| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Add option to follow symlinks to check_file()
Append PID to sbus server socket name, let clients use a symlink
https://fedorahosted.org/sssd/ticket/1034
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1013
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add sysdb interface to get name aliases
Add a sysdb_get_direct_parents function
Store name aliases for users, groups
Return users and groups based on alias
https://fedorahosted.org/sssd/ticket/926
Fix typo in sysdb_get_direct_parents
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1003
|
|
|
|
|
|
|
|
|
|
| |
sss_ldap_err2string() - function created
https://fedorahosted.org/sssd/ticket/986
sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
https://fedorahosted.org/sssd/ticket/986
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/985
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/978
|
|
|
|
|
| |
We were trying to look up the wrong attribute for the name of the
hostgroup.
|
| |
|
|
|
|
|
|
| |
Instead of returning PAM_SYSTEM_ERR if they necessary attributes for the
requested password policy cannot be found we return PAM_PERM_DENIED.
Additionally the log message says that the access is denied.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/970
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/951
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/916
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add helper function msgs2attrs_array
This function converts a list of ldb_messages into a list of
sysdb_attrs.
Conflicts:
src/providers/ldap/ldap_common.c
src/providers/ldap/ldap_common.h
Add HBAC evaluator and tests
Add helper functions for looking up HBAC rule components
Remove old HBAC implementation
Add new HBAC lookup and evaluation routines
Conflicts:
Makefile.am
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server.
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
libipa_hbac: Support case-insensitive comparisons with UTF8
UTF8 HBAC test
Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933
Fix incorrect NULL check in ipa_hbac_common.c
https://fedorahosted.org/sssd/ticket/936
Require matched version and release for libipa_hbac
Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/940
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/911
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/915
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add sockaddr_storage to sdap_service
Add sdap_call_conn_cb() to call add connection callback directly
Use name based URI instead of IP address based URIs
Use ldap_init_fd() instead of ldap_initialize() if available
Do not access state after tevent_req_done() is called.
Call ldap_install_tls() on ldaps connections
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new resolv_hostent data structure and utility functions
Resolve hosts by name from files into resolv_hostent
Resolve hosts by name from DNS into resolv_hostent
Switch resolver to using resolv_hostent and honor TTL
Conflicts:
src/providers/fail_over.c
Provide TTL structure names for c-ares < 1.7
https://fedorahosted.org/sssd/ticket/898
In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
ares_addrttl/ares_addr6ttl so they are in the ares_ namespace.
Because they are committed to stable ABI, the contents are the same, just
the name changed -- so it is safe to just #define the new name for older
c-ares version in case the new one is not detected in configure time.
|
| |
|
|
|
|
|
|
|
| |
It is not safe to check pwdAttribute to see if server side password
policies are active. Only if a LDAP_CONTROL_PASSWORDPOLICYRESPONSE is
present the bind response we can assume that there is a server side
password policy.
|
|
|
|
|
|
|
|
| |
Added sysdb_attrs_get_bool() function
Non-posix group processing - sysdb changes
Non-posix group processing - ldap provider and nss responder
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add utility function to return IP address as string
Add a utility function to escape IPv6 address for use in URIs
Use escaped IP addresses in LDAP provider
Escape IPv6 IP addresses in the IPA provider
https://fedorahosted.org/sssd/ticket/880
Fix bad merge
We merged in a patch, but missed that it missed a dependency added
by another earlier patch.
|
| |
|
| |
|
|
|
|
|
| |
Previously, we only generated it when performing a password change,
but this didn't play nicely with kpasswd.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
A previous patch changed a talloc_steal() into a talloc_move(). Now it
is not enough to change the parent memory context with talloc_steal to
give back the data, but it has to be assigned back too.
Additionally this patch uses the missing pam data as an indication that
a renewal request for this data is currently running.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Do not throw a DP error when failing to delete a nonexistent entity
Add debug logging to the negative cache
Fix a regression with the negative cache in multi-domain configurations
Fix regression where nonexistent entries were never added to the negative cache
|
|
|
|
|
| |
Now that gecos can come from either the 'gecos' or 'cn' attributes,
we need to ensure that we never remove it from the cache.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The failover code is not strictly in charge of resolving. Its main
function is to provide a server to connect to for a service.
It is legal, although not currently used, to have a server that has no
name (server->common == NULL). In this case, no resolving should be done
and it is assumed that the failover user, which are the SSSD back ends
in our case, would perform any resolving out of band, perhaps using the
user_data attribute of fo_server structure.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were not fully compliant with section 5.3 of RFC 2307 which
states:
An account's GECOS field is preferably determined by a value of the
gecos attribute. If no gecos attribute exists, the value of the cn
attribute MUST be used. (The existence of the gecos attribute allows
information embedded in the GECOS field, such as a user's telephone
number, to be returned to the client without overloading the cn
attribute. It also accommodates directories where the common name
does not contain the user's full name.)
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the loop ran through at least one
sdap_process_missing_member_2307() call and errored out later, we
were not canceling the transaction.
RFC2307: Ignore zero-length member names in group lookups
Mark transaction as done when cancelled
Fix typo in sdap_nested_group_process_step
|
| |
|
|
|
|
|
|
| |
This routine will replace the use of sysdb_attrs_to_list() for any
case where we're trying to get the name of the entry. It's a
necessary precaution in case the name is multi-valued.
|