summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* AD: Add a utility function to create list of connectionsJakub Hrozek2013-12-196-41/+70
| | | | | | | | | | ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.
* AD: cross-domain membership fixSumit Bose2013-12-196-30/+261
| | | | | | | | | | | | | | | | | | | A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
* AD: filter domain local groups for trusted/sub domainsSumit Bose2013-12-194-64/+138
| | | | | | | | | | | | | | In Active Directory groups with a domain local scope should only be used inside of the specific domain. Since SSSD read the group memberships from LDAP server of the user's domain the domain local groups are included in the LDAP result. Those groups should be filtered out if the domain is a sub/trusted domain, i.e. is not the domain the client running SSSD is joined to. The groups will still be in the cache but marked as non-POSIX groups and no GID will be assigned. Fixes https://fedorahosted.org/sssd/ticket/2178
* Add new option ldap_group_typeSumit Bose2013-12-194-0/+6
|
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-194-53/+25
|
* IPA: Call ipa_ad_subdom_refresh when server mode is initializedJakub Hrozek2013-12-191-6/+14
| | | | | | ipa_ad_subdom_refresh was called before IPA server context was initialized. On IPA server, this caused the code to dereference a NULL pointer and crash.
* IPA: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-19/+32
| | | | | Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.
* AD: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-17/+32
| | | | | | | | | | Previously, if no changes were done to the list of subdomains, the SSSD didn't update its list of sdap_domain mappings for the new subdomain. This resulted in errors as no id_ctx was present for the subdomain during lookup. This patch moves the block of code performed during update to a function of its own and calls it during provider initialization as well.
* ad: use tokengroups even when id mapping is disabledPavel Březina2013-12-183-26/+525
| | | | https://fedorahosted.org/sssd/ticket/1568
* ad: refactor tokengroups initgroupsPavel Březina2013-12-183-231/+357
| | | | | sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
* AD: use LDAP for group lookupsSumit Bose2013-12-133-3/+152
| | | | | | | | | | | | | | | | The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
* SUBDOMAINS: Reuse cached results if DP is offlineJakub Hrozek2013-12-092-2/+13
| | | | | | | | | | If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168
* failover: check dns_domain if primary servers lookup failedPavel Březina2013-12-091-3/+7
| | | | | | | If primary servers lookup failed, dns_domain is not set. Resolves: https://fedorahosted.org/sssd/ticket/2173
* SSSD: Improved domain detectionPavel Reichl2013-11-291-11/+28
| | | | | | | A bit more elegant way of detection of what domain the group member belongs to Resolves: https://fedorahosted.org/sssd/ticket/2132
* LDAP: Initialize user count for AD matching ruleJakub Hrozek2013-11-281-1/+1
| | | | | | | https://fedorahosted.org/sssd/ticket/2157 If AD matching rule was selected, but the group was empty, the SSSD accessed random data. Initializing count to zero prevents that.
* LDAP: Search for original DN during auth if it's missingJakub Hrozek2013-11-201-16/+194
| | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2077 If during the LDAP authentication we find out that the originalDN to bind as is missing (because the ID module is not LDAP based), we can try to look up the user from LDAP without saving him just in order to receive the originalDN.
* LDAP: Split out a request to search for a user w/o savingJakub Hrozek2013-11-202-33/+147
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2077 Certain situations require that a user entry is downloaded for further inpection, but not saved to the sysdb right away. This patch splits the previously monolithic request into one that just downloads the data and one that uses the new one to download and save the user.
* LDAP: Prevent from using uninitialized sdap_optionsLukas Slebodnik2013-11-141-1/+1
| | | | | | | | ldap_get_options can fail in time of ldap back end initialisation and then sssd try to release uninitialised sdap_options. Resolves: https://fedorahosted.org/sssd/ticket/2147
* Initialize sid_str to NULL to avoid freeing random dataJakub Hrozek2013-11-082-2/+2
| | | | | If any function before failed, sss_idmap_free_sid() might have been called with random data.
* free idmapped SIDs correctlyPavel Březina2013-11-074-4/+7
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* AD: Fix ad_access_filter parsing with empty filterJakub Hrozek2013-10-301-0/+8
|
* LDAP: Check all search bases during nested group processingJakub Hrozek2013-10-301-13/+42
|
* nested groups: pick correct domain for cache lookupsPavel Březina2013-10-301-4/+12
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap_fill_memberships: pick correct domain for every memberPavel Březina2013-10-301-4/+19
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
* ghosts: pick correct domain for every memberPavel Březina2013-10-301-10/+15
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we store subdomain users with correct domain name. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap: add sdap_domain_get_by_dn()Pavel Březina2013-10-302-0/+28
| | | | | | | | This function will find sdap domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap: store base dn in sdap_domainPavel Březina2013-10-302-15/+22
| | | | | | | | | Groups may contain members from different domains. Remembering base dn in domain object gives us the ability to simply lookup correct domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
* ad: shortcut if possible during get object by ID or SIDPavel Březina2013-10-301-0/+96
| | | | | | | | | | When getByID or getBySID comes from responder, the request doesn't necessarily have to contain correct domain, since responder iterates over all domains until it finds a match. Every domain has its own ID range, so we can simply shortcut if domain does not match and avoid LDAP round trip. Responder will continue with next domain until it finds the correct one.
* free sid obtained from sss_idmap_unix_to_sid()Pavel Březina2013-10-301-0/+2
|
* be_spy_create: free be_req and not the long living dataSumit Bose2013-10-301-1/+1
|
* LDAP: Return correct error codeLukas Slebodnik2013-10-301-1/+1
| | | | | | If talloc_array return NULL we should return right error code from function sdap_domain_subdom_add. It might happen that we could return either wrong error code or uninitialized variable ret.
* ad_subdom_store: check ID mapping of the domain not of the parentSumit Bose2013-10-291-2/+2
|
* KRB5: Handle ERR_CHPASS_FAILEDJakub Hrozek2013-10-291-0/+6
| | | | | | | The Kerberos provider didn't handle ERR_CHPASS_FAILED at all, which resulted in the default return code (System Error) to be returned if password change failed for pretty much any reason, including password too recent etc.
* sdap_save_group: try to determine domain by SIDPavel Březina2013-10-291-7/+18
| | | | | | | | | | | | | GC contains objects from both parent domain and subdomain. Lets say we have group with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent group 5000' and this request goes through data provider, searching in parent domain first. Even though this group does not belong to this domain it is found and stored as ad.pb group. With this patch we look at group's SID and put it into correct domain.
* sdap_save_user: try to determine domain by SIDPavel Březina2013-10-291-22/+32
| | | | | | | | | | | | | GC contains objects from both parent domain and subdomain. Lets say we have user with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent passwd 5000' and this request goes through data provider, searching in parent domain first. Even though this user does not belong to this domain it is found and stored as ad.pb user. With this patch we look at user's SID and put it into correct domain.
* ad: destroy ptasks when subdomain is removedPavel Březina2013-10-251-0/+3
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* ipa: destroy cleanup task when subdomain is removedPavel Březina2013-10-251-0/+1
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: convert cleanup task to be_ptaskPavel Březina2013-10-254-73/+64
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* be_ptask: add be_ptask_create_sync()Pavel Březina2013-10-252-0/+117
| | | | | | | | This is a wrapper around be_ptask_create() that allows to create synchronous periodic tasks. Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: free sdap domain if subdomain is removedPavel Březina2013-10-252-0/+15
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: add function to terminate request of specific domainPavel Březina2013-10-252-0/+23
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: set request domainPavel Březina2013-10-251-0/+43
| | | | | | | | Every request is attached to be_ctx->domain by default. We will change the domain to a subdomain if it is relevant. Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: store list of ongoing requestsPavel Březina2013-10-252-0/+18
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: make subdomains refresh interval configurablePavel Březina2013-10-252-7/+8
| | | | | | | | | | This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968
* AD: Add extended access filterJakub Hrozek2013-10-252-2/+216
| | | | | | | https://fedorahosted.org/sssd/ticket/2082 Adds a new option that allows the admin to specify a LDAP access filter that can be applied globally, per-domain or per-forest.
* AD: Search GC by default during access control, fall back to LDAPJakub Hrozek2013-10-253-10/+163
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2082 In order to allow the ad_access_filter option to work for subdomain users as well, the Global Catalog must be searched. This patch adds a wrapper request atop sdap_access_send that selects the right connection (GC or LDAP) and optionally falls back to LDAP.
* AD: Use the ad_access_filter if it's setJakub Hrozek2013-10-254-19/+49
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.
* AD: Add a new option ad_access_filterJakub Hrozek2013-10-252-0/+2
| | | | | | | This patch just adds the option, it doesn't do anything useful yet. Related: https://fedorahosted.org/sssd/ticket/2082
* LDAP: Parse FQDN into name/domain for subdomain usersJakub Hrozek2013-10-251-1/+11
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 When a subdomain user logs in, the username the account request receives is a FQDN. This hackish patch parses the FQDN and only uses the name to search the LDAP.
* LDAP: Amend sdap_access_check to allow any connectionJakub Hrozek2013-10-255-26/+44
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
generated by cgit (git 2.34.1) at 2024-05-14 08:35:54 +0000