summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap
Commit message (Collapse)AuthorAgeFilesLines
* sysdb: try dealing with binary-content attributessssd-1-8Jan Engelhardt2013-02-262-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
* SSSD fails to store users if any of the requested attribute is empty.Michal Zidek2013-02-211-0/+6
| | | | https://fedorahosted.org/sssd/ticket/1440
* nested groups: fix group lookup hangs if member dn is incorrectPavel Březina2013-01-291-0/+24
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* LDAP: Check validity of naming_contextJakub Hrozek2013-01-291-1/+1
| | | | | | | https://fedorahosted.org/sssd/ticket/1581 If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
* LDAP: Handle empty namingContexts values safelyStephen Gallagher2013-01-291-0/+8
| | | | | | | | Certain LDAP servers can return an empty string as the value of namingContexts. We need to treat these as NULL so that we can fail gracefully. https://fedorahosted.org/sssd/ticket/1542
* FO: Check server validity before setting statussssd-1_8_5Jakub Hrozek2012-10-032-8/+17
| | | | | | | | | | | | | | | | | The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
* Fixed wrong number in shadowLastChangeJan Zeleny2012-09-071-1/+2
| | | | | The attribute is supposed to contain number of days since the epoch, not the number of seconds.
* Process all groups from a single nesting levelJakub Hrozek2012-08-211-4/+14
| | | | | | | | https://bugzilla.redhat.com/show_bug.cgi?id=846664 If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectivelly marking the whole nesting level as done.
* LDAP nested groups: Do not process callback with _post deep in the nested ↵Jakub Hrozek2012-05-221-12/+10
| | | | | | structure https://fedorahosted.org/sssd/ticket/1343
* If canon'ing principals, write ccache with updated default principalStef Walter2012-05-221-1/+2
| | | | | | | | | | | * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
* Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter2012-05-221-0/+15
| | | | | | | | | * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
* Warn to syslog when dereference requests failAriel Barria2012-05-221-2/+2
|
* Use the sysdb attribute name, not LDAP attribute nameJakub Hrozek2012-05-162-2/+2
|
* Try all KDCs when getting TGT for LDAPJakub Hrozek2012-05-091-15/+18
| | | | | | | | When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
* Special-case LDAP_SIZELIMIT_EXCEEDEDJakub Hrozek2012-05-071-4/+9
| | | | | | | | | | | | Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322
* Read sysdb attribute name, not LDAP attribute map nameJakub Hrozek2012-05-031-2/+2
| | | | https://fedorahosted.org/sssd/ticket/1320
* Get the RootDSE after binding if not successfull beforeJakub Hrozek2012-04-201-26/+104
| | | | https://fedorahosted.org/sssd/ticket/1258
* sdap_check_aliases must not error when detects the same userJakub Hrozek2012-04-201-13/+31
| | | | https://fedorahosted.org/sssd/ticket/1307
* Clean up log messages about keytab_nameStephen Gallagher2012-04-051-7/+12
| | | | | | | | | There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
* LDAP services: Save lowercased protocol names in case-insensitive domainsJakub Hrozek2012-03-291-1/+17
| | | | https://fedorahosted.org/sssd/ticket/1260
* LDAP: Fix memory leaks in synchronous_tls_setupStephen Gallagher2012-03-261-8/+10
| | | | | | | | | | We were never freeing "result" if it was allocated by ldap_result(). We were also not freeing "errmsg" if it was allocated but ldap_parse_result() returned an error. Also disambiguate error messages from ldap_parse_result() and error messages from sss_ldap_get_diagnostic_msg() since they use differing memory-management functions.
* LDAP services: Keep the protocol aroundJakub Hrozek2012-03-261-0/+1
|
* LDAP: Add better error logging when ldap_result() failsStephen Gallagher2012-03-211-1/+3
|
* LDAP: Errors retrieving the RootDSE should not be fatalStephen Gallagher2012-03-161-15/+8
| | | | | | | | If we can't reach the RootDSE, let's just proceed as if it's unavailable with reasonable defaults. If we fail later on, that's fine. Fixes https://fedorahosted.org/sssd/ticket/1257
* Fix uninitialized variableJakub Hrozek2012-03-161-1/+1
|
* Missing debug message if sdap_sudo_refresh_set_timer failsPavel Březina2012-03-091-1/+5
| | | | https://fedorahosted.org/sssd/ticket/1238
* LDAP: Make sdap_access_send/recv publicStephen Gallagher2012-03-092-12/+17
| | | | We want to consume this in the IPA provider.
* Fix nested groups processingJakub Hrozek2012-03-081-26/+60
| | | | | | | Instead of keeping the number of parent groups in "state" and having to reset the count when moving to another group on the same level, keep track of the all groups on a particular level along with their parents and parent count.
* Detect cycle in the fail over on subsequent resolve requests onlyJakub Hrozek2012-03-082-3/+6
|
* krb5_child: set debugging soonerJakub Hrozek2012-03-061-11/+17
|
* Only do one cycle when resolving a serverJakub Hrozek2012-03-062-9/+9
| | | | https://fedorahosted.org/sssd/ticket/1214
* Use proper errno codeJakub Hrozek2012-03-051-1/+1
|
* IPA: Set the DNS discovery domain to match ipa_domainStephen Gallagher2012-03-011-1/+2
| | | | https://fedorahosted.org/sssd/ticket/1217
* LDAP: Remove unnecessary filter sanitizeStephen Gallagher2012-02-261-11/+5
| | | | | | The orig_dn here isn't being passed to a filter and therefore must not be santized, as the sanitization process would break DNs that contain (among other things) parentheses.
* Modifications to simplify list_missing_attrsJan Zeleny2012-02-248-44/+21
|
* Delete missing attributes from netgroups to be storedJan Zeleny2012-02-241-1/+26
| | | | https://fedorahosted.org/sssd/ticket/1136
* LDAP: Only use paging control on requests for multiple entriesStephen Gallagher2012-02-2410-25/+79
| | | | | | | | | | The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results. https://fedorahosted.org/sssd/ticket/1202 phase one
* AUTOFS: Search all search bases for automounter map entriesJakub Hrozek2012-02-231-18/+86
| | | | https://fedorahosted.org/sssd/ticket/1168
* LDAP: Properly assign orig_dnStephen Gallagher2012-02-231-0/+1
| | | | This was only used for properly identifying debug messages.
* IPA: Add ipa_parse_search_base()Stephen Gallagher2012-02-232-10/+28
| | | | | | | | | | Previously, we were using sdap_parse_search_base() for setting up the search_base objects for use in IPA. However, this was generating unfriendly log messages about unknown search base types. This patch creates a new common_parse_search_base() routine that can be used with either LDAP or IPA providers. https://fedorahosted.org/sssd/ticket/1151
* End request if ldap_parse_result failsJakub Hrozek2012-02-211-0/+3
|
* LDAP: Ignore group member users that do not have name attributesStephen Gallagher2012-02-171-2/+2
| | | | | | | | Instead of failing the group lookup, just skip them. This was impacting some users of ActiveDirectory where not all users had the appropriate attributes. https://fedorahosted.org/sssd/ticket/1169
* Redesign purging of the sudo cachePavel Březina2012-02-171-19/+55
| | | | https://fedorahosted.org/sssd/ticket/1173
* Fix memory hierarchy when processing nested group membershipsJakub Hrozek2012-02-144-11/+14
| | | | https://fedorahosted.org/sssd/ticket/1186
* Fix uninitialized in_transactionStephen Gallagher2012-02-131-1/+1
| | | | Coverity #12521 and #12491
* Add missing breaks to switch statementsStephen Gallagher2012-02-132-0/+2
| | | | Coverity #12525 and #12524
* AUTOFS: IPA providerJakub Hrozek2012-02-071-0/+3
|
* LDAP: Add support for SSH user public keysJan Cholasta2012-02-073-4/+23
|
* Update shadowLastChanged attribute during LDAP password changeJan Zeleny2012-02-065-0/+189
| | | | https://fedorahosted.org/sssd/ticket/1019
* Session target in IPA providerJan Zeleny2012-02-061-0/+1
|
generated by cgit (git 2.34.1) at 2024-05-28 15:23:29 +0000