path: root/src/providers/ldap/sdap_async_groups.c
Commit message (Author, Age, Files, Lines)
* idmap: Silence DEBUG messages when dealing with built-in SIDs. (Michal Zidek, 2012-11-28, 1 file, -27/+34)
  When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
* LDAP: Only convert direct parents' ghost attribute to member (Jakub Hrozek, 2012-11-21, 1 file, -3/+21)
  https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
* LDAP: Refactor saving ghost users (Jakub Hrozek, 2012-11-19, 1 file, -88/+99)
* LDAP: Better debug logging when saving groups (Stephen Gallagher, 2012-11-19, 1 file, -11/+75)
* LDAP: use the correct memory context (Jakub Hrozek, 2012-11-19, 1 file, -1/+1)
  The element being reallocated is part of the "group_attrs" array, not attrs.
* LDAP: Fix saving empty groups (Jakub Hrozek, 2012-11-19, 1 file, -2/+4)
  https://fedorahosted.org/sssd/ticket/1647 A logic bug in the LDAP provider causes an attempt to allocate a zero-length array for group members while processing an empty group. The allocation would return NULL and saving the empty group would fail.
* LDAP: Allocate the temporary context on NULL, not memctx (Jakub Hrozek, 2012-11-19, 1 file, -1/+1)
  Allocating temporary context on NULL helps find memory leaks with valgrind and avoid growing memory over time by allocating on a long-lived context.
* LDAP: Fix off-by-one error when saving ghost users (Jakub Hrozek, 2012-11-06, 1 file, -1/+1)
  The ldb_val's length parameter should not include the terminating NULL. This was causing funky behaviour as the users were saved as binary attributes. https://fedorahosted.org/sssd/ticket/1614
* Create ghost users when a user DN is encountered in IPA (Jakub Hrozek, 2012-10-12, 1 file, -37/+276)
  The IPA has a defined directory tree structure that allows us to guess the username from a DN without having to look up the DN in LDAP. https://fedorahosted.org/sssd/ticket/1319
* SYSDB: Remove unnecessary domain parameter from several sysdb calls (Jakub Hrozek, 2012-09-24, 1 file, -1/+1)
  The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
* Unify usage of sysdb transactions (Michal Zidek, 2012-08-23, 1 file, -5/+22)
  Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except for src/db/sysdb_*.c).
* Fix incorrect error-check (Stephen Gallagher, 2012-07-09, 1 file, -1/+1)
  Coverity #12770
* Fix possible segfault in sdap_save_group() (Jan Zeleny, 2012-06-20, 1 file, -2/+11)
* Fixed debug message in sdap_save_group() (Jan Zeleny, 2012-06-15, 1 file, -1/+1)
* Fix an issue in ghost users (Jan Zeleny, 2012-06-13, 1 file, -75/+47)
  There was an issue with ghost members in nested groups. Consider a scenario with two groups A and B, B being member of A and having some ghost members. In such case SSSD stored both groups, then added membership between them and then added ghost members to the group B. The problem was that adding ghost members to group B didn't propagate these ghost members to group A. This functionality could have been solved by memberof plugin but the logic is far more complicated than changes this patch introduces. The change is simple: add ghost members at the same time as the group is created, even if groups are supposed to be stored in two passes. That way ghost members will be present at the time A -> B membership is created and they will be propagated as expected.
* LDAP: Auto-detect support for the ldap match rule (Stephen Gallagher, 2012-06-13, 1 file, -0/+1)
  This patch extends the RootDSE lookup so that we will perform a second request to test whether the match rule syntax can be used. If both groups and initgroups are disabled in the configuration, this lookup request can be skipped.
* LDAP: Add support for AD chain matching extension in group lookups (Stephen Gallagher, 2012-06-13, 1 file, -9/+153)
* LDAP: Remove redundant check (Stephen Gallagher, 2012-06-12, 1 file, -11/+0)
  The same block appeared earlier in the function and neither variable could have changed values since.
* Add support for filtering attributes (Jan Zeleny, 2012-05-31, 1 file, -5/+5)
  This patch adds support for filtering attributes when constructing attribute list from a map for LDAP query.
* Ghost members - support in LDAP provider (Jan Zeleny, 2012-05-31, 1 file, -186/+286)
  The original approach was to store name and original DN in an object in sysdb. When later referenced as member of a group, it was retrieved by its original DN and the correct information about its sysdb DN was stored in the group object which referenced it. The new approach doesn't use fake user objects, therefore this information has to be reached differently when constructing group memberships. The approach is to store all users to a hash table where original DN is used as the key and username as value. When constructing group memberships, the name is retrieved from this hash table instead of sysdb. This hash table is constructed when retrieving user objects from LDAP server - if the user is not present in sysdb, it is automatically stored in the hash table. Another situation is for rfc2307. Because there is no nesting there, we can construct the SYSDB_GHOST attribute directly and therefore don't need a hash table of ghost users.
* LDAP nested groups: Do not process callback with _post deep in the nested structure (Jakub Hrozek, 2012-05-22, 1 file, -12/+10)
  https://fedorahosted.org/sssd/ticket/1343
* Use the sysdb attribute name, not LDAP attribute name (Jakub Hrozek, 2012-05-16, 1 file, -1/+1)
* LDAP: Handle very large Active Directory groups (Stephen Gallagher, 2012-05-10, 1 file, -17/+37)
  Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783
* LDAP: Add attr_count return value to build_attrs_from_map() (Stephen Gallagher, 2012-05-10, 1 file, -6/+8)
  This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
* LDAP: Add helper function to map IDs (Stephen Gallagher, 2012-05-03, 1 file, -46/+2)
  This function will also auto-create a new ID map if the domain has not been seen previously.
* LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped entries (Stephen Gallagher, 2012-05-03, 1 file, -0/+5)
* LDAP: Add helper routine to convert LDAP blob to SID string (Stephen Gallagher, 2012-05-03, 1 file, -20/+4)
* LDAP: Allow looking up ID-mapped groups by name (Stephen Gallagher, 2012-05-03, 1 file, -18/+105)
* LDAP: check return value of sysdb_attrs_get_el (Jakub Hrozek, 2012-05-02, 1 file, -0/+7)
* Fixed minor memory leak in ldap provider (Jan Zeleny, 2012-04-18, 1 file, -0/+1)
* Fixed memory context in sdap_fill_memberships() (Jan Zeleny, 2012-04-18, 1 file, -1/+1)
* Removed unused block of code in sdap_fill_memberships() (Jan Zeleny, 2012-04-18, 1 file, -57/+29)
* Removed a block of dead code in sdap_async_groups.c (Jan Zeleny, 2012-04-18, 1 file, -20/+1)
* Modifications to simplify list_missing_attrs (Jan Zeleny, 2012-02-24, 1 file, -1/+1)
* LDAP: Only use paging control on requests for multiple entries (Stephen Gallagher, 2012-02-24, 1 file, -5/+10)
  The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results. https://fedorahosted.org/sssd/ticket/1202 phase one
* LDAP: Ignore group member users that do not have name attributes (Stephen Gallagher, 2012-02-17, 1 file, -2/+2)
  Instead of failing the group lookup, just skip them. This was impacting some users of ActiveDirectory where not all users had the appropriate attributes. https://fedorahosted.org/sssd/ticket/1169
* Fix memory hierarchy when processing nested group memberships (Jakub Hrozek, 2012-02-14, 1 file, -2/+2)
  https://fedorahosted.org/sssd/ticket/1186
* NSS: Add individual timeouts for entry types (Stephen Gallagher, 2012-02-04, 1 file, -7/+7)
  https://fedorahosted.org/sssd/ticket/1016
* LDAP: Fix incorrect search timeouts (Stephen Gallagher, 2012-02-04, 1 file, -1/+1)
* LDAP: Do not fail if RootDSE check cannot determine search bases (Stephen Gallagher, 2012-02-04, 1 file, -0/+9)
  https://fedorahosted.org/sssd/ticket/1152
* Logically dead code in sdap_nested_group_lookup_group (Pavel Březina, 2011-12-16, 1 file, -1/+1)
  https://fedorahosted.org/sssd/ticket/1113
* Use the case sensitivity flag in the LDAP provider (Jakub Hrozek, 2011-12-16, 1 file, -2/+2)
* Refactor saving sdap entities (Jakub Hrozek, 2011-12-16, 1 file, -39/+10)
  There was too much code duplication between sdap_save_{user,group,netgroup}. This patch removes the most egregious ones.
* Support search bases in RFC2307bis enumeration (Pavel Březina, 2011-12-14, 1 file, -10/+145)
  https://fedorahosted.org/sssd/ticket/960
* Fix two small bugs in group dereferencing (Jakub Hrozek, 2011-11-29, 1 file, -2/+5)
* Cleanup: Remove unused parameters (Jakub Hrozek, 2011-11-22, 1 file, -12/+6)
* Use one transaction instead of two during RFC2307bis group processing (Jakub Hrozek, 2011-11-11, 1 file, -31/+55)
  https://fedorahosted.org/sssd/ticket/1054
* LDAP: Remove redundant groups from the lookup list (Stephen Gallagher, 2011-11-08, 1 file, -23/+0)
* LDAP: Add support for multiple search bases for group enumeration (Stephen Gallagher, 2011-11-02, 1 file, -21/+95)
* LDAP: Support multiple group search bases (non-enumeration, RFC2307) (Stephen Gallagher, 2011-11-02, 1 file, -13/+62)