path: root/src/providers/ldap/sdap_async_initgroups_ad.c
Commit message | Author | Age | Files | Lines
* Use the alternative objectclass in group maps. | Michal Zidek | 2014-09-15 | 1 | -3/+10

    Use the alternative group objectclass in queries.

    Fixes: https://fedorahosted.org/sssd/ticket/2436

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 7ba70236daccb48432350147d0560b3302518cee)
    (cherry picked from commit 9e99c000a4e2647328e71b4db272b4b73a7189c5)

* AD: process non-posix nested groups using tokenGroups | Pavel Reichl | 2014-09-04 | 1 | -8/+1

    When initgr is performed for AD supporting tokenGroups, do not skip
    non-posix groups.

    Resolves: https://fedorahosted.org/sssd/ticket/2343

* SDAP: Update groups for user just once. | Lukas Slebodnik | 2014-08-26 | 1 | -20/+78

    The function sdap_ad_tokengroups_update_members finds the differences
    between the list of groups from sysdb and the list of groups from LDAP
    (input argument). For each new group, connections are created between
    user and group. The other connections are removed.

    The problem was that in some cases the function
    sdap_ad_tokengroups_update_members was called twice
    (sdap_ad_tokengroups_initgr_posix_tg_done and
    sdap_ad_tokengroups_initgr_posix_sids_done). The first call created
    connections between the user and groups resolved from tokengroups and
    the second call updated groups from missing SIDs, but previously
    created connections were removed. The worst case was when there
    weren't any missing groups. This behaviour caused missing groups in
    some cases (for users in a child AD domain).

    This patch joins the array of groups obtained from tokengroups and the
    array of groups obtained from missing SIDs. The function
    sdap_ad_tokengroups_update_members is called just once with a single
    array.

    Resolves: https://fedorahosted.org/sssd/ticket/2407

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 99f53d551a1db5d8023b4271eb691d554257624c)

* SDAP: Use different talloc_context for array of names | Lukas Slebodnik | 2014-08-26 | 1 | -1/+1

    It will be easier to steal the whole array to another talloc context.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 174e9ec6f88d709b6e9481ed06a322c0fc495842)

* SDAP: Immediately finish request for empty array | Lukas Slebodnik | 2014-08-26 | 1 | -1/+1

    If the array of SIDs is empty we needn't try to resolve them and we
    can immediately finish the request in function
    sdap_ad_resolve_sids_send.

    This patch is just a small optimisation.

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 21f2821a4420291c8eb3ee9d427e9e1b0a1d9989)

* ad initgroups: continue if resolved SID is still missing | Pavel Březina | 2014-08-14 | 1 | -6/+13

    https://fedorahosted.org/sssd/ticket/2389

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 983983dd1629ab33eab340a40d9ee83965a339c6)

* ad: update membership after SIDs are resolved | Pavel Březina | 2014-07-24 | 1 | -25/+62

    Resolves: https://fedorahosted.org/sssd/ticket/2385

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit ed346bcc84b8a326996e5550771773d8e63f17c2)

* ad: comment ENOENT when id mapping is disabled | Pavel Březina | 2014-07-24 | 1 | -0/+3

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit e6fa71b990d7068d66b98015ae54aae399cc84f1)

* SDAP: Continue resolving SID even if some fail | Pavel Reichl | 2014-07-24 | 1 | -1/+6

    Resolving groups obtained via Token-Groups in case of disabled ID
    mapping may lead to failure as non-posix groups are not resolved.

    This patch amends sdap_ad_resolve_sids_done() not to abruptly finish
    the request if ENOENT is returned.

    Resolves: https://fedorahosted.org/sssd/ticket/2345

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 1614e1b25a98ff2f03648c4bf61d750fb688285a)

* LDAP: tokengroups do not work with id_provider=ldap | Pavel Reichl | 2014-07-24 | 1 | -11/+71

    With the plain LDAP provider we already have a sdap_handle, so it
    should be possible that in the case where sdom->pvt == NULL
    sdap_id_op_connect_send() can be skipped and
    sdap_get_ad_tokengroups_send() can already be sent with the
    sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we
    should only fail if sdom->pvt == NULL and sh == NULL.

    If find_subdomain_by_sid() fails we can check if there is only one
    domain in the domain list (state->domain) and in this case continue
    with this domain, since the LDAP provider does not know about
    sub-domains and hence can only have one configured domain.

    Resolves: https://fedorahosted.org/sssd/ticket/2345

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)

* Update DEBUG* invocations to use new levels | Nikolai Kondrashov | 2014-05-02 | 1 | -2/+2

    Use a script (identical to commit 83bf46f4066e3d5e838a32357c201de9bd6ecdfd)
    to update DEBUG* macro invocations, which use literal numbers for levels,
    to use bitmask macros instead:

    grep -rl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e 'use strict;
                 use File::Slurp;
                 my @map=qw"
                    SSSDBG_FATAL_FAILURE
                    SSSDBG_CRIT_FAILURE
                    SSSDBG_OP_FAILURE
                    SSSDBG_MINOR_FAILURE
                    SSSDBG_CONF_SETTINGS
                    SSSDBG_FUNC_DATA
                    SSSDBG_TRACE_FUNC
                    SSSDBG_TRACE_LIBS
                    SSSDBG_TRACE_INTERNAL
                    SSSDBG_TRACE_ALL
                 ";
                 my $text=read_file(\*STDIN);
                 my $repl;
                 $text=~s/
                    ^
                    (
                        .*
                        \b
                        (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                        \s*
                        \(\s*
                    )(
                        [0-9]
                    )(
                        \s*,
                    )(
                        \s*
                    )(
                        .*
                    )
                    $
                 /
                    $repl = $1.$map[$3].$4.$5.$6,
                    length($repl) <= 80
                        ? $repl
                        : $1.$map[$3].$4."\n".(" " x length($1)).$6
                 /xmge;
                 print $text;
                ' < "$f.orig" > "$f"
        rm "$f.orig"
    done

* Make DEBUG macro invocations variadic | Nikolai Kondrashov | 2014-05-02 | 1 | -80/+80

    Use a script to update DEBUG macro invocations to use it as a variadic
    macro, supplying format string and its arguments directly, instead of
    wrapping them in parens. This script was used to update the code
    (identical to commit a3c8390d19593b1e5277d95bfb4ab206d4785150):

    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
    Reviewed-by: Simo Sorce <simo@redhat.com>

* LDAP: Add a new error code for malformed access control filter | Jakub Hrozek | 2014-01-09 | 1 | -2/+2

    https://fedorahosted.org/sssd/ticket/2164

    The patch adds a new error code and special cases the new code so that
    access is denied and a nicer log message is shown.

* AD: cross-domain membership fix | Sumit Bose | 2013-12-19 | 1 | -9/+148

    A recent patch directed all calls related to group membership lookups
    to the AD LDAP port to fix an issue related to missing group
    memberships in the Global Catalog. As a side-effect it broke
    cross-domain group-memberships because those cannot be resolved by the
    connection to the LDAP port.

    The patch tries to fix this by restoring the original behaviour in the
    top-level lookup calls in the AD provider and switching to the LDAP
    port only for the LDAP request which is expected to return the full
    group membership.

    Additionally this patch contains a related fix for the tokenGroups with
    Posix attributes patch. The original connection, typically a Global
    Catalog connection in the AD case, is passed down the stack so that
    the group lookup after the tokenGroups request can run over the same
    connection.

* AD: filter domain local groups for trusted/sub domains | Sumit Bose | 2013-12-19 | 1 | -2/+4

    In Active Directory groups with a domain local scope should only be
    used inside of the specific domain. Since SSSD reads the group
    memberships from the LDAP server of the user's domain the domain local
    groups are included in the LDAP result. Those groups should be
    filtered out if the domain is a sub/trusted domain, i.e. is not the
    domain the client running SSSD is joined to. The groups will still be
    in the cache but marked as non-POSIX groups and no GID will be
    assigned.

    Fixes https://fedorahosted.org/sssd/ticket/2178

* ad: use tokengroups even when id mapping is disabled | Pavel Březina | 2013-12-18 | 1 | -20/+517

    https://fedorahosted.org/sssd/ticket/1568

* ad: refactor tokengroups initgroups | Pavel Březina | 2013-12-18 | 1 | -213/+339

    sdap_get_ad_tokengroups_initgroups is split into more parts so it can
    be reused later.

* Initialize sid_str to NULL to avoid freeing random data | Jakub Hrozek | 2013-11-08 | 1 | -1/+1

    If any function before failed, sss_idmap_free_sid() might have been
    called with random data.

* free idmapped SIDs correctly | Pavel Březina | 2013-11-07 | 1 | -0/+2

    Resolves: https://fedorahosted.org/sssd/ticket/2133

* ad: store group in correct tree on initgroups via tokenGroups | Pavel Březina | 2013-09-26 | 1 | -11/+41

    If tokenGroups contains a group from a different domain than the
    user's, we stored it under the user's domain tree in sysdb. This patch
    changes it so we store it under the group's domain tree.

    Resolves: https://fedorahosted.org/sssd/ticket/2066

* Fix formatting of variables with type: gid_t | Lukas Slebodnik | 2013-09-11 | 1 | -2/+1

* Fix formatting of variables with type: size_t | Lukas Slebodnik | 2013-09-11 | 1 | -1/+1

* sysdb_add_incomplete_group: store SID string if available | Sumit Bose | 2013-08-19 | 1 | -1/+1

    During an initgroups request we read the SID of a group from the
    server but do not save it to the cache. This patch fixes this and
    might help to avoid an additional lookup of the SID later.

* LDAP: new SDAP domain structure | Jakub Hrozek | 2013-06-07 | 1 | -1/+1

    Previously an sdap_id_ctx was always tied to one domain with a single
    set of search bases. But with the introduction of Global Catalog
    lookups, primary domain and subdomains might have different search
    bases.

    This patch introduces a new structure sdap_domain that contains an
    sssd domain or subdomain and a set of search bases. With this patch,
    there is only one sdap_domain that describes the primary domain.

* Fixing critical format string issues. | Lukas Slebodnik | 2013-05-20 | 1 | -1/+1

    -- missing arguments.
    -- format '%s', but argument is integer.
    -- wrong format string, example: '%\n'

* Add domain arg to sysdb group member functions | Simo Sorce | 2013-01-15 | 1 | -2/+2

* Add domain arguments to sysdb_add_group functions. | Simo Sorce | 2013-01-15 | 1 | -2/+4

* Add domain to sysdb_search_group_by_gid() | Simo Sorce | 2013-01-15 | 1 | -1/+1

    Also remove unused sysdb_search_domgroup_by_gid()

* Add domain to sysdb_search_group_by_name() | Simo Sorce | 2013-01-15 | 1 | -1/+3

    Also remove unused sysdb_search_domgroup_by_name()

* Add domain to sysdb_search_user_by_name() | Simo Sorce | 2013-01-15 | 1 | -4/+10

    Also remove unused sysdb_search_domuser_by_name()

* idmap: Silence DEBUG messages when dealing with built-in SIDs. | Michal Zidek | 2012-11-28 | 1 | -1/+5

    When converting a built-in SID to a unix GID/UID, a confusing debug
    message about the failed conversion was printed. This patch
    special-cases these built-in objects.

    https://fedorahosted.org/sssd/ticket/1593

* AD: Handle sysdb lookup failure during tokenGroups processing | Stephen Gallagher | 2012-09-24 | 1 | -0/+6

* AD: Optimize initgroups lookups with tokenGroups | Stephen Gallagher | 2012-09-24 | 1 | -0/+277

    https://fedorahosted.org/sssd/ticket/1355

* LDAP: Add support for AD chain matching extension in initgroups | Stephen Gallagher | 2012-06-13 | 1 | -0/+292