| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We defined macro _XOPEN_SOURCE before time.h, because we need function strptime
The problem is with undef after including header time.h
The macro _XOPEN_SOURCE can be defined on some platforms
and undef can cause problems.
We detect all necessary feature macros in configure script
using AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE.
It is better to include header file config.h
instead of defining macro _XOPEN_SOURCE
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
As the connection code is async-driven, the LDAP handle might be
invalidated before SSSD attempts to use it. Similar to commit
5fe6ca5e339fd345119752e996c14edf8db57660, this patch adds a NULL check
for the LDAP handle and aborts the request instead of crashing.
Resolves:
https://fedorahosted.org/sssd/ticket/2305
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
The sdap_copy_opts function copied all the arguments except for the
sentinel.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2239
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
debug_prg_name is used in debug_fn and it was allocated under
talloc context "kr". The variable "kr" was removed before the last debug
messages in function main. It is very little change that it will be overridden.
It is possible to see this issue with exported environment variable
TALLOC_FREE_FILL=255
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If LDAP entries have more then one attribute "automountKey"
automount map will be skipped and error message will be printed to log files
and sssd_be will crash.
DEBUG(SSSDBG_MINOR_FAILURE, "Malformed entry, skipping\n");
The output array with automount maps will contain uninitialized pointers
because array was terminated after the expected count of entries and not
after the last successfully retrieved entry
Resolves:
https://fedorahosted.org/sssd/ticket/2288
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
sss_parse_name now supports NULL as output parameters so existing calls passing
arguments which were never read were substituted by NULL.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init
If you enable enumeration and use different providers for id and sudo(autofs)
then another periodic task will be scheduled.
This can cause weird behaviour (e.g. missing members of group)
Perodic tasks will be started only by id_provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2153
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Memory context memctx was unused in functions _ad_servers_init
sdap_ad_tokengroups_update_members
|
|
|
|
|
|
|
|
|
| |
Commit 8280c5213094 introduced filtering local groups for trusted/sub domains,
but attribute groupType was not available with configuration id_provide ldap
and ldap_schema ad.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
|
| |
Domain needn't contain sid if id_provider is ldap.
With enabled id mapping, group couldn't be stored, because domain
couldn't be found by sid.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
| |
|
|
|
|
|
|
|
|
|
| |
This commit changes the enumerate-sdap-domain request to accept a
connection context per object that can be enumerated. Internally in the
request, an sdap_id_op is also created per enumerated object type.
This change will allow i.e. users to be enumerated using GC connection,
while keeping the LDAP connection for groups and services.
|
|
|
|
|
|
|
|
|
|
| |
connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration.
|
|
|
|
|
|
|
|
|
| |
If an ID was requested from the back end, but no ID mapping domain
matched, the request ended with a scary error message. It's better to
treat the request as if no such ID was found in the domain
Related:
https://fedorahosted.org/sssd/ticket/2200
|
|
|
|
|
|
|
|
|
|
|
| |
sss_idmap_domain_has_algorithmic_mapping can return also
IDMAP_SID_INVALID, but it does not mean that idmaping is
unavailable. We should fall back to another method of detection
(sss_idmap_domain_by_name_has_algorithmic_mapping)
and do not return false immediately.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
| |
For id_provider ldap, it is only necessary to enable option ldap_id_mapping.
It is an regression introduced in the commit d3e1d88ce7de3216a862b
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
|
|
|
|
|
| |
Domain needn't contain sid if id_provider is ldap.
With enabled id mapping, user couldn't be stored, because domain
couldn't be found by sid.
Resolves:
https://fedorahosted.org/sssd/ticket/2172
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2199
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2164
The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2160
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2191
There was a copy-n-paste bug in the code that resulted in using a wrong
attribute map. This could lead to the primary name not being selected
correctly.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tires to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD read the group memberships
from LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1568
|
|
|
|
|
| |
sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The group memberships cannot be reliable retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domains than the GC belongs to.
As a result the requests which tries to resolve group-memberships of a
AD user have to go to a LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
|
| |
|
|
|
|
|
| |
If there are multiple members in the sdom list, always the search base
of the first entry were used.
|
|
|
|
|
|
|
| |
A bit more elegant way of detection of what domain the group member belongs to
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
| |
|
| |
|
| |
|
| |
|
| |
|