path: root/src/providers/ldap/sdap_async_nested_groups.c
Commit history (newest first): subject, author, date, files changed, lines removed/added
* Fix debug messages - trailing '.'
  Pavel Reichl, 2014-09-29, 1 file changed, -1/+1

  Fix debug messages where '\n' was wrongly followed by '.'.

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Use the alternative objectclass in group maps.
  Michal Zidek, 2014-09-15, 1 file changed, -2/+9

  Use the alternative group objectclass in queries.

  Fixes: https://fedorahosted.org/sssd/ticket/2436

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Fix using of uninitialized variable
  Lukas Slebodnik, 2014-08-26, 1 file changed, -2/+5

  When a group was POSIX and ID mapping was enabled, the variable gid was
  used uninitialized.

  Valgrind error:
    Conditional jump or move depends on uninitialised value(s)
      at 0x13F1A1D7: sdap_nested_group_hash_group (sdap_async_nested_groups.c:279)
      by 0x13F1DAA1: sdap_nested_group_send (sdap_async_nested_groups.c:718)
      by 0x13F1998D: sdap_get_groups_process (sdap_async_groups.c:1847)
      by 0x13F0F9CE: sdap_get_generic_ext_done (sdap_async.c:1467)
      by 0x13F0EE9F: sdap_process_result (sdap_async.c:357)
      by 0x54ABFBE: tevent_common_loop_timer_delay (in /usr/lib64/libtevent.so.0.9.20)
      by 0x54ACFC9: ??? (in /usr/lib64/libtevent.so.0.9.20)
      by 0x54AB6B6: ??? (in /usr/lib64/libtevent.so.0.9.20)
      by 0x54A7F2C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.20)
      by 0x54A80CA: tevent_common_loop_wait (in /usr/lib64/libtevent.so.0.9.20)
      by 0x54AB656: ??? (in /usr/lib64/libtevent.so.0.9.20)
      by 0x5283872: server_loop (server.c:587)

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Revert "IPA: try to resolve nested groups as poxix group"
  Jakub Hrozek, 2014-08-19, 1 file changed, -201/+5

  This reverts commit 08145755f66e83c304e11228c2b610a09576dd81.
* IPA: try to resolve nested groups as poxix group
  Pavel Reichl, 2014-08-19, 1 file changed, -5/+201

  Resolves: https://fedorahosted.org/sssd/ticket/2343

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Avoid undefined ret value
  Jakub Hrozek, 2014-08-06, 1 file changed, -1/+1

  If the LDAP schema was set to a different value than AD and ID mapping
  was enabled, the value of ret was not defined. Make sure we define ret
  for the condition below with the default for ID mapping, which is
  'no GID'.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Only check GID if ID-mapping
  Jakub Hrozek, 2014-07-23, 1 file changed, -1/+8

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* No point in searching for gid if we already know the group should be filtered
  Jakub Hrozek, 2014-07-23, 1 file changed, -3/+5

  Reviewed-by: Sumit Bose <sbose@redhat.com>
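The four commits "SDAP: Fix using of uninitialized variable", "LDAP: Avoid undefined ret value", "Only check GID if ID-mapping" and "No point in searching for gid if we already know the group should be filtered" all touch one decision: how a fetched group ends up with a GID, and in which order the filter check, the ID-mapping check and the GID lookup run. The C example below is added here and is not SSSD code; it models that control flow with a result structure whose every member is assigned before any return, so no path can hand back an undefined ret or an unread gid. The option and entry structs, the toy base+RID mapping that stands in for SID-based ID mapping, and the sample inputs are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define EOK 0

/* Assumption: only the two schema flavours the commit messages mention matter. */
enum ldap_schema { SCHEMA_RFC2307, SCHEMA_AD };

enum gid_result { GID_SKIPPED, GID_NONE, GID_POSIX, GID_MAPPED };

/* Constructed stand-in for the provider options (not SSSD's own structures). */
struct provider_opts {
    enum ldap_schema schema;
    bool             id_mapping;
    uint32_t         idmap_base;   /* hypothetical start of the mapped ID range */
};

/* Constructed stand-in for a fetched group entry. */
struct group_entry {
    bool     filtered;        /* e.g. a domain-local group of a trusted domain */
    bool     has_gid_number;  /* gidNumber present: the group is POSIX */
    uint32_t gid_number;
    uint32_t rid;             /* relative ID from objectSid; used only with ID mapping */
};

struct gid_decision { int ret; enum gid_result result; uint32_t gid; };

/* Every path assigns ret, result and gid before returning. The defaults are
 * EOK and 'no GID', which is also what the ID-mapping branch falls back to. */
struct gid_decision resolve_group_gid(const struct provider_opts *opts,
                                      const struct group_entry *grp)
{
    struct gid_decision d = { EOK, GID_NONE, 0 };

    /* A filtered group is never stored as POSIX: skip the GID search entirely. */
    if (grp->filtered) {
        d.result = GID_SKIPPED;
        return d;
    }

    if (!opts->id_mapping) {
        /* Without ID mapping the GID can only come from gidNumber. */
        if (grp->has_gid_number) {
            d.result = GID_POSIX;
            d.gid = grp->gid_number;
        }
        return d;
    }

    /* ID mapping enabled: only the AD schema supplies a SID to map, so any
     * other schema keeps the initialized default instead of an undefined ret. */
    if (opts->schema != SCHEMA_AD) {
        return d;
    }

    /* The ID-mapping path assigns gid unconditionally before it is inspected.
     * Assumption: base+RID is a toy replacement for the real SID mapping. */
    d.gid = opts->idmap_base + grp->rid;
    d.result = (d.gid != 0) ? GID_MAPPED : GID_NONE;  /* GID check only under ID mapping */
    return d;
}

/* Constructed sample inputs for the example. */
const struct provider_opts opts_plain     = { SCHEMA_RFC2307, false, 0 };
const struct provider_opts opts_idmap_ad  = { SCHEMA_AD,      true,  200000 };
const struct provider_opts opts_idmap_rfc = { SCHEMA_RFC2307, true,  200000 };
const struct group_entry   grp_filtered   = { true,  true,  1001, 513 };
const struct group_entry   grp_posix      = { false, true,  1001, 513 };
const struct group_entry   grp_nonposix   = { false, false, 0,    1105 };
```

Running the filtered check first is what makes the later lookup cheap and safe: a group that will not be stored as POSIX never reaches the branch that reads gid, and a schema that cannot supply a SID leaves the pre-initialized 'no GID' result instead of whatever happened to be on the stack.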
* LDAP: Fix retrieving a group with no members
  Jakub Hrozek, 2014-06-27, 1 file changed, -2/+7

  sysdb_attrs_get_el() cannot return ENOENT. Even if the requested member
  doesn't exist, an empty element is created instead. This patch changes
  the code to use sysdb_attrs_get_el_ext() which returns ENOENT.

  The code only ever worked because we forgot to check the return value of
  sdap_nested_group_split_members(). When the empty attribute reached
  sdap_nested_group_split_members(), the function returned ENOMEM and
  count == 0. The caller used to only check the value of count, not the
  retval.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: group_split_members returns incorrectly ENOMEM
  Pavel Reichl, 2014-06-27, 1 file changed, -1/+4

  Don't fail if num_missing is 0.

  Resolves: https://fedorahosted.org/sssd/ticket/2369

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: return after tevent_req_error
  Pavel Reichl, 2014-06-27, 1 file changed, -1/+2

  Don't call tevent_req_done after tevent_req_error (for the same request).

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* nested groups: do not fail if we get one entry twice
  Pavel Březina, 2014-06-23, 1 file changed, -4/+6

  https://fedorahosted.org/sssd/ticket/2341

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Make it possible to extend an attribute map
  Jakub Hrozek, 2014-05-02, 1 file changed, -2/+3

  https://fedorahosted.org/sssd/ticket/2073

  This commit adds a new option ldap_user_extra_attrs that is unset by
  default. When set, the option contains a list of LDAP attributes the LDAP
  provider would download and store in addition to the usual set.

  The list can either contain LDAP attribute names only, or
  colon-separated tuples of LDAP attribute and SSSD cache attribute name.
  In case only the LDAP attribute name is specified, the attribute is saved
  to the cache verbatim. Using a custom SSSD attribute name might be
  required by environments that configure several SSSD domains with
  different LDAP schemas.

  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Make DEBUG macro invocations variadic
  Nikolai Kondrashov, 2014-02-12, 1 file changed, -90/+90

  Use a script to update DEBUG macro invocations to use it as a variadic
  macro, supplying format string and its arguments directly, instead of
  wrapping them in parens.

  This script was used to update the code:

    # For every .c/.h file mentioning DEBUG, rewrite
    #   DEBUG(level, ("fmt", args...));   into   DEBUG(level, "fmt", args...);
    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* AD: filter domain local groups for trusted/sub domains
  Sumit Bose, 2013-12-19, 1 file changed, -2/+26

  In Active Directory, groups with a domain local scope should only be used
  inside of the specific domain. Since SSSD reads the group memberships
  from the LDAP server of the user's domain, the domain local groups are
  included in the LDAP result. Those groups should be filtered out if the
  domain is a sub/trusted domain, i.e. it is not the domain the client
  running SSSD is joined to.

  The groups will still be in the cache but marked as non-POSIX groups and
  no GID will be assigned.

  Fixes https://fedorahosted.org/sssd/ticket/2178
* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)
  Michal Zidek, 2013-11-15, 1 file changed, -2/+2
* LDAP: Check all search bases during nested group processing
  Jakub Hrozek, 2013-10-30, 1 file changed, -13/+42
* nested groups: pick correct domain for cache lookups
  Pavel Březina, 2013-10-30, 1 file changed, -4/+12

  Groups may contain members from different domains. We need to make sure
  that we always choose the correct domain for subdomain users when looking
  up in sysdb.

  Resolves: https://fedorahosted.org/sssd/ticket/2064
* Include header file in implementation module.
  Lukas Slebodnik, 2013-09-24, 1 file changed, -0/+1

  Declarations of public functions were in header files, but the header
  files were not included in the implementation file.
* Fix formating of variables with type: size_t
  Lukas Slebodnik, 2013-09-11, 1 file changed, -1/+1
* Fix czech specific character in my name
  Pavel Březina, 2013-09-02, 1 file changed, -1/+1
* nested groups: do not expect any particular number of groups
  Pavel Březina, 2013-06-18, 1 file changed, -19/+10
* nested groups: do not return ENOMEM if num_groups is 0
  Pavel Březina, 2013-06-18, 1 file changed, -6/+10

  talloc_realloc(..., 0) calls talloc_free() and returns NULL. If we
  process a group that contains only users, we erroneously return ENOMEM.
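Three commits in this log ("LDAP: Fix retrieving a group with no members", "LDAP: group_split_members returns incorrectly ENOMEM" and "nested groups: do not return ENOMEM if num_groups is 0") describe the same pitfall from different angles: shrinking a member list to zero entries makes talloc_realloc() free the buffer and return NULL, which the usual "NULL means out of memory" check then reports as ENOMEM, and a caller that looks only at the count never notices the bogus error code. The C example below is added here and is not SSSD code; it shows a member-splitting routine that treats "nothing missing" as success, only reallocates with a non-zero size, and a caller that checks the return value before the count. It uses plain C realloc(), which on common libcs behaves like talloc_realloc() for size 0; the cache contents and member lists are constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define EOK 0

/* Constructed local cache: member DNs that need no LDAP lookup (assumption). */
static const char *cached_dns[] = {
    "uid=alice,ou=people,dc=example,dc=com",
    "cn=admins,ou=groups,dc=example,dc=com",
};

static bool in_cache(const char *dn)
{
    for (size_t i = 0; i < sizeof(cached_dns) / sizeof(cached_dns[0]); i++) {
        if (strcmp(cached_dns[i], dn) == 0) return true;
    }
    return false;
}

/* Split the member attribute into the DNs that still need a lookup.
 * Returns EOK with *missing/*num_missing set, where num_missing == 0 (and
 * *missing == NULL) is a valid outcome, or ENOMEM only when an allocation
 * with a non-zero size really failed. */
int split_members(const char **members, size_t num_members,
                  const char ***missing, size_t *num_missing)
{
    const char **list;
    size_t count = 0;

    *missing = NULL;
    *num_missing = 0;
    if (num_members == 0) return EOK;      /* empty attribute: nothing to do, not an error */

    list = calloc(num_members, sizeof(*list));
    if (list == NULL) return ENOMEM;

    for (size_t i = 0; i < num_members; i++) {
        if (!in_cache(members[i])) list[count++] = members[i];
    }

    if (count == 0) {
        /* The buggy form was: list = realloc(list, 0); if (list == NULL) return ENOMEM;
         * talloc_realloc(ctx, p, type, 0) frees p and returns NULL, and C realloc(p, 0)
         * may do the same, so NULL here does not mean out of memory. Free explicitly. */
        free(list);
        return EOK;
    }
    if (count < num_members) {              /* shrink only with a non-zero size */
        const char **shrunk = realloc(list, count * sizeof(*list));
        if (shrunk == NULL) { free(list); return ENOMEM; }  /* now NULL really is ENOMEM */
        list = shrunk;
    }
    *missing = list;
    *num_missing = count;
    return EOK;
}

/* Caller that checks the return value rather than only the count: returns the
 * number of members needing a lookup, or -errno on failure. */
long count_missing(const char **members, size_t num_members)
{
    const char **missing;
    size_t n;
    int ret = split_members(members, num_members, &missing, &n);
    if (ret != EOK) return -ret;
    free(missing);                          /* free(NULL) is fine when n == 0 */
    return (long)n;
}

/* Constructed member lists. */
const char *members_all_cached[] = { "uid=alice,ou=people,dc=example,dc=com",
                                     "cn=admins,ou=groups,dc=example,dc=com" };
const char *members_mixed[]      = { "uid=alice,ou=people,dc=example,dc=com",
                                     "uid=bob,ou=people,dc=example,dc=com",
                                     "cn=ops,ou=groups,dc=example,dc=com" };
```

The split between "zero results" and "allocation failure" matters beyond tidiness: a group whose members are all cached, or that contains only users, would otherwise fail to resolve with an out-of-memory error, and a caller that trusts the count alone would carry on with a buffer it believes was handed back successfully.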
* nested groups: allocate more space if deref returns more members
  Pavel Březina, 2013-06-17, 1 file changed, -0/+21

  https://fedorahosted.org/sssd/ticket/1894
* LDAP: new SDAP domain structure
  Jakub Hrozek, 2013-06-07, 1 file changed, -15/+22

  Previously an sdap_id_ctx was always tied to one domain with a single set
  of search bases. But with the introduction of Global Catalog lookups,
  primary domain and subdomains might have different search bases.

  This patch introduces a new structure sdap_domain that contains an sssd
  domain or subdomain and a set of search bases. With this patch, there is
  only one sdap_domain that describes the primary domain.
* LDAP: Fix value initialization warnings
  Lukas Slebodnik, 2013-04-04, 1 file changed, -1/+1
* refactor nested group processing: add new code
  Pavel Březina, 2013-04-02, 1 file changed, -0/+2229

  https://fedorahosted.org/sssd/ticket/1784

  1. initialization (main-req), returns members of input group
  2. evaluate group members (group)
  3. perform individual search (no-deref) or dereference attribute (deref)
  4a. no-deref
      1. perform a lookup depending on the type of the member object
      2. all direct members are evaluated first
      3. then we step down in nesting level and evaluate nested groups
  4b. deref
      1. perform a dereference lookup on member attribute
      2. all direct members are evaluated first
      3. then we step down in nesting level and evaluate nested groups

  Tevent request flow:

                    main-req
                       |
                     group
            |------------------------|
         no-deref                  deref
            |                        |
       |----|------|---------|       |
     user group unknown   recurse  recurse
           / \     |         |        |
         ... |     |         |       ...
            user group     group    group
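The steps above describe the no-deref path as a level-by-level walk: every direct member of the current level is looked up and classified first, and only then does processing step down one nesting level to the groups found there. The C example below is added here and is not SSSD code; it implements that walk over a small in-memory directory that stands in for the LDAP server (an assumption, as are the entry struct, the DNs and the fixed-size DN set). It also shows the two properties later commits in this log needed: a member reached twice, including through a cycle, is skipped rather than treated as an error (see "nested groups: do not fail if we get one entry twice"), and a nesting-level limit bounds the walk. Members that the directory cannot find (the "unknown" leaf in the flow) are ignored here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_ENTRIES 16   /* enough for the example; a real walk would grow this */

enum entry_type { ENTRY_USER, ENTRY_GROUP };

/* Constructed in-memory directory standing in for LDAP (assumption). */
struct entry {
    const char     *dn;
    enum entry_type type;
    const char     *members[4];   /* member attribute, NULL-terminated */
};

static const struct entry directory[] = {
    { "cn=all,ou=groups,dc=example,dc=com", ENTRY_GROUP,
      { "cn=dev,ou=groups,dc=example,dc=com", "uid=carol,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com", NULL } },
    { "cn=dev,ou=groups,dc=example,dc=com", ENTRY_GROUP,
      { "uid=alice,ou=people,dc=example,dc=com", "cn=ops,ou=groups,dc=example,dc=com", NULL } },
    { "cn=ops,ou=groups,dc=example,dc=com", ENTRY_GROUP,   /* member of dev and all, and
                                                             points back to all: a cycle */
      { "uid=bob,ou=people,dc=example,dc=com", "cn=all,ou=groups,dc=example,dc=com", NULL } },
    { "uid=alice,ou=people,dc=example,dc=com", ENTRY_USER, { NULL } },
    { "uid=bob,ou=people,dc=example,dc=com",   ENTRY_USER, { NULL } },
    { "uid=carol,ou=people,dc=example,dc=com", ENTRY_USER, { NULL } },
};

/* The "individual search" step: one lookup per member DN. */
static const struct entry *lookup(const char *dn)
{
    for (size_t i = 0; i < sizeof(directory) / sizeof(directory[0]); i++) {
        if (strcmp(directory[i].dn, dn) == 0) return &directory[i];
    }
    return NULL;
}

struct dn_set { const char *dn[MAX_ENTRIES]; size_t n; };

/* Add dn to the set; returns false if it was already there. */
static bool set_add(struct dn_set *s, const char *dn)
{
    for (size_t i = 0; i < s->n; i++) {
        if (strcmp(s->dn[i], dn) == 0) return false;
    }
    if (s->n < MAX_ENTRIES) s->dn[s->n++] = dn;
    return true;
}

/* Collect the distinct users reachable from group_dn. Level 0 holds the input
 * group; all members of one level are evaluated before the nested groups found
 * there become the next level. A DN seen before is skipped, so a duplicate
 * entry or a cycle is not an error. Returns the number of users collected. */
size_t resolve_nested_users(const char *group_dn, int max_nesting, struct dn_set *users)
{
    struct dn_set seen = { {0}, 0 };
    struct dn_set level = { {0}, 0 };
    struct dn_set next = { {0}, 0 };

    users->n = 0;
    set_add(&seen, group_dn);
    set_add(&level, group_dn);

    for (int depth = 0; depth <= max_nesting && level.n > 0; depth++) {
        next.n = 0;
        for (size_t g = 0; g < level.n; g++) {
            const struct entry *grp = lookup(level.dn[g]);
            if (grp == NULL || grp->type != ENTRY_GROUP) continue;
            for (size_t m = 0; grp->members[m] != NULL; m++) {
                const char *dn = grp->members[m];
                if (!set_add(&seen, dn)) continue;       /* already handled: skip, no error */
                const struct entry *e = lookup(dn);
                if (e == NULL) continue;                 /* unknown member: ignored here */
                if (e->type == ENTRY_USER) set_add(users, dn);
                else set_add(&next, dn);                 /* group: evaluated one level down */
            }
        }
        level = next;
    }
    return users->n;
}

/* Convenience wrapper returning only the count. */
size_t count_nested_users(const char *group_dn, int max_nesting)
{
    struct dn_set users;
    return resolve_nested_users(group_dn, max_nesting, &users);
}
```

With max_nesting set to 0 only the direct members of cn=all are classified (one user, carol); raising it to 2 lets the walk descend through cn=dev and cn=ops and pick up alice and bob, while the back-reference from cn=ops to cn=all is dropped by the seen set instead of looping. The same shape applies to the deref path: the per-member lookup is replaced by one dereference request per level, but the level ordering and the duplicate handling stay the same.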