| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1697
It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2762
Use specific errmsg when ldap returns
LDAP_CONSTRAINT_VIOLATION code if that specific
message is available.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
| |
Simplifies the code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
cleanup_groups() uses DN of group in filter for ldbsearch. But the name
might contain characters with special meaning for filtering
like - "*()\/"
Resolves:
https://fedorahosted.org/sssd/ticket/2744
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Rename 'use_server_with_nsupdate' to more general name 'fallback_mode'.
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove zone command from message to nsupsate. This command is generally
used to hint nsupdate. In correctly configured environment such
information should be obtained via DNS.
If DNS does not provide necessary information we give other hints.
For more details see:
https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
nsupdate command `server` should not be used for the first attempt
to udpate DNS. It should be used only in subsequent attempts after the
first attempt failed.
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.
This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Enum member SDAP_CACHE_PURGE_TIMEOUT has counter-intuitive name as it's used
to access 'ldap_purge_cache_timeout' option.
SDAP_CACHE_PURGE_TIMEOUT is more fitting name.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When dyndns_iface option was not used, address of connection to LDAP
was used. This patch proposes following change:
* Interface containing address of connection is found.
* All A and AAAA addresses of this interface are collected.
* Collected addresses are sent during DDNS update.
* Function sss_iface_addr_add() is removed.
Resolves:
https://fedorahosted.org/sssd/ticket/2558
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2549
|
| |
|
|
|
|
|
| |
If none of eligible interfaces matches ifname then ENOENT is returned.
Resolves:
https://fedorahosted.org/sssd/ticket/2549
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It reduces a noise caused by canonicalization of non-existing user.
Resolves:
https://fedorahosted.org/sssd/ticket/2678
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Change the boolan parameter of sdap_get_users_send and sdap_get_groups_send
to a tri-state that controls whether we expect only a single entry
(ie don't use the paging control), multiple entries with a search limit
(wildcard request) or multiple entries with no limit (enumeration).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Using the new request sdap_get_and_parse_generic_send is a separate
commit so that we can audit where the function is used during a code
review.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
So far we had a simple sdap_get_generic_send() request that uses the
right defaults around the low-level sdap_get_generic_ext_send() request
and calls the parser.
This patch adds also sdap_get_and_parse_generic_send() that exposes all
options that sdap_get_generic_ext_send() offers but also calls the
parser.
In this patch the function is not used at all.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far
it's the same code as if enumeration was used, so there are no limits.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Function sysdb_get_real_name overrode reurned code LDAP
and thus user was not removed from cache after removing it from LDAP.
This patch also do not try to set initgroups flag if user
does not exist. It reduce some error message.
Resolves:
https://fedorahosted.org/sssd/ticket/2681
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Otherwise each connection would clobber the environment variable with
its own.
This is a temporary workaround until SSSD's ldap_child is able to store
ccaches in a collection.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't pass zone directive to nsupdate for the first pass. The
information about zone should be generated by nsupdate which has
auto-detection logic for zone value. The previous version code sometime
worked but it broke when client domain was not the same as FreeIPA
domain.
Log without patch applied:
[ipa_dyndns_update_send] (0x0400): Performing update
[ipa_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
[ipa_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]: Input/output error
Log after patch applied:
[ipa_dyndns_update_send] (0x0400): Performing update
[ipa_dyndns_nsupdate_done] (0x0040): DNS update finished
Resolves:
https://fedorahosted.org/sssd/ticket/2540
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In a recent change set_initgroups_expire_attribute() was added to
groups_by_user_done() to make sure that the initgroups timeout is only
added to the user object until all groups added to the cache.
This change (and the original code in groups_by_user_done() as well)
didn't took sub-domain users into account where the name in sysdb might
different form the original request and the domain is not the configured
domain. This patch tries to ensure that the right name and domain are
used.
https://fedorahosted.org/sssd/ticket/2663
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==18139== Conditional jump or move depends on uninitialised value(s)
==18139== at 0x14400F1B: generic_ext_search_handler.isra.3 (sdap_async.c:1626)
==18139== by 0x879D7E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==18139== by 0x87A20CD: epoll_event_loop_once (tevent_epoll.c:907)
==18139== by 0x87A07D6: std_event_loop_once (tevent_standard.c:114)
==18139== by 0x879CFBC: _tevent_loop_once (tevent.c:530)
==18139== by 0x879D15A: tevent_common_loop_wait (tevent.c:634)
==18139== by 0x87A0776: std_event_loop_wait (tevent_standard.c:140)
==18139== by 0x5293862: server_loop (server.c:668)
==18139== by 0x10EA41: main (data_provider_be.c:2909
Related tickets:
https://fedorahosted.org/sssd/ticket/2645
https://fedorahosted.org/sssd/ticket/2662
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking the enum request in the underlying LDAP provider to skip it
might be too late as the richer IPA or AD providers depend on having a
useful result when the sdap request finishes.
Move the enumeration check earlier instead and allow directly in the IPA
or AD handler.
Related:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
When tokenGroups are enabled, we save groups using their SID as the RDN
attribute during initgroups() and later, if the groups is requested and saved
again with the full name, remove the original and save the new group entry.
Saving the new group entry would break if ignore_group_members is also
set, because the new group entry would lack the "member" attribute, so the
member/memberof links between the new group and the user entry wouldn't
be established again.
This patch changes the initgroups processing so that the full group
object is fetched when initgroups is enabled but together with
ignore_group_members. This solution imposes some performance impact,
because instead of one search for tokenGroups we also need to resolve the
groups. The more systematic solution would be to get rid of removing the
group entry as described in https://fedorahosted.org/sssd/ticket/2656
To reproduce the bug, set: ignore_group_members = True with a
backend that uses:
id_provider = ad
Then run:
$ id aduser@ad_domain.com
$ id aduser@ad_domain.com
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For GPOs assigned to a site, it's possible that their definition
actually exists in another domain. To retrieve this information,
we need to follow the referral and perform a base search on
another domain controller.
Resolves:
https://fedorahosted.org/sssd/ticket/2645
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Some callers may be interested in the raw referral values returned from
a lookup. This patch allows interested consumers to get these referrals
back and process them if they wish. It does not implement a generic
automatic following of referrals.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initgrups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.
Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of epmty cache and parallel initgroups request in responders
there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
not cached. Therefore sometime responder could return zero supplementary
groups.
This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.
In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even thought there was a bug.
a) Time between two request was too small. User was not stored in cache
yet and 2nd request waited for response from DP.
b) Time between two request was big enough. All users groups were
successfully stored in cache and 2nd request returned correct results.
Resolves:
https://fedorahosted.org/sssd/ticket/2634
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The variable ret was not read when function sysdb_has_enumerated
returned ENOENT. Just boolean variable has_enumerated need to be changed.
This dead assignment caused warning from clang static analyser
Value stored to 'ret' is never read
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2627
The cleanup task was designed to keep the cache size within certain
limits. This is how it roughly works now:
- find users who have never logged in by default. If
account_cache_expiration is set, find users who loggged in later
than account_cache_expiration
- delete the matching set of users
- find groups that have no members
- delete the matching set of groups
So unless account_cache_expiration is set to something sensible, only empty
groups and expired users who never logged in are removed and that's quite
a corner case. The above effectivelly walks the whole database, especially
the groups step is quite slow with a huge database. The whole cleanup task
also runs in a single sysdb transaction, which means all other transactions
are blocked while the cleanup task crunches the database.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sdap_nested_group_populate_users() has code to handle user name changes.
It updates the SYSDB_NAME attribute. This attribute is also used in the
RDN but changing the attribute in the object does not change the DN
hence the DN still contains the old name. Currently
sysdb_set_user_attr() was used to update the entry which creates the DN
based on the give name. This will fail if the name is changed for a
second time. Since the DN is already available in the search result it
is more reliable to use it directly with sysdb_set_entry_attr().
Related to https://fedorahosted.org/sssd/ticket/2591
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If subdomains are disabled "subdomain_provider = none"
then auto-discovery discovery of domain SID is disabled.
It is possible to configure options ldap_idmap_default_domain{,_sid}
and id mapping should work.
However value of option ldap_idmap_default_domain_sid was not assigned to
sss_domain_info for main domain. It was only used for initialisation of
sdap_idmap_ctx. As a result of this bug posix attributes were used in
ldap filter and id mapping worked just for users with posix attributes.
[be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
[be_req_set_domain] (0x0400):
Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
Could not parse domain SID from [(null)]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
Could not parse domain SID from [(null)]
[sdap_search_user_next_base] (0x0400):
Searching for users with base [DC=EXAMPLE,DC=TEST]
[sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with
[(&(sAMAccountName=hdpadmin)(objectclass=user)
(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
[DC=EXAMPLE,DC=TEST].
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users
Resolves:
https://fedorahosted.org/sssd/ticket/2635
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Function sdap_add_incomplete_groups stored domain local groups
from subdomain as POSIX group, which should not be done.
Resolves:
https://fedorahosted.org/sssd/ticket/2614
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Patch remove code duplication.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
