| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Domain needn't contain sid if id_provider is ldap.
With enabled id mapping, group couldn't be stored, because domain
couldn't be found by sid.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tires to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD read the group memberships
from LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2157
If AD matching rule was selected, but the group was empty, the SSSD
accessed random data. Initializing count to zero prevents that.
|
| |
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we always choose correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
| |
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we store subdomain users with correct
domain name.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have group with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent group 5000' and this request goes through data
provider, searching in parent domain first. Even though this
group does not belong to this domain it is found and stored as
ad.pb group.
With this patch we look at group's SID and put it into correct domain.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
| | |
|
| | |
|
| |
|
|
|
| |
struct ldb_message_element.num_values is unsigned
This patch indirectly fixes printf format string warning.
|
| |
|
|
|
|
|
|
| |
In sdap_nested_group_populate_users() username and orignal_dn are
allocated on a temporary memory context. If the corresponding user is
not found in the cache both are added to a hash which is later on
returned to the caller. To avoid a use-after-free when the hash entries
are looked up both must be reassigned to the memory context of the hash.
|
| |
|
|
| |
Coverity ID: 11927
|
| |
|
|
|
|
|
|
|
| |
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011.
|
| |
|
|
|
|
|
|
|
|
| |
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this options can be replace with a call which
checks the state via libss_idmap.
https://fedorahosted.org/sssd/ticket/1961
|
| |
|
|
|
|
| |
Because the NSS responder expects the name attribute to contain FQDN,
we must save the name as FQDN in the LDAP provider if the domain we save
to is a subdomain.
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
| |
|
|
|
|
| |
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
| |
|
|
|
|
|
| |
Currently the string representation of a SID is only stored in the cache
for debugging purpose if SID based ID-mapping is used. This patch
unconditionally stores the SID if available to allow SID-to-name
mappings from the cache.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1799
One peculiarity of the sysdb_attrs_get_el interface is that if the
attribute does not exist, then the attrs array is reallocated and the
element is created. But in case other pointers are already pointing
into the array, the realloc might invalidate them.
Such case was in the sdap_process_ghost_members function where if
the group had no members, the "gh" pointer requested earlier might have
been invalidated by the realloc in order to create the member element.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1784
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1660
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1755
sdap_find_entry_by_origDN() may return ENOENT in these
non-error scenarios:
If a member is out of scope of configured nesting level, sssd
produces few noise lines indicating failure.
The worse case is when a member is outside of configured search
bases. In this case we save the group with incomplete membership,
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1783
When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.
|
| | |
|
| | |
|
| |
|
|
| |
Also remove sysdb_store_domgroup()
|
| | |
|
| |
|
|
| |
Also remove unused sysdb_search_domuser_by_name()
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the AD case, deployments sometimes add groups as parents of the
primary GID group. These groups are then returned during initgroups
in the tokenGroups attribute and member/memberof links are established
between the user and the group. However, any update of these groups
would remove the links, so a sequence of calls: id -G user; id user; id
-G user would return different group memberships.
The downside of this approach is that the user is returned as a group
member during getgrgid call as well.
|
| |
|
|
|
|
|
| |
The code would call sysdb_attrs_add_uint32 which added another UID or GID
to the ID=0 we already downloaded from LDAP (0 is the default value) when
ID-mapping an entry. This led to funky behaviour later on when we wanted
to process the ID.
|
| | |
|
| |
|
|
|
|
|
|
| |
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
| | |
|
| |
|
|
|
| |
The element being reallocated is part of the "group_attrs" array, not
attrs.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1647
A logic bug in the LDAP provider causes an attempt to allocate a zero-length
array for group members while processing an empty group. The allocation
would return NULL and saving the empty group would fail.
|
| |
|
|
|
|
| |
Allocating temporary context on NULL helps vind memory leaks with
valgrind and avoid growing memory over time by allocating on a
long-lived context.
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1376
|
| | |
|
| |
|
|
|
|
|
|
| |
The ldb_val's length parameter should not include the terminating NULL.
This was causing funky behaviour as the users were saved as binary
attributes.
https://fedorahosted.org/sssd/ticket/1614
|
| |
|
|
|
|
|
| |
The IPA has a defined directory tree structure that allows us to guess
the username from a DN without having to look up the DN in LDAP.
https://fedorahosted.org/sssd/ticket/1319
|
| |
|
|
|
| |
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
| |
|
|
|
|
| |
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c).
|
| |
|
|
| |
Coverity #12770
|
| | |
|
