sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	LDAP: Don't fail if subdomain cannot be found by sid	Lukas Slebodnik	2014-01-22	1	-4/+6
\| \| \| \| \| \| \| \| \|	Domain needn't contain sid if id_provider is ldap. With enabled id mapping, user couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
*	LDAP: Fix error check	Jakub Hrozek	2014-01-20	1	-2/+2
\| \| \| \|	https://fedorahosted.org/sssd/ticket/2199
*	LDAP: Add a new error code for malformed access control filter	Jakub Hrozek	2014-01-09	4	-10/+16
\| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.
*	responder: Set forest attribute in AD domains	Pavel Reichl	2014-01-09	1	-1/+1
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/2160
*	LDAP: Fix typo and use the right attribute map	Jakub Hrozek	2014-01-08	1	-1/+1
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2191 There was a copy-n-paste bug in the code that resulted in using a wrong attribute map. This could lead to the primary name not being selected correctly.
*	AD: cross-domain membership fix	Sumit Bose	2013-12-19	4	-13/+257
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
*	AD: filter domain local groups for trusted/sub domains	Sumit Bose	2013-12-19	4	-64/+138
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	In Active Directory groups with a domain local scope should only be used inside of the specific domain. Since SSSD read the group memberships from LDAP server of the user's domain the domain local groups are included in the LDAP result. Those groups should be filtered out if the domain is a sub/trusted domain, i.e. is not the domain the client running SSSD is joined to. The groups will still be in the cache but marked as non-POSIX groups and no GID will be assigned. Fixes https://fedorahosted.org/sssd/ticket/2178
*	Add new option ldap_group_type	Sumit Bose	2013-12-19	2	-0/+4
\|
*	Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias	Sumit Bose	2013-12-19	1	-5/+16
\|
*	ad: use tokengroups even when id mapping is disabled	Pavel Březina	2013-12-18	3	-26/+524
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1568
*	ad: refactor tokengroups initgroups	Pavel Březina	2013-12-18	3	-229/+355
\| \| \| \| \|	sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
*	AD: use LDAP for group lookups	Sumit Bose	2013-12-13	1	-0/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
*	LDAP: Fix a debug message	Jakub Hrozek	2013-12-09	1	-2/+1
\|
*	rfc2307bis_nested_groups_send: reuse search base	Sumit Bose	2013-12-09	1	-2/+7
\| \| \| \| \|	If there are multiple members in the sdom list, always the search base of the first entry were used.
*	SSSD: Improved domain detection	Pavel Reichl	2013-11-29	1	-11/+28
\| \| \| \| \| \| \|	A bit more elegant way of detection of what domain the group member belongs to Resolves: https://fedorahosted.org/sssd/ticket/2132
*	Remove unused parameter from sdap_save_netgroup	Lukas Slebodnik	2013-11-27	1	-4/+1
\|
*	Remove unused parameter from sdap_process_missing_member_2307	Lukas Slebodnik	2013-11-27	1	-4/+2
\|
*	Remove unused parameter from sdap_add_group_member_2307	Lukas Slebodnik	2013-11-27	1	-4/+3
\|
*	Remove unused parameter from sdap_store_group_with_gid	Lukas Slebodnik	2013-11-27	1	-7/+3
\|
*	Remove unused parameter from sdap_get_members_with_primary_gid	Lukas Slebodnik	2013-11-27	1	-4/+4
\|
*	Remove unused parameter from sdap_save_user	Lukas Slebodnik	2013-11-27	4	-9/+3
\|
*	Remove unused parameter from get_user_dn	Lukas Slebodnik	2013-11-27	1	-2/+1
\|
*	LDAP: Search for original DN during auth if it's missing	Jakub Hrozek	2013-11-20	1	-16/+194
\| \| \| \| \| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/2077 If during the LDAP authentication we find out that the originalDN to bind as is missing (because the ID module is not LDAP based), we can try to look up the user from LDAP without saving him just in order to receive the originalDN.
*	LDAP: Split out a request to search for a user w/o saving	Jakub Hrozek	2013-11-20	2	-33/+147
\| \| \| \| \| \| \| \| \| \|	Related: https://fedorahosted.org/sssd/ticket/2077 Certain situations require that a user entry is downloaded for further inpection, but not saved to the sysdb right away. This patch splits the previously monolithic request into one that just downloads the data and one that uses the new one to download and save the user.
*	LDAP: Initialize user count for AD matching rule	Jakub Hrozek	2013-11-18	1	-1/+1
\| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2157 If AD matching rule was selected, but the group was empty, the SSSD accessed random data. Initializing count to zero prevents that.
*	SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c	Michal Zidek	2013-11-15	7	-10/+7
\|
*	SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)	Michal Zidek	2013-11-15	11	-45/+34
\|
*	SYSDB: Drop the sysdb_ctx parameter from the sysdb_sudo.c module	Jakub Hrozek	2013-11-15	4	-25/+15
\|
*	SYSDB: Drop the sysdb_ctx parameter from the sysdb_idmap module	Jakub Hrozek	2013-11-15	1	-4/+2
\|
*	SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)	Michal Zidek	2013-11-15	4	-11/+10
\|
*	SYSDB: Drop the sysdb_ctx parameter from the sysdb_services module	Michal Zidek	2013-11-15	3	-12/+10
\|
*	SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module	Michal Zidek	2013-11-15	3	-11/+6
\|
*	SYSDB: Drop the sysdb_ctx parameter from the autofs API	Jakub Hrozek	2013-11-15	2	-29/+16
\|
*	LDAP: Prevent from using uninitialized sdap_options	Lukas Slebodnik	2013-11-14	1	-1/+1
\| \| \| \| \| \| \| \|	ldap_get_options can fail in time of ldap back end initialisation and then sssd try to release uninitialised sdap_options. Resolves: https://fedorahosted.org/sssd/ticket/2147
*	Remove unused variable	Jakub Hrozek	2013-11-12	1	-1/+0
\|
*	Signals: Refactor termination of processes	Simo Sorce	2013-11-12	1	-1/+1
\| \| \| \| \| \| \| \|	sig_term() was never used as a real signal handler, but only called by tevent signal handlers in the kerberos and ldap children. Also the same code was duplicated with separate local guard variables in other functions. Unify orderly termination handling, between all these functions.
*	Add ldap_autofs_map_master_name option	Cove Schneider	2013-11-12	4	-0/+15
\|
*	Initialize sid_str to NULL to avoid freeing random data	Jakub Hrozek	2013-11-08	1	-1/+1
\| \| \| \| \|	If any function before failed, sss_idmap_free_sid() might have been called with random data.
*	free idmapped SIDs correctly	Pavel Březina	2013-11-07	2	-2/+4
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/2133
*	LDAP: Check all search bases during nested group processing	Jakub Hrozek	2013-10-30	1	-13/+42
\|
*	nested groups: pick correct domain for cache lookups	Pavel Březina	2013-10-30	1	-4/+12
\| \| \| \| \| \| \| \| \|	Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
*	sdap_fill_memberships: pick correct domain for every member	Pavel Březina	2013-10-30	1	-4/+19
\| \| \| \| \| \| \| \| \|	Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
*	ghosts: pick correct domain for every member	Pavel Březina	2013-10-30	1	-10/+15
\| \| \| \| \| \| \| \| \|	Groups may contain members from different domains. We need to make sure that we store subdomain users with correct domain name. Resolves: https://fedorahosted.org/sssd/ticket/2064
*	sdap: add sdap_domain_get_by_dn()	Pavel Březina	2013-10-30	2	-0/+28
\| \| \| \| \| \| \| \|	This function will find sdap domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
*	sdap: store base dn in sdap_domain	Pavel Březina	2013-10-30	2	-15/+22
\| \| \| \| \| \| \| \| \|	Groups may contain members from different domains. Remembering base dn in domain object gives us the ability to simply lookup correct domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
*	free sid obtained from sss_idmap_unix_to_sid()	Pavel Březina	2013-10-30	1	-0/+2
\|
*	LDAP: Return correct error code	Lukas Slebodnik	2013-10-30	1	-1/+1
\| \| \| \| \| \|	If talloc_array return NULL we should return right error code from function sdap_domain_subdom_add. It might happen that we could return either wrong error code or uninitialized variable ret.
*	sdap_save_group: try to determine domain by SID	Pavel Březina	2013-10-29	1	-7/+18
\| \| \| \| \| \| \| \| \| \| \| \| \|	GC contains objects from both parent domain and subdomain. Lets say we have group with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent group 5000' and this request goes through data provider, searching in parent domain first. Even though this group does not belong to this domain it is found and stored as ad.pb group. With this patch we look at group's SID and put it into correct domain.
*	sdap_save_user: try to determine domain by SID	Pavel Březina	2013-10-29	1	-22/+32
\| \| \| \| \| \| \| \| \| \| \| \| \|	GC contains objects from both parent domain and subdomain. Lets say we have user with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent passwd 5000' and this request goes through data provider, searching in parent domain first. Even though this user does not belong to this domain it is found and stored as ad.pb user. With this patch we look at user's SID and put it into correct domain.
*	dp: convert cleanup task to be_ptask	Pavel Březina	2013-10-25	4	-73/+64
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/1968