| Commit message | Author | Age | Files | Lines |
| |
don't fetch all host groups if this option is false
https://fedorahosted.org/sssd/ticket/1078
|
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectively marking the whole nesting
level as done.
|
This function alters the memory hierarchy of the be_req
to ensure memory safety during shutdown. It creates a
spy on the be_cli object so that it will free the be_req
if the client is freed.
It is generally allocated atop the private data context
for the appropriate back-end against which it is being
filed.
https://fedorahosted.org/sssd/ticket/1226
|
https://fedorahosted.org/sssd/ticket/1130
|
LDAP: Make sdap_access_send/recv public
We want to consume this in the IPA provider.
IPA: Check nsAccountLock during PAM_ACCT_MGMT
https://fedorahosted.org/sssd/ticket/1227
Conflicts:
src/providers/ipa/ipa_access.h
src/providers/ipa/ipa_init.c
|
When the ldap child process is killed after a timeout, try the next KDC.
When none of the ldap child processes succeed, just abort the connection
because we wouldn't be able to authenticate to the LDAP server anyway.
https://fedorahosted.org/sssd/ticket/1324
|
Rename fo_get_server_name to fo_get_server_str_name
fo_get_server_name() getter for a server name
Allows to be more concise in tests and more defensive in resolve
callbacks
Only do one cycle when resolving a server
https://fedorahosted.org/sssd/ticket/1214
Detect cycle in the fail over on subsequent resolve requests only
|
Fixes https://fedorahosted.org/sssd/ticket/967
Conflicts:
src/config/SSSDConfig.py
src/config/etc/sssd.api.d/sssd-ipa.conf
src/config/etc/sssd.api.d/sssd-ldap.conf
src/man/sssd-ldap.5.xml
src/providers/ipa/ipa_common.c
src/providers/ipa/ipa_common.h
src/providers/ldap/ldap_common.c
src/providers/ldap/sdap.h
|
For older platforms, do not add the 'realm' line in
the update message
|
https://fedorahosted.org/sssd/ticket/893
|
In some cases, where there would be no response from the LDAP server,
there would be no R/W events on the LDAP fd, so
sdap_async_sys_connect_done would never be called.
This patch adds a tevent timer that cancels the connection after
SDAP_NETWORK_TIMEOUT seconds.
|
This reverts commit c417f0b8cde38ff5cc10241383f1481e3440879c.
|
Due to an incorrectly written loop, SSSD would go into an infinite loop if it
processed the same group on two different levels of membership.
|
Utility functions for LDAP nested schema initgroups
Use fewer transactions during RFC2307bis initgroups
Use fewer transactions during IPA initgroups
|
HBAC: Do not save member/memberOf links
We can just trust the values from the FreeIPA server
HBAC: Use originalMember for identifying servicegroups
HBAC: Use originalMember for identifying hostgroups
|
Add option to follow symlinks to check_file()
Append PID to sbus server socket name, let clients use a symlink
https://fedorahosted.org/sssd/ticket/1034
|
https://fedorahosted.org/sssd/ticket/1013
|
Add sysdb interface to get name aliases
Add a sysdb_get_direct_parents function
Store name aliases for users, groups
Return users and groups based on alias
https://fedorahosted.org/sssd/ticket/926
Fix typo in sysdb_get_direct_parents
|
https://fedorahosted.org/sssd/ticket/1003
|
sss_ldap_err2string() - function created
https://fedorahosted.org/sssd/ticket/986
sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
https://fedorahosted.org/sssd/ticket/986
|
https://fedorahosted.org/sssd/ticket/985
|
https://fedorahosted.org/sssd/ticket/978
|
We were trying to look up the wrong attribute for the name of the
hostgroup.
|
Instead of returning PAM_SYSTEM_ERR if the necessary attributes for the
requested password policy cannot be found we return PAM_PERM_DENIED.
Additionally the log message says that the access is denied.
|
https://fedorahosted.org/sssd/ticket/970
|
https://fedorahosted.org/sssd/ticket/951
|
https://fedorahosted.org/sssd/ticket/916
|
Add helper function msgs2attrs_array
This function converts a list of ldb_messages into a list of
sysdb_attrs.
Conflicts:
src/providers/ldap/ldap_common.c
src/providers/ldap/ldap_common.h
Add HBAC evaluator and tests
Add helper functions for looking up HBAC rule components
Remove old HBAC implementation
Add new HBAC lookup and evaluation routines
Conflicts:
Makefile.am
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server.
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
libipa_hbac: Support case-insensitive comparisons with UTF8
UTF8 HBAC test
Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933
Fix incorrect NULL check in ipa_hbac_common.c
https://fedorahosted.org/sssd/ticket/936
Require matched version and release for libipa_hbac
Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
|
https://fedorahosted.org/sssd/ticket/940
|
https://fedorahosted.org/sssd/ticket/911
|
https://fedorahosted.org/sssd/ticket/915
|
Add sockaddr_storage to sdap_service
Add sdap_call_conn_cb() to call add connection callback directly
Use name based URI instead of IP address based URIs
Use ldap_init_fd() instead of ldap_initialize() if available
Do not access state after tevent_req_done() is called.
Call ldap_install_tls() on ldaps connections
|
Add new resolv_hostent data structure and utility functions
Resolve hosts by name from files into resolv_hostent
Resolve hosts by name from DNS into resolv_hostent
Switch resolver to using resolv_hostent and honor TTL
Conflicts:
src/providers/fail_over.c
Provide TTL structure names for c-ares < 1.7
https://fedorahosted.org/sssd/ticket/898
In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
ares_addrttl/ares_addr6ttl so they are in the ares_ namespace.
Because they are committed to stable ABI, the contents are the same, just
the name changed -- so it is safe to just #define the new name for older
c-ares version in case the new one is not detected in configure time.
|
It is not safe to check pwdAttribute to see if server side password
policies are active. Only if a LDAP_CONTROL_PASSWORDPOLICYRESPONSE is
present in the bind response we can assume that there is a server side
password policy.
|
Added sysdb_attrs_get_bool() function
Non-posix group processing - sysdb changes
Non-posix group processing - ldap provider and nss responder
|