| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
|
|
|
|
|
|
| |
When the ldap child process is killed after a timeout, try the next KDC.
When none of the ldap child processes succeed, just abort the connection
because we wouldn't be able to authenticate to the LDAP server anyway.
https://fedorahosted.org/sssd/ticket/1324
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1258
|
|
|
|
|
|
|
|
|
|
| |
We were never freeing "result" if it was allocated by
ldap_result(). We were also not freeing "errmsg" if it was
allocated but ldap_parse_result() returned an error.
Also disambiguate error messages from ldap_parse_result() and
error messages from sss_ldap_get_diagnostic_msg() since they use
differing memory-management functions.
|
|
|
|
|
|
|
|
| |
If we can't reach the RootDSE, let's just proceed as if it's
unavailable with reasonable defaults. If we fail later on, that's
fine.
Fixes https://fedorahosted.org/sssd/ticket/1257
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1214
|
|
|
|
|
|
|
|
| |
In a heavy load environment, sometimes the failover service record
would be updated and free the URI value. We need to guarantee that
this URI string remains valid throughout the entire request.
https://fedorahosted.org/sssd/ticket/1139
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1036
|
|
|
|
| |
Also add a default case to protect against bad input
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1100
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1075
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/957
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/986
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/986
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/978
|
|
|
|
|
|
|
|
|
| |
In some cases, where there would be no response from the LDAP server,
there would be no R/W events on the LDAP fd, so
sdap_async_sys_connect_done would never be called.
This patch adds a tevent timer that cancels the connection after
SDAP_NETWORK_TIMEOUT seconds.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/940
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/643
|
|
|
|
|
|
|
| |
Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.
https://fedorahosted.org/sssd/ticket/795
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
sdap_cli_connect_recv_ext() checks if the failover server is not set to
determine if the backend is offline. To make this work properly if
multiple servers are defined the failover server must be set to NULL if
all servers are checked.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
This reverts 56d8d19ac9d857580a233d8264e851883b883c67
|
| |
|
|
|
|
|
|
| |
When obfuscated password is used in config file, the LDAP backend
converts it back to clear text and uses it to authenticate to the
server.
|
|
|
|
|
|
| |
Every ldap function that could possibly create a new connection is now
wrapped in a tevent_req. If the connection is created, we will call the
function again after the socket is ready for writing.
|
|
|
|
|
| |
Also adds support for detecting LDAPS errors by adding a check for
SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext()
|
| |
|
| |
|
| |
|
|
|
|
| |
sdap_handle for future reference.
|