summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap/sdap_async_initgroups.c
Commit message (Collapse)AuthorAgeFilesLines
* Use the alternative objectclass in group maps.Michal Zidek2014-09-151-11/+39
| | | | | | | | | | | Use the alternative group objectclass in queries. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 7ba70236daccb48432350147d0560b3302518cee) (cherry picked from commit 9e99c000a4e2647328e71b4db272b4b73a7189c5)
* AD: process non-posix nested groups w/o tokenGroupsPavel Reichl2014-09-041-5/+1
| | | | | | | | When initgr is performed for AD not supporting tokenGroups, do not filter out groups without gid attribute or with gid equal to zero. Resolves: https://fedorahosted.org/sssd/ticket/2343
* IPA: process non-posix nested groupsPavel Reichl2014-09-041-1/+1
| | | | | | | | Do not expect objectClass to be posixGroup but rather more general groupofnames. Resolves: https://fedorahosted.org/sssd/ticket/2343
* LDAP: Make it possible to extend an attribute mapJakub Hrozek2014-06-031-2/+4
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2073 This commit adds a new option ldap_user_extra_attrs that is unset by default. When set, the option contains a list of LDAP attributes the LDAP provider would download and store in addition to the usual set. The list can either contain LDAP attribute names only, or colon-separated tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Add option to disable use of Token-GroupsPavel Reichl2014-06-021-2/+5
| | | | | | | | | | | | Disabling use of Token-Groups is mandatory if expansion of nested groups is not desired (ldap_group_nesting_level = 0) for AD provider. Resolves: https://fedorahosted.org/sssd/ticket/2294 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 69994add9cd4e57d40b3b7a0b1783ef2d0aa974c)
* LDAP: fix - find primary group by gidPavel Reichl2014-06-021-1/+0
| | | | | | | | | | | Remove premature call of tevent_req_done() from sdap_get_initgr_done(). Request is correctly marked as done at sdap_get_initgr_pgid(). Resolves: https://fedorahosted.org/sssd/ticket/2334 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit fc731b54cd74e6732f1e33c7cc4ed49cab0f7c90)
* Update DEBUG* invocations to use new levelsNikolai Kondrashov2014-05-021-73/+100
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use a script (identical to commit 83bf46f4066e3d5e838a32357c201de9bd6ecdfd) to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done
* Make DEBUG macro invocations variadicNikolai Kondrashov2014-05-021-164/+164
| | | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code (identical to commit a3c8390d19593b1e5277d95bfb4ab206d4785150): grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* AD: cross-domain membership fixSumit Bose2013-12-191-3/+47
| | | | | | | | | | | | | | | | | | | A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
* ad: use tokengroups even when id mapping is disabledPavel Březina2013-12-181-5/+5
| | | | https://fedorahosted.org/sssd/ticket/1568
* ad: refactor tokengroups initgroupsPavel Březina2013-12-181-8/+8
| | | | | sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argumentSumit Bose2013-10-251-0/+4
| | | | | | | | | | | | | When libss_idmap was only used to algorithmically map a SID to a POSIX ID a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if not specific information about the domain was found. The lead to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* LDAP: Allow searching subdomain during RFC2307bis initgroupsJakub Hrozek2013-09-271-9/+11
| | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2070 Until now, the POSIX-compliant initgroups would only be able to search the parent domain. Since we want to allow using POSIX attributes from AD subdomains as well, we should allow searching a custom sdap_domain.
* LDAP: Require ID numbers when ID mapping is offJakub Hrozek2013-09-271-4/+55
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2070 When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemigly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC.
* sysdb: get_sysdb_grouplist() can return either names or dnPavel Březina2013-09-261-16/+49
| | | | | | | | | We need to work with distinguish names when processing cross-domain membership, because groups and users may be stored in different sysdb tree. Resolves: https://fedorahosted.org/sssd/ticket/2066
* Fix formating of variables with type: size_tLukas Slebodnik2013-09-111-7/+10
|
* sysdb_add_incomplete_group: store SID string is availableSumit Bose2013-08-191-8/+17
| | | | | | During initgroups request we read the SID of a group from the server but do not save it to the cache. This patch fixes this and might help to avoid an additional lookup of the SID later.
* save_rfc2307bis_user_memberships: use fq names for subdomainsSumit Bose2013-08-191-0/+16
| | | | | For subdomains the group names must be expanded to fully qualified names to be able to find existing groups or properly add new ones.
* sdap_add_incomplete_groups: use fully qualified name if neededSumit Bose2013-08-191-4/+14
| | | | | For subdomains the group names must be expanded to fully qualified names to be able to find existing groups or properly add new ones.
* sdap_get_initgr_done: use the right SID to get a GIDSumit Bose2013-08-191-1/+2
|
* Fix memory context for a state memberSumit Bose2013-08-071-1/+1
| | | | | | primary_name was allocated on a temporary memory context but as it is a member of the state struct it should belong to the memory context of the state.
* LDAP: Use domain-specific name where appropriateJakub Hrozek2013-07-241-27/+24
| | | | | | | | | The subdomain users user FQDN in their name attribute. However, handling of whether to use FQDN in the LDAP code was not really good. This patch introduces a utility function and converts code that was relying on user/group names matching to this utility function. This is a temporary fix until we can refactor the sysdb API in #2011.
* Replace SDAP_ID_MAPPING checks with sdap_idmap_domain_has_algorithmic_mappingSumit Bose2013-06-281-7/+13
| | | | | | | | | | Currently the decision if external or algorithmic mapping should be used in the LDAP or AD provider was based on the value of the ldap_id_mapping config option. Since now all information about ID mapping is handled by libsss_idmap the check for this options can be replace with a call which checks the state via libss_idmap. https://fedorahosted.org/sssd/ticket/1961
* LDAP: return sdap search return code to IDJakub Hrozek2013-06-071-2/+2
| | | | | | | | By default, the LDAP searches delete the entry from cache if it wasn't found during a search. But if a search wants to try both Global Catalog and LDAP, for example, it might be beneficial to have an option to only delete the entry from cache after the last operation fails to prevent unnecessary memberof operations for example.
* LDAP: new SDAP domain structureJakub Hrozek2013-06-071-8/+10
| | | | | | | | | | | Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
* LDAP: Pass in a connection to ID functionsJakub Hrozek2013-06-071-1/+4
| | | | | | | Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.
* LDAP: If deref search fails, try again without derefJan Cholasta2013-03-211-1/+11
| | | | https://fedorahosted.org/sssd/ticket/1660
* ldap: Fallback option for rfc2307 schemaSimo Sorce2013-03-201-2/+15
| | | | | | | | | | | Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
* Removing unused declaration of functions and variable.Lukas Slebodnik2013-03-191-10/+0
| | | | | | Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
* Fix initialization of multiple variablesOndrej Kos2013-03-131-1/+1
|
* Remove sysdb as a be context structure memberSimo Sorce2013-01-211-1/+1
| | | | The sysdb context is already available through the 'domain' structure.
* LDAP: avoid complex realloc logic in save_rfc2307bis_group_membershipsJakub Hrozek2013-01-151-12/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
* Add domain arguemnt to sysdb_get_real_name()Simo Sorce2013-01-151-1/+2
|
* Add domain arg to sysdb group member functionsSimo Sorce2013-01-151-5/+7
|
* Add domain arguments to sysdb_add_group functions.Simo Sorce2013-01-151-2/+2
|
* Add domain to sysdb_search_group_by_name()Simo Sorce2013-01-151-6/+12
| | | | Also remove unused sysdb_search_domgroup_by_name()
* Add domain to sysdb_search_user_by_name()Simo Sorce2013-01-151-10/+22
| | | | Also remove unused sysdb_search_domuser_by_name()
* LDAP: remove dead assignmentJakub Hrozek2012-12-101-1/+0
|
* LDAP: Continue adjusting group membership even if there is nothing to addJakub Hrozek2012-12-051-2/+1
| | | | https://fedorahosted.org/sssd/ticket/1695
* sdap_add_incomplete_groups(): fix ret may be uninitialized warningPavel Březina2012-09-241-1/+1
|
* AD: Optimize initgroups lookups with tokenGroupsStephen Gallagher2012-09-241-4/+20
| | | | https://fedorahosted.org/sssd/ticket/1355
* Unify usage of sysdb transactionsMichal Zidek2012-08-231-27/+47
| | | | | | Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
* Remove compilation warning: ret may be uninitializedPavel Březina2012-08-211-0/+2
|
* Process all groups from a single nesting levelJakub Hrozek2012-08-211-4/+14
| | | | | | | | https://bugzilla.redhat.com/show_bug.cgi?id=846664 If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectivelly marking the whole nesting level as done.
* When ldap_group_nesting_level was reached, the LDAP provider tried to link ↵Michal Zidek2012-08-101-1/+45
| | | | | | group members with groups outside nesting limit. https://fedorahosted.org/sssd/ticket/1194
* LDAP: Auto-detect support for the ldap match ruleStephen Gallagher2012-06-131-1/+3
| | | | | | | | This patch extends the RootDSE lookup so that we will perform a second request to test whether the match rule syntax can be used. If both groups and initgroups are disabled in the configuration, this lookup request can be skipped.
* LDAP: Add support for AD chain matching extension in initgroupsStephen Gallagher2012-06-131-9/+20
|
* LDAP: Make sdap_initgr_common_store() non-staticStephen Gallagher2012-06-121-7/+7
| | | | | Move it to a private header so it can be reused by other initgroups C files.
* LDAP: Add helper function to get list of a user's groups from sysdbStephen Gallagher2012-06-121-33/+64
|
* LDAP: Fix incorrect switch statement in sdap_get_initgr_done()Stephen Gallagher2012-06-121-1/+1
| | | | | | | SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(), not sdap_initgr_nested_recv(). By coincidence both recv functions happened to be identical, but if one or the other changed, this would break unexpectedly.
generated by cgit (git 2.34.1) at 2024-06-06 13:14:51 +0000