summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* LDAP: Search for original DN during auth if it's missingsssd-1.9.2-129.2.el6Jakub Hrozek2013-12-031-16/+194
| | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2077 If during the LDAP authentication we find out that the originalDN to bind as is missing (because the ID module is not LDAP based), we can try to look up the user from LDAP without saving him just in order to receive the originalDN.
* LDAP: Split out a request to search for a user w/o savingJakub Hrozek2013-12-032-32/+146
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2077 Certain situations require that a user entry is downloaded for further inpection, but not saved to the sysdb right away. This patch splits the previously monolithic request into one that just downloads the data and one that uses the new one to download and save the user.
* PROXY: Handle empty GECOSJakub Hrozek2013-12-031-1/+8
| | | | | If the user's GECOS as returned by the proxied module is an empty string (as opposed to NULL), the ldb transaction would error out.
* proxy: Allow initgroup to return NOTFOUNDSimo Sorce2013-12-031-0/+16
| | | | | | | | | When the user is only member of its own primary group, initgroups_dyn may return NOTFOUND as, at least for the 'files' nss provider the code skips the passed in group. Resolves: https://fedorahosted.org/sssd/ticket/2051
* sdap_get_generic_ext_send: check if we a re still connectedsssd-1.9.2-129.el6Sumit Bose2013-10-221-0/+7
| | | | | | | | | | | | | | At the beginning of a LDAP request we check if we are connecte and have a valid sdap handle. But for some requests more than one LDAP operation, typically a search, is needed. Due to the asynchronous handling of LDAP request it might be possible that a second request might detect a server error and close the connection while the first request just finished one LDAP search and wants to start a new LDAP search. This patch tries to make sure that there is a valid sdap handle before sending a LDAP search to the server. Fixes https://fedorahosted.org/sssd/ticket/2126
* SIGCHLD handler: do not call callback when pvt data was freedPavel Březina2013-09-123-3/+11
| | | | https://fedorahosted.org/sssd/ticket/1992
* Make IPA SELinux provider aware of subdomain usersJakub Hrozek2013-09-031-6/+18
| | | | Fixes https://fedorahosted.org/sssd/ticket/1892
* print hint about password complexity when new password is rejectedsssd-1.9.2-121.el6Pavel Březina2013-08-112-2/+22
| | | | https://fedorahosted.org/sssd/ticket/1827
* ldap, krb5: More descriptive msg on chpass failure.sssd-1.9.2-120.el6Michal Zidek2013-08-112-0/+31
| | | | | | | | Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029
* providers: refresh expired netgroupssssd-1.9.2-119.el6Pavel Březina2013-08-116-3/+208
| | | | https://fedorahosted.org/sssd/ticket/1713
* back end: add refresh expired records periodic taskPavel Březina2013-08-114-0/+32
| | | | | | https://fedorahosted.org/sssd/ticket/1713 Add new option refresh_expired_interval.
* back end: periodical refresh of expired records APIPavel Březina2013-08-112-0/+375
| | | | https://fedorahosted.org/sssd/ticket/1713
* back end: periodic task APIPavel Březina2013-08-112-0/+447
| | | | https://fedorahosted.org/sssd/ticket/1891
* Set default DNS resolution timeout to 6 seconds.Jakub Hrozek2013-08-111-1/+1
| | | | | | | Partially solves ticket: https://fedorahosted.org/sssd/ticket/1966 To avoid the problem mentioned in the ticket above, option dns_discovery_domain must be set properly
* LDAP: Fix crash when processing nested groupssssd-1.9.2-116.el6Jakub Hrozek2013-08-091-4/+16
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1932 There is a rather strange workaround in the nested groups processing code that calls tevent_req_post outside _send(). However, it broke in certain situations where the tevent_req_call resulted in req being freed, which freed state by extension and then the subsequent _post call was a use-after-free. This patch saves the two variables used outside state so that it's safe to use them even after the callback.
* Removing unused functions.sssd-1.9.2-115.el6Lukas Slebodnik2013-08-092-36/+0
| | | | This patch remove unused functions sdap_parse_user and sdap_parse_group
* Always set port status to neutral when resetting service.Michal Zidek2013-08-091-1/+2
| | | | | | | | We did not set port status for metaservers (srv servers) in fo_reset_services(). Fixes: https://fedorahosted.org/sssd/ticket/1933
* failover: if expanded server is marked as neutral, invoke srv collapsePavel Březina2013-08-091-0/+7
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/1947 Otherwise we will do the SRV expansion once again: 1. leaving the old servers in server list 2. meta server is not inserted back in the list, the newly found servers are inserted behind meta server, meta server is orphaned and the new servers are forgotten
* collapse_srv_lookup may free the server, make it clear from the APIPavel Březina2013-08-091-5/+8
| | | | https://fedorahosted.org/sssd/ticket/1947
* Adding option to disable retrieving large AD groups.sssd-1.9.2-113.el6Lukas Slebodnik2013-08-098-13/+51
| | | | | | | | | This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups(>1500) will not be retrieved and behaviour will be similar like was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823
* failover: set state->out when meta server remains in SRV_RESOLVE_ERRORsssd-1.9.2-108.el6Pavel Březina2013-08-091-0/+1
| | | | https://fedorahosted.org/sssd/ticket/1886
* Display the last grace warning, toosssd-1.9.2-107.el6Jakub Hrozek2013-08-092-3/+3
| | | | | | | Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890
* Add ignore_group_members option.sssd-1.9.2-102.el6Paul B. Henson2013-08-082-2/+13
| | | | https://fedorahosted.org/sssd/ticket/1376
* NSS: Add original homedir to home directory template optionssssd-1.9.2-101.el6Stephen Gallagher2013-08-081-0/+1
| | | | https://fedorahosted.org/sssd/ticket/1805
* IPA: Do not download or store the member attribute of host groupssssd-1.9.2-98.el6Jakub Hrozek2013-08-082-2/+0
| | | | | | | | https://fedorahosted.org/sssd/ticket/1806 The IPA provider attempted to store the original value of member attribute to the cache. That caused the memberof plugin to process the values which was really CPU intensive.
* sudo: print better debug message when a rule has multiple cn valuessssd-1.9.2-96.el6Pavel Březina2013-08-081-1/+5
|
* sudo: skip rule on error instead of failing completelyPavel Březina2013-08-081-1/+3
| | | | https://fedorahosted.org/sssd/ticket/2031
* LDAP: do not invalidate pointer with realloc while processing ghost users1.9.2-89Jakub Hrozek2013-05-301-3/+13
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1799 One peculiarity of the sysdb_attrs_get_el interface is that if the attribute does not exist, then the attrs array is reallocated and the element is created. But in case other pointers are already pointing into the array, the realloc might invalidate them. Such case was in the sdap_process_ghost_members function where if the group had no members, the "gh" pointer requested earlier might have been invalidated by the realloc in order to create the member element.
* Fix simple access group control in case-insensitive domains1.9.2-88Jakub Hrozek2013-04-151-16/+9
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1880 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.
* ldap: Fallback option for rfc2307 schemaSimo Sorce2013-04-159-11/+193
| | | | | | | | | | | Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
* Resolve GIDs in the simple access providerJakub Hrozek2013-04-153-203/+759
| | | | | | | | | | | | | | Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
* Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek2013-04-151-0/+2
| | | | | | | | | | | The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
* Provide a be_get_account_info_send functionJakub Hrozek2013-04-152-19/+149
| | | | | | | | | | | | | | In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
* nested groups: fix group lookup hangs if member dn is incorrectrhel-6.41.9.2-83Pavel Březina2013-01-301-0/+24
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* fix backend callbacks: remove callback properly from dlistPavel Březina2013-01-221-6/+18
| | | | | | | | https://fedorahosted.org/sssd/ticket/1776 Although cb->list got updated when the callback is removed, this change did not propagate to be_ctx->*_cb_list which caused dlist having invalid records.
* LDAP: Compare lists of DNs when saving autofs entriesJakub Hrozek2013-01-211-130/+144
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
* Invalidate user entry even if there are no groupsJakub Hrozek2013-01-161-5/+7
| | | | | | | | | Related to https://fedorahosted.org/sssd/ticket/1757 Previously we would optimize the mc invalidate code for cases where the user was a member of some groups. But if the user was removed from the server while being in memory cache, we would only invalidate the mc record if he was a member of at least one supplementary group.
* LDAP: avoid complex realloc logic in save_rfc2307bis_group_membershipsJakub Hrozek2013-01-151-12/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
* let ldap_backup_chpass_uri workPavel Březina2013-01-151-2/+4
| | | | https://fedorahosted.org/sssd/ticket/1760
* AD: Add user as a direct member of his primary groupJakub Hrozek2013-01-091-8/+109
| | | | | | | | | | | | In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. The downside of this approach is that the user is returned as a group member during getgrgid call as well.
* AD: replace GID/UID, do not add another oneJakub Hrozek2013-01-094-7/+41
| | | | | | | The code would call sysdb_attrs_add_uint32 which added another UID or GID to the ID=0 we already downloaded from LDAP (0 is the default value) when ID-mapping an entry. This led to funky behaviour later on when we wanted to process the ID.
* IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAPJakub Hrozek2013-01-083-4/+6
| | | | It is not a map, but a default context. The name should reflect that.
* SELINUX: Process maps even when offlineJakub Hrozek2013-01-081-226/+429
| | | | | Changes the ipa_get_selinux{send,recv} request so that it only delivers data and moves processing to the IPA selinux handler.
* SYSDB: Remove duplicate selinux definesJakub Hrozek2013-01-081-0/+1
|
* sudo smart refresh: fix debug messagePavel Březina2013-01-071-1/+1
|
* sudo smart refresh: do not include usn in filter if no valid usn is knownPavel Březina2013-01-071-5/+12
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1736 When there are no rules during first refresh, we don't have valid USN value. We use 0 in this case, but it turned out that OpenLDAP takes it as invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include USN/modifyTimestamp attribute in the filter if such situasion occurs.
* let krb5_backup_kpasswd failover workPavel Březina2013-01-041-2/+2
| | | | https://fedorahosted.org/sssd/ticket/1735
* krb5 tgt renewal: fix usage of ldb_dn_get_component_val()Sumit Bose2012-12-201-4/+4
| | | | | For some reason I was under the impression that the DN components are counted backwards in libldb. This patch corrects this.
* Add default section to switch statementSumit Bose2012-12-201-0/+3
| | | | | | switch statements should always have a default section. In this particular case gcc gave a "'send_fn' may be used uninitialized in this function" warning.
* DP: invalidate all cached maps if a request for auto.master comes inJakub Hrozek2012-12-183-0/+16
| | | | | | If the Data Provider receives a request for the auto.master map, it passes on a flag to let the actual provider let know he should invalidate the existing maps
generated by cgit (git 2.34.1) at 2024-05-09 04:47:33 +0000