| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tires to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD read the group memberships
from LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1568
|
|
|
|
|
| |
sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later.
|
|
|
|
|
| |
If any function before failed, sss_idmap_free_sid() might have been
called with random data.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The group memberships cannot be reliable retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domains than the GC belongs to.
As a result the requests which tries to resolve group-memberships of a
AD user have to go to a LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
|
|
|
|
|
|
|
|
| |
ldap_get_options can fail in time of ldap back end initialisation
and then sssd try to release uninitialised sdap_options.
Resolves:
https://fedorahosted.org/sssd/ticket/2147
|
|
|
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2077
If during the LDAP authentication we find out that the originalDN to
bind as is missing (because the ID module is not LDAP based), we can try
to look up the user from LDAP without saving him just in order to
receive the originalDN.
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2077
Certain situations require that a user entry is downloaded for further
inpection, but not saved to the sysdb right away. This patch splits the
previously monolithic request into one that just downloads the data and
one that uses the new one to download and save the user.
|
|
|
|
|
|
|
| |
A bit more elegant way of detection of what domain the group member belongs to
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2157
If AD matching rule was selected, but the group was empty, the SSSD
accessed random data. Initializing count to zero prevents that.
|
| |
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we always choose correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we always choose correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we store subdomain users with correct
domain name.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
| |
This function will find sdap domain by comparing object dn
with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. Remembering
base dn in domain object gives us the ability to simply lookup
correct domain by comparing object dn with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
| |
|
|
|
|
|
|
| |
If talloc_array return NULL we should return right error code from function
sdap_domain_subdom_add. It might happen that we could return either wrong error
code or uninitialized variable ret.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have group with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent group 5000' and this request goes through data
provider, searching in parent domain first. Even though this
group does not belong to this domain it is found and stored as
ad.pb group.
With this patch we look at group's SID and put it into correct domain.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have user with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent passwd 5000' and this request goes through data
provider, searching in parent domain first. Even though this
user does not belong to this domain it is found and stored as
ad.pb user.
With this patch we look at user's SID and put it into correct domain.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
When a subdomain user logs in, the username the account request receives
is a FQDN. This hackish patch parses the FQDN and only uses the name to
search the LDAP.
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
|
|
|
|
|
| |
In case the entry was deleted from the server, the search didn't notice
and kept returning the cached data.
|
|
|
|
|
|
|
|
|
|
|
|
| |
AD provider went offline if the Global Catalog could not be connected although
there was also the LDAP port available. With this patch, AD provider will
fall back to the LDAP port before going offline.
New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx
If this flag is enabled function be_mark_offline will not be called.
Resolves:
https://fedorahosted.org/sssd/ticket/2104
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the beginning of a LDAP request we check if we are connecte and have
a valid sdap handle. But for some requests more than one LDAP operation,
typically a search, is needed. Due to the asynchronous handling of LDAP
request it might be possible that a second request might detect a server
error and close the connection while the first request just finished one
LDAP search and wants to start a new LDAP search.
This patch tries to make sure that there is a valid sdap handle before
sending a LDAP search to the server.
Fixes https://fedorahosted.org/sssd/ticket/2126
|
|
|
|
|
|
|
|
|
| |
Currently online callbacks are only executed if the backend was offline
before. This patch add a new class of callback which are always called
if the backend gets a request to go online.
They can be used e.g. to reset timeouts until a more sophisticated method
(OpenLMI, sssctl) is available.
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we relied on the fact that external ID mapping is used as
default fallback in case of an error and did not properly add subdomains
with external ID mapping to the idmap library. If debugging is enabled
this leads to irritating debug messages for every user or group lookup.
With this patch this subdomains are added to the idmap library.
Fixes https://fedorahosted.org/sssd/ticket/2105
|
| |
|
|
|
|
|
|
|
|
| |
In some cases, local boolean variable "do_update" could be used
without proper initialisation.
Clang static analyser warning: "Assigned value is garbage or undefined"
It was not a big problem, because non-zero value for boolean variable mean
true.
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/2116
|
|
|
|
|
|
|
|
| |
Related: https://fedorahosted.org/sssd/ticket/2070
Until now, the POSIX-compliant initgroups would only be able to search
the parent domain. Since we want to allow using POSIX attributes from AD
subdomains as well, we should allow searching a custom sdap_domain.
|
|
|
|
|
|
|
|
|
| |
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
|
|
|
|
|
|
|
|
|
| |
If tokenGroups contains group from different domain than user's,
we stored it under the user's domain tree in sysdb. This patch
changes it so we store it under group's domain tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
|
|
|
|
|
|
|
| |
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2087
IN_MULTICAST accepts address in the host order, but network order was
supplied.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2075
|
|
|
|
|
| |
The check worked for simple setups but fails e.g. in environment with
trusts.
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request.
|
|
|
|
| |
AD provider will override the default with its own.
|
|
|
|
| |
Remove code duplication.
|
| |
|
| |
|
| |
|
| |
|
| |
|