| Commit message (Collapse) | Author | Age | Files | Lines |
| |
https://fedorahosted.org/sssd/ticket/1271
| |
There was an issue when IPA provider didn't set PAM_SUCCESS when
successfully finished loading SELinux user maps. This led to the map
not being read in the responder.
| |
structure
https://fedorahosted.org/sssd/ticket/1343
| |
* When it's actually a failure, then the callers will print
a message. Fine tune this.
| |
* When calling krb5_get_init_creds_keytab() with
krb5_get_init_creds_opt_set_canonicalize() the credential
principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials
before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518
| |
* Load the enctypes for the keys in the keytab and pass
them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers an enctype
that krb5 supports, but we don't have a key for in the keytab.
https://bugzilla.redhat.com/show_bug.cgi?id=811375
| |
When the ldap child process is killed after a timeout, try the next KDC.
When none of the ldap child processes succeed, just abort the connection
because we wouldn't be able to authenticate to the LDAP server anyway.
https://fedorahosted.org/sssd/ticket/1324
| |
Previous versions of the SSSD did not abort the async LDAP search
operation on errors. In cases where the request ended in progress, such
as when the paging was very strictly limited, the old versions at least
returned partial data.
This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a
user-visible regression.
https://fedorahosted.org/sssd/ticket/1322
| |
https://fedorahosted.org/sssd/ticket/1320
| |
https://fedorahosted.org/sssd/ticket/1258
| |
https://fedorahosted.org/sssd/ticket/1307
| |
https://fedorahosted.org/sssd/ticket/1249
| |
https://fedorahosted.org/sssd/ticket/1282
| |
There were many places where we were printing (null) to the logs
because a NULL keytab name tells libkrb5 to use its configured
default instead of a particular path. This patch should clean up
all uses of this to print "default" in the logs.
https://fedorahosted.org/sssd/ticket/1288
| |
https://fedorahosted.org/sssd/ticket/1270
| |
case-insensitive domains
| |
https://fedorahosted.org/sssd/ticket/1260
| |
https://fedorahosted.org/sssd/ticket/1274
| |
We were never freeing "result" if it was allocated by
ldap_result(). We were also not freeing "errmsg" if it was
allocated but ldap_parse_result() returned an error.
Also disambiguate error messages from ldap_parse_result() and
error messages from sss_ldap_get_diagnostic_msg() since they use
differing memory-management functions.
| |
If we can't reach the RootDSE, let's just proceed as if it's
unavailable with reasonable defaults. If we fail later on, that's
fine.
Fixes https://fedorahosted.org/sssd/ticket/1257
| |
https://fedorahosted.org/sssd/ticket/1242
| |
https://fedorahosted.org/sssd/ticket/1238
| |
https://fedorahosted.org/sssd/ticket/1227
| |
We want to consume this in the IPA provider.
| |
Instead of keeping the number of parent groups in "state" and having to
reset the count when moving to another group on the same level, keep
track of all the groups on a particular level along with their parents
and parent count.
| |
https://fedorahosted.org/sssd/ticket/1214
| |
This function alters the memory hierarchy of the be_req
to ensure memory safety during shutdown. It creates a
spy on the be_cli object so that it will free the be_req
if the client is freed.
It is generally allocated atop the private data context
for the appropriate back-end against which it is being
filed.
https://fedorahosted.org/sssd/ticket/1226
| |
https://fedorahosted.org/sssd/ticket/1215
| |
https://fedorahosted.org/sssd/ticket/1217
| |
We now have a session module that is only available for the IPA
provider. We should not be logging noisily that other providers
do not have the session provider configured.
https://fedorahosted.org/sssd/ticket/1211
| |
The orig_dn here isn't being passed to a filter and therefore must
not be sanitized, as the sanitization process would break DNs that
contain (among other things) parentheses.
| |
https://fedorahosted.org/sssd/ticket/1136