path: root/src/providers
Log entries below list: commit message, author, date, files changed, lines removed/added.
* WIP adlookup
  Jakub Hrozek, 2015-09-04, 1 file, lines -0/+35
* LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains
  Jakub Hrozek, 2015-09-04, 2 files, lines -6/+0

  https://fedorahosted.org/sssd/ticket/2723

  In case there are overlapping sdap domains, a search for a single user might match and return multiple entries. For instance, with AD domains represented by search bases:
    DC=win,DC=trust,DC=test
    DC=child,DC=win,DC=trust,DC=test
  A search for user from win.trust.test would be based at:
    DC=win,DC=trust,DC=test
  but would match both search bases and return both users. Instead of performing complex filtering, just save both users. The responder would select the entry that matches the user's search.
* cleanup task: Expire all memberof targets when removing user
  Michal Židek, 2015-09-03, 1 file, lines -1/+52

  Ticket: https://fedorahosted.org/sssd/ticket/2676

  When a user is removed from cache during the cleanup task, mark all his memberof targets as expired to refresh member/ghost attributes on the next request.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: Use sss_unique_file and close fd on failure (HEAD, master)
  Jakub Hrozek, 2015-09-01, 1 file, lines -16/+14

  The GPO child didn't remove the temporary file on failure and didn't close the fd on failure (the latter was not much of a problem for a short-lived child process).

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: send less logs to syslog
  Pavel Reichl, 2015-09-01, 1 file, lines -0/+42

  Create new callback that handles logging messages in cyrus sasl library.

  Resolves: https://fedorahosted.org/sssd/ticket/2561

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: end on ENOMEM
  Pavel Reichl, 2015-08-31, 1 file, lines -0/+1

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssd: incorrect checks on length values during packet decoding
  Michal Židek, 2015-08-31, 6 files, lines -19/+19

  https://fedorahosted.org/sssd/ticket/1697

  It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows.

  Reviewed-by: Petr Cech <pcech@redhat.com>
* UTIL: Function 2string for enum sss_cli_command
  Petr Cech, 2015-08-31, 1 file, lines -25/+2

  Improvement of debug messages. Instead of:
    "(0x0400): Running command [17]..."
  We could see:
    "(0x0400): Running command [17][SSS_NSS_GETPWNAM]..."
  (It's not used in sss_client. There are only hex numbers of commands.)

  Resolves: https://fedorahosted.org/sssd/ticket/2708

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sdap_async: Use specific errmsg when available
  Michal Židek, 2015-08-19, 1 file, lines -2/+8

  Ticket: https://fedorahosted.org/sssd/ticket/2762

  Use specific errmsg when ldap returns LDAP_CONSTRAINT_VIOLATION code if that specific message is available.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Use sss_unique_filename in ldap_child
  Jakub Hrozek, 2015-08-17, 1 file, lines -22/+3

  Simplifies the code.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Use sss_unique_file when creating kdcinfo files
  Jakub Hrozek, 2015-08-17, 1 file, lines -7/+9

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Use sss_unique file in krb5_child
  Jakub Hrozek, 2015-08-17, 1 file, lines -16/+11

  In krb5_child, we intentionally don't set the owner of the temporary file, because we're not renaming it to a 'stable' name, but rather directly using it as the ccache.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: minor improvements in ldap id cleanup
  Pavel Reichl, 2015-08-17, 2 files, lines -4/+5

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: sanitize group name when used in filter
  Pavel Reichl, 2015-08-17, 1 file, lines -5/+83

  cleanup_groups() uses DN of group in filter for ldbsearch. But the name might contain characters with special meaning for filtering like "*()\/".

  Resolves: https://fedorahosted.org/sssd/ticket/2744

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DYNDNS: remove code duplication
  Pavel Reichl, 2015-08-14, 1 file, lines -55/+44

  Move copy-pasted code for converting sockaddr_storage to string into a function.

  Resolves: https://fedorahosted.org/sssd/ticket/2495

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: rename field of sdap_dyndns_update_state
  Pavel Reichl, 2015-08-14, 1 file, lines -8/+8

  Rename 'use_server_with_nsupdate' to more general name 'fallback_mode'.

  Resolves: https://fedorahosted.org/sssd/ticket/2495

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: remove zone command
  Pavel Reichl, 2015-08-14, 6 files, lines -42/+3

  Remove zone command from message to nsupdate. This command is generally used to hint nsupdate. In a correctly configured environment such information should be obtained via DNS. If DNS does not provide necessary information we give other hints.

  For more details see: https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate

  Resolves: https://fedorahosted.org/sssd/ticket/2495

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: remove redundant talloc_steal()
  Pavel Reichl, 2015-08-14, 1 file, lines -1/+2

  String 'update_msg' was already allocated on mem_ctx, so there is no need to steal it.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: Don't use server cmd in nsupdate by default
  Pavel Reichl, 2015-08-14, 1 file, lines -1/+1

  nsupdate command `server` should not be used for the first attempt to update DNS. It should be used only in subsequent attempts after the first attempt failed.

  Resolves: https://fedorahosted.org/sssd/ticket/2495

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: Add a new option dyndns_server
  Jakub Hrozek, 2015-08-14, 5 files, lines -0/+11

  Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates.

  This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Always re-fetch the keytab from the IPA server
  Jakub Hrozek, 2015-08-14, 2 files, lines -25/+62

  Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists.

  This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Change the default of ldap_user_certificate to userCertificate;binary
  Jakub Hrozek, 2015-08-14, 1 file, lines -1/+1

  This is safe from ldb point of view, because ldb guarantees the data is NULL-terminated. We must be careful before we save the data, though.

  Resolves: https://fedorahosted.org/sssd/ticket/2742

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: use ldb_binary_encode when printing attribute values
  Jakub Hrozek, 2015-08-14, 1 file, lines -1/+10

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DEBUG: Add new debug category for fail over.
  Michal Židek, 2015-08-14, 2 files, lines -8/+37

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Improve messages about failures
  Pavel Reichl, 2015-08-07, 2 files, lines -3/+8

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* krb5: assume online state if KDC proxy is configured
  Sumit Bose, 2015-08-05, 1 file, lines -0/+6

  If a KDC proxy is configured a request in the KRB5 provider will assume online state even if the backend is offline without changing the state of the backend.

  Resolves https://fedorahosted.org/sssd/ticket/2700

  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not create kdcinfo file if proxy configuration exists
  Sumit Bose, 2015-08-05, 1 file, lines -0/+7

  Resolves https://fedorahosted.org/sssd/ticket/2652

  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Do not try to remove missing ccache
  Lukas Slebodnik, 2015-08-05, 1 file, lines -0/+5

  There was a misleading debug message in krb5_child:
    [[sssd[krb5_child[16629]]]] [get_and_save_tgt] (0x0080): Failed to remove old ccache file [(null)], please remove it manually.

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Remove MPG groups if getgrgid was called before getpw()
  Jakub Hrozek, 2015-07-31, 1 file, lines -2/+39

  https://fedorahosted.org/sssd/ticket/2724

  This bug only affects IPA clients that are connected to IPA servers with AD trust and ID mapping in effect.

  If an IPA client calls getgrgid() for an ID that matches a user, the user's private group would be returned and stored as a group entry. Subsequent queries for that user would fail, because MPG domains impose uniqueness restriction for both the ID and name space across groups and users.

  To work around that, we remove the UPG groups in MPG domains during a group lookup.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: rename SDAP_CACHE_PURGE_TIMEOUT
  Pavel Reichl, 2015-07-31, 5 files, lines -6/+6

  Enum member SDAP_CACHE_PURGE_TIMEOUT has a counter-intuitive name as it's used to access the 'ldap_purge_cache_timeout' option. SDAP_CACHE_PURGE_TIMEOUT is a more fitting name.

  Reviewed-by: Petr Cech <pcech@redhat.com>
* krb5: do not send SSS_OTP if two factors were used
  Sumit Bose, 2015-07-29, 1 file, lines -1/+6

  Resolves https://fedorahosted.org/sssd/ticket/2729

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Use ad_site also when site search fails
  Pavel Březina, 2015-07-29, 1 file, lines -2/+10

  https://fedorahosted.org/sssd/ticket/2725

  Some deployments use the ad_site option for cases where the AD clients are not able to find a site for one reason or another. With our current code, the ad_site option value can only override a site that the client found, not supply the value for cases no site could be found.

  This patch fixes the issue.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Handle sssd-owned keytabs when running as root
  Jakub Hrozek, 2015-07-28, 2 files, lines -8/+41

  https://fedorahosted.org/sssd/ticket/2718

  This patch handles the case where the keytab is created with sssd:sssd ownership (perhaps by the IPA oddjob script) but SSSD runs as root, which is the default in many distributions.

  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* IPA: Better debugging
  Jakub Hrozek, 2015-07-28, 1 file, lines -0/+3

  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* SYSDB: prepare for LOCAL view
  Pavel Březina, 2015-07-27, 1 file, lines -1/+2

  Objects don't have to have overrideDN specified when using LOCAL view. Since the view is not stored on the server we do not want to contact LDAP, therefore we special case LOCAL view saying that it is OK that this attribute is missing.

  Preparation for: https://fedorahosted.org/sssd/ticket/2584

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Handle cases where no GPOs apply
  Stephen Gallagher, 2015-07-26, 1 file, lines -3/+43

  It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error. We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration).

  We also need to delete the result object from the cache to ensure that offline operation will also grant access.

  Resolves: https://fedorahosted.org/sssd/ticket/2713

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DYNDNS: support for dualstack
  Pavel Reichl, 2015-07-24, 3 files, lines -39/+124

  When dyndns_iface option was not used, address of connection to LDAP was used. This patch proposes following change:
    * Interface containing address of connection is found.
    * All A and AAAA addresses of this interface are collected.
    * Collected addresses are sent during DDNS update.
    * Function sss_iface_addr_add() is removed.

  Resolves: https://fedorahosted.org/sssd/ticket/2558
* DYNDNS: special value '*' for dyndns_iface option
  Pavel Reichl, 2015-07-24, 1 file, lines -4/+16

  Option dyndns_iface now has special value '*' which implies that IPs from all interfaces should be sent during DDNS update.
* DYNDNS: support mult. interfaces for dyndns_iface opt
  Pavel Reichl, 2015-07-24, 3 files, lines -8/+74

  Resolves: https://fedorahosted.org/sssd/ticket/2549
* DYNDNS: sss_iface_addr_list_get return ENOENT
  Pavel Reichl, 2015-07-24, 2 files, lines -3/+16

  If none of the eligible interfaces matches ifname then ENOENT is returned.

  Resolves: https://fedorahosted.org/sssd/ticket/2549
* Fix minor typos
  Yuri Chornoivan, 2015-07-23, 2 files, lines -2/+2

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Use the right domain for case-sensitive flag
  Jakub Hrozek, 2015-07-22, 1 file, lines -1/+1

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Update few debug messages
  Lukas Slebodnik, 2015-07-17, 1 file, lines -2/+3

  It reduces a noise caused by canonicalization of non-existing user.

  Resolves: https://fedorahosted.org/sssd/ticket/2678

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* KRB5: Return right data provider error code
  Lukas Slebodnik, 2015-07-15, 1 file, lines -1/+1

  Resolves: https://fedorahosted.org/sssd/ticket/2719

  Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Add the wildcard_limit option
  Jakub Hrozek, 2015-07-15, 6 files, lines -2/+18

  Related: https://fedorahosted.org/sssd/ticket/2553

  Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add sdap_lookup_type enum
  Jakub Hrozek, 2015-07-15, 6 files, lines -33/+73

  Related: https://fedorahosted.org/sssd/ticket/2553

  Change the boolean parameter of sdap_get_users_send and sdap_get_groups_send to a tri-state that controls whether we expect only a single entry (i.e. don't use the paging control), multiple entries with a search limit (wildcard request) or multiple entries with no limit (enumeration).

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Use sdap_get_and_parse_generic_/_recv
  Jakub Hrozek, 2015-07-15, 2 files, lines -8/+8

  Related: https://fedorahosted.org/sssd/ticket/2553

  Using the new request sdap_get_and_parse_generic_send is a separate commit so that we can audit where the function is used during a code review.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add sdap_get_and_parse_generic_send
  Jakub Hrozek, 2015-07-15, 2 files, lines -35/+136

  Related: https://fedorahosted.org/sssd/ticket/2553

  So far we had a simple sdap_get_generic_send() request that uses the right defaults around the low-level sdap_get_generic_ext_send() request and calls the parser.

  This patch adds also sdap_get_and_parse_generic_send() that exposes all options that sdap_get_generic_ext_send() offers but also calls the parser. In this patch the function is not used at all.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Fetch users and groups using wildcards
  Jakub Hrozek, 2015-07-15, 2 files, lines -2/+51

  Related: https://fedorahosted.org/sssd/ticket/2553

  Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far it's the same code as if enumeration was used, so there are no limits.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
  Jakub Hrozek, 2015-07-15, 2 files, lines -0/+9

  Related: https://fedorahosted.org/sssd/ticket/2553

  Extends the Data Provider interface and the responder<->Data provider interface with wildcard lookups. The patch uses a new "wildcard" prefix rather than reusing the existing user/group prefixes.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>