path: root/src/providers
Commit message | Author | Date | Files | Lines (-removed/+added)

* Make sub-domains case-insensitive | Sumit Bose | 2012-11-05 | 1 | -2/+23
  Currently the only type of supported sub-domains are AD domains, which are not case-sensitive. To make it easier for Windows users we make sub-domains case-insensitive as well, which allows writing the username in any case at the login prompt. If support for other types of sub-domains is added it might be necessary to set the case-sensitive flag based on the domain type.

* krb5_auth: update with correct UPN if needed | Sumit Bose | 2012-11-05 | 3 | -0/+133
  The Active Directory KDC handles requests case-insensitively and it might not always be possible to guess the UPN with the correct case. We check if the returned principal has a different case than the one used in the request and update the principal if needed. This will help when using calls from the Kerberos client libraries later on, which would otherwise fail because the principal is handled case-sensitively by those libraries.

* Use find_or_guess_upn() where needed | Sumit Bose | 2012-11-05 | 4 | -34/+49

* Add new call find_or_guess_upn() | Sumit Bose | 2012-11-05 | 4 | -8/+54
  With the current approach the upn was either a pointer to a const string in an ldb_message or a string created with the help of talloc. This new function always makes it a talloc'ed value. Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as well.

* krb5_child: send back the client principal | Sumit Bose | 2012-11-05 | 4 | -5/+42
  In general Kerberos is case-sensitive, but the KDC of Active Directory typically handles requests case-insensitively. In the case where we guess a user principal by combining the user name and the realm and are not sure about the cases of the letters used in the user name, we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right cases. To be able to update the cached user principal name, the krb5_child will return the principal for further processing.

* krb5_mod_ccname: replace wrong memory context | Sumit Bose | 2012-11-05 | 1 | -1/+1

* krb5_child: send PAC to PAC responder | Sumit Bose | 2012-11-05 | 1 | -1/+139
  If the authenticated user comes from a different realm, the service ticket which was returned during the validation of the TGT is used to extract the PAC, which is sent to the pac responder for evaluation.

* krb5_auth: send different_realm flag to krb5_child | Sumit Bose | 2012-11-05 | 2 | -1/+8
  The different_realm flag which was set by the responder is sent to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour, the krb5_child will not set the flag on its own but use the one from the provider.

* krb5_auth: check if principal belongs to a different realm | Sumit Bose | 2012-11-05 | 4 | -0/+43
  Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.

* check_ccache_files: search sub-domains as well | Sumit Bose | 2012-11-05 | 1 | -4/+14
  If sssd is configured to renew Kerberos tickets automatically, tickets of sub-domain users should be renewed as well.

* krb5_auth_send: check for sub-domains | Sumit Bose | 2012-11-05 | 4 | -11/+37
  If there is an authentication request for a user from a sub-domain, a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.

* subdomain-id: Generate homedir only for users not groups | Sumit Bose | 2012-11-05 | 1 | -10/+12

* KRB5: Return error when principal selection fails | Jakub Hrozek | 2012-11-05 | 1 | -1/+4
  The ldap_child would return a NULL ccache but the error code would still indicate success.
  https://fedorahosted.org/sssd/ticket/1594

* sudo refresh: handle errors properly | Pavel Březina | 2012-11-05 | 1 | -8/+25
  We should test both ret and the (dp_error, errno) pair.

* sudo: do not fail if usn value is zero but full refresh is completed | Pavel Březina | 2012-11-05 | 2 | -7/+19
  https://fedorahosted.org/sssd/ticket/1596
  In case the LDAP server contains zero sudo rules, the full refresh completes successfully and stores the current USN value (= 0). But then the smart refresh will fail because it takes USN=0 as an invalid value.

* LDAP: Check validity of naming_context | Jakub Hrozek | 2012-11-05 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1581
  If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.

* Only call krb5_set_trace_callback on platforms that support it | Jakub Hrozek | 2012-10-12 | 2 | -2/+2

* Create ghost users when a user DN is encountered in IPA | Jakub Hrozek | 2012-10-12 | 1 | -37/+276
  The IPA has a defined directory tree structure that allows us to guess the username from a DN without having to look up the DN in LDAP.
  https://fedorahosted.org/sssd/ticket/1319

* Allow extdom exop to return flat domain name as well | Sumit Bose | 2012-10-12 | 4 | -4/+37
  There are cases where the extdom extended operation will return the flat or NetBIOS name of a domain instead of the DNS domain name. If this name is available for the current domain we accept it as well.
  Related to https://fedorahosted.org/sssd/ticket/1561

* Collect krb5 trace on high debug levels | Jakub Hrozek | 2012-10-12 | 4 | -3/+50
  If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5.
  https://fedorahosted.org/sssd/ticket/1539

* Two fixes to child processes | Jakub Hrozek | 2012-10-12 | 2 | -6/+5
  There was an unused structure member in the krb5_child. The declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h, which is not nice. Also, we might actually use the error context directly instead of passing it as a parameter.

* Add more info about ticket validation | Ondrej Kos | 2012-10-10 | 1 | -0/+8
  https://fedorahosted.org/sssd/ticket/1499
  Adds a log message about not finding an appropriate entry in the keytab and using the last keytab entry when validation is enabled. Adds more information about validation into the manpage.

* Fix segfault when ID-mapping an entry without a SID | Jakub Hrozek | 2012-10-10 | 1 | -1/+1
  If there was no SID attribute, then we would have detected it by checking the number of values of an element. We would however happily return EOK in that case and save garbage into the sid_str. This was causing a segfault when the entry was supposed to be ID-mapped but had no SID.

* SSH: Refactor sysdb and related code | Jan Cholasta | 2012-10-05 | 1 | -2/+16

* Fix default upper limit of slices | Ondrej Kos | 2012-10-04 | 3 | -3/+3
  https://fedorahosted.org/sssd/ticket/1537
  Changes the upper limit of slices to 2000200000 in the providers code and the manpage.

* Slices calculation is always wrong for default values | Ondrej Kos | 2012-10-04 | 1 | -2/+2

* Log possibly non-randomizable ccache file template | Ondrej Kos | 2012-10-04 | 4 | -6/+26
  Fixes https://fedorahosted.org/sssd/ticket/1533
  The ccache file template is now checked for an appended XXXXXX for use with mkstemp. When those characters are not present, a warning is written to the log.

* Remove unused variable | Jakub Hrozek | 2012-10-04 | 1 | -6/+0

* Variable in sdap_sudo_rules_refresh_send could be used uninitialized. | Michal Zidek | 2012-10-03 | 1 | -0/+1

* Flip the default value of ldap_initgroups_use_matching_rule_in_chain | Jakub Hrozek | 2012-10-02 | 2 | -2/+2
  https://fedorahosted.org/sssd/ticket/1535

* remove left over principal selection | Pavel Březina | 2012-10-02 | 1 | -21/+0
  https://fedorahosted.org/sssd/ticket/1303
  Domain start-up was taking too long when there are many principals in a Kerberos keytab. We were looking in the keytab two times. The first time we try to select a proper principal and remember it. The second call happens almost right after the first one and it is just a check if the principal exists in the keytab, without any output information other than success/failure. It is probably a leftover from https://fedorahosted.org/sssd/ticket/781. This patch removes the second call.

* LDAP: Handle empty namingContexts values safely | Stephen Gallagher | 2012-09-26 | 1 | -0/+8
  Certain LDAP servers can return an empty string as the value of namingContexts. We need to treat these as NULL so that we can fail gracefully.
  https://fedorahosted.org/sssd/ticket/1542

* KRB5: Recover gracefully if the ccache file could not be reused | Jakub Hrozek | 2012-09-24 | 1 | -4/+6
  https://fedorahosted.org/sssd/ticket/1384

* Bad debug message when no dns_discovery_domain specified. | Michal Zidek | 2012-09-24 | 1 | -3/+11
  https://fedorahosted.org/sssd/ticket/920

* SYSDB: Remove unnecessary domain parameter from several sysdb calls | Jakub Hrozek | 2012-09-24 | 5 | -12/+6
  The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.

* AUTOFS: Use both key and value in entry RDN | Jakub Hrozek | 2012-09-24 | 1 | -2/+10
  This patch switches from using just the key in the RDN to using both key and value. That is necessary to allow multiple direct mounts in a single map.

* AUTOFS: Add entry objects below map objects | Jakub Hrozek | 2012-09-24 | 1 | -43/+91
  https://fedorahosted.org/sssd/ticket/1506
  Changes how the new autofs entry objects are handled. Instead of creating the entry on the cn=autofs,cn=custom level, the entry is created below the map it belongs to.

* AUTOFS: Do not fail if search base is not provided | Jakub Hrozek | 2012-09-24 | 1 | -2/+2

* AD: Handle sysdb lookup failure during tokenGroups processing | Stephen Gallagher | 2012-09-24 | 1 | -0/+6

* Make subdomain discovery less noisy | Sumit Bose | 2012-09-24 | 1 | -15/+16
  Fixes https://fedorahosted.org/sssd/ticket/1517

* sdap_add_incomplete_groups(): fix "ret may be uninitialized" warning | Pavel Březina | 2012-09-24 | 1 | -1/+1

* AD: Optimize initgroups lookups with tokenGroups | Stephen Gallagher | 2012-09-24 | 3 | -4/+313
  https://fedorahosted.org/sssd/ticket/1355

* AD: Detect domain controller compatibility version | Stephen Gallagher | 2012-09-24 | 3 | -0/+44

* AD: autorid compatibility should recommend the use of default domain | Stephen Gallagher | 2012-09-24 | 1 | -4/+4
  Previously, we were failing to start if ldap_idmap_autorid_compat was True but the default domain SID was unspecified. This is the recommended configuration, but it is functional without it. There is just a slight risk that the IDs will be inconsistent between machines if the first user requested is not from the default domain.
  https://fedorahosted.org/sssd/ticket/1530

* SSSD fails to store users if any of the requested attributes is empty. | Michal Zidek | 2012-09-20 | 1 | -0/+6
  https://fedorahosted.org/sssd/ticket/1440

* Add more debuginfo into ldap_child | Ondrej Kos | 2012-09-20 | 1 | -23/+36
  https://fedorahosted.org/sssd/ticket/1225
  krb5_child was already updated before. Adding more debuginfo into ldap_child. Also, old debug levels are rewritten into the new macros.

* KRB5 child: handle more error codes gracefully | Jakub Hrozek | 2012-09-20 | 1 | -31/+26
  This patch changes handling of krb5 child error codes so that it's on par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.

* KRB5 child: Don't return System Error on empty password | Jakub Hrozek | 2012-09-20 | 1 | -0/+4
  https://fedorahosted.org/sssd/ticket/1310

* Failover: use _srv_ when no primary server is defined | Pavel Březina | 2012-09-17 | 4 | -46/+12
  https://fedorahosted.org/sssd/ticket/1521

* SELinux: Always use the default if it exists on the server | Jakub Hrozek | 2012-09-13 | 1 | -9/+9
  https://fedorahosted.org/sssd/ticket/1513
  This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
  During an e-mail discussion, it was decided that
    * if the default is set in the IPA config object, the SSSD would use that default no matter what
    * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether