path: root/src/providers/ldap/ldap_id.c
Commit message | Author | Age | Files | Lines
* LDAP: return sdap search return code to ID | Jakub Hrozek | 2013-06-07 | 1 | -34/+87
  By default, the LDAP searches delete the entry from cache if it wasn't found during a search. But if a search wants to try both Global Catalog and LDAP, for example, it might be beneficial to have an option to only delete the entry from cache after the last operation fails to prevent unnecessary memberof operations for example.
* LDAP: new SDAP domain structure | Jakub Hrozek | 2013-06-07 | 1 | -19/+49
  Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
* LDAP: Pass in a connection to ID functions | Jakub Hrozek | 2013-06-07 | 1 | -20/+39
  Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.
* LDAP: Refactor account info handler into a tevent request | Jakub Hrozek | 2013-06-07 | 1 | -155/+201
  The sdap account handler was a function with its own private callback that directly called the back end handlers. This patch refactors the handler into a new tevent request that the current sdap handler calls. This refactoring would allow the caller to specify a custom sdap connection for use by the handler and optionally retry the same request with another connection inside a single per-provider handler. No functional changes are present in this patch.
* LDAP: sdap_id_ctx might contain several connections | Jakub Hrozek | 2013-06-07 | 1 | -5/+5
  With some LDAP server implementations, one server might provide different "views" of the identities on different ports. One example is the Active Directory Global catalog. The provider would contact a different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
* Intermittent fix for get_user_and_group_users_done | Sumit Bose | 2013-06-06 | 1 | -3/+0
  users_get_recv() never returns ENOENT. In general it should return EOK in the case no matching user was found. But since I forgot to handle a SID based filter properly in sdap_get_users_process() an error is returned in this case which makes get_user_and_group_users_done() work as expected with this patch. There is an upcoming enhancement to users_get_recv() which I'm planning to use for a full fix.
* Remove unneeded comment | Jakub Hrozek | 2013-05-28 | 1 | -1/+0
* Add SID related requests to the LDAP provider | Sumit Bose | 2013-05-27 | 1 | -5/+230
  The patch adds support for BE_REQ_BY_SECID and BE_REQ_USER_AND_GROUP to the LDAP provider. Since the AD and the IPA provider use the same code they support those requests now as well. Besides allowing users and groups to be searched by the SID as well, the new request allows searching users and groups in one run, i.e. if there is no user matching the search criteria, groups are searched as well.
* Add secid filter to responder-dp protocol | Sumit Bose | 2013-05-02 | 1 | -0/+6
  This patch adds a new filter type to the data-provider interface which can be used for SID-based lookups.
* ldap: Fallback option for rfc2307 schema | Simo Sorce | 2013-03-20 | 1 | -0/+39
  Add option to fallback to fetch local users if rfc2307 is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation.
  Ticket: https://fedorahosted.org/sssd/ticket/1020
* Add be_req_get_data() helper function. | Simo Sorce | 2013-01-21 | 1 | -1/+1
  In preparation for making struct be_req opaque.
* Add be_req_get_be_ctx() helper. | Simo Sorce | 2013-01-21 | 1 | -10/+16
  In preparation for making be_req opaque.
* Remove sysdb as a be context structure member | Simo Sorce | 2013-01-21 | 1 | -3/+3
  The sysdb context is already available through the 'domain' structure.
* Add domain argument to sysdb_delete_group() | Simo Sorce | 2013-01-15 | 1 | -2/+4
  Also remove sysdb_delete_domgroup()
* Add domain argument to sysdb_delete_user() | Simo Sorce | 2013-01-15 | 1 | -3/+5
  Also remove sysdb_delete_domuser()
* Fix comment on wrong line | Simo Sorce | 2012-12-05 | 1 | -1/+1
* Use an entry type mask macro to filter entry types | Simo Sorce | 2012-12-04 | 1 | -1/+1
  Avoids hardcoding magic numbers everywhere and self documents why a mask is being applied.
* LDAP: Remove double break | Jakub Hrozek | 2012-11-19 | 1 | -1/+0
* Add ignore_group_members option. | Paul B. Henson | 2012-11-15 | 1 | -1/+8
  https://fedorahosted.org/sssd/ticket/1376
* Clean up cache on server reinitialization | Pavel Březina | 2012-08-23 | 1 | -0/+45
  https://fedorahosted.org/sssd/ticket/734
  We successfully detect when the server is reinitialized by testing the new lastUSN value. The maximum USN values are set to zero, but the current cache content remains. This patch removes records that were deleted from the server. It uses the following approach:
  1. remove entryUSN attribute from all entries
  2. run enumeration
  3. remove records that don't have entryUSN attribute updated
  We don't need to do this for sudo rules, they will be refreshed automatically during next smart/full refresh, or when an expired rule is deleted.
* ldap provider: add sudo usn value | Pavel Březina | 2012-06-29 | 1 | -0/+2
* Add support for filtering attributes | Jan Zeleny | 2012-05-31 | 1 | -6/+6
  This patch adds support for filtering attributes when constructing attribute list from a map for LDAP query.
* LDAP: Add attr_count return value to build_attrs_from_map() | Stephen Gallagher | 2012-05-10 | 1 | -3/+3
  This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
* LDAP: Enable looking up id-mapped groups by GID | Stephen Gallagher | 2012-05-03 | 1 | -2/+45
* LDAP: Allow looking up ID-mapped groups by name | Stephen Gallagher | 2012-05-03 | 1 | -11/+20
* LDAP: Enable looking up id-mapped users by UID | Stephen Gallagher | 2012-05-03 | 1 | -6/+43
* LDAP: Add enumeration support for services | Stephen Gallagher | 2012-01-31 | 1 | -0/+2
* LDAP: Add support for service lookups (non-enum) | Stephen Gallagher | 2012-01-31 | 1 | -0/+30
* Pass sdap_id_ctx to online check from IPA provider | Jakub Hrozek | 2011-12-19 | 1 | -17/+40
* Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections | Jakub Hrozek | 2011-11-29 | 1 | -1/+2
* Fix sdap_id_ctx/ipa_id_ctx mismatch in IPA provider | Jakub Hrozek | 2011-11-25 | 1 | -2/+13
  This was causing a segfault during HBAC processing and any ID lookups except for netgroups.
* Renamed some LDAP routines | Jan Zeleny | 2011-11-23 | 1 | -2/+2
  These were renamed just to make sure they are not mistaken for IPA netgroup functions.
* LDAP: Add support for multiple search bases for group enumeration | Stephen Gallagher | 2011-11-02 | 1 | -1/+2
* LDAP: Add support for multiple search bases for user enumeration | Stephen Gallagher | 2011-11-02 | 1 | -1/+2
* LDAP: Convert ldap_*_search_filter | Stephen Gallagher | 2011-11-02 | 1 | -32/+12
  Instead of making this a global option for all user lookups, make it only used if the search base is passed without an explicit filter.
* LDAP: Support multiple group search bases (non-enumeration, RFC2307) | Stephen Gallagher | 2011-11-02 | 1 | -1/+3
* LDAP: Support multiple user search bases (non-enumeration) | Stephen Gallagher | 2011-11-02 | 1 | -0/+1
* Use explicit base 10 for converting strings to integers | Jakub Hrozek | 2011-10-03 | 1 | -2/+2
  https://fedorahosted.org/sssd/ticket/1013
* sysdb refactoring: memory context deleted | Jan Zeleny | 2011-08-15 | 1 | -7/+5
  This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
* sysdb refactoring: deleted domain variables in sysdb API | Jan Zeleny | 2011-08-15 | 1 | -9/+4
  The patch also updates code using modified functions. Tests have also been adjusted.
* Fix returning groups when gidNumber attribute is not ordered | Jakub Hrozek | 2011-08-04 | 1 | -1/+3
  https://fedorahosted.org/sssd/ticket/951
* Explicitly ignore groups with gidNumber=0 | Jakub Hrozek | 2011-07-27 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/916
* Fixed lastUSN checking improvements | Jan Zeleny | 2011-05-04 | 1 | -3/+6
  This patch fixes some issues with setting lastUSN attribute and it adds check against the highest user/group USN after enumeration to keep better track of the real highest USN. Optimal solution here would be to schedule a check of rootDSE entry right after the enumeration finishes, but for the moment this is good enough.
* Add last usn checking after reconnection | Jan Zeleny | 2011-04-19 | 1 | -1/+16
  When reconnecting to the LDAP server supporting USNs (either because of new incoming id operation or invocation of callback responsible for checking status of the backend), detect whether the highest USN is lower than the one SSSD has recorded. If so, set up enumeration/cleanup to refresh potentially changed account information in the SSSD cache.
  Related ticket: https://fedorahosted.org/sssd/ticket/734
* Add user and group search LDAP filter options | Jakub Hrozek | 2011-04-19 | 1 | -13/+32
  https://fedorahosted.org/sssd/ticket/647
* Do not throw a DP error when failing to delete a nonexistent entity | Stephen Gallagher | 2011-04-15 | 1 | -4/+4
* Require existence of GID number and name in group searches | Stephen Gallagher | 2011-03-14 | 1 | -3/+6
  https://fedorahosted.org/sssd/ticket/824
* Remove cached user entry if initgroups returns ENOENT | Stephen Gallagher | 2011-02-18 | 1 | -0/+11
  This behavior was present for getpwnam() but was lacking for initgroups.
* Add the user's primary group to the initgroups lookup | Stephen Gallagher | 2011-01-21 | 1 | -5/+6
  The user may not be a direct member of their primary group, but we still want to make sure that group is cached on the system.
* Add timeout parameter to sdap_get_generic_send() | Sumit Bose | 2011-01-17 | 1 | -2/+6