| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1760
|
| |
|
|
|
|
| |
sss_authtok_get_password() already returns length without terminating
zero. This broke authentication over LDAP because we removed the
last password character.
|
| |
|
|
| |
Use the new authtok abstraction and interfaces throught the code.
|
| |
|
|
|
| |
Make it clear to the API users that we can not take arbitrary auth tokens.
We can only take a password for now so simplify and clarify the interface.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This set of functions had a few important issues:
1. the base_dn was always NULL, as the base array was never actually used
to construct any DN. This means each function searched the whole database
multiple times.
It would try to remove SYSDB_USN from all database entries 3 times.
Then it would try to find non updated entries another 3 times and delete
them, arguably find empty results the last 2 times.
2. Remove use of sysdb_private.h, that header is *PRIVATE* which means it
should not be used anywhere but within sysdb. Do this by using existing
functions instead of using ldb calls directly. This is important to keep
sysdb as conistent and self-contained as possible.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the AD case, deployments sometimes add groups as parents of the
primary GID group. These groups are then returned during initgroups
in the tokenGroups attribute and member/memberof links are established
between the user and the group. However, any update of these groups
would remove the links, so a sequence of calls: id -G user; id user; id
-G user would return different group memberships.
The downside of this approach is that the user is returned as a group
member during getgrgid call as well.
|
| |
|
|
|
|
|
| |
The code would call sysdb_attrs_add_uint32 which added another UID or GID
to the ID=0 we already downloaded from LDAP (0 is the default value) when
ID-mapping an entry. This led to funky behaviour later on when we wanted
to process the ID.
|
| |
|
|
| |
It is not a map, but a default context. The name should reflect that.
|
| |
|
|
|
| |
Changes the ipa_get_selinux{send,recv} request so that it only delivers
data and moves processing to the IPA selinux handler.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1736
When there are no rules during first refresh, we don't have valid
USN value. We use 0 in this case, but it turned out that OpenLDAP
takes it as invalid time format (if modifyTimestamp is used instead
of USN) and thus returns no records.
Now we don't include USN/modifyTimestamp attribute in the filter
if such situasion occurs.
|
| |
|
|
|
|
| |
Use correct name for _done() function from the caller.
Remove unneded initializzations to NULL for a lot of variables hat are going to
be assigned as the first thing done in the functions.
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1735
|
| |
|
|
|
|
|
|
|
|
| |
Added new parameter to split_on_separator that allows to skip
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484
|
| |
|
|
|
|
|
|
|
|
| |
If we are unable to delete some rule from cache we print a debug
message and ignore the error. Thus we should set ret to EOK after
the for loop otherwise we return whether the last rule was deleted
successfully or not.
This also removes compilation warning that ret may be used
uninitialized (when we don't go inside the loop at all).
|
| |
|
|
|
| |
For some reason I was under the impression that the DN components are
counted backwards in libldb. This patch corrects this.
|
| |
|
|
|
|
| |
switch statements should always have a default section. In this
particular case gcc gave a "'send_fn' may be used uninitialized in this
function" warning.
|
| |
|
|
|
|
| |
If the Data Provider receives a request for the auto.master map, it
passes on a flag to let the actual provider let know he should
invalidate the existing maps
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
Add a online callback if the first full refresh fails due to the
provider beeing offline so we can perform the refresh as soon as
possible.
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
If the first full refresh of sudo rules fails because the data provider
is offline, we will schedule another one in 2, 4, ... minutes.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1689
|
| |
|
|
| |
Reduces amount of code duplication.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1679
The problem is when we are about to reset the server status, we don't
get through the timeout (30 seconds) because the "switch to primary
server" task is scheduled 30 seconds after fall back to a backup
server. Thus the server status remains "not working" and is resetted
after another 30 seconds.
We need to make sure that the server status is tried after the
timeout period. retry_timeout is currently hardcoded to 30, thus
the change in man page.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1685
Properly react on deleting group which was not found in sysdb.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1699
We want to continue with the next server on all errors, not only
on ETIMEDOUT.
This particullar ticket was dealing with ECONNREFUSED.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1682
The problem was in following code:
if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) {
tevent_req_error(req, ret);
return;
}
In situation when data provider error occurs (e.g. when offline),
ret == EOK but dp_error != DP_ERR_OK and we take the true branch.
This results in calling tevent_req_error(req, EOK).
Unfortunately, with EOK tevent_req_error only returns false, but
does not trigger callback and this tevent request hangs forever,
because no tevent_req_done(req) is called.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1680
There were two errors:
1. kr->kpasswd_srv was never set
2. bad service name (KERBEROS) was provided when setting port status,
thus the port status never changed
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1685
The PROXY provider wasn't storing credentials to negative cache due to
bad return value. This was delegated from attempt to delete these
credentials from local cache. Therefore ENOENT is replaced as EOK.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1701
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1695
|
| |
|
|
|
|
|
|
|
| |
This is needed in order to assure the memcache is properly and promptly
cleaned up if a user memberships change on login.
The list of the current groups for the user is sourced before it is
updated and sent to the NSS provider to verify if it has changed after
the update call has been made.
|
| |
|
|
|
| |
This set of functions enumerate the user's groups and invalidate them all
if the list does not matches what we get from the caller.
|
| |
|
|
|
| |
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches.
|
| |
|
|
|
| |
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied.
|
| |
|
|
|
|
|
|
|
|
| |
In particular note that we merge ipa_account_info_netgroups_done()
and ipa_account_info_users_done() into a single fucntion called
ipa_account_info_done() that handles both cases
We also remove the auxiliary function ipa_account_info_complete() that
unnecessarily violates the tevent_req style and instead use a new function
named ipa_account_info_error_text() to generate error text.
|
| |
|
|
| |
Also do not intermix two tevent_req sequences
|
| | |
|
| |
|
|
|
|
| |
No functionality changes,
just make the code respect the tevent_req style and naming conventions
and enhance readability by adding some helper functions.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1638
If pwd_exp_warning == 0, expiry warning should be printed if it is
returned by server.
If pwd_exp_warning > 0, expiry warning should be printed only if
the password will expire in time <= pwd_exp_warning.
ppolicy->expiry contains period in seconds after which the password
expires. Not the exact timestamp. Thus we should not add 'now' to
pwd_exp_warning.
|
| |
|
|
|
|
|
|
|
| |
In some situations, the c-ares lookup can return NULL instead of
a list of addresses. In this situation, we need to avoid
dereferencing NULL.
This patch adds a log message and sets the count to zero so it is
handled appropriately below.
|
| |
|
|
|
|
|
|
| |
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
|
| |
|
|
|
| |
The DEBUG() macro may, at any time, change and start calling functions that
touch errno. Save errno before logging and then return the saved error.
|
| |
|
|
| |
initialized variable, was causing build warning
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1657
IPA_HOSTNAME is not stored in ipa_opts->id options so it the option
was always NULL here. This caused SIGSEGV when accessed by strchr()
in subsequent function.
|
