summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* LDAP: Handle errors from sdap_id_op properly in enum codeJakub Hrozek2014-02-121-1/+41
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: Remove dead codeJakub Hrozek2014-02-121-8/+0
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: Only download domains that are set to enumerateJakub Hrozek2014-02-121-1/+5
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Detect the presence of POSIX attributesJakub Hrozek2014-02-128-15/+502
| | | | | | | | | | | | | | | | | | | When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: support for subdomain_homedirPavel Reichl2014-02-051-0/+190
| | | | | | | Homedir is defaultly set accordingly to subdomain_homedir for users from AD. Resolves: https://fedorahosted.org/sssd/ticket/2169
* dyndns: Update PTR records separatelyNikolai Kondrashov2014-02-011-3/+6
| | | | | | | | | | Generate nsupdate input for sending PTR record update messages separately instead of together in nsupdate_msg_add_ptr. This fixes updates with addresses from different networks (DNS zones), as nsupdate doesn't support such updates in a single message. Fixes https://fedorahosted.org/sssd/ticket/2179
* AD: Remove unused memory contextsLukas Slebodnik2014-02-012-12/+10
| | | | | Memory context memctx was unused in functions _ad_servers_init sdap_ad_tokengroups_update_members
* LDAP: require attribute groupType for AD groupsLukas Slebodnik2014-01-291-1/+1
| | | | | | | | | Commit 8280c5213094 introduced filtering local groups for trusted/sub domains, but attribute groupType was not available with configuration id_provide ldap and ldap_schema ad. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: store group if subdomain cannot be found by sidLukas Slebodnik2014-01-291-4/+6
| | | | | | | | | Domain needn't contain sid if id_provider is ldap. With enabled id mapping, group couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
* AD: Establish cross-domain memberships after enumeration finishesJakub Hrozek2014-01-292-22/+377
| | | | | | | | | | | | | | | | Because domain enumeration currently works for each domain separately, the code has to establish cross-domain memberships after all domains are enumerated. The code works as follows: 1) check if any *sub*domains were enumerated. If not, do nothing 2) if any of the groups saved had more original members than sysdb members, check if members of these groups can be linked now that all users and groups are saved using the orig_member attribute of the group matched against originalDN member of the user. Related: https://fedorahosted.org/sssd/ticket/2142
* LDAP: Don't clobber original_member during enumerationJakub Hrozek2014-01-291-4/+10
|
* AD: Enumerate users from GC, other entities from LDAPJakub Hrozek2014-01-291-3/+17
|
* LDAP: Add enum request with custom connectionJakub Hrozek2014-01-292-125/+191
| | | | | | | | | This commit changes the enumerate-sdap-domain request to accept a connection context per object that can be enumerated. Internally in the request, an sdap_id_op is also created per enumerated object type. This change will allow i.e. users to be enumerated using GC connection, while keeping the LDAP connection for groups and services.
* LDAP: Pass a private context to enumeration ptask instead of hardcoded ↵Jakub Hrozek2014-01-297-36/+52
| | | | | | | | | | connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.
* AD: Store info on whether a subdomain is set to enumerateJakub Hrozek2014-01-291-5/+33
| | | | | | Depending on the state of the subdomain_enumerate variable, the newly created subdomain object is created with the right value of "enumerate" attribute in the sysdb.
* AD SRV: use right domain name for CLDAP pingSumit Bose2014-01-281-1/+1
| | | | | | Currently always the name of the configured domain was passed to the CLDAP request. This will fail if the CLDAP request is send to a DC form a different domain.
* LDAP: Don't abort request if no id mapping domain matchesJakub Hrozek2014-01-242-6/+38
| | | | | | | | | If an ID was requested from the back end, but no ID mapping domain matched, the request ended with a scary error message. It's better to treat the request as if no such ID was found in the domain Related: https://fedorahosted.org/sssd/ticket/2200
* krb5: hint to increase krb5_auth_timeoutPavel Reichl2014-01-221-1/+4
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2202
* sdap_idamp: Fall back to another method if sid is wrongLukas Slebodnik2014-01-221-2/+8
| | | | | | | | | | | sss_idmap_domain_has_algorithmic_mapping can return also IDMAP_SID_INVALID, but it does not mean that idmaping is unavailable. We should fall back to another method of detection (sss_idmap_domain_by_name_has_algorithmic_mapping) and do not return false immediately. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: update id mapping detection for ldap providerLukas Slebodnik2014-01-221-0/+5
| | | | | | | | For id_provider ldap, it is only necessary to enable option ldap_id_mapping. It is an regression introduced in the commit d3e1d88ce7de3216a862b Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Don't fail if subdomain cannot be found by sidLukas Slebodnik2014-01-221-4/+6
| | | | | | | | | Domain needn't contain sid if id_provider is ldap. With enabled id mapping, user couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Fix error checkJakub Hrozek2014-01-201-2/+2
| | | | https://fedorahosted.org/sssd/ticket/2199
* AD: Don't fail the request if ad_account_can_shortcut failsJakub Hrozek2014-01-201-1/+3
|
* AD: Return right error code from netlogon_get_flat_nameLukas Slebodnik2014-01-161-1/+1
| | | | | | | EOK was returned in done section of netlogon_get_flat_name, even if error code was set in variable ret. This patch fixes also warnings from scan-build.
* simple access: refresh master domain infoPavel Reichl2014-01-152-45/+92
| | | | | | | | | | To correctly decide if an object is a member of the main sssd domain, a flat name is needed. However, the information may not be available when the module is inited so it may be necessary to refresh this data later while processing a request. Resolves: https://fedorahosted.org/sssd/ticket/2189
* simple access: match objects using flat namePavel Reichl2014-01-151-1/+3
| | | | | | | Use flat name to recognise users and groups belonging to main sssd domain. Resolves: https://fedorahosted.org/sssd/ticket/2189
* LDAP: Add a new error code for malformed access control filterJakub Hrozek2014-01-094-10/+16
| | | | | | | https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.
* responder: Set forest attribute in AD domainsPavel Reichl2014-01-096-16/+51
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2160
* FAST: when parsing krb5_child response, make sure to not miss OTP message if ↵Alexander Bokovoy2014-01-091-3/+4
| | | | | | | | | | | | | it was last one The last message in the stream might be with empty payload which means we get only message type and message length (0) returned, i.e. 8 bytes left remaining in the stream after processing preceding message. This makes our calculation at the end of a message processing loop incorrect -- p+2*sizeof(int32_t) can be equal to len, after all. Fixes FAST processing for FreeIPA native OTP case: https://fedorahosted.org/sssd/ticket/2186
* LDAP: Fix typo and use the right attribute mapJakub Hrozek2014-01-081-1/+1
| | | | | | | | https://fedorahosted.org/sssd/ticket/2191 There was a copy-n-paste bug in the code that resulted in using a wrong attribute map. This could lead to the primary name not being selected correctly.
* IPA: fix for recent AD group membership changesSumit Bose2014-01-081-0/+2
|
* AD: Enable fallback to LDAP of trusted domainJakub Hrozek2013-12-191-13/+1
| | | | | Since we have the LDAP port of a trusted AD GC always available now, we can always perform a fallback.
* AD: Add a new option to turn off GC lookupsJakub Hrozek2013-12-193-13/+20
| | | | | | | | | | SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.
* AD: Add a utility function to create list of connectionsJakub Hrozek2013-12-196-41/+70
| | | | | | | | | | ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.
* AD: cross-domain membership fixSumit Bose2013-12-196-30/+261
| | | | | | | | | | | | | | | | | | | A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
* AD: filter domain local groups for trusted/sub domainsSumit Bose2013-12-194-64/+138
| | | | | | | | | | | | | | In Active Directory groups with a domain local scope should only be used inside of the specific domain. Since SSSD read the group memberships from LDAP server of the user's domain the domain local groups are included in the LDAP result. Those groups should be filtered out if the domain is a sub/trusted domain, i.e. is not the domain the client running SSSD is joined to. The groups will still be in the cache but marked as non-POSIX groups and no GID will be assigned. Fixes https://fedorahosted.org/sssd/ticket/2178
* Add new option ldap_group_typeSumit Bose2013-12-194-0/+6
|
* IPA: Call ipa_ad_subdom_refresh when server mode is initializedJakub Hrozek2013-12-191-6/+14
| | | | | | ipa_ad_subdom_refresh was called before IPA server context was initialized. On IPA server, this caused the code to dereference a NULL pointer and crash.
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-194-53/+25
|
* IPA: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-19/+32
| | | | | Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.
* AD: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-17/+32
| | | | | | | | | | Previously, if no changes were done to the list of subdomains, the SSSD didn't update its list of sdap_domain mappings for the new subdomain. This resulted in errors as no id_ctx was present for the subdomain during lookup. This patch moves the block of code performed during update to a function of its own and calls it during provider initialization as well.
* AD: Don't mark domain as enumerated twiceJakub Hrozek2013-12-181-12/+0
| | | | | The domain was already marked as enumerated using sysdb_set_enumerated in the enumeration request itself.
* ad: use tokengroups even when id mapping is disabledPavel Březina2013-12-183-26/+524
| | | | https://fedorahosted.org/sssd/ticket/1568
* ad: refactor tokengroups initgroupsPavel Březina2013-12-183-229/+355
| | | | | sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
* AD: use LDAP for group lookupsSumit Bose2013-12-133-3/+152
| | | | | | | | | | | | | | | | The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
* SUBDOMAINS: Reuse cached results if DP is offlineJakub Hrozek2013-12-092-2/+13
| | | | | | | | | | If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168
* LDAP: Fix a debug messageJakub Hrozek2013-12-091-2/+1
|
* failover: check dns_domain if primary servers lookup failedPavel Březina2013-12-091-3/+7
| | | | | | | If primary servers lookup failed, dns_domain is not set. Resolves: https://fedorahosted.org/sssd/ticket/2173
* rfc2307bis_nested_groups_send: reuse search baseSumit Bose2013-12-091-2/+7
| | | | | If there are multiple members in the sdom list, always the search base of the first entry were used.
* SSSD: Improved domain detectionPavel Reichl2013-11-291-11/+28
| | | | | | | A bit more elegant way of detection of what domain the group member belongs to Resolves: https://fedorahosted.org/sssd/ticket/2132
generated by cgit (git 2.34.1) at 2024-09-27 09:30:33 +0000