summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap
Commit message (Collapse)AuthorAgeFilesLines
* LDAP: Setup periodic task only once.Lukas Slebodnik2014-02-261-13/+41
| | | | | | | | | | | | | | | If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init If you enable enumeration and use different providers for id and sudo(autofs) then another periodic task will be scheduled. This can cause weird behaviour (e.g. missing members of group) Perodic tasks will be started only by id_provider. Resolves: https://fedorahosted.org/sssd/ticket/2153 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 057cb583f02bf47678c393cb8f1f74861c2b960b)
* LDAP: Handle errors from sdap_id_op properly in enum codeJakub Hrozek2014-02-121-1/+41
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 93dabb2fe0a798f22bb802b9c6521ab9e6a4ac36)
* LDAP: Detect the presence of POSIX attributesJakub Hrozek2014-02-125-10/+454
| | | | | | | | | | | | | | | | | | | | When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit e81deec535d11912b87954c81a1edd768c1386c9)
* LDAP: require attribute groupType for AD groupsLukas Slebodnik2014-01-291-1/+1
| | | | | | | | | Commit 8280c5213094 introduced filtering local groups for trusted/sub domains, but attribute groupType was not available with configuration id_provide ldap and ldap_schema ad. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: store group if subdomain cannot be found by sidLukas Slebodnik2014-01-291-4/+6
| | | | | | | | | Domain needn't contain sid if id_provider is ldap. With enabled id mapping, group couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Don't clobber original_member during enumerationJakub Hrozek2014-01-291-6/+11
|
* LDAP: Add enum request with custom connectionJakub Hrozek2014-01-292-125/+191
| | | | | | | | | This commit changes the enumerate-sdap-domain request to accept a connection context per object that can be enumerated. Internally in the request, an sdap_id_op is also created per enumerated object type. This change will allow i.e. users to be enumerated using GC connection, while keeping the LDAP connection for groups and services.
* LDAP: Pass a private context to enumeration ptask instead of hardcoded ↵Jakub Hrozek2014-01-293-23/+30
| | | | | | | | | | connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.
* LDAP: Don't abort request if no id mapping domain matchesJakub Hrozek2014-01-241-5/+39
| | | | | | | | | If an ID was requested from the back end, but no ID mapping domain matched, the request ended with a scary error message. It's better to treat the request as if no such ID was found in the domain Related: https://fedorahosted.org/sssd/ticket/2200
* sdap_idamp: Fall back to another method if sid is wrongLukas Slebodnik2014-01-221-2/+8
| | | | | | | | | | | sss_idmap_domain_has_algorithmic_mapping can return also IDMAP_SID_INVALID, but it does not mean that idmaping is unavailable. We should fall back to another method of detection (sss_idmap_domain_by_name_has_algorithmic_mapping) and do not return false immediately. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: update id mapping detection for ldap providerLukas Slebodnik2014-01-221-0/+5
| | | | | | | | For id_provider ldap, it is only necessary to enable option ldap_id_mapping. It is an regression introduced in the commit d3e1d88ce7de3216a862b Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Don't fail if subdomain cannot be found by sidLukas Slebodnik2014-01-221-4/+6
| | | | | | | | | Domain needn't contain sid if id_provider is ldap. With enabled id mapping, user couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Fix error checkJakub Hrozek2014-01-201-2/+2
| | | | https://fedorahosted.org/sssd/ticket/2199
* LDAP: Add a new error code for malformed access control filterJakub Hrozek2014-01-094-10/+16
| | | | | | | https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.
* responder: Set forest attribute in AD domainsPavel Reichl2014-01-091-1/+1
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2160
* LDAP: Fix typo and use the right attribute mapJakub Hrozek2014-01-081-1/+1
| | | | | | | | https://fedorahosted.org/sssd/ticket/2191 There was a copy-n-paste bug in the code that resulted in using a wrong attribute map. This could lead to the primary name not being selected correctly.
* AD: cross-domain membership fixSumit Bose2013-12-194-13/+257
| | | | | | | | | | | | | | | | | | | A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
* AD: filter domain local groups for trusted/sub domainsSumit Bose2013-12-194-64/+138
| | | | | | | | | | | | | | In Active Directory groups with a domain local scope should only be used inside of the specific domain. Since SSSD read the group memberships from LDAP server of the user's domain the domain local groups are included in the LDAP result. Those groups should be filtered out if the domain is a sub/trusted domain, i.e. is not the domain the client running SSSD is joined to. The groups will still be in the cache but marked as non-POSIX groups and no GID will be assigned. Fixes https://fedorahosted.org/sssd/ticket/2178
* Add new option ldap_group_typeSumit Bose2013-12-192-0/+4
|
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-191-5/+16
|
* ad: use tokengroups even when id mapping is disabledPavel Březina2013-12-183-26/+525
| | | | https://fedorahosted.org/sssd/ticket/1568
* ad: refactor tokengroups initgroupsPavel Březina2013-12-183-231/+357
| | | | | sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
* AD: use LDAP for group lookupsSumit Bose2013-12-131-0/+2
| | | | | | | | | | | | | | | | The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
* SSSD: Improved domain detectionPavel Reichl2013-11-291-11/+28
| | | | | | | A bit more elegant way of detection of what domain the group member belongs to Resolves: https://fedorahosted.org/sssd/ticket/2132
* LDAP: Initialize user count for AD matching ruleJakub Hrozek2013-11-281-1/+1
| | | | | | | https://fedorahosted.org/sssd/ticket/2157 If AD matching rule was selected, but the group was empty, the SSSD accessed random data. Initializing count to zero prevents that.
* LDAP: Search for original DN during auth if it's missingJakub Hrozek2013-11-201-16/+194
| | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2077 If during the LDAP authentication we find out that the originalDN to bind as is missing (because the ID module is not LDAP based), we can try to look up the user from LDAP without saving him just in order to receive the originalDN.
* LDAP: Split out a request to search for a user w/o savingJakub Hrozek2013-11-202-33/+147
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2077 Certain situations require that a user entry is downloaded for further inpection, but not saved to the sysdb right away. This patch splits the previously monolithic request into one that just downloads the data and one that uses the new one to download and save the user.
* LDAP: Prevent from using uninitialized sdap_optionsLukas Slebodnik2013-11-141-1/+1
| | | | | | | | ldap_get_options can fail in time of ldap back end initialisation and then sssd try to release uninitialised sdap_options. Resolves: https://fedorahosted.org/sssd/ticket/2147
* Initialize sid_str to NULL to avoid freeing random dataJakub Hrozek2013-11-081-1/+1
| | | | | If any function before failed, sss_idmap_free_sid() might have been called with random data.
* free idmapped SIDs correctlyPavel Březina2013-11-072-2/+4
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* LDAP: Check all search bases during nested group processingJakub Hrozek2013-10-301-13/+42
|
* nested groups: pick correct domain for cache lookupsPavel Březina2013-10-301-4/+12
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap_fill_memberships: pick correct domain for every memberPavel Březina2013-10-301-4/+19
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
* ghosts: pick correct domain for every memberPavel Březina2013-10-301-10/+15
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we store subdomain users with correct domain name. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap: add sdap_domain_get_by_dn()Pavel Březina2013-10-302-0/+28
| | | | | | | | This function will find sdap domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap: store base dn in sdap_domainPavel Březina2013-10-302-15/+22
| | | | | | | | | Groups may contain members from different domains. Remembering base dn in domain object gives us the ability to simply lookup correct domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
* free sid obtained from sss_idmap_unix_to_sid()Pavel Březina2013-10-301-0/+2
|
* LDAP: Return correct error codeLukas Slebodnik2013-10-301-1/+1
| | | | | | If talloc_array return NULL we should return right error code from function sdap_domain_subdom_add. It might happen that we could return either wrong error code or uninitialized variable ret.
* sdap_save_group: try to determine domain by SIDPavel Březina2013-10-291-7/+18
| | | | | | | | | | | | | GC contains objects from both parent domain and subdomain. Lets say we have group with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent group 5000' and this request goes through data provider, searching in parent domain first. Even though this group does not belong to this domain it is found and stored as ad.pb group. With this patch we look at group's SID and put it into correct domain.
* sdap_save_user: try to determine domain by SIDPavel Březina2013-10-291-22/+32
| | | | | | | | | | | | | GC contains objects from both parent domain and subdomain. Lets say we have user with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent passwd 5000' and this request goes through data provider, searching in parent domain first. Even though this user does not belong to this domain it is found and stored as ad.pb user. With this patch we look at user's SID and put it into correct domain.
* dp: convert cleanup task to be_ptaskPavel Březina2013-10-254-73/+64
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* AD: Use the ad_access_filter if it's setJakub Hrozek2013-10-253-17/+29
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.
* LDAP: Parse FQDN into name/domain for subdomain usersJakub Hrozek2013-10-251-1/+11
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 When a subdomain user logs in, the username the account request receives is a FQDN. This hackish patch parses the FQDN and only uses the name to search the LDAP.
* LDAP: Amend sdap_access_check to allow any connectionJakub Hrozek2013-10-253-23/+30
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* LDAP: Delete entry by SID if not foundJakub Hrozek2013-10-251-3/+19
| | | | | In case the entry was deleted from the server, the search didn't notice and kept returning the cached data.
* AD: fall back to LDAP if GC is not available.Lukas Slebodnik2013-10-252-4/+13
| | | | | | | | | | | | AD provider went offline if the Global Catalog could not be connected although there was also the LDAP port available. With this patch, AD provider will fall back to the LDAP port before going offline. New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx If this flag is enabled function be_mark_offline will not be called. Resolves: https://fedorahosted.org/sssd/ticket/2104
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argumentSumit Bose2013-10-257-1/+22
| | | | | | | | | | | | | When libss_idmap was only used to algorithmically map a SID to a POSIX ID a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if not specific information about the domain was found. The lead to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* sdap_get_generic_ext_send: check if we a re still connectedSumit Bose2013-10-221-0/+7
| | | | | | | | | | | | | | At the beginning of a LDAP request we check if we are connecte and have a valid sdap handle. But for some requests more than one LDAP operation, typically a search, is needed. Due to the asynchronous handling of LDAP request it might be possible that a second request might detect a server error and close the connection while the first request just finished one LDAP search and wants to start a new LDAP search. This patch tries to make sure that there is a valid sdap handle before sending a LDAP search to the server. Fixes https://fedorahosted.org/sssd/ticket/2126
* Add unconditional online callbacksSumit Bose2013-10-221-0/+1
| | | | | | | | | Currently online callbacks are only executed if the backend was offline before. This patch add a new class of callback which are always called if the backend gets a request to go online. They can be used e.g. to reset timeouts until a more sophisticated method (OpenLMI, sssctl) is available.
* sdap_idmap: properly handle ranges for external mappingsSumit Bose2013-10-171-24/+44
| | | | | | | | | | | Currently we relied on the fact that external ID mapping is used as default fallback in case of an error and did not properly add subdomains with external ID mapping to the idmap library. If debugging is enabled this leads to irritating debug messages for every user or group lookup. With this patch this subdomains are added to the idmap library. Fixes https://fedorahosted.org/sssd/ticket/2105
generated by cgit (git 2.34.1) at 2024-05-18 16:28:42 +0000