summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* ldap: Fallback option for rfc2307 schemaSimo Sorce2013-03-209-11/+193
| | | | | | | | | | | Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
* Convert sdap_access to new error codesSimo Sorce2013-03-195-480/+212
| | | | Also simplify sdap_access_send to avoid completely fake _send() routines.
* Resolve GIDs in the simple access providerJakub Hrozek2013-03-193-122/+655
| | | | | | | | | | | | | | Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
* Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek2013-03-191-0/+2
| | | | | | | | | | | The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
* Provide a be_get_account_info_send functionJakub Hrozek2013-03-192-19/+144
| | | | | | | | | | | | | | In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
* Make the SELinux refresh time configurable.Michal Zidek2013-03-193-2/+5
| | | | Option ipa_selinux_refresh is added to basic ipa options.
* Reuse cached SELinux mappings.Michal Zidek2013-03-192-3/+29
| | | | | | | | Reuse cached SELinux maps when they are requested within time interval (in this patch it is hardcoded to be 5 seconds). https://fedorahosted.org/sssd/ticket/1744
* Move SELinux processing to provider.Michal Zidek2013-03-192-31/+388
| | | | | | | | | | | | The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
* Removing unused declaration of functions and variable.Lukas Slebodnik2013-03-192-12/+2
| | | | | | Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
* Use common error facility instead of sdap_resultSimo Sorce2013-03-197-347/+229
| | | | | | | | | Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
* Decrease krb5_auth_timeout defaultOndrej Kos2013-03-183-3/+3
| | | | https://fedorahosted.org/sssd/ticket/1738
* Retry the correct service on krb5 child timeoutJakub Hrozek2013-03-181-1/+1
|
* Fix initialization of multiple variablesOndrej Kos2013-03-136-8/+7
|
* Removing unused header file providers.hLukas Slebodnik2013-03-131-24/+0
| | | | | | | | | Header file "providers.h" is not included in any other file and function "dp_process_init" declared in this header file has no implementation. Header file protos.h is not also included in any other file and even hole content is commented out.
* More generalized function open_debug_file_ex()Lukas Slebodnik2013-03-132-10/+2
| | | | | | | | Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
* Add support for krb5 1.11's responder callback.Nathaniel McCallum2013-03-084-1/+232
| | | | | | | | | | | krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
* Fixed typo in debug message.Lukas Slebodnik2013-03-071-3/+5
| | | | | C compiler did not complain, because "index" is function defined in header file <string.h>
* Updated Doxygen configuration to 1.8.1Thorsten Scherf2013-03-061-134/+478
| | | | https://fedorahosted.org/sssd/ticket/1819
* Check the return value of sysdb_search_servicesJakub Hrozek2013-03-051-0/+6
|
* Cleanup error message handling for krb5 childSimo Sorce2013-03-042-296/+240
| | | | | | | | | | | | | | | | | | | | Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
* krb5_child: fix value type and initializationOndrej Kos2013-03-041-1/+2
| | | | ret was defined as integer, instead of errno_t, and was uninitialized
* Use the correct memory context in be_req_createJakub Hrozek2013-03-041-1/+1
|
* Refactor krb5 childSimo Sorce2013-02-281-288/+210
| | | | | | | | | | | | | | | | | | | | | | | | | | The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back
* krb5_child style fixSimo Sorce2013-02-281-11/+11
| | | | Use the standard 'done' label for exceptions.
* sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina2013-02-271-3/+7
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
* Do not process success case in an elseJakub Hrozek2013-02-261-24/+24
|
* sysdb: try dealing with binary-content attributesJan Engelhardt2013-02-262-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
* subdomains: replace invalid characters with underscore in krb5 mapping file namePavel Březina2013-02-141-1/+26
| | | | | | | https://fedorahosted.org/sssd/ticket/1795 Only alpha-numeric chars, dashes and underscores are allowed in krb5 include directory.
* Filter out multicast addresses from IPA DNS updatesJakub Hrozek2013-02-121-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1804
* LDAP: Check for authtok validityJakub Hrozek2013-02-111-7/+9
| | | | | | | | | | The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
* Introduce IS_SUBDOMAIN() macroSimo Sorce2013-02-101-2/+2
| | | | Fixes https://fedorahosted.org/sssd/ticket/1766
* Change the way domains are linked.Simo Sorce2013-02-101-107/+45
| | | | | | | | | | | | | | | | | | | - Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
* Remove sysdb_subdom completelySimo Sorce2013-02-101-52/+58
| | | | | struct sss_domain_info is always used to represent domains now. Adjust tests accordingly.
* Refactor sysdb_master_domain_add_info()Simo Sorce2013-02-101-24/+6
|
* Update main domain info in placeSimo Sorce2013-02-101-5/+4
|
* Avoid sysdb_subdom in sysdb_get_subdomains()Simo Sorce2013-02-101-3/+1
|
* Add realm info to sss_domain_infoSimo Sorce2013-02-105-6/+8
|
* NSS: Add original homedir to home directory template optionsStephen Gallagher2013-02-101-0/+1
| | | | https://fedorahosted.org/sssd/ticket/1805
* dp: check whether hostid backend is configured before filing be requestPavel Březina2013-02-011-0/+8
|
* Fix minor grammar error in logStephen Gallagher2013-01-301-1/+1
|
* krb: recreate ccache if it was deletedPavel Březina2013-01-301-1/+8
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1512 If directory where a ccache file was stored was missing and user was still logged in, we erroneously considered the ccache file still active. Thus the ccache file was not recreated and user was unable to login.
* nested groups: fix group lookup hangs if member dn is incorrectPavel Březina2013-01-281-0/+24
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* Possible null derefence in ipa_subdomains.c.Michal Zidek2013-01-251-0/+4
| | | | | Found by coverity. https://fedorahosted.org/sssd/ticket/1790
* fix backend callbacks: remove callback properly from dlistPavel Březina2013-01-221-6/+18
| | | | | | | | https://fedorahosted.org/sssd/ticket/1776 Although cb->list got updated when the callback is removed, this change did not propagate to be_ctx->*_cb_list which caused dlist having invalid records.
* Fix code styleJakub Hrozek2013-01-221-1/+2
|
* Make struct be_req opaqueSimo Sorce2013-01-212-18/+18
|
* Add be_req_get_data() helper funciton.Simo Sorce2013-01-2117-32/+45
| | | | In preparation for making struct be_req opaque.
* Add be_req_get_be_ctx() helper.Simo Sorce2013-01-2122-133/+155
| | | | In preparation for making be_req opaque
* Add be_req_create() helperSimo Sorce2013-01-213-40/+38
|
* Introduce be_req_terminate() helperSimo Sorce2013-01-2118-129/+84
| | | | | Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
generated by cgit (git 2.34.1) at 2024-05-10 14:23:49 +0000