| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
This patch adds support for new config option ad_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
| |
|
|
|
|
| |
This patch adds support for new config option ipa_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
| |
|
|
|
|
| |
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches.
|
| |
|
|
|
|
| |
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch.
|
| |
|
|
|
|
| |
This patch adds support for the primary server functionality into AD
provider. No backup servers are added at the moment, just the basic
support is in place.
|
| |
|
|
|
|
| |
This patch adds support for the primary server functionality into LDAP
provider. No backup servers are added at the moment, just the basic
support is in place.
|
| |
|
|
|
|
| |
This patch adds support for the primary server functionality
into krb5 provider. No backup servers are added at the moment,
just the basic support is in place.
|
| |
|
|
|
|
| |
This patch adds support for the primary server functionality into IPA
provider. No backup servers are added at the moment, just the basic
support is in place.
|
| |
|
|
|
|
|
|
|
| |
This patch adds support for marking existing connections as being
disconnected. Each such connection can't be used for new queries and a
new one has to be created instead if necessary. This will ensure that
pending operations will end gracefully during reconnection. Also all new
queries to the server we are reconnecting to will use another (probably
newly created) connection.
|
| |
|
|
|
|
|
|
| |
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
| |
|
|
|
|
|
| |
This patch adds two support functions for adding reconnection callbacks
and invoking such callbacks. The concept of reconnection is simple: stop
using current connection for for new queries to the server without
actually going offline.
|
| |
|
|
|
|
|
| |
Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data
type of sasl_minssf from int to ber_len_t. Unfortunately, default
value of ldap_sasl_minssf is -1 but ber_len_t is defined as
unsigned long. This made SASL mechanism inoperative.
|
| |
|
|
|
| |
The host record will be fetched if HBAC is used as access provider since
the record is already downloaded and it can be trusted to be valid.
|
| |
|
|
|
| |
If HBAC is active, SELinux code will reuse them instead of downloading
them from the server again.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1420
sudoHost attribute may contain hostname or fqdn of the machine.
Sudo itself supports only one hostname and its fqdn - the one that
is returned by gethostbyname().
This patch implements autoconfiguration of hostname and fqdn if
it has not been set manually by ldap_sudo_hostnames option.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.
|
| | |
|
| |
|
|
| |
In case of error the request wasn't freed and the callback just ended.
|
| |
|
|
|
|
| |
The counter is important so the for cycle doesn't depend on the first
NULL pointer. That would cause potential errors if more records are
following after this first NULL pointer.
|
| |
|
|
|
|
|
| |
Translate manually memberHost and memberUser to originalMemberUser and
originalMemberHost. Without this, the HBAC rule won't be matched against
current user and/or host, meaning that no SELinux user map connected to
it will be matched againts any user on the system.
|
| |
|
|
|
| |
This function is no longer necessary since sysdb interface for copying
elements has been implemented.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The AD provider cannot function with canonicalization because of
a bug in Active Directory rendering it unable to complete a
password-change while canonicalization is enabled.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1379
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1421
|
| |
|
|
|
| |
We should always download the defaults because even if there are no
rules, we might want to use (or update) the defaults.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The functionality now is following:
When rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and sum of both priorities is user to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395
|
| | |
|
| |
|
|
|
| |
The attribute is supposed to contain number of days since the epoch, not
the number of seconds.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1410
|
| |
|
|
| |
Coverity #12770
|
| |
|
|
| |
Coverity #12784
|
| |
|
|
| |
Coverity #12797
|
| |
|
|
| |
Coverity #12802
|
| | |
|
| |
|
|
|
|
|
|
| |
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate.
|
| | |
|
| |
|
|
|
|
| |
This simplifies configuration by eliminating the need to
specifiy both krb5_keytab and ldap_krb5_keytab if the keytab is
not located at /etc/krb5.keytab
|
| |
|
|
|
| |
This patch adds support for checking whether a user is expired or
disabled in AD.
|
| |
|
|
|
|
| |
These new providers take advantage of existing code for the KRB5
provider, providing sensible defaults for operating against an
Active Directory 2008 R2 or later server.
|
| |
|
|
|
|
| |
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.
|
| |
|
|
| |
This will eliminate ambiguity for the AD provider
|
| |
|
|
|
| |
This will reduce code duplication between the krb5, ipa and ad
providers
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function is not supposed to return any newly-allocated memory
directly. It was actually leaking the memory for krb5_servers if
krb5_kdcip was being used, though it was undetectable because it
was allocated on the provided memctx.
This patch removes the memctx parameter and allocates krb5_servers
temporarily on NULL and ensures that it is freed on all exit
conditions. It is not necessary to retain this memory, as
dp_opt_set_string() performs a talloc_strdup onto the appropriate
context internally.
It also updates the DEBUG messages for this function to the
appropriate new macro levels.
|
