| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
The same applies for the LDAP connection to the trusted AD DC.
Includes a unit test.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tires to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD read the group memberships
from LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1568
|
|
|
|
|
| |
sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later.
|
|
|
|
|
| |
If any function before failed, sss_idmap_free_sid() might have been
called with random data.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The group memberships cannot be reliable retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domains than the GC belongs to.
As a result the requests which tries to resolve group-memberships of a
AD user have to go to a LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
|
|
|
|
|
|
|
| |
If primary servers lookup failed, dns_domain is not set.
Resolves:
https://fedorahosted.org/sssd/ticket/2173
|
|
|
|
|
|
|
|
|
|
| |
If Data Provider was unable to refresh the subdomain list, the
sss_domain_info->subdomains list was NULL. Which meant that no DP
request matched any known domain and hence offline authentication was
not working correctly.
Resolves:
https://fedorahosted.org/sssd/ticket/2168
|
|
|
|
|
|
|
|
| |
ldap_get_options can fail in time of ldap back end initialisation
and then sssd try to release uninitialised sdap_options.
Resolves:
https://fedorahosted.org/sssd/ticket/2147
|
|
|
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2077
If during the LDAP authentication we find out that the originalDN to
bind as is missing (because the ID module is not LDAP based), we can try
to look up the user from LDAP without saving him just in order to
receive the originalDN.
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2077
Certain situations require that a user entry is downloaded for further
inpection, but not saved to the sysdb right away. This patch splits the
previously monolithic request into one that just downloads the data and
one that uses the new one to download and save the user.
|
|
|
|
|
|
|
| |
A bit more elegant way of detection of what domain the group member belongs to
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2157
If AD matching rule was selected, but the group was empty, the SSSD
accessed random data. Initializing count to zero prevents that.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we always choose correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we always choose correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we store subdomain users with correct
domain name.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
| |
This function will find sdap domain by comparing object dn
with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. Remembering
base dn in domain object gives us the ability to simply lookup
correct domain by comparing object dn with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
|
| |
When getByID or getBySID comes from responder, the request doesn't
necessarily have to contain correct domain, since responder iterates
over all domains until it finds a match.
Every domain has its own ID range, so we can simply shortcut if
domain does not match and avoid LDAP round trip. Responder will
continue with next domain until it finds the correct one.
|
| |
|
| |
|
|
|
|
|
|
| |
If talloc_array return NULL we should return right error code from function
sdap_domain_subdom_add. It might happen that we could return either wrong error
code or uninitialized variable ret.
|
| |
|
|
|
|
|
|
|
| |
The Kerberos provider didn't handle ERR_CHPASS_FAILED at all, which
resulted in the default return code (System Error) to be returned if
password change failed for pretty much any reason, including password
too recent etc.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have group with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent group 5000' and this request goes through data
provider, searching in parent domain first. Even though this
group does not belong to this domain it is found and stored as
ad.pb group.
With this patch we look at group's SID and put it into correct domain.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have user with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent passwd 5000' and this request goes through data
provider, searching in parent domain first. Even though this
user does not belong to this domain it is found and stored as
ad.pb user.
With this patch we look at user's SID and put it into correct domain.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
| |
This is a wrapper around be_ptask_create() that allows to create
synchronous periodic tasks.
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
| |
Every request is attached to be_ctx->domain by default. We
will change the domain to a subdomain if it is relevant.
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
|
| |
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify a LDAP access filter
that can be applied globally, per-domain or per-forest.
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2082
In order to allow the ad_access_filter option to work for subdomain
users as well, the Global Catalog must be searched. This patch adds a
wrapper request atop sdap_access_send that selects the right connection
(GC or LDAP) and optionally falls back to LDAP.
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks if an account has been
expired. This patch amends the logic so that if ad_access_filter is set,
it is used automatically.
|
|
|
|
|
|
|
| |
This patch just adds the option, it doesn't do anything useful yet.
Related:
https://fedorahosted.org/sssd/ticket/2082
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
When a subdomain user logs in, the username the account request receives
is a FQDN. This hackish patch parses the FQDN and only uses the name to
search the LDAP.
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
|
|
|
|
|
| |
In case the entry was deleted from the server, the search didn't notice
and kept returning the cached data.
|
|
|
|
|
|
|
|
|
|
|
|
| |
AD provider went offline if the Global Catalog could not be connected although
there was also the LDAP port available. With this patch, AD provider will
fall back to the LDAP port before going offline.
New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx
If this flag is enabled function be_mark_offline will not be called.
Resolves:
https://fedorahosted.org/sssd/ticket/2104
|
|
|
|
|
|
|
| |
We had a hard coded value of Global Catalog port (3268).
Informations from SRV record was ignored.
This patch prefer port number from SRV record and hard coded value is used only
as a fall back if port number was not initialized.
|
|
|
|
|
|
|
|
|
|
| |
If the forest root of a trusted forest is managing POSIX IDs for its
users and groups the same is assumed for all member domains in the
forest which do not have explicitly have an idrange set.
To reflect this SSSD will create the matching ranges automatically.
Fixes https://fedorahosted.org/sssd/ticket/2101
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if not specific
information about the domain was found. The lead to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this.
|