summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap
Commit message (Collapse)AuthorAgeFilesLines
* sdap_get_generic_ext_send: check if we a re still connectedSumit Bose2013-10-221-0/+7
| | | | | | | | | | | | | | At the beginning of a LDAP request we check if we are connecte and have a valid sdap handle. But for some requests more than one LDAP operation, typically a search, is needed. Due to the asynchronous handling of LDAP request it might be possible that a second request might detect a server error and close the connection while the first request just finished one LDAP search and wants to start a new LDAP search. This patch tries to make sure that there is a valid sdap handle before sending a LDAP search to the server. Fixes https://fedorahosted.org/sssd/ticket/2126
* is_dn(): free dnPavel Březina2013-09-101-0/+2
|
* SIGCHLD handler: do not call callback when pvt data was freedPavel Březina2013-08-301-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1992
* print hint about password complexity when new password is rejectedPavel Březina2013-08-111-1/+15
| | | | https://fedorahosted.org/sssd/ticket/1827
* ldap, krb5: More descriptive msg on chpass failure.Michal Zidek2013-08-111-0/+15
| | | | | | | | Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029
* providers: refresh expired netgroupsPavel Březina2013-08-113-0/+179
| | | | https://fedorahosted.org/sssd/ticket/1713
* LDAP: Fix crash when processing nested groupsJakub Hrozek2013-08-081-4/+16
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1932 There is a rather strange workaround in the nested groups processing code that calls tevent_req_post outside _send(). However, it broke in certain situations where the tevent_req_call resulted in req being freed, which freed state by extension and then the subsequent _post call was a use-after-free. This patch saves the two variables used outside state so that it's safe to use them even after the callback.
* sudo: print better debug message when a rule has multiple cn valuesPavel Březina2013-08-061-1/+5
|
* sudo: skip rule on error instead of failing completelyPavel Březina2013-08-061-1/+3
| | | | https://fedorahosted.org/sssd/ticket/2031
* Add ignore_group_members option.Paul B. Henson2013-05-312-2/+13
| | | | https://fedorahosted.org/sssd/ticket/1376
* Adding option to disable retrieving large AD groups.Lukas Slebodnik2013-05-236-13/+49
| | | | | | | | | This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups(>1500) will not be retrieved and behaviour will be similar like was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823
* Removing unused functions.Lukas Slebodnik2013-05-232-36/+0
| | | | This patch remove unused functions sdap_parse_user and sdap_parse_group
* Display the last grace warning, tooJakub Hrozek2013-05-022-3/+3
| | | | | | | Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890
* LDAP: do not invalidate pointer with realloc while processing ghost usersJakub Hrozek2013-04-191-3/+13
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1799 One peculiarity of the sysdb_attrs_get_el interface is that if the attribute does not exist, then the attrs array is reallocated and the element is created. But in case other pointers are already pointing into the array, the realloc might invalidate them. Such case was in the sdap_process_ghost_members function where if the group had no members, the "gh" pointer requested earlier might have been invalidated by the realloc in order to create the member element.
* ldap: Fallback option for rfc2307 schemaSimo Sorce2013-03-217-11/+191
| | | | | | | | | | | Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
* sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina2013-02-271-3/+7
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
* sysdb: try dealing with binary-content attributesJan Engelhardt2013-02-262-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
* nested groups: fix group lookup hangs if member dn is incorrectPavel Březina2013-01-281-0/+24
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* LDAP: Compare lists of DNs when saving autofs entriesJakub Hrozek2013-01-211-130/+144
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
* LDAP: avoid complex realloc logic in save_rfc2307bis_group_membershipsJakub Hrozek2013-01-151-12/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
* let ldap_backup_chpass_uri workPavel Březina2013-01-141-2/+4
| | | | https://fedorahosted.org/sssd/ticket/1760
* AD: Add user as a direct member of his primary groupJakub Hrozek2013-01-091-8/+109
| | | | | | | | | | | | In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. The downside of this approach is that the user is returned as a group member during getgrgid call as well.
* AD: replace GID/UID, do not add another oneJakub Hrozek2013-01-094-7/+41
| | | | | | | The code would call sysdb_attrs_add_uint32 which added another UID or GID to the ID=0 we already downloaded from LDAP (0 is the default value) when ID-mapping an entry. This led to funky behaviour later on when we wanted to process the ID.
* sudo smart refresh: fix debug messagePavel Březina2013-01-071-1/+1
|
* sudo smart refresh: do not include usn in filter if no valid usn is knownPavel Březina2013-01-071-5/+12
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1736 When there are no rules during first refresh, we don't have valid USN value. We use 0 in this case, but it turned out that OpenLDAP takes it as invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include USN/modifyTimestamp attribute in the filter if such situasion occurs.
* LDAP: initialize refresh function handlerOndrej Kos2013-01-041-1/+1
|
* Add default section to switch statementSumit Bose2012-12-191-0/+3
| | | | | | switch statements should always have a default section. In this particular case gcc gave a "'send_fn' may be used uninitialized in this function" warning.
* DP: invalidate all cached maps if a request for auto.master comes inJakub Hrozek2012-12-181-0/+8
| | | | | | If the Data Provider receives a request for the auto.master map, it passes on a flag to let the actual provider let know he should invalidate the existing maps
* sudo: do full refresh when data provider is back onlinePavel Březina2012-12-182-7/+75
| | | | | | | | https://fedorahosted.org/sssd/ticket/1689 Add a online callback if the first full refresh fails due to the provider beeing offline so we can perform the refresh as soon as possible.
* sudo: schedule another full refresh in short interval if the first failsPavel Březina2012-12-182-0/+28
| | | | | | | https://fedorahosted.org/sssd/ticket/1689 If the first full refresh of sudo rules fails because the data provider is offline, we will schedule another one in 2, 4, ... minutes.
* check dp error in sdap_sudo_full_refresh_done()Pavel Březina2012-12-181-3/+8
| | | | https://fedorahosted.org/sssd/ticket/1689
* add sdap_sudo_schedule_refresh()Pavel Březina2012-12-182-43/+77
| | | | Reduces amount of code duplication.
* let ldap_chpass_uri failover work when using same hostnamePavel Březina2012-12-151-11/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1699 We want to continue with the next server on all errors, not only on ETIMEDOUT. This particullar ticket was dealing with ECONNREFUSED.
* sudo: don't get stuck in rules and smart refresh when offlinePavel Březina2012-12-111-4/+14
| | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1682 The problem was in following code: if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) { tevent_req_error(req, ret); return; } In situation when data provider error occurs (e.g. when offline), ret == EOK but dp_error != DP_ERR_OK and we take the true branch. This results in calling tevent_req_error(req, EOK). Unfortunately, with EOK tevent_req_error only returns false, but does not trigger callback and this tevent request hangs forever, because no tevent_req_done(req) is called.
* LDAP: remove dead assignmentJakub Hrozek2012-12-101-1/+0
|
* SUDO: strdup the input variableJakub Hrozek2012-12-071-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1701
* LDAP: Continue adjusting group membership even if there is nothing to addJakub Hrozek2012-12-051-2/+1
| | | | https://fedorahosted.org/sssd/ticket/1695
* warn user if password is about to expirePavel Březina2012-12-021-3/+4
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
* idmap: Silence DEBUG messages when dealing with built-in SIDs.Michal Zidek2012-11-284-79/+108
| | | | | | | | When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
* LDAP: fix uninitialized variableOndrej Kos2012-11-231-1/+1
| | | | initialized variable, was causing build warning
* LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek2012-11-202-8/+38
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
* LDAP: Make it possible to use full principal in ldap_sasl_authid againJakub Hrozek2012-11-191-4/+16
|
* LDAP: Checking the principal should not be considered fatalJakub Hrozek2012-11-191-6/+10
| | | | | | | | | | | | | | The check is too restrictive as the select_principal_from_keytab can return something else than user requested right now. Consider that user query for host/myserver@EXAMPLE.COM, then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
* LDAP: Provide a common sdap_set_sasl_options init functionJakub Hrozek2012-11-192-0/+79
| | | | | The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
* Do not save HBAC rules in subdomain subtreeSumit Bose2012-11-191-3/+16
| | | | | | | | | | | | | | Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
* LDAP: Refactor saving ghost usersJakub Hrozek2012-11-191-88/+99
|
* LDAP: use the correct memory contextJakub Hrozek2012-11-191-1/+1
| | | | | The element being reallocated is part of the "group_attrs" array, not attrs.
* LDAP: Fix saving empty groupsJakub Hrozek2012-11-191-2/+4
| | | | | | | | https://fedorahosted.org/sssd/ticket/1647 A logic bug in the LDAP provider causes an attempt to allocate a zero-length array for group members while processing an empty group. The allocation would return NULL and saving the empty group would fail.
* LDAP: Allocate the temporary context on NULL, not memctxJakub Hrozek2012-11-191-1/+1
| | | | | | Allocating temporary context on NULL helps vind memory leaks with valgrind and avoid growing memory over time by allocating on a long-lived context.
* LDAP: Expire even non authenticated connectionsJakub Hrozek2012-11-181-8/+11
| | | | | | | The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649