| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the beginning of a LDAP request we check if we are connecte and have
a valid sdap handle. But for some requests more than one LDAP operation,
typically a search, is needed. Due to the asynchronous handling of LDAP
request it might be possible that a second request might detect a server
error and close the connection while the first request just finished one
LDAP search and wants to start a new LDAP search.
This patch tries to make sure that there is a valid sdap handle before
sending a LDAP search to the server.
Fixes https://fedorahosted.org/sssd/ticket/2126
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1827
|
| |
|
|
|
|
|
|
|
| |
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
| | |
|
| |
|
|
|
| |
The attribute is supposed to contain number of days since the epoch, not
the number of seconds.
|
| |
|
|
|
|
|
|
| |
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped.
|
| |
|
|
|
|
|
| |
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Active Directory 2008R2 allows only 1500 group members to be
retrieved in a single lookup. However, when we hit such a
situation, we can take advantage of the ASQ lookups, which are not
similarly limited.
With this patch, we will add any members found by ASQ that were
not found by the initial lookup so we will end with a complete
group listing.
https://fedorahosted.org/sssd/ticket/783
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previous version of the SSSD did not abort the async LDAP search
operation on errors. In cases where the request ended in progress, such
as when the paging was very strictly limited, the old versions at least
returned partial data.
This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a
user-visible regression.
https://fedorahosted.org/sssd/ticket/1322
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1320
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1307
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The paging control can cause issues on servers that put limits on
how many paging controls can be active at one time (on some
servers, it is limited to one per connection). We need to reduce
our usage so that we only activate the paging control when making
a request that may return an arbitrary number of results.
https://fedorahosted.org/sssd/ticket/1202 phase one
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1019
|
| |
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/967
|
| | |
|
| |
|
|
|
| |
There was too much code duplication between
sdap_save_{user,group,netgroup}. This patch removes the most egregious ones.
|
| | |
|
| | |
|
| |
|
|
|
| |
The deref processing would return a single control back. The do-while
loop was harmless but confusing.
|
| |
|
|
|
|
|
|
| |
ldap_create_deref_control_value expects an array of LDAPDerefSpec structures
with LDAPDerefSpec.derefAttr == NULL as a sentinel. We were passing a
single instance of a LDAPDerefSpec structure.
https://fedorahosted.org/sssd/ticket/1050
|
| |
|
|
|
|
| |
Also checks fake users for aliases when storing a real users so that
getgrnam for a RFC2307 group that references a user by his secondary
name followed by getpwnam for this user by his primary name works
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/989
John Hodrien found out that when paging is used while dereferencing an
entry, sssd_be may segfault on the second page.
This was because paging returned the control to sdap_generic_search
multiple times but sssd was freeing dereference control after the first
search invocation. The subsequend sdap searched accessed memory that was
already freed.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/985
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/986
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/877
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/876
|
| |
|
|
|
|
| |
A generic wrapper around ASQ and OpenLDAP dereference searches.
https://fedorahosted.org/sssd/ticket/635
|
| |
|
|
|
|
|
|
| |
This dereference method is supported at least by OpenLDAP and
389DS/RHDS
For more details, see:
http://tools.ietf.org/html/draft-masarati-ldap-deref-00
|
| |
|
|
|
|
| |
For more details on ASQ, see:
http://msdn.microsoft.com/en-us/library/aa366976%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa746418%28v=VS.85%29.aspx
|
| |
|
|
| |
These will be shared by both dereference methods in a later patch.
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a private sdap_get_generic_ext_send()/_recv() request that
exposes more of ldap_search_ext options, in particular the server
contols. The existing sdap_generic_search_send()/_recv() request
is now a thin wrapper around the new _ext request.
The other important change is that an entry parsing is a callback now.
That was done in order to allow custom parsing for results such as
OpenLDAP deref or Attribute Scoped Queries.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/643
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
