path: root/src/providers/ldap/sdap_async_private.h
Commit message | Author | Age | Files | Lines
* SDAP: Extract filtering AD group to function | Lukas Slebodnik | 2015-04-22 | 1 | -0/+7
    Patch removes code duplication.
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit bad2fc8133d941e5a6c8d8016c9689e039265c61)
* LDAP/AD: do not resolve group members during tokenGroups request | Sumit Bose | 2015-04-22 | 1 | -0/+6
    During initgroups requests we try to avoid resolving the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup returns the complete list of memberships for a user, hence it is not necessary to look up the other group members and un-roll nested groups. With this patch only the group entry is looked up and saved as an incomplete group to the cache.

    This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true, groups which are missing in the cache are created as incomplete groups. As a result a request to look up this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests.

    https://fedorahosted.org/sssd/ticket/2601
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1)
* make make_realm_upper_case() static | Pavel Březina | 2014-02-18 | 1 | -1/+0
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: get_sysdb_grouplist() can return either names or dn | Pavel Březina | 2013-09-26 | 1 | -0/+6
    We need to work with distinguished names when processing cross-domain membership, because groups and users may be stored in different sysdb trees.
    Resolves: https://fedorahosted.org/sssd/ticket/2066
* LDAP: new SDAP domain structure | Jakub Hrozek | 2013-06-07 | 1 | -2/+1
    Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases.

    This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
* refactor nested group processing: replace old code | Pavel Březina | 2013-04-02 | 1 | -0/+16
    https://fedorahosted.org/sssd/ticket/1784
* ldap: Fallback option for rfc2307 schema | Simo Sorce | 2013-03-20 | 1 | -9/+1
    Add option to fall back to fetch local users if rfc2307 is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation.
    Ticket: https://fedorahosted.org/sssd/ticket/1020
* Add domain to sysdb_search_group_by_name() | Simo Sorce | 2013-01-15 | 1 | -0/+1
    Also remove unused sysdb_search_domgroup_by_name()
* Add domain to sysdb_search_user_by_name() | Simo Sorce | 2013-01-15 | 1 | -0/+1
    Also remove unused sysdb_search_domuser_by_name()
* LDAP: Make sdap_initgr_common_store() non-static | Stephen Gallagher | 2012-06-12 | 1 | -0/+8
    Move it to a private header so it can be reused by other initgroups C files.
* LDAP: Add helper function to get list of a user's groups from sysdb | Stephen Gallagher | 2012-06-12 | 1 | -0/+5
* Modifications to simplify list_missing_attrs | Jan Zeleny | 2012-02-24 | 1 | -2/+0
* Renamed some LDAP routines | Jan Zeleny | 2011-11-23 | 1 | -0/+15
    These were renamed just to make sure they are not mistaken for IPA netgroup functions.
* SysDB commands that save lastUpdate allow this value to be passed in | Pavel Březina | 2011-10-13 | 1 | -1/+2
    https://fedorahosted.org/sssd/ticket/836
* sdap_async_accounts.c split | Jan Zeleny | 2011-08-15 | 1 | -0/+17
    The file has been split in three:
    sdap_async_users.c
    sdap_async_groups.c
    sdap_async_initgroups.c

    https://fedorahosted.org/sssd/ticket/864
* Add sdap_call_conn_cb() to call add connection callback directly | Sumit Bose | 2011-06-30 | 1 | -0/+2
* Add ldap_deref option | Sumit Bose | 2010-10-22 | 1 | -0/+2
* Make ldap_child report kerberos return code to parent | Jakub Hrozek | 2010-10-13 | 1 | -1/+3
* Revert "Make ldap bind asynchronous" | Jakub Hrozek | 2010-09-15 | 1 | -8/+0
    This reverts 56d8d19ac9d857580a233d8264e851883b883c67
* Make ldap bind asynchronous | Martin Nagy | 2010-09-02 | 1 | -0/+8
    Every ldap function that could possibly create a new connection is now wrapped in a tevent_req. If the connection is created, we will call the function again after the socket is ready for writing.
* GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference. | eindenbom | 2010-07-09 | 1 | -1/+2
* Disable connection callbacks when going online | Stephen Gallagher | 2010-06-09 | 1 | -0/+1
    Under certain circumstances, the openldap libraries will continue internally trying to reconnect to a connection lost (as during a cable-pull test). We need to drop the reconnection callbacks when marking the backend offline in order to guarantee that they are not called with an invalid sdap_handle.
* Add ldap_krb5_ticket_lifetime option | Sumit Bose | 2010-05-16 | 1 | -0/+1
* Add dynamic DNS updates to FreeIPA | Stephen Gallagher | 2010-05-16 | 1 | -0/+2
    This adds two new options:
    ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS.
    ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA.

    This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
* Revert "Add dynamic DNS updates to FreeIPA" | Stephen Gallagher | 2010-05-07 | 1 | -2/+0
    This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7.

    While this patch applied cleanly, it was uncompilable. Reverting until it can be properly merged.
* Add dynamic DNS updates to FreeIPA | Stephen Gallagher | 2010-05-07 | 1 | -0/+2
    This adds two new options:
    ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS.
    ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA.

    This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
* Make the handling of fd events opaque | Sumit Bose | 2010-04-26 | 1 | -9/+7
    Depending on the version of the OpenLDAP libraries we use two different schemes to find the file descriptor of the connection to the LDAP server. This patch removes the related ifdefs from the main code and introduces helper functions which can handle the specific cases.
* Rename server/ directory to src/ | Stephen Gallagher | 2010-02-18 | 1 | -0/+68
    Also update BUILD.txt