path: root/src/providers/ldap
Commit message | Author | Age | Files | Lines
* LDAP: Mark globals in ldap_opts.h as extern | Pavel Březina | 2015-12-14 | 2 | -330/+388
  To avoid collisions when we want to work with them elsewhere in the code.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DEBUG: Add missing new lines | Lukas Slebodnik | 2015-12-14 | 2 | -3/+3
  Reviewed-by: Petr Cech <pcech@redhat.com>
* LDAP: check early for missing SID in mapping check | Sumit Bose | 2015-12-10 | 1 | -0/+6
  Resolves https://fedorahosted.org/sssd/ticket/2830
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* initgr: only search for primary group if it is not already cached | Sumit Bose | 2015-11-27 | 1 | -21/+36
  Related to https://fedorahosted.org/sssd/ticket/2868
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* ldap: skip sdap_save_grpmem() if ignore_group_members is set | Sumit Bose | 2015-11-27 | 1 | -0/+8
  Related to https://fedorahosted.org/sssd/ticket/2868
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sudo: remove unused param name in sdap_sudo_get_usn() | Pavel Reichl | 2015-11-02 | 1 | -2/+1
  Reviewed-by: Petr Cech <pcech@redhat.com>
* SDAP: Remove unused sdap_id_ctx from sdap_id_conn_cache_create | Lukas Slebodnik | 2015-11-02 | 3 | -3/+1
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* util: Update get_next_domain's interface | Michal Židek | 2015-10-23 | 1 | -2/+2
  Update get next domain to be able to include disabled domains and change the interface to accept flags instead of multiple booleans.
  Ticket: https://fedorahosted.org/sssd/ticket/2673
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* FO: Use refcount to keep track of servers returned to callers | Jakub Hrozek | 2015-10-23 | 2 | -3/+3
  Resolves: https://fedorahosted.org/sssd/ticket/2829
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: pass params in sdap_get_and_parse_generic_send | Pavel Reichl | 2015-10-22 | 1 | -2/+6
  Previously some arguments passed to sdap_get_and_parse_generic_send() were ignored. This patch fixes that and passes 'attronly', 'serverctrls' and 'clientctrls' to sdap_get_generic_ext_send().
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: change type of attrsonly in sdap_get_generic_ext_state | Pavel Reichl | 2015-10-22 | 1 | -9/+10
  'attrsonly' parameter is directly passed to ldap_search_ext() and is described as:
      The attrsonly parameter should be set to a non-zero value if only attribute descriptions are wanted. It should be set to zero (0) if both attributes descriptions and attribute values are wanted.
  Boolean type should be fine for the 'attrsonly' parameter especially since the actual parameter was already set to false in function calls.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: allow_paging in sdap_get_generic_ext_send() | Pavel Reichl | 2015-10-22 | 1 | -18/+25
  Make allow_paging parameter a part of the flag parameter in sdap_get_generic_ext_send().
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: optional warning - sizelimit exceeded in POSIX check | Pavel Reichl | 2015-10-22 | 1 | -9/+22
  Add new parameter 'flags' to sdap_get_generic_ext_send_ext() which can be set to suppress warning about 'sizelimit exceeded'.
  Resolves: https://fedorahosted.org/sssd/ticket/2804
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: remove unused param. in sdap_fallback_local_user | Pavel Reichl | 2015-10-12 | 4 | -8/+4
  Remove unused sdap_options parameter.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* autofs: remove unused params in del_autofs_entries | Pavel Reichl | 2015-10-12 | 1 | -4/+1
  Remove unused sdap_options and map parameters.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: remove unused param. in ldap_get_sudo_options | Pavel Reichl | 2015-10-12 | 3 | -5/+3
  Remove unused talloc memory context.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Inform about small range size | Stephen Gallagher | 2015-10-09 | 1 | -0/+7
  When a returned RID has a higher value than the ldap_idmap_range_size, it means that the administrator did not plan appropriately for the size of their network. We need to alert the admin at a severe notification level that their configuration will fail on entries with a high RID and point them at the explanation in the manual.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DYNDNS: use realm and server commands only as fallback | Pavel Reichl | 2015-10-05 | 2 | -19/+23
  Resolves: https://fedorahosted.org/sssd/ticket/2495
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: fix minor memory leak | Pavel Reichl | 2015-10-02 | 2 | -2/+3
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Relax POSIX check | Pavel Reichl | 2015-10-02 | 1 | -4/+6
  Relax the check on UID or GID just to check if at least one of them is present but do not require them to be positive numbers.
  Add requirement on objectclass attributes to be user or group to make check more reliable.
  Resolves: https://fedorahosted.org/sssd/ticket/2800
* DDNS: execute nsupdate for single update of PTR rec | Pavel Reichl | 2015-09-22 | 1 | -6/+115
  nsupdate fails definitely if any of update request fails when GSSAPI is used. As tmp solution nsupdate is executed for each update.
  Resolves: https://fedorahosted.org/sssd/ticket/2783
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Filter out multiple entries when searching overlapping domains | Jakub Hrozek | 2015-09-22 | 4 | -20/+116
  In case domains overlap, we might download multiple objects. To avoid saving them all, we attempt to filter out the objects from foreign domains.
  We can only do this optimization for non-wildcard lookups.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Move sdap_create_search_base from ldap to sdap code | Jakub Hrozek | 2015-09-22 | 4 | -70/+68
  The function shouldn't be placed in the LDAP tree, but in the SDAP tree to make it usable from tests without linking to libraries that are normally linked from LDAP provider (such as confdb).
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains | Jakub Hrozek | 2015-09-22 | 2 | -13/+0
  https://fedorahosted.org/sssd/ticket/2723
  In case there are overlapping sdap domains, a search for a single user might match and return multiple entries. For instance, with AD domains represented by search bases:
      DC=win,DC=trust,DC=test
      DC=child,DC=win,DC=trust,DC=test
  A search for user from win.trust.test would be based at:
      DC=win,DC=trust,DC=test
  but would match both search bases and return both users.
  Instead of performing complex filtering, just save both users. The responder would select the entry that matches the user's search.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SDAP: Do not set is_offline if ignore_mark_offline is set | Jakub Hrozek | 2015-09-21 | 1 | -1/+1
  Required for: https://fedorahosted.org/sssd/ticket/2637
  The caller of the sdap_id_op requests can set the ignore_mark_offline flag to avoid the sdap_id_op from marking the whole back end as offline.
  However, there was a small bug - the is_offline internal sdap_id_op flag was still being set. As a consequence, the error code from the connection was ignored and EAGAIN was always returned.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Sanitize group dn before using in filter | Lukas Slebodnik | 2015-09-18 | 1 | -2/+16
  Each string should be sanitized (rfc4515) before using ldbsearch. A group dn was not sanitized in the function cleanup_groups.
  Resolves: https://fedorahosted.org/sssd/ticket/2744
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Partially revert "LDAP: sanitize group name when used in filter" | Lukas Slebodnik | 2015-09-18 | 1 | -83/+5
  This reverts commit e2e334b2f51118cb14c7391c4e4e44ff247ef638.
  + temporary disable unit test
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Revert "LDAP: end on ENOMEM" | Lukas Slebodnik | 2015-09-18 | 1 | -1/+0
  This reverts commit f31a57321fc0a2390bb0d6030053c49787e5e587.
  It blocked reverting commit e2e334b2f51118cb14c7391c4e4e44ff247ef638.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Remove unused function | Jakub Hrozek | 2015-09-11 | 3 | -9/+2
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* cleanup task: Expire all memberof targets when removing user | Michal Židek | 2015-09-03 | 1 | -1/+52
  Ticket: https://fedorahosted.org/sssd/ticket/2676
  When user is removed from cache during cleanup task, mark all his memberof targets as expired to refresh member/ghost attributes on next request.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: end on ENOMEM | Pavel Reichl | 2015-08-31 | 1 | -0/+1
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssd: incorrect checks on length values during packet decoding | Michal Židek | 2015-08-31 | 2 | -4/+4
  https://fedorahosted.org/sssd/ticket/1697
  It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows.
  Reviewed-by: Petr Cech <pcech@redhat.com>
* sdap_async: Use specific errmsg when available | Michal Židek | 2015-08-19 | 1 | -2/+8
  Ticket: https://fedorahosted.org/sssd/ticket/2762
  Use specific errmsg when ldap returns LDAP_CONSTRAINT_VIOLATION code if that specific message is available.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Use sss_unique_filename in ldap_child | Jakub Hrozek | 2015-08-17 | 1 | -22/+3
  Simplifies the code.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: minor improvements in ldap id cleanup | Pavel Reichl | 2015-08-17 | 2 | -4/+5
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: sanitize group name when used in filter | Pavel Reichl | 2015-08-17 | 1 | -5/+83
  cleanup_groups() uses DN of group in filter for ldbsearch. But the name might contain characters with special meaning for filtering like - "*()\/"
  Resolves: https://fedorahosted.org/sssd/ticket/2744
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DYNDNS: rename field of sdap_dyndns_update_state | Pavel Reichl | 2015-08-14 | 1 | -8/+8
  Rename 'use_server_with_nsupdate' to more general name 'fallback_mode'.
  Resolves: https://fedorahosted.org/sssd/ticket/2495
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: remove zone command | Pavel Reichl | 2015-08-14 | 2 | -13/+1
  Remove zone command from message to nsupdate. This command is generally used to hint nsupdate. In correctly configured environment such information should be obtained via DNS.
  If DNS does not provide necessary information we give other hints.
  For more details see: https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate
  Resolves: https://fedorahosted.org/sssd/ticket/2495
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: Don't use server cmd in nsupdate by default | Pavel Reichl | 2015-08-14 | 1 | -1/+1
  nsupdate command `server` should not be used for the first attempt to update DNS. It should be used only in subsequent attempts after the first attempt failed.
  Resolves: https://fedorahosted.org/sssd/ticket/2495
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: Add a new option dyndns_server | Jakub Hrozek | 2015-08-14 | 1 | -0/+7
  Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates.
  This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: use ldb_binary_encode when printing attribute values | Jakub Hrozek | 2015-08-14 | 1 | -1/+10
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Improve messages about failures | Pavel Reichl | 2015-08-07 | 1 | -2/+6
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: rename SDAP_CACHE_PURGE_TIMEOUT | Pavel Reichl | 2015-07-31 | 5 | -6/+6
  Enum member SDAP_CACHE_PURGE_TIMEOUT has counter-intuitive name as it's used to access 'ldap_purge_cache_timeout' option. SDAP_CACHE_PURGE_TIMEOUT is more fitting name.
  Reviewed-by: Petr Cech <pcech@redhat.com>
* DYNDNS: support for dualstack | Pavel Reichl | 2015-07-24 | 1 | -10/+10
  When dyndns_iface option was not used, address of connection to LDAP was used. This patch proposes following change:
    * Interface containing address of connection is found.
    * All A and AAAA addresses of this interface are collected.
    * Collected addresses are sent during DDNS update.
    * Function sss_iface_addr_add() is removed.
  Resolves: https://fedorahosted.org/sssd/ticket/2558
* DYNDNS: support mult. interfaces for dyndns_iface opt | Pavel Reichl | 2015-07-24 | 1 | -8/+64
  Resolves: https://fedorahosted.org/sssd/ticket/2549
* DYNDNS: sss_iface_addr_list_get return ENOENT | Pavel Reichl | 2015-07-24 | 1 | -1/+5
  If none of eligible interfaces matches ifname then ENOENT is returned.
  Resolves: https://fedorahosted.org/sssd/ticket/2549
* Fix minor typos | Yuri Chornoivan | 2015-07-23 | 1 | -1/+1
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Update few debug messages | Lukas Slebodnik | 2015-07-17 | 1 | -2/+3
  It reduces a noise caused by canonicalization of non-existing user.
  Resolves: https://fedorahosted.org/sssd/ticket/2678
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Add the wildcard_limit option | Jakub Hrozek | 2015-07-15 | 4 | -2/+16
  Related: https://fedorahosted.org/sssd/ticket/2553
  Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add sdap_lookup_type enum | Jakub Hrozek | 2015-07-15 | 6 | -33/+73
  Related: https://fedorahosted.org/sssd/ticket/2553
  Change the boolean parameter of sdap_get_users_send and sdap_get_groups_send to a tri-state that controls whether we expect only a single entry (ie don't use the paging control), multiple entries with a search limit (wildcard request) or multiple entries with no limit (enumeration).
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>