summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap
Commit message (Collapse)AuthorAgeFilesLines
...
* Check the return value of sysdb_search_servicesJakub Hrozek2013-03-051-0/+6
|
* sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina2013-02-271-3/+7
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
* sysdb: try dealing with binary-content attributesJan Engelhardt2013-02-262-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
* LDAP: Check for authtok validityJakub Hrozek2013-02-111-7/+9
| | | | | | | | | | The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
* Add realm info to sss_domain_infoSimo Sorce2013-02-101-1/+1
|
* nested groups: fix group lookup hangs if member dn is incorrectPavel Březina2013-01-281-0/+24
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* Add be_req_get_data() helper funciton.Simo Sorce2013-01-215-8/+8
| | | | In preparation for making struct be_req opaque.
* Add be_req_get_be_ctx() helper.Simo Sorce2013-01-215-39/+43
| | | | In preparation for making be_req opaque
* Introduce be_req_terminate() helperSimo Sorce2013-01-214-17/+10
| | | | | Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
* Remove domain from be_req structureSimo Sorce2013-01-211-1/+1
|
* Pass domain not be_req to access check functionsSimo Sorce2013-01-213-17/+25
|
* Remove sysdb as a be request structure memberSimo Sorce2013-01-211-2/+2
| | | | The sysdb context is already available through the 'domain' context.
* Remove sysdb as a be context structure memberSimo Sorce2013-01-2113-27/+27
| | | | The sysdb context is already available through the 'domain' structure.
* Move ldap provider access functionsSimo Sorce2013-01-212-59/+86
| | | | | | It was confusing to see the ldap provider own handler mixed with the generic ldap access code used also by the ipa and ad providers. So move the ldap provider handler code in its own file.
* LDAP: Compare lists of DNs when saving autofs entriesJakub Hrozek2013-01-211-134/+147
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
* LDAP: avoid complex realloc logic in save_rfc2307bis_group_membershipsJakub Hrozek2013-01-151-12/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
* Add domain arguments to sysdb sudo functionsSimo Sorce2013-01-154-9/+22
|
* Add domain arguments to sysdb services functionsSimo Sorce2013-01-152-4/+5
| | | | also fix sysdb_svc_add declarations
* Add domain argument to sysdb autofs functionsSimo Sorce2013-01-152-11/+18
|
* Add domain arguemnt to sysdb_get_real_name()Simo Sorce2013-01-151-1/+2
|
* Add domain argument to sysdb_idmap_ funcitonsSimo Sorce2013-01-151-1/+2
|
* Add domain argument to sysdb_remove_attrs()Simo Sorce2013-01-151-1/+1
|
* Add domain argument to sysdb_has/set_enumerated()Simo Sorce2013-01-153-3/+4
|
* Add domain arg to sysdb_search/delete_netgroup()Simo Sorce2013-01-151-1/+1
|
* Add domain argument to sysdb_delete_group()Simo Sorce2013-01-152-3/+5
| | | | Also remove sysdb_delete_domgroup()
* Add domain argument to sysdb_search_groups()Simo Sorce2013-01-153-7/+12
|
* Add domain argument to sysdb_delete_user()Simo Sorce2013-01-152-4/+6
| | | | Also remove sysdb_delete_domuser()
* Add domain arg to sysdb_search_users()Simo Sorce2013-01-153-16/+25
|
* Add domain argument to sysdb_cache_password()Simo Sorce2013-01-151-0/+1
|
* Add domain arg to sysdb group member functionsSimo Sorce2013-01-152-7/+9
|
* Add domain argument to sysdb_store_group()Simo Sorce2013-01-151-3/+5
| | | | Also remove sysdb_store_domgroup()
* Add domain argument to sysdb_store_user()Simo Sorce2013-01-151-2/+3
| | | | Also remove sysdb_store_domuser()
* Add domain arguments to sysdb_add_inetgroup fns.Simo Sorce2013-01-151-1/+1
|
* Add domain arguments to sysdb_add_group functions.Simo Sorce2013-01-152-4/+6
|
* Add domain argument to sysdb_set_user_attr()Simo Sorce2013-01-152-3/+8
|
* Add domain to sysdb_search_group_by_gid()Simo Sorce2013-01-151-1/+1
| | | | Also remove unused sysdb_search_domgroup_by_gid()
* Add domain to sysdb_search_group_by_name()Simo Sorce2013-01-153-7/+16
| | | | Also remove unused sysdb_search_domgroup_by_name()
* Add domain to sysdb_search_user_by_name()Simo Sorce2013-01-155-15/+36
| | | | Also remove unused sysdb_search_domuser_by_name()
* Add domain argument to sysdb_get_user_attr()Simo Sorce2013-01-152-5/+6
|
* Make sysdb_custom_subtree_dn() require a domain.Simo Sorce2013-01-151-2/+4
|
* Make sysdb_domain_dn() require a domain.Simo Sorce2013-01-151-1/+1
|
* Make sysdb_netgroup_base_dn() require a domain.Simo Sorce2013-01-151-1/+1
|
* let ldap_backup_chpass_uri workPavel Březina2013-01-141-2/+4
| | | | https://fedorahosted.org/sssd/ticket/1760
* Fix LDAP authentication - invalid password lengthPavel Březina2013-01-141-1/+1
| | | | | | sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.
* Change pam data auth tokens.Simo Sorce2013-01-104-97/+92
| | | | Use the new authtok abstraction and interfaces throught the code.
* Fix sdap reinit.Simo Sorce2013-01-101-82/+89
| | | | | | | | | | | | | | | | This set of functions had a few important issues: 1. the base_dn was always NULL, as the base array was never actually used to construct any DN. This means each function searched the whole database multiple times. It would try to remove SYSDB_USN from all database entries 3 times. Then it would try to find non updated entries another 3 times and delete them, arguably find empty results the last 2 times. 2. Remove use of sysdb_private.h, that header is *PRIVATE* which means it should not be used anywhere but within sysdb. Do this by using existing functions instead of using ldb calls directly. This is important to keep sysdb as conistent and self-contained as possible.
* AD: Add user as a direct member of his primary groupJakub Hrozek2013-01-091-8/+109
| | | | | | | | | | | | In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. The downside of this approach is that the user is returned as a group member during getgrgid call as well.
* AD: replace GID/UID, do not add another oneJakub Hrozek2013-01-094-7/+41
| | | | | | | The code would call sysdb_attrs_add_uint32 which added another UID or GID to the ID=0 we already downloaded from LDAP (0 is the default value) when ID-mapping an entry. This led to funky behaviour later on when we wanted to process the ID.
* sudo smart refresh: fix debug messagePavel Březina2013-01-071-1/+1
|
* sudo smart refresh: do not include usn in filter if no valid usn is knownPavel Březina2013-01-071-5/+12
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1736 When there are no rules during first refresh, we don't have valid USN value. We use 0 in this case, but it turned out that OpenLDAP takes it as invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include USN/modifyTimestamp attribute in the filter if such situasion occurs.
generated by cgit (git 2.34.1) at 2024-06-10 09:19:49 +0000