summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap
Commit message (Collapse)AuthorAgeFilesLines
* Validate keytab at startupJakub Hrozek2010-08-032-48/+19
| | | | | | | | In addition to validating the keytab everytime a TGT is requested, we also validate the keytab on back end startup to give early warning that the keytab is not usable. Fixes: #556
* Fix getting default realm in the ldap childJakub Hrozek2010-08-031-1/+10
|
* Log TLS errors to syslogStephen Gallagher2010-07-092-1/+23
| | | | | Also adds support for detecting LDAPS errors by adding a check for SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext()
* Add syslog messages for LDAP GSSAPI bindStephen Gallagher2010-07-091-2/+58
| | | | | We will now emit a level 0 debug message on keytab errors, and also write to the syslog (LOG_DAEMON)
* Eliminate delayed sdap_handle destruction after fail-over retry.eindenbom2010-07-091-9/+6
|
* Remove remainder of now unused global LDAP connection handle.eindenbom2010-07-094-188/+1
|
* Use new LDAP connection framework in IPA dynamic DNS forwarder.eindenbom2010-07-092-7/+4
|
* Use new LDAP connection framework in LDAP access backend.eindenbom2010-07-091-59/+73
|
* Use new LDAP connection framework for LDAP user and group enumeration.eindenbom2010-07-091-236/+131
|
* Use new LDAP connection framework to get user account groups from LDAP.eindenbom2010-07-091-108/+67
|
* Use new LDAP connection framework to get group account info from LDAP.eindenbom2010-07-092-37/+66
|
* Use new LDAP connection framework to get user account info from LDAP.eindenbom2010-07-092-38/+91
|
* Add an interface to try next fail-over server after connection to the active ↵eindenbom2010-07-091-0/+3
| | | | server was unexpectedly dropped.
* LDAP connection usage tracking, sharing and failover retry framework.eindenbom2010-07-096-0/+869
|
* GSSAPI ticket expiry time is returned from ldap_child and stored in ↵eindenbom2010-07-096-17/+64
| | | | sdap_handle for future reference.
* Add dns_discovery_domain optionJakub Hrozek2010-06-301-1/+0
| | | | | | | | | | | | The service discovery used to use the SSSD domain name to perform DNS queries. This is not an optimal solution, for example from the point of view of authconfig. This patch introduces a new option "dns_discovery_domain" that allows to set the domain part of a DNS SRV query. If this option is not set, the default behavior is to use the domain part of the machine's hostname. Fixes: #479
* Make RootDSE optionalStephen Gallagher2010-06-282-3/+17
| | | | | | | | | | | In violation of the standard, some LDAP servers control access to the RootDSE, thus preventing us from being able to read it before performing a bind. This patch will allow us to continue on if the RootDSE was inaccessible. All of the places that we use the return value of the RootDSE after this are already checked for NULL and use sane defaults if the RootDSE is unavailable
* Add explicit requests for several operational attrsAlexander Gordeev2010-06-281-1/+12
| | | | | | | | | | | | | | | | Operational attributes are not returned in searched requests unless explicitly requested according to RFC 4512 section 5.1. Therefore to get several standard attributes of root DSE we have to request for them. The requested attrs are: - altServer - namingContexts - supportedControl - supportedExtension - supportedFeatures - supportedLDAPVersion - supportedSASLMechanisms Signed-off-by: Alexander Gordeev <lasaine@lvk.cs.msu.su>
* Fix SASL authenticationSumit Bose2010-06-281-2/+2
|
* Protect against segfault in remove_ldap_connection_callbacksStephen Gallagher2010-06-181-1/+6
| | | | | | | | | If sdap_mark_offline() is called before a live connection is established, sdap_fd_events could be NULL, causing a segfault when remove_ldap_connection_callbacks() attempts to free the sdap_fd_events->conncb https://fedorahosted.org/sssd/ticket/545
* Fix return value from remove_connection_callback() destructorStephen Gallagher2010-06-181-9/+2
| | | | | ldap_get_option() can only fail if the option we're removing has already been removed. It is sufficient to log this and continue.
* Standardize on correct spelling of "principal" for krb5Stephen Gallagher2010-06-161-2/+2
| | | | https://fedorahosted.org/sssd/ticket/542
* Don't segfault if ldap_access_filter is unspecifiedStephen Gallagher2010-06-141-12/+13
| | | | https://fedorahosted.org/sssd/ticket/539
* Properly check that the timeout event was created for cleanup/enumStephen Gallagher2010-06-102-2/+46
| | | | | | | | | We need to make sure that if we didn't create the timeout, that we cancel the request so there's no chance of ending up with two enumerations/cleanups running simultaneously. We'll attempt to reschedule later, if possible. https://fedorahosted.org/sssd/ticket/524
* Properly handle missing originalMemberOf entry in initgroupsStephen Gallagher2010-06-101-0/+1
| | | | | | | Failing to return after the tevent_req_post() here can result in a null-pointer dereference (along with other hard-to-track bugs) https://fedorahosted.org/sssd/ticket/507
* Allow ldap_access_filter values wrapped in parenthesesStephen Gallagher2010-06-092-3/+21
|
* Disable connection callbacks when going onlineStephen Gallagher2010-06-093-0/+27
| | | | | | | | Under certain circumstances, the openldap libraries will continue internally trying to reconnect to a connection lost (as during a cable-pull test). We need to drop the reconnection callbacks when marking the backend offline in order to guarantee that they are not called with an invalid sdap_handle.
* Fix realm_str dereferenceJakub Hrozek2010-06-091-1/+1
| | | | Fixes: #508
* Fix broken build against older versions of OpenLDAPStephen Gallagher2010-06-062-2/+12
| | | | | | OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS error messages to be displayed on either version.
* Fix check if LDAP id provider is already initializedSumit Bose2010-05-271-1/+1
|
* Add ldap_access_filter optionStephen Gallagher2010-05-276-1/+558
| | | | | | | | | | This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
* Add offline callback to disconnect global SDAP handleSumit Bose2010-05-273-1/+17
|
* Add a better error message for TLS failuresStephen Gallagher2010-05-201-3/+32
|
* Add ldap_krb5_ticket_lifetime optionSumit Bose2010-05-167-11/+35
|
* Add dynamic DNS updates to FreeIPAStephen Gallagher2010-05-162-14/+16
| | | | | | | | | | | | | | | | | | This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
* Properly set up SIGCHLD handlersStephen Gallagher2010-05-161-10/+8
| | | | | | Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
* Revert "Add dynamic DNS updates to FreeIPA"Stephen Gallagher2010-05-072-16/+14
| | | | | | | This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7. While this patch applied cleanly, it was uncompilable. Reverting until it can be properly merged.
* Add dynamic DNS updates to FreeIPAStephen Gallagher2010-05-072-14/+16
| | | | | | | | | | | | | | | | | | This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
* Use service discovery in backendsJakub Hrozek2010-05-074-19/+71
| | | | | | | | | Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
* Add callback when the ID provider switches from offline to onlineStephen Gallagher2010-05-071-0/+9
| | | | | | | | Allow backends to set a callback in the be_ctx that should be invoked when the ID provider goes online. This can be used to perform regular maintenance tasks that are valid only when going online.
* Add more warnings about nearly expired passwordsSumit Bose2010-05-071-5/+66
| | | | | For the shadow and mit_kerberos password policy warnings are sent to the client if the password is about to expire.
* Use all available servers in LDAP providerJakub Hrozek2010-05-073-14/+91
|
* Fix segfault in GSSAPI reconnect codeStephen Gallagher2010-05-072-57/+41
| | | | | Also clean up some duplicated code into a single common routine sdap_account_info_common_done()
* Avoid freeing sdap_handle too earlySimo Sorce2010-05-032-18/+46
| | | | | Prevent freeing the sdap_handle by failing in the destructor if we are trying to recurse.
* Better handle sdap_handle memory from callers.Simo Sorce2010-05-034-33/+139
| | | | | | | | | | | | | Always just mark the sdap_handle as not connected and let later _send() functions to take care of freeing the handle before reconnecting. Introduce restart functions to avoid calling _send() functions in _done() functions error paths as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release() By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.
* Silence warnings with -O2Jakub Hrozek2010-04-301-2/+4
|
* Display a message if a password reset by root failsSumit Bose2010-04-261-0/+8
|
* Make the handling of fd events opaqueSumit Bose2010-04-265-184/+278
| | | | | | | Depending on the version of the OpenLDAP libraries we use two different schemes to find the file descriptor of the connection to the LDAP server. This patch removes the related ifdefs from the main code and introduces helper functions which can handle the specific cases.
* Set LDAP_OPT_RESTART for all LDAP connectionsSumit Bose2010-04-261-7/+7
|
* Make ID provider init functions clearerStephen Gallagher2010-04-161-3/+3
| | | | | | | | | | | Using sssm_*_init() as the name of the initialization function for identity providers was a holdover from earlier development when we thought we would only have a single "provider" entry in the config file. As we have now separated out the initialization functions for auth, chpass and access, we should rename sssm_*_init() to sssm_*_id_init() for a cleaner interface.
generated by cgit (git 2.34.1) at 2024-05-09 07:32:40 +0000