| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2484
When OTPs are used, we can only used each authtoken at most once. When
it comes to Kerberos password changes, this was only working previously
by accident, because the old authtoken was first used to verify the old
password is valid and not expired and then also to acquire a chpass
principal.
This patch looks at the user object in LDAP to check if the user has any
OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped
completely so that the OTP can be used to acquire the chpass ticket
later.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
| |
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new request to the nss responder which follows the
same flow as a SSS_NSSGETSIDBYNAME request but returns more data than
just the SID. The data is returned as pairs of \0-terminated strings
where the first string is the sysdb attribute name and the second the
corresponding value.
The main use case is on the FreeIPA server to make additional user and
group data available to the extdom plugin which then send this data to
SSSD running on FreeIPA clients.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In IPA we sometimes need to use posixGroup and
sometimes groupOfNames objectclass to query the
groups. This patch adds the possibility to specify
alternative objectclass in group maps. By
default it is only set for IPA.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2418
According to http://msdn.microsoft.com/en-us/library/cc223272.aspx a
Windows Server 2012 R2 has a functional level set to '6'. We need to
support that value in order for tokenGroups to be functional.
For more information on the functional levels, please refer to:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
To check value of pwdLockout attribute on LDAP server, DN of ppolicy
must be set.
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f.
|
| |
|
|
|
|
|
|
|
| |
Create new set of attributes to be used when processing non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The EntryUSN is not fetched by the sudo LDAP provider when it downloads
the rules because sudorule_map is missing this attribute. We forgot to
add the SDAP_AT_SUDO_RUNAS into sdap_sudorule_attrs when we added support
for sudoRunAs.
Related to:
https://fedorahosted.org/sssd/ticket/2212
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is problem with OpenLDAP server and dereferencing of attributes
that is not in the schema of the server?
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was a default value of option ldap_user_uuid,
but it was not use anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This function was not used since 2009. Unused and untested function
would just rot, better to remove it completely.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
No caller directly accessed this parameter. Moreover, it seemed useless
since the same data is available as SYSDB_ORIGINAL_DN in the attributes.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD read the group memberships
from LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The group memberships cannot be reliable retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domains than the GC belongs to.
As a result the requests which tries to resolve group-memberships of a
AD user have to go to a LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. Remembering
base dn in domain object gives us the ability to simply lookup
correct domain by comparing object dn with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2075
|
| |
|
|
|
|
| |
Instead of always performing the cleanup on the main domain, the task
now accepts a sdap_domain structure to perform the cleanup on. This
change will make the cleanup task reusable for subdomains.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1942
Identity providers other than LDAP need to customize the enumeration in
different ways while sharing the way the task is scheduled etc. The
easiest way to accomplish it is to leverage the recently introduced
ptask framework.
|
| |
|
|
|
|
|
|
|
|
|
| |
The LDAP enumeration was too closely tied to the LDAP identity provider.
Because some providers might need special handling such as refresh the
master domain record before proceeding with the enumeration itself, this
patch splits the request itself to a separate async request and lets the
ldap_id_enum.c module only configure this new request.
Also move the enum timestamp to sdap_domain to make the enum tracking
per sdap domain. The cleanup timestamp will be moved in another patch.
|
| |
|
|
|
|
|
|
|
| |
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011.
|
| |
|
|
|
|
|
|
|
| |
The AD subdomains will only use default options values. This patch
introduces a new utility function sdap_copy_map() that copies the
default options map.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
| |
|
|
|
|
|
| |
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
| |
|
|
|
|
|
|
|
| |
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
| |
|
|
| |
This patch remove unused functions sdap_parse_user and sdap_parse_group
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1660
|
| |
|
|
|
|
|
|
|
|
|
| |
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
| |
|
|
|
|
|
|
|
| |
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|
| |
|
|
|
|
|
| |
The code would call sysdb_attrs_add_uint32 which added another UID or GID
to the ID=0 we already downloaded from LDAP (0 is the default value) when
ID-mapping an entry. This led to funky behaviour later on when we wanted
to process the ID.
|
| | |
|
| |
|
|
|
|
| |
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches.
|
| |
|
|
|
|
| |
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch.
|
| |
|
|
|
|
|
|
|
|
| |
Adds some option that allows to manually configure a host filter.
ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute
ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces
ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces
ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost
ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost
|
| | |
|
