| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't pass zone directive to nsupdate for the first pass. The
information about zone should be generated by nsupdate which has
auto-detection logic for zone value. The previous version code sometime
worked but it broke when client domain was not the same as FreeIPA
domain.
Log without patch applied:
[ipa_dyndns_update_send] (0x0400): Performing update
[ipa_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
[ipa_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]: Input/output error
Log after patch applied:
[ipa_dyndns_update_send] (0x0400): Performing update
[ipa_dyndns_nsupdate_done] (0x0040): DNS update finished
Resolves:
https://fedorahosted.org/sssd/ticket/2540
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In a recent change set_initgroups_expire_attribute() was added to
groups_by_user_done() to make sure that the initgroups timeout is only
added to the user object until all groups added to the cache.
This change (and the original code in groups_by_user_done() as well)
didn't took sub-domain users into account where the name in sysdb might
different form the original request and the domain is not the configured
domain. This patch tries to ensure that the right name and domain are
used.
https://fedorahosted.org/sssd/ticket/2663
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==18139== Conditional jump or move depends on uninitialised value(s)
==18139== at 0x14400F1B: generic_ext_search_handler.isra.3 (sdap_async.c:1626)
==18139== by 0x879D7E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==18139== by 0x87A20CD: epoll_event_loop_once (tevent_epoll.c:907)
==18139== by 0x87A07D6: std_event_loop_once (tevent_standard.c:114)
==18139== by 0x879CFBC: _tevent_loop_once (tevent.c:530)
==18139== by 0x879D15A: tevent_common_loop_wait (tevent.c:634)
==18139== by 0x87A0776: std_event_loop_wait (tevent_standard.c:140)
==18139== by 0x5293862: server_loop (server.c:668)
==18139== by 0x10EA41: main (data_provider_be.c:2909
Related tickets:
https://fedorahosted.org/sssd/ticket/2645
https://fedorahosted.org/sssd/ticket/2662
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking the enum request in the underlying LDAP provider to skip it
might be too late as the richer IPA or AD providers depend on having a
useful result when the sdap request finishes.
Move the enumeration check earlier instead and allow directly in the IPA
or AD handler.
Related:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
When tokenGroups are enabled, we save groups using their SID as the RDN
attribute during initgroups() and later, if the groups is requested and saved
again with the full name, remove the original and save the new group entry.
Saving the new group entry would break if ignore_group_members is also
set, because the new group entry would lack the "member" attribute, so the
member/memberof links between the new group and the user entry wouldn't
be established again.
This patch changes the initgroups processing so that the full group
object is fetched when initgroups is enabled but together with
ignore_group_members. This solution imposes some performance impact,
because instead of one search for tokenGroups we also need to resolve the
groups. The more systematic solution would be to get rid of removing the
group entry as described in https://fedorahosted.org/sssd/ticket/2656
To reproduce the bug, set: ignore_group_members = True with a
backend that uses:
id_provider = ad
Then run:
$ id aduser@ad_domain.com
$ id aduser@ad_domain.com
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
For GPOs assigned to a site, it's possible that their definition
actually exists in another domain. To retrieve this information,
we need to follow the referral and perform a base search on
another domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2645
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Some callers may be interested in the raw referral values returned from
a lookup. This patch allows interested consumers to get these referrals
back and process them if they wish. It does not implement a generic
automatic following of referrals.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initgrups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.
Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of epmty cache and parallel initgroups request in responders
there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
not cached. Therefore sometime responder could return zero supplementary
groups.
This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.
In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even thought there was a bug.
a) Time between two request was too small. User was not stored in cache
yet and 2nd request waited for response from DP.
b) Time between two request was big enough. All users groups were
successfully stored in cache and 2nd request returned correct results.
Resolves:
https://fedorahosted.org/sssd/ticket/2634
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The variable ret was not read when function sysdb_has_enumerated
returned ENOENT. Just boolean variable has_enumerated need to be changed.
This dead assignment caused warning from clang static analyser
Value stored to 'ret' is never read
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2627
The cleanup task was designed to keep the cache size within certain
limits. This is how it roughly works now:
- find users who have never logged in by default. If
account_cache_expiration is set, find users who loggged in later
than account_cache_expiration
- delete the matching set of users
- find groups that have no members
- delete the matching set of groups
So unless account_cache_expiration is set to something sensible, only empty
groups and expired users who never logged in are removed and that's quite
a corner case. The above effectivelly walks the whole database, especially
the groups step is quite slow with a huge database. The whole cleanup task
also runs in a single sysdb transaction, which means all other transactions
are blocked while the cleanup task crunches the database.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sdap_nested_group_populate_users() has code to handle user name changes.
It updates the SYSDB_NAME attribute. This attribute is also used in the
RDN but changing the attribute in the object does not change the DN
hence the DN still contains the old name. Currently
sysdb_set_user_attr() was used to update the entry which creates the DN
based on the give name. This will fail if the name is changed for a
second time. Since the DN is already available in the search result it
is more reliable to use it directly with sysdb_set_entry_attr().
Related to https://fedorahosted.org/sssd/ticket/2591
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If subdomains are disabled "subdomain_provider = none"
then auto-discovery discovery of domain SID is disabled.
It is possible to configure options ldap_idmap_default_domain{,_sid}
and id mapping should work.
However value of option ldap_idmap_default_domain_sid was not assigned to
sss_domain_info for main domain. It was only used for initialisation of
sdap_idmap_ctx. As a result of this bug posix attributes were used in
ldap filter and id mapping worked just for users with posix attributes.
[be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
[be_req_set_domain] (0x0400):
Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
Could not parse domain SID from [(null)]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
Could not parse domain SID from [(null)]
[sdap_search_user_next_base] (0x0400):
Searching for users with base [DC=EXAMPLE,DC=TEST]
[sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with
[(&(sAMAccountName=hdpadmin)(objectclass=user)
(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
[DC=EXAMPLE,DC=TEST].
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users
Resolves:
https://fedorahosted.org/sssd/ticket/2635
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Function sdap_add_incomplete_groups stored domain local groups
from subdomain as POSIX group, which should not be done.
Resolves:
https://fedorahosted.org/sssd/ticket/2614
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Patch remove code duplication.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The gid o was added to sysdb attrs directly in sdap_save_group for 1st time
and for second time in the function sdap_store_group_with_gid,
which was called every time from function sdap_save_group
[sysdb_set_entry_attr] (0x0080): ldb_modify failed:
[Attribute or value exists](20)[attribute 'gidNumber': value #1
on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
[sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
[sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
[sysdb_store_group] (0x0400): Error: 17 (File exists)
[sdap_store_group_with_gid] (0x0040):
Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com
[sdap_save_group] (0x0080): Could not store group with GID: [File exists]
[sdap_save_group] (0x0080):
Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists]
[sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case SSSD is set with id_provider=proxy and auth_provider=ldap, the
LDAP provider is not used to retrieve the user info with the
higher-level calls, but the lower-level connection establishment is used
instead. In this case, we need to make sure to mark the connection as
explicitly connected to be notified about results of looking up the DN.
Resolves:
https://fedorahosted.org/sssd/ticket/2620
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If for some reason ptask fails (e.g. timeout), req is talloc freed
but because subreq is attached to ectx which is permanent it is
finished anyway. Then a crash occures when we are trying to access
callback data.
The same happens in sdap_dom_enum_ex_send.
Resolves:
https://fedorahosted.org/sssd/ticket/2611
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Refactor nds_check_expired() to use utility function sss_utc_to_time_t().
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Refactor check_pwexpire_kerberos() to use utility function
sss_utc_to_time_t().
Modify test to handle new error code ERR_TIMESPEC_NOT_SUPPORTED
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
| |
Also fix debug message.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During initgroups requests we try to avoid to resolve the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup return the complete list of memberships for
a user hence it is not necessary lookup the other group member and
un-roll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.
This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created a incomplete groups. As a result a request to lookup this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.
https://fedorahosted.org/sssd/ticket/2601
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
In ldap_child_get_tgt_sync() variable 'ret' got overriden in done
section without ever before being read.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2346
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2346
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
This is a preparation to support other object types without
introducing duplicated code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
be_req was used only as a talloc context for subreq. This memory context
was replace by state of the parent request which is more suitable for
tevent coding style.
This change will allow us to use this function in be_refresh where
none be_req is available.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
It would be better to return explicit error code, although access is
still denied and error message printed.
Relates:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
ccname_file_dummy is used in the done-block which is called before
ccname_file_dummy is set to a value. This patch initializes
ccname_file_dummy to NULL.
Related to https://fedorahosted.org/sssd/ticket/2592
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2592
If there is an error after ccname_file_dummy is created but before it is
renamed then the file isn't removed. This can cause a lot of files to be
created and take up inodes in a filesystem.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Move part of pwexpire policy code to a separate function.
Relates to:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|