summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* LDAP: Use primary cn to search netgroupLukas Slebodnik2013-09-203-7/+22
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2075
* AD: Failure to get flat name is not fatalJakub Hrozek2013-09-203-68/+86
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2067 Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.
* sdap_domain_add: remove too strict consistency checkSumit Bose2013-09-201-10/+0
| | | | | The check worked for simple setups but fails e.g. in environment with trusts.
* LDAP: Deprecate ldap_{user,group}_search_filterJakub Hrozek2013-09-201-0/+12
|
* AD: Download master domain info when enumeratingJakub Hrozek2013-09-185-7/+211
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.
* LDAP: sdap_id_setup_tasks accepts a custom enum requestJakub Hrozek2013-09-184-18/+29
| | | | AD provider will override the default with its own.
* AD: async request to retrieve master domain infoJakub Hrozek2013-09-184-214/+414
| | | | Adds a reusable async request to download the master domain info.
* BE: Log domain name to journald if availableJakub Hrozek2013-09-181-0/+2
| | | | | | | | If the SSSD is compiled with journald support, then all sss_log() statements will include a new field called "SSSD_DOMAIN" that includes the domain name. Filtering only messages from the single domain is then as easy as: # journalctl SSSD_DOMAIN=foo.example.com
* KRB5: Call umask before mkstemp in the krb5 child codeJakub Hrozek2013-09-171-0/+3
|
* simple provider: obey case sensitivity for subdomain users and groupsPavel Březina2013-09-171-7/+43
| | | | | | | | When comparing username and his groups to access list, we will obey case sensitivity of object from access list. Resolves: https://fedorahosted.org/sssd/ticket/2034
* simple provider: support subdomain groupsPavel Březina2013-09-171-23/+64
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2034
* simple provider: support subdomain usersPavel Březina2013-09-171-5/+10
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2034
* util: add sss_idmap_talloc[_free]Pavel Březina2013-09-173-39/+9
| | | | Remove code duplication.
* IPA: Deprecate ipa_hbac_support_srchost optionOndrej Kos2013-09-132-0/+11
| | | | | | | | | This option got already deprecated on the ipa server side. Option is undocumented and warning is printed both to the sssd log files and syslog. Resolves: https://fedorahosted.org/sssd/ticket/1918
* KRB: Remove unused function parametersLukas Slebodnik2013-09-121-4/+2
| | | | | Parameter "int *dp_err" and parameter "int *pam_status" were unused in static function krb5_auth_prepare_ccache_name.
* KRB: Remove unused memory contextLukas Slebodnik2013-09-123-3/+3
| | | | mem_ctx was unused in function get_domain_or_subdomain
* Fix formating of variables with type: gid_tLukas Slebodnik2013-09-115-19/+19
|
* Fix formating of variables with type: uid_tLukas Slebodnik2013-09-113-8/+12
|
* Fix formating of variables with type: id_tLukas Slebodnik2013-09-112-5/+9
|
* Use right formating to print stringLukas Slebodnik2013-09-111-1/+1
| | | | format specifies type 'int' but the argument has type 'const char *'
* Fix warning: data argument not used by format stringLukas Slebodnik2013-09-111-2/+5
|
* Fix formating of variables with ber_ typeLukas Slebodnik2013-09-112-3/+4
|
* Fix formating of variables with type: time_tLukas Slebodnik2013-09-117-9/+10
|
* Fix formating of variables with type defined in stdint.hLukas Slebodnik2013-09-113-5/+7
|
* Fix formating of variables with type: key_serial_tLukas Slebodnik2013-09-111-1/+2
|
* Fix formating of variables with type: size_tLukas Slebodnik2013-09-1127-63/+76
|
* Fix formating of variables with type: ssize_tLukas Slebodnik2013-09-113-5/+5
|
* Use the same variable type like in struct ldb_message_elementLukas Slebodnik2013-09-111-1/+1
| | | | | struct ldb_message_element.num_values is unsigned This patch indirectly fixes printf format string warning.
* Fix formating of variables with type: intLukas Slebodnik2013-09-112-3/+4
|
* Fix formating of variables with type: unsigned longLukas Slebodnik2013-09-111-1/+1
|
* Fix formating of variables with type: longLukas Slebodnik2013-09-115-10/+13
|
* LDAP: Store cleanup timestamp after initial cleanupJakub Hrozek2013-09-113-10/+10
| | | | | | When the SSSD changes serves (and hence lastUSN) we perform a cleanup as well. However, after recent changes, we didn't set the cleanup timestamp correctly, which made the lastUSN logic fail.
* is_dn(): free dnPavel Březina2013-09-101-0/+2
|
* krb5: Fix warning sometimes uninitializedLukas Slebodnik2013-09-101-0/+2
| | | | | | | warning: variable 'ret' is used uninitialized whenever 'if' condition is false if (kerr) { ^~~~
* krb5_child: Simplify ccache creationSimo Sorce2013-09-091-387/+87
| | | | | | | | | | | | The containing ccache directory is precreated by the parent code, so there is no special need to do so here for any type. Also the special handling for the FILE ccache temporary file is not really useful, because libkrb5 internally unlinks and then recreate the file, so mkstemp cannot really prevent subtle races, it can only make sure the file is unique at creation time. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Add file/dir path precheckSimo Sorce2013-09-092-0/+35
| | | | | | | | | | | | | | | | | | | | | | | Add a precheck on the actual existence at all of the file/dir ccname targeted (for FILE/DIR types), and bail early if nothing is available. While testing I found out that without this check, the krb5_cc_resolve() function we call as user to check old paths would try to create the directory if it didn't exist. With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would cause two undesirable side effects: First it would actually create a directory with the old name, when it should not. Second, because for some reason the umask is set to 0127 in sssd_be, it would create the directory with permission 600 (missing the 'x' traverse bit on the directory. If the new ccache has the same name it would cause the krb5_child process to fal to store the credential cache in it. Related: https://fedorahosted.org/sssd/ticket/2061
* krb5: Remove unused ccache backend infrastructureSimo Sorce2013-09-096-144/+14
| | | | | | | | Remove struct sss_krb5_cc_be and the remaining functions that reference it as they are all unused now. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Unify function to create ccache filesSimo Sorce2013-09-093-69/+22
| | | | | | | | | | | Only 2 types (FILE and DIR) need to precreate files or directories on the file system, and the 2 functions were basically identical. Consolidate all in one common function and use that function directly where needed instead of using indirection. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Use new function to validate ccachesSimo Sorce2013-09-093-371/+88
| | | | | | | | | | This function replaces and combines check_for_valid_tgt() and type specific functions that checked for ccache existence by using generic krb5 cache function and executing them as the target user (implicitly validate the target use rcan properly access the ccache). Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Make check_for_valid_tgt() staticSimo Sorce2013-09-091-0/+74
| | | | | | | check_for_valid_tgt() is used exclusively in krb5_uitls.c so move it there. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: move template check to initializzationSimo Sorce2013-09-094-24/+22
| | | | | | | | | | | | The randomized template check realy only makes sense for the FILE ccache which is the only one that normally needs to use randomizing chars. Also it is better to warn the admin early rather than to warn 'when it is too late'. So move the check at initialization time when we determine what the template actually is. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Move determination of user being activeSimo Sorce2013-09-093-43/+17
| | | | | | | | The way a user is checked for being active does not depend on the ccache type so move that check out of the ccache specific functions. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Replace type-specific ccache/principal checkSimo Sorce2013-09-093-148/+89
| | | | | | | | | Instead of having duplicate functions that are type custom use a signle common function that also performs access to the cache as the user owner, implicitly validating correctness of ownership. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Use krb5_cc_destroy to remove old ccachesSimo Sorce2013-09-093-118/+18
| | | | | | | | | This completely replaces the per-ccache-type custom code to remove old cacches and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Add helper to destroy ccache as userSimo Sorce2013-09-092-0/+111
| | | | | | | | | | | This function safely destroy a ccache given a cache name and user crdentials. It becomes the user so no possible races can compromise the system, then uses libkrb5 functions to properly destroy a ccache, independently of the cache type. Finally restores the original credentials after closing the ccache handlers. Resolves: https://fedorahosted.org/sssd/ticket/2061
* krb5: Add calls to change and restore credentialsSimo Sorce2013-09-092-0/+131
| | | | | | | | In some cases we want to temporarily assume user credentials but allow the process to regain back the original credentials (normally regaining uid 0). Related: https://fedorahosted.org/sssd/ticket/2061
* krb5: Ingnore unknown expansion sequencesSimo Sorce2013-09-091-30/+15
| | | | | | | | | | | | | | | | Recently support was added to use also libkrb5 style expansions that uses a %{varname} type of template. There are a number of templates we do not care/can't expand in sssd. The current code misses tests and failed to properly preserve some of the templates we do not want to handle. Addiotionally in order to be future proof this patch treats unknown templates as pass-through templates and defer any error checking to libkrb5, so that sssd is consistent with how kinit would behave. Resolves: https://fedorahosted.org/sssd/ticket/2076
* dyndns: do not modify global family_orderSumit Bose2013-09-051-3/+3
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2063
* AD: Rename parametrized #defineJakub Hrozek2013-09-051-3/+3
|
* ad srv: prefer servers that are in the same domain as clientPavel Březina2013-09-051-0/+89
| | | | https://fedorahosted.org/sssd/ticket/2001