summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* IPA: Initialize hbac_ctx to NULLsssd-1.5.1-58.el5Stephen Gallagher2012-08-221-1/+1
|
* Add ipa_hbac_support_srchost option to IPA providersssd-1.5.1-57.el5Jan Zeleny2012-08-176-52/+398
| | | | | don't fetch all host groups if this option is false https://fedorahosted.org/sssd/ticket/1078
* Process all groups from a single nesting levelJakub Hrozek2012-08-171-5/+18
| | | | | | | | https://bugzilla.redhat.com/show_bug.cgi?id=846664 If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectivelly marking the whole nesting level as done.
* DP: Reorganize memory hierarchy of requestsStephen Gallagher2012-06-221-15/+100
| | | | | | | | | | | | | This function alters the memory hierarchy of the be_req to ensure memory safety during shutdown. It creates a spy on the be_cli object so that it will free the be_req if the client is freed. It is generally allocated atop the private data context for the appropriate back-end against which it is being filed. https://fedorahosted.org/sssd/ticket/1226
* HBAC: create empty groups with one NULL elementJakub Hrozek2012-06-221-16/+15
| | | | https://fedorahosted.org/sssd/ticket/1130
* IPA: Check nsAccountLock during PAM_ACCT_MGMTStephen Gallagher2012-06-226-13/+86
| | | | | | | | | | | | | | LDAP: Make sdap_access_send/recv public We want to consume this in the IPA provider. IPA: Check nsAccountLock during PAM_ACCT_MGMT https://fedorahosted.org/sssd/ticket/1227 Conflicts: src/providers/ipa/ipa_access.h src/providers/ipa/ipa_init.c
* Steal result onto mem_ctx in sdap_initgr_nested_get_direct_parentsJakub Hrozek2012-06-141-2/+1
|
* Try all KDCs when getting TGT for LDAPsssd-1.5.1-52.el5Jakub Hrozek2012-06-041-15/+16
| | | | | | | | When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
* Only do one cycle when resolving a serverJakub Hrozek2012-06-0410-57/+161
| | | | | | | | | | | | | | | Rename fo_get_server_name to fo_get_server_str_name fo_get_server_name() getter for a server name Allows to be more concise in tests and more defensive in resolve callbacks Only do one cycle when resolving a server https://fedorahosted.org/sssd/ticket/1214 Detect cycle in the fail over on subsequent resolve requests only
* LDAP: Add option to disable paging controlStephen Gallagher2012-03-225-5/+12
| | | | | | | | | | | | | | | Fixes https://fedorahosted.org/sssd/ticket/967 Conflicts: src/config/SSSDConfig.py src/config/etc/sssd.api.d/sssd-ipa.conf src/config/etc/sssd.api.d/sssd-ldap.conf src/man/sssd-ldap.5.xml src/providers/ipa/ipa_common.c src/providers/ipa/ipa_common.h src/providers/ldap/ldap_common.c src/providers/ldap/sdap.h
* IPA: Detect nsupdate support for the realm directiveStephen Gallagher2012-01-171-14/+40
| | | | | For older platforms, do not add the 'realm' line in the update message
* Log nsupdate messageJakub Hrozek2012-01-101-0/+3
| | | | https://fedorahosted.org/sssd/ticket/893
* Handle timeout during sss_ldap_init_sendJakub Hrozek2011-12-131-1/+5
| | | | | | | | | In some cases, where there would be no response from the LDAP server, there would be no R/W events on the LDAP fd, so sdap_async_sys_connect_done would never be called. This patch adds a tevent timer that cancels the connection after SDAP_NETWORK_TIMEOUT seconds.
* Allow using Glib for UTF8 supportStephen Gallagher2011-12-051-33/+11
|
* LDAP: Try next failover server on any errorStephen Gallagher2011-12-051-9/+5
|
* Revert "RHEL5: Remove UTF8 support for RHEL5"Stephen Gallagher2011-12-051-4/+32
| | | | This reverts commit c417f0b8cde38ff5cc10241383f1481e3440879c.
* RFC2307bis initgroups: fix nested groups processingJakub Hrozek2011-10-311-20/+33
| | | | | Due to incorrectly written loop, SSSD would go into infitite loop if it processed the same group on two different levels of membership.
* RHEL5: Remove UTF8 support for RHEL5Stephen Gallagher2011-10-261-32/+4
|
* Plug memory leaks in LDAP providerJakub Hrozek2011-10-261-0/+3
|
* Use fewer transactions during RFC2307bis initgroupsJakub Hrozek2011-10-261-539/+802
| | | | | | | | Utility functions for LDAP nested schema initgroups Use fewer transactions during RFC2307bis initgroups Use fewer transactions during IPA initgroups
* Add a missing breakJakub Hrozek2011-10-261-0/+1
|
* Improve performance of HBAC with large numbers of hostsStephen Gallagher2011-10-264-206/+334
| | | | | | | | | | HBAC: Do not save member/memberOf links We can just trust the values from the FreeIPA server HBAC: Use originalMember for identifying servicegroups HBAC: Use originalMember for identifying hostgroups
* Append PID to sbus server socket name, let clients use a symlinkJakub Hrozek2011-10-262-2/+2
| | | | | | | | Add option to follow symlinks to check_file() Append PID to sbus server socket name, let clients use a symlink https://fedorahosted.org/sssd/ticket/1034
* Use explicit base 10 for converting strings to integersJakub Hrozek2011-10-262-4/+4
| | | | https://fedorahosted.org/sssd/ticket/1013
* Better handling for aliasesJakub Hrozek2011-10-263-94/+225
| | | | | | | | | | | | | | Add sysdb interface to get name aliases Add a sysdb_get_direct_parents function Store name aliases for users, groups Return users and groups based on alias https://fedorahosted.org/sssd/ticket/926 Fix typo in sysdb_get_direct_parents
* IPA access: hostname comparison should be case-insensitiveJakub Hrozek2011-10-261-1/+1
|
* HBAC: fix typos preventing proper hostgroup evaluationStephen Gallagher2011-10-261-3/+3
|
* Fix uninitialized pointer read in sdap_gssapi_get_default_realm()Jakub Hrozek2011-10-261-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1003
* Use sss_ldap_err2string() instead of ldap_err2string()Pavel Březina2011-10-263-37/+35
| | | | | | | | | | sss_ldap_err2string() - function created https://fedorahosted.org/sssd/ticket/986 sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string() https://fedorahosted.org/sssd/ticket/986
* Improve error message for LDAP password constraint violationJakub Hrozek2011-10-263-16/+29
| | | | https://fedorahosted.org/sssd/ticket/985
* Do not access memory out of boundsSumit Bose2011-10-261-2/+2
|
* HBAC: Properly skip all non-group memberOf entriesStephen Gallagher2011-10-261-1/+2
|
* Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANONJakub Hrozek2011-10-265-3/+17
| | | | https://fedorahosted.org/sssd/ticket/978
* HBAC: Use of hostgroups for targethost or sourcehost was brokenStephen Gallagher2011-10-261-4/+4
| | | | | We were trying to look up the wrong attribute for the name of the hostgroup.
* HBAC: Handle saving groups that have no membersStephen Gallagher2011-10-261-7/+21
|
* Improve password policy error code and messageSumit Bose2011-10-261-4/+9
| | | | | | Instead of returning PAM_SYSTEM_ERR if they necessary attributes for the requested password policy cannot be found we return PAM_PERM_DENIED. Additionally the log message says that the access is denied.
* Use sysdb attribute name for GID, not LDAP attributeStephen Gallagher2011-10-261-3/+3
|
* Use the default Kerberos realm for LDAP with GSSAPI authJakub Hrozek2011-10-261-3/+55
| | | | https://fedorahosted.org/sssd/ticket/970
* Fix returning groups when gidNumber attribute is not orderedJakub Hrozek2011-10-263-4/+10
| | | | https://fedorahosted.org/sssd/ticket/951
* Explicitly ignore groups with gidNumber=0Jakub Hrozek2011-10-262-11/+18
| | | | https://fedorahosted.org/sssd/ticket/916
* Set gidNumber of non-posix groups to 0 even on updatesJakub Hrozek2011-10-261-8/+44
|
* Rewrite HBAC rule evaluatorStephen Gallagher2011-10-2615-1697/+3614
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add helper function msgs2attrs_array This function converts a list of ldb_messages into a list of sysdb_attrs. Conflicts: src/providers/ldap/ldap_common.c src/providers/ldap/ldap_common.h Add HBAC evaluator and tests Add helper functions for looking up HBAC rule components Remove old HBAC implementation Add new HBAC lookup and evaluation routines Conflicts: Makefile.am Add ipa_hbac_refresh option This option describes the time between refreshes of the HBAC rules on the IPA server. Add ipa_hbac_treat_deny_as option By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period. Treat NULL or empty rhost as unknown Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts. libipa_hbac: Support case-insensitive comparisons with UTF8 UTF8 HBAC test Fix memory leak in ipa_hbac_evaluate_rules https://fedorahosted.org/sssd/ticket/933 Fix incorrect NULL check in ipa_hbac_common.c https://fedorahosted.org/sssd/ticket/936 Require matched version and release for libipa_hbac Add rule validator to libipa_hbac https://fedorahosted.org/sssd/ticket/943
* Request password control unconditionally during bindJakub Hrozek2011-10-261-6/+6
| | | | https://fedorahosted.org/sssd/ticket/940
* Do not add a NULL host parsed from LDAP URIJakub Hrozek2011-10-261-1/+8
| | | | https://fedorahosted.org/sssd/ticket/911
* ipa_dyndns: Use sockaddr_storage for storing IP addressesJakub Hrozek2011-10-261-12/+17
| | | | https://fedorahosted.org/sssd/ticket/915
* Fix TLS/SSL validation after switch to ldap_init_fdSumit Bose2011-10-268-71/+149
| | | | | | | | | | | | | | Add sockaddr_storage to sdap_service Add sdap_call_conn_cb() to call add connection callback directly Use name based URI instead of IP address based URIs Use ldap_init_fd() instead of ldap_initialize() if available Do not access state after tevent_req_done() is called. Call ldap_install_tls() on ldaps connections
* Honor the TTL value of SRV record lookupsJakub Hrozek2011-10-266-29/+30
| | | | | | | | | | | | | | | | | | | | | | | | | Add new resolv_hostent data structure and utility functions Resolve hosts by name from files into resolv_hostent Resolve hosts by name from DNS into resolv_hostent Switch resolver to using resolv_hostent and honor TTL Conflicts: src/providers/fail_over.c Provide TTL structure names for c-ares < 1.7 https://fedorahosted.org/sssd/ticket/898 In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to ares_addrttl/ares_addr6ttl so they are in the ares_ namespace. Because they are committed to stable ABI, the contents are the same, just the name changed -- so it is safe to just #define the new name for older c-ares version in case the new one is not detected in configure time.
* Delete cached ccache file if password is expiredSumit Bose2011-10-261-8/+63
|
* Do not check pwdAttributeSumit Bose2011-10-261-9/+0
| | | | | | | It is not safe to check pwdAttribute to see if server side password policies are active. Only if a LDAP_CONTROL_PASSWORDPOLICYRESPONSE is present the bind response we can assume that there is a server side password policy.
* Handle non-POSIX groups in nestingJan Zeleny2011-10-262-28/+69
| | | | | | | | Added sysdb_attrs_get_bool() function Non-posix group processing - sysdb changes Non-posix group processing - ldap provider and nss responder
generated by cgit (git 2.34.1) at 2024-06-22 19:47:35 +0000