| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Use the alternative group objectclass in queries.
Fixes:
https://fedorahosted.org/sssd/ticket/2436
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7ba70236daccb48432350147d0560b3302518cee)
(cherry picked from commit 9e99c000a4e2647328e71b4db272b4b73a7189c5)
|
|
|
|
|
|
|
|
| |
When initgr is performed for AD not supporting tokenGroups, do not
filter out groups without gid attribute or with gid equal to zero.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
|
|
|
|
|
|
|
|
| |
Do not expect objectClass to be posixGroup but rather more general
groupofnames.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 69994add9cd4e57d40b3b7a0b1783ef2d0aa974c)
|
|
|
|
|
|
|
|
|
|
|
| |
Remove premature call of tevent_req_done() from sdap_get_initgr_done().
Request is correctly marked as done at sdap_get_initgr_pgid().
Resolves:
https://fedorahosted.org/sssd/ticket/2334
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit fc731b54cd74e6732f1e33c7cc4ed49cab0f7c90)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script (identical to commit
83bf46f4066e3d5e838a32357c201de9bd6ecdfd) to update DEBUG* macro
invocations, which use literal numbers for levels, to use bitmask macros
instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code
(identical to commit a3c8390d19593b1e5277d95bfb4ab206d4785150):
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tires to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1568
|
|
|
|
|
| |
sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
|
|
|
|
|
|
|
| |
Related: https://fedorahosted.org/sssd/ticket/2070
Until now, the POSIX-compliant initgroups would only be able to search
the parent domain. Since we want to allow using POSIX attributes from AD
subdomains as well, we should allow searching a custom sdap_domain.
|
|
|
|
|
|
|
|
|
| |
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
|
|
|
|
|
|
|
|
|
| |
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
| |
|
|
|
|
|
|
| |
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later.
|
|
|
|
|
| |
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
|
|
|
| |
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
| |
|
|
|
|
|
|
| |
primary_name was allocated on a temporary memory context but as it is a
member of the state struct it should belong to the memory context of the
state.
|
|
|
|
|
|
|
|
|
| |
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011.
|
|
|
|
|
|
|
|
|
|
| |
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this options can be replace with a call which
checks the state via libss_idmap.
https://fedorahosted.org/sssd/ticket/1961
|
|
|
|
|
|
|
|
| |
By default, the LDAP searches delete the entry from cache if it wasn't
found during a search. But if a search wants to try both Global Catalog
and LDAP, for example, it might be beneficial to have an option to only
delete the entry from cache after the last operation fails to prevent
unnecessary memberof operations for example.
|
|
|
|
|
|
|
|
|
|
|
| |
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
|
|
|
|
|
|
| |
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1660
|
|
|
|
|
|
|
|
|
|
|
| |
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
|
|
|
|
| |
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be
declared with extern in krb5_utils.h.
|
| |
|
|
|
|
| |
The sysdb context is already available through the 'domain' structure.
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1761
The function tried to be smart and realloc only when needed, but that
only lead to hard-to find bugs where the logic would not allocate the
proper space. Remove the reallocation and prefer readability over speed
in this case.
|
| |
|
| |
|
| |
|
|
|
|
| |
Also remove unused sysdb_search_domgroup_by_name()
|
|
|
|
| |
Also remove unused sysdb_search_domuser_by_name()
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1695
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1355
|
|
|
|
|
|
| |
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c).
|
| |
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectivelly marking the whole nesting
level as done.
|
|
|
|
|
|
| |
group members with groups outside nesting limit.
https://fedorahosted.org/sssd/ticket/1194
|
|
|
|
|
|
|
|
| |
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped.
|
| |
|
|
|
|
|
| |
Move it to a private header so it can be reused by other
initgroups C files.
|
| |
|
|
|
|
|
|
|
| |
SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(),
not sdap_initgr_nested_recv(). By coincidence both recv functions
happened to be identical, but if one or the other changed, this
would break unexpectedly.
|