-07, 1 file, -8/+9)
  The sdap account handler was a function with its own private callback that directly called the back end handlers. This patch refactors the handler into a new tevent request that the current sdap handler calls.

  This refactoring would allow the caller to specify a custom sdap connection for use by the handler and optionally retry the same request with another connection inside a single per-provider handler.

  No functional changes are present in this patch.

* LDAP: sdap_id_ctx might contain several connections (Jakub Hrozek, 2013-06-07, 1 file, -5/+22)
  With some LDAP server implementations, one server might provide different "views" of the identities on different ports. One example is the Active Directory Global Catalog. The provider would contact a different view depending on which operation it is performing and against which SSSD domain.

  At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI.

  No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.

* Remove unneeded parameter of setup_child and namespace it (Jakub Hrozek, 2013-05-20, 1 file, -1/+1)
  setup_child() was accepting a parameter it didn't use. Also the function name was too generic, so I added a sdap prefix.

* LDAP: Provide a common sdap_set_sasl_options init function (Jakub Hrozek, 2012-11-19, 1 file, -0/+7)
  The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.

* Clean up cache on server reinitialization (Pavel Březina, 2012-08-23, 1 file, -0/+9)
  https://fedorahosted.org/sssd/ticket/734

  We successfully detect when the server is reinitialized by testing the new lastUSN value. The maximum USN values are set to zero, but the current cache content remains.

  This patch removes records that were deleted from the server. It uses the following approach:
  1. remove entryUSN attribute from all entries
  2. run enumeration
  3. remove records that don't have entryUSN attribute updated

  We don't need to do this for sudo rules, they will be refreshed automatically during next smart/full refresh, or when an expired rule is deleted.
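The three-step cleanup in the commit above is easy to get wrong in the other direction: if entries kept their old entryUSN, a server that was restored from backup and restarted at a lower USN would leave deleted objects in the cache forever. The following is an added example, written for this page and not SSSD's sysdb code, that models the approach against a tiny in-memory cache. The struct cache/struct entry types, the enumeration records and the rule "reinitialised when the reported lastUSN is lower than the cached maximum" are assumptions for the illustration; the real detection logic lives elsewhere in SSSD.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN  32
#define CACHE_MAX 16

/* Hypothetical minimal stand-in for a cached sysdb object: SSSD stores the
 * server-assigned entryUSN on every object it caches. */
struct entry {
    char name[NAME_LEN];
    long entry_usn;
    bool has_usn;      /* false once the entryUSN was stripped (step 1) */
};

struct cache {
    struct entry e[CACHE_MAX];
    size_t n;
    long max_usn;      /* highest entryUSN seen, i.e. the cached lastUSN */
};

/* One record as returned by the post-reinit enumeration (constructed input). */
struct enum_rec {
    const char *name;
    long usn;
};

/* Assumed detection rule for this example: the server was reinitialised if
 * the lastUSN it reports now is lower than the maximum we already cached. */
bool server_reinitialized(long cached_max_usn, long server_last_usn)
{
    return server_last_usn < cached_max_usn;
}

static struct entry *cache_find(struct cache *c, const char *name)
{
    for (size_t i = 0; i < c->n; i++)
        if (strcmp(c->e[i].name, name) == 0)
            return &c->e[i];
    return NULL;
}

/* Insert or update an object with a fresh entryUSN (silently drops
 * inserts when the toy cache is full). */
static void cache_put(struct cache *c, const char *name, long usn)
{
    struct entry *ent = cache_find(c, name);
    if (ent == NULL) {
        if (c->n == CACHE_MAX) return;
        ent = &c->e[c->n++];
        strncpy(ent->name, name, NAME_LEN - 1);
        ent->name[NAME_LEN - 1] = '\0';
    }
    ent->entry_usn = usn;
    ent->has_usn = true;
    if (usn > c->max_usn) c->max_usn = usn;
}

/* The three-step cleanup; returns how many stale records were removed. */
size_t cleanup_after_reinit(struct cache *c, const struct enum_rec *recs, size_t nrecs)
{
    /* 1. forget every cached entryUSN: the old values mean nothing now */
    for (size_t i = 0; i < c->n; i++) c->e[i].has_usn = false;
    c->max_usn = 0;

    /* 2. run enumeration: every object still on the server gets a new USN */
    for (size_t i = 0; i < nrecs; i++) cache_put(c, recs[i].name, recs[i].usn);

    /* 3. anything still without an entryUSN was deleted on the server */
    size_t removed = 0, w = 0;
    for (size_t r = 0; r < c->n; r++) {
        if (c->e[r].has_usn) c->e[w++] = c->e[r];
        else removed++;
    }
    c->n = w;
    return removed;
}

/* Constructed scenario: three cached users, the server comes back reporting
 * lastUSN=50, and enumeration no longer returns "bob". */
size_t run_sample(struct cache *c)
{
    memset(c, 0, sizeof(*c));
    cache_put(c, "alice", 100);
    cache_put(c, "bob",   150);
    cache_put(c, "carol", 200);
    if (!server_reinitialized(c->max_usn, 50)) return 0;
    const struct enum_rec recs[] = { { "alice", 5 }, { "carol", 7 } };
    return cleanup_after_reinit(c, recs, 2);
}

int main(void)
{
    struct cache c;
    size_t removed = run_sample(&c);
    printf("removed %zu stale record(s); %zu remain, max USN now %ld\n",
           removed, c.n, c.max_usn);
    return 0;
}
```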
* Primary server support: LDAP adaptation (Jan Zeleny, 2012-08-01, 1 file, -1/+2)
  This patch adds support for the primary server functionality into LDAP provider. No backup servers are added at the moment, just the basic support is in place.

* sudo ldap provider: load host filter configuration on init (Pavel Březina, 2012-06-29, 1 file, -1/+4)
  We need to load host information during provider initialization. Currently it loads only values from configuration files, but it is implemented as an asynchronous request as it will later try to autodetect these settings (which will need to contact DNS).

* LDAP: Add helper routine to convert LDAP blob to SID string (Stephen Gallagher, 2012-05-03, 1 file, -0/+6)

* LDAP: Enable looking up ID-mapped users by name (Stephen Gallagher, 2012-05-03, 1 file, -0/+1)

* Modifications to simplify list_missing_attrs (Jan Zeleny, 2012-02-24, 1 file, -1/+0)

* IPA: Add ipa_parse_search_base() (Stephen Gallagher, 2012-02-23, 1 file, -0/+5)
  Previously, we were using sdap_parse_search_base() for setting up the search_base objects for use in IPA. However, this was generating unfriendly log messages about unknown search base types.

  This patch creates a new common_parse_search_base() routine that can be used with either LDAP or IPA providers.

  https://fedorahosted.org/sssd/ticket/1151

* AUTOFS: IPA provider (Jakub Hrozek, 2012-02-07, 1 file, -0/+3)

* AUTOFS: LDAP provider (Jakub Hrozek, 2012-02-05, 1 file, -0/+5)

* Move BUILD_SUDO outside the generic LDAP source files (Jakub Hrozek, 2012-02-04, 1 file, -8/+4)
  Avoid #ifdefs in the general part of the code

* LDAP: Add support for service lookups (non-enum) (Stephen Gallagher, 2012-01-31, 1 file, -0/+12)

* SUDO Integration - periodical update of rules in data provider (Pavel Březina, 2012-01-17, 1 file, -0/+1)
  https://fedorahosted.org/sssd/ticket/1110

  Adds new configuration options:
  - ldap_sudo_refresh_enabled - enable/disable periodical updates
  - ldap_sudo_refresh_timeout - rules timeout (refresh period)

* Pass sdap_id_ctx to online check from IPA provider (Jakub Hrozek, 2011-12-19, 1 file, -0/+2)

* SUDO integration - LDAP provider (Pavel Březina, 2011-12-16, 1 file, -0/+5)

* SUDO Integration - LDAP configuration options (Pavel Březina, 2011-12-16, 1 file, -0/+5)

* Fix sdap_id_ctx/ipa_id_ctx mismatch in IPA provider (Jakub Hrozek, 2011-11-25, 1 file, -0/+1)
  This was causing a segfault during HBAC processing and any ID lookups except for netgroups

* Modified sdap_parse_search_base() (Jan Zeleny, 2011-11-23, 1 file, -2/+1)

* Renamed some LDAP routines (Jan Zeleny, 2011-11-23, 1 file, -5/+5)
  These were renamed just to make sure they are not mistaken for IPA netgroup functions.

* LDAP: Add parser for multiple search bases (Stephen Gallagher, 2011-11-02, 1 file, -0/+5)
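Both the multiple-search-base parser above and the later common_parse_search_base() consume the sssd.conf search base syntax, in which several bases are joined as `base?scope?filter?base?scope?filter`, a bare DN means the whole subtree, and the filter may be empty. The following is an added example written for this page, not SSSD's sdap_parse_search_base(); the struct search_base type, the fixed buffer sizes, the accepted scope spellings (base, one/onelevel, sub/subtree) and the rule that a non-empty filter must be enclosed in parentheses are assumptions of this illustration. The practitioner-relevant checks are the ones that reject malformed input outright: a field count that is not a multiple of three, an empty base DN, an unknown scope, or a filter that cannot be a valid LDAP filter, since a silently mis-parsed search base quietly widens or narrows what the provider looks up.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum scope { SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE };

#define SB_MAX 8      /* max search bases per option (hypothetical limit) */
#define SB_STR 128    /* max length of a base DN or filter (hypothetical) */

struct search_base {
    char basedn[SB_STR];
    enum scope scope;
    char filter[SB_STR];   /* "" means no extra filter */
};

/* Case-insensitive compare of a (ptr,len) field against a literal. */
static bool field_is(const char *s, size_t len, const char *lit)
{
    if (strlen(lit) != len) return false;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i]))
            return false;
    return true;
}

static bool parse_scope(const char *s, size_t len, enum scope *out)
{
    if (field_is(s, len, "base"))                                { *out = SCOPE_BASE;     return true; }
    if (field_is(s, len, "onelevel") || field_is(s, len, "one")) { *out = SCOPE_ONELEVEL; return true; }
    if (field_is(s, len, "subtree")  || field_is(s, len, "sub")) { *out = SCOPE_SUBTREE;  return true; }
    return false;
}

/* Copy a field into a fixed buffer, refusing anything that would not fit. */
static bool copy_field(char *dst, const char *src, size_t len)
{
    if (len >= SB_STR) return false;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Split conf on '?' into (start,len) fields without modifying it.
 * Returns the field count, or -1 if there are more than max fields. */
static int split_fields(const char *conf, const char **start, size_t *len, int max)
{
    int n = 0;
    const char *p = conf;
    for (;;) {
        const char *q = strchr(p, '?');
        if (n == max) return -1;
        start[n] = p;
        len[n] = q ? (size_t)(q - p) : strlen(p);
        n++;
        if (q == NULL) break;
        p = q + 1;
    }
    return n;
}

/* Parse an ldap_*_search_base value into out[]; returns the number of
 * bases, or -1 on any malformed input (nothing partial is accepted). */
int parse_search_bases(const char *conf, struct search_base *out, int max)
{
    const char *start[3 * SB_MAX];
    size_t len[3 * SB_MAX];
    int nf = split_fields(conf, start, len, 3 * SB_MAX);
    if (nf < 0) return -1;

    if (nf == 1) {   /* bare DN: whole subtree, no filter */
        if (max < 1 || len[0] == 0 || !copy_field(out[0].basedn, start[0], len[0])) return -1;
        out[0].scope = SCOPE_SUBTREE;
        out[0].filter[0] = '\0';
        return 1;
    }
    if (nf % 3 != 0) return -1;   /* every base needs exactly base?scope?filter */
    int nb = nf / 3;
    if (nb > max) return -1;

    for (int i = 0; i < nb; i++) {
        const char *b = start[3 * i],     *s = start[3 * i + 1], *f = start[3 * i + 2];
        size_t      bl = len[3 * i],      sl = len[3 * i + 1],   fl = len[3 * i + 2];
        if (bl == 0) return -1;                          /* empty base DN */
        if (!copy_field(out[i].basedn, b, bl)) return -1;
        if (!parse_scope(s, sl, &out[i].scope)) return -1;
        if (fl > 0 && (f[0] != '(' || f[fl - 1] != ')')) return -1;  /* assumed rule */
        if (!copy_field(out[i].filter, f, fl)) return -1;
    }
    return nb;
}

int main(void)
{
    struct search_base sb[SB_MAX];
    const char *conf = "ou=People,dc=example,dc=com?onelevel?(objectClass=posixAccount)"
                       "?ou=Svc,dc=example,dc=com?subtree?";
    int n = parse_search_bases(conf, sb, SB_MAX);
    for (int i = 0; i < n; i++)
        printf("base=%s scope=%d filter=[%s]\n", sb[i].basedn, sb[i].scope, sb[i].filter);
    return n < 0;
}
```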
* Make sdap_get_id_specific_filter() more strict (Stephen Gallagher, 2011-11-02, 1 file, -2/+2)