summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* krb5: Ingnore unknown expansion sequencesSimo Sorce2013-09-091-30/+15
| | | | | | | | | | | | | | | | Recently support was added to use also libkrb5 style expansions that uses a %{varname} type of template. There are a number of templates we do not care/can't expand in sssd. The current code misses tests and failed to properly preserve some of the templates we do not want to handle. Addiotionally in order to be future proof this patch treats unknown templates as pass-through templates and defer any error checking to libkrb5, so that sssd is consistent with how kinit would behave. Resolves: https://fedorahosted.org/sssd/ticket/2076
* dyndns: do not modify global family_orderSumit Bose2013-09-051-3/+3
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2063
* KRB5: Fix warning declaration shadows global declarationLukas Slebodnik2013-09-031-8/+8
| | | | | | src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a global declaration /usr/include/stdio.h:754: warning: shadowed declaration is here
* IPA_HBAC: Explicitelly include header file time.hLukas Slebodnik2013-08-281-0/+1
| | | | | | | | struct hbac_eval_req is defined in header file and it has attribute request_time with type time_t, but header file "time.h" was not included. It was not problem, because time.h was indirectly included by stdlib.h (stdlib.h -> sys/types.h -> time.h) in implementation files, but other platforms can have other dependencies among header files.
* krb5: Fetch ccname template from krb5.confStephen Gallagher2013-08-286-14/+169
| | | | | | | | | | | | | In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
* krb5_common: Refactor to use a talloc temp contextSimo Sorce2013-08-281-12/+28
| | | | | | | | In preparation for handling some more allocations in the following patches and fixes a curent memleak on the opts struct. Related: https://fedorahosted.org/sssd/ticket/2036
* KRB5: Add support for KEYRING cache typeStephen Gallagher2013-08-274-0/+212
| | | | https://fedorahosted.org/sssd/ticket/2036
* KRB5: Remove unnecessary call to become_user()Stephen Gallagher2013-08-271-6/+0
| | | | | | | | By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.
* sudo: do not strdup usn on ENOENTPavel Březina2013-08-261-1/+1
| | | | | | If USN attribute is not present, we call strdup on uninitialized variable. This may cause segfault, or if we are lucky and usn is NULL it will return ENOMEM.
* sudo: do not fail to store the rule if we can't read usnPavel Březina2013-08-261-3/+4
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2052
* DP: Notify propperly when removing PAC responderOndrej Kos2013-08-242-1/+5
| | | | | Adds pac_cli be_client structure pointer, to indetify and log the PAC responder termination correctly.
* check_cc_validity: make sure _valid is always setSumit Bose2013-08-241-5/+7
| | | | | In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be used uninitialized' compiler warnings.
* proxy: Allow initgroup to return NOTFOUNDSimo Sorce2013-08-221-0/+16
| | | | | | | | | When the user is only member of its own primary group, initgroups_dyn may return NOTFOUND as, at least for the 'files' nss provider the code skips the passed in group. Resolves: https://fedorahosted.org/sssd/ticket/2051
* KRB5: Only set active and valid on successStephen Gallagher2013-08-221-6/+5
| | | | | | | | The FILE cache only sets the return values of _active and _bool if the entire function succeeds. The DIR cache was setting it even on failure. This patch makes both consistent. This will benefit static analysis tools which would be able to detect if the variable is ever used uninitialized anywhere.
* KRB5: Refactor cc_*_check_existingStephen Gallagher2013-08-221-61/+59
| | | | | | | | | | | | | | There was duplicated code in cc_file_check_existing() and in cc_dir_check_existing(). I pulled them into the same function. There are two changes made to the original code here: 1) Fixes a use-after-free bug in cc_file_check_existing(). In the original code, we called krb5_free_context() and then used that context immediately after that in krb5_cc_close(). This patch corrects the ordering 2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all cache types. Previously, this was only handled for DIR caches.
* KRB5: Add new #define for collection cache typesStephen Gallagher2013-08-224-18/+18
| | | | | | Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.
* Use conditional build for retrieving ccache.Lukas Slebodnik2013-08-222-88/+22
| | | | | | | | Some krb5 functions needn't be available for retrieving ccache with principal. Therefore ifdef is used to solve this situation with older version of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged to one universal function, which was moved to file src/util/sss_krb5.c
* sudo: continue if we are unable to resolve fqdnPavel Březina2013-08-191-1/+0
| | | | https://fedorahosted.org/sssd/ticket/2043
* KRB5: Do not log to syslog on each loginJakub Hrozek2013-08-191-1/+3
|
* KRB5: Formatting changesJakub Hrozek2013-08-191-4/+4
|
* sdap_get_initgr_done: use the right SID to get a GIDSumit Bose2013-08-191-1/+2
|
* ipa_s2n_get_user_done: make sure ALIAS name is lower caseSumit Bose2013-08-191-2/+18
| | | | Fixes https://fedorahosted.org/sssd/ticket/1630
* ipa_s2n_get_user_done: free group_attrs as wellSumit Bose2013-08-191-0/+1
|
* AD: Use the correct include guardJakub Hrozek2013-08-191-3/+3
|
* Remove include recursionLukas Slebodnik2013-08-191-1/+0
| | | | Header file proxy.h included itself.
* Check whether servername is not empty string.Lukas Slebodnik2013-08-191-1/+1
| | | | Previous check was wrong, servername cannot be NULL.
* proxy: Alocate auth tokens in struct authtok_convLukas Slebodnik2013-08-191-0/+20
| | | | | | | | | | | Struct sss_auth_token became opaque in commit 9acfb09f7969a69f58bd45c856b01700541853ca. All ocasions of "struct sss_auth_token" was replaced with pointer to this struct, but proper initialization of auth_tokens was missing in struct authtok_conv. Resolves: https://fedorahosted.org/sssd/ticket/2046
* ldap, krb5: More descriptive msg on chpass failure.Michal Zidek2013-08-112-0/+30
| | | | | | | | Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029
* AD: Cast SASL callbacks to propper typeOndrej Kos2013-08-091-1/+3
| | | | | | The initialization of ad_sasl_callbacks raised an incompatible pointer type warning. This was caused because the cyrus-sasl API hasa changed. The callback function list needs to be cast now.
* Remove unused constantJakub Hrozek2013-08-091-2/+0
|
* Use the correct resolv timeoutJakub Hrozek2013-08-091-1/+1
|
* Enable removing nonexisting dn in sdap_handle_account_infoLukas Slebodnik2013-08-081-1/+1
| | | | Change was introduced in commit ca344fde
* Fix memory context for hash entriesSumit Bose2013-08-081-2/+4
| | | | | | | | In sdap_nested_group_populate_users() username and orignal_dn are allocated on a temporary memory context. If the corresponding user is not found in the cache both are added to a hash which is later on returned to the caller. To avoid a use-after-free when the hash entries are looked up both must be reassigned to the memory context of the hash.
* simple access provider: allow fully qualified namesPavel Březina2013-08-071-46/+95
| | | | https://fedorahosted.org/sssd/ticket/2026
* Fix memory context for a state memberSumit Bose2013-08-071-1/+1
| | | | | | primary_name was allocated on a temporary memory context but as it is a member of the state struct it should belong to the memory context of the state.
* sssd_ad: Add hackish workaround for sasl ad_compatSimo Sorce2013-08-061-0/+41
| | | | | | | | | This tries to set the ad_compat option for sasl, by working around the openldap/sasl initialization as openldap does not allow us to pass down to sasl our own getopt callback. Resolves: https://fedorahosted.org/sssd/ticket/2040
* sudo: print better debug message when a rule has multiple cn valuesPavel Březina2013-08-051-1/+5
|
* sudo: skip rule on error instead of failing completelyPavel Březina2013-08-051-1/+3
| | | | https://fedorahosted.org/sssd/ticket/2031
* Prevent using uninitialized "group_name" in done section.Lukas Slebodnik2013-07-251-1/+1
| | | | Coverity ID: 11927
* LDAP: Use domain-specific name where appropriateJakub Hrozek2013-07-245-112/+159
| | | | | | | | | The subdomain users user FQDN in their name attribute. However, handling of whether to use FQDN in the LDAP code was not really good. This patch introduces a utility function and converts code that was relying on user/group names matching to this utility function. This is a temporary fix until we can refactor the sysdb API in #2011.
* Set default DNS resolution timeout to 6 seconds.Michal Zidek2013-07-241-2/+2
| | | | | | | | Partially solves ticket: https://fedorahosted.org/sssd/ticket/1966 To avoid the problem mentioned in the ticket above, option dns_discovery_domain must be set properly.
* Add mising argument required by format stringLukas Slebodnik2013-07-191-2/+3
|
* KRB: Replace multiple calls with variableOndrej Kos2013-07-181-6/+9
| | | | | Instead of multiple calls of sss_authtok_get_type, perform the call just once and store into variable.
* KRB: Handle empty password gracefullyOndrej Kos2013-07-181-0/+11
| | | | | | https://fedorahosted.org/sssd/ticket/1814 Return authentication error when empty password is passed.
* SIGCHLD handler: do not call callback when pvt data where freedPavel Březina2013-07-173-3/+7
| | | | https://fedorahosted.org/sssd/ticket/1992
* print hint about password complexity when new password is rejectedPavel Březina2013-07-172-1/+15
| | | | https://fedorahosted.org/sssd/ticket/1827
* Return right directory name for dircacheLukas Slebodnik2013-07-111-6/+10
| | | | | | | Dircache can be either file or directory. Wrong value was used when dircache was itself directory. https://fedorahosted.org/sssd/ticket/2002
* Always set port status to neutral when resetting service.Michal Zidek2013-07-111-1/+2
| | | | | | | | We did not set port status for metaservers (srv servers) in fo_reset_services(). Fixes: https://fedorahosted.org/sssd/ticket/1933
* KRB5_CHILD: Fix handling of get_password return codeOndrej Kos2013-07-101-4/+10
| | | | The switch statement was dead code due to missing case/default.
* ldap: only update shadowLastChange when password change is successfulJim Collins2013-07-011-1/+2
| | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1999 ldap_auth.c code which was added to SSSD for updating the shadowLastChange when "ldap_chpass_update_last_change" option is enabled updates shadowLastChange even when the PAM password change status reports failure. We should only update shadowLastChange on PAM password change success or we open up a work around for users to avoid changing their passwords periodically as required by policy. The user simply attempts to change password, fails by trying to set new password which invalid (denied due to password history check) yet shadowLastChange is updated, avoiding their need to actually change the password they are using.
generated by cgit (git 2.34.1) at 2024-06-23 05:29:09 +0000