summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* AD: Enable fallback to LDAP of trusted domainJakub Hrozek2013-12-191-13/+1
| | | | | Since we have the LDAP port of a trusted AD GC always available now, we can always perform a fallback.
* AD: Add a new option to turn off GC lookupsJakub Hrozek2013-12-193-13/+20
| | | | | | | | | | SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.
* AD: Add a utility function to create list of connectionsJakub Hrozek2013-12-196-41/+70
| | | | | | | | | | ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.
* AD: cross-domain membership fixSumit Bose2013-12-196-30/+261
| | | | | | | | | | | | | | | | | | | A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
* AD: filter domain local groups for trusted/sub domainsSumit Bose2013-12-194-64/+138
| | | | | | | | | | | | | | In Active Directory groups with a domain local scope should only be used inside of the specific domain. Since SSSD read the group memberships from LDAP server of the user's domain the domain local groups are included in the LDAP result. Those groups should be filtered out if the domain is a sub/trusted domain, i.e. is not the domain the client running SSSD is joined to. The groups will still be in the cache but marked as non-POSIX groups and no GID will be assigned. Fixes https://fedorahosted.org/sssd/ticket/2178
* Add new option ldap_group_typeSumit Bose2013-12-194-0/+6
|
* IPA: Call ipa_ad_subdom_refresh when server mode is initializedJakub Hrozek2013-12-191-6/+14
| | | | | | ipa_ad_subdom_refresh was called before IPA server context was initialized. On IPA server, this caused the code to dereference a NULL pointer and crash.
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-194-53/+25
|
* IPA: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-19/+32
| | | | | Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.
* AD: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-17/+32
| | | | | | | | | | Previously, if no changes were done to the list of subdomains, the SSSD didn't update its list of sdap_domain mappings for the new subdomain. This resulted in errors as no id_ctx was present for the subdomain during lookup. This patch moves the block of code performed during update to a function of its own and calls it during provider initialization as well.
* AD: Don't mark domain as enumerated twiceJakub Hrozek2013-12-181-12/+0
| | | | | The domain was already marked as enumerated using sysdb_set_enumerated in the enumeration request itself.
* ad: use tokengroups even when id mapping is disabledPavel Březina2013-12-183-26/+524
| | | | https://fedorahosted.org/sssd/ticket/1568
* ad: refactor tokengroups initgroupsPavel Březina2013-12-183-229/+355
| | | | | sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
* AD: use LDAP for group lookupsSumit Bose2013-12-133-3/+152
| | | | | | | | | | | | | | | | The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
* SUBDOMAINS: Reuse cached results if DP is offlineJakub Hrozek2013-12-092-2/+13
| | | | | | | | | | If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168
* LDAP: Fix a debug messageJakub Hrozek2013-12-091-2/+1
|
* failover: check dns_domain if primary servers lookup failedPavel Březina2013-12-091-3/+7
| | | | | | | If primary servers lookup failed, dns_domain is not set. Resolves: https://fedorahosted.org/sssd/ticket/2173
* rfc2307bis_nested_groups_send: reuse search baseSumit Bose2013-12-091-2/+7
| | | | | If there are multiple members in the sdom list, always the search base of the first entry were used.
* SSSD: Improved domain detectionPavel Reichl2013-11-291-11/+28
| | | | | | | A bit more elegant way of detection of what domain the group member belongs to Resolves: https://fedorahosted.org/sssd/ticket/2132
* KRB5: Go offline in case of clock skewJakub Hrozek2013-11-291-0/+1
| | | | | | | | https://fedorahosted.org/sssd/ticket/1096 In case the KDC has skewed time, we can retry with the next one and eventually go offline if no KDC has time in sync with the client. Previously, authentication with wrong time resulted in System Error.
* Remove unused parameter from ipa_save_netgroupLukas Slebodnik2013-11-271-2/+1
|
* Remove unused memory context in proxyLukas Slebodnik2013-11-271-9/+6
|
* Remove unused parameter from save_netgroupLukas Slebodnik2013-11-273-6/+3
|
* Remove unused parameter from save_userLukas Slebodnik2013-11-271-10/+8
|
* Remove unused parameter from delete_userLukas Slebodnik2013-11-271-9/+7
|
* Remove unused parameter from krb5_auth_store_credsLukas Slebodnik2013-11-271-3/+2
|
* Remove unused parameter from krb5_auth_cache_credsLukas Slebodnik2013-11-271-3/+0
|
* Remove unused parameter from sdap_save_netgroupLukas Slebodnik2013-11-271-4/+1
|
* Remove unused parameter from sdap_process_missing_member_2307Lukas Slebodnik2013-11-271-4/+2
|
* Remove unused parameter from sdap_add_group_member_2307Lukas Slebodnik2013-11-271-4/+3
|
* Remove unused parameter from sdap_store_group_with_gidLukas Slebodnik2013-11-271-7/+3
|
* Remove unused parameter from sdap_get_members_with_primary_gidLukas Slebodnik2013-11-271-4/+4
|
* Remove unused parameter from sdap_save_userLukas Slebodnik2013-11-274-9/+3
|
* Remove unused parameter from get_user_dnLukas Slebodnik2013-11-271-2/+1
|
* Remove unused parameter from sss_selinux_extract_userLukas Slebodnik2013-11-271-1/+1
|
* LDAP: Search for original DN during auth if it's missingJakub Hrozek2013-11-201-16/+194
| | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2077 If during the LDAP authentication we find out that the originalDN to bind as is missing (because the ID module is not LDAP based), we can try to look up the user from LDAP without saving him just in order to receive the originalDN.
* LDAP: Split out a request to search for a user w/o savingJakub Hrozek2013-11-202-33/+147
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2077 Certain situations require that a user entry is downloaded for further inpection, but not saved to the sysdb right away. This patch splits the previously monolithic request into one that just downloads the data and one that uses the new one to download and save the user.
* LDAP: Initialize user count for AD matching ruleJakub Hrozek2013-11-181-1/+1
| | | | | | | https://fedorahosted.org/sssd/ticket/2157 If AD matching rule was selected, but the group was empty, the SSSD accessed random data. Initializing count to zero prevents that.
* krb5: Alignment warning reported by clangMichal Zidek2013-11-151-7/+7
| | | | | | | Do not store address from byte buffer into pointer of diffrent type! https://fedorahosted.org/sssd/ticket/1359
* SYSDB: Drop redundant sysdb_ctx parameter from sysdb.cMichal Zidek2013-11-1512-22/+14
|
* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)Michal Zidek2013-11-1525-82/+68
|
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_sudo.c moduleJakub Hrozek2013-11-154-25/+15
|
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_idmap moduleJakub Hrozek2013-11-151-4/+2
|
* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)Michal Zidek2013-11-159-25/+22
|
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_ssh moduleMichal Zidek2013-11-151-4/+2
|
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_services moduleMichal Zidek2013-11-156-33/+26
|
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_search moduleMichal Zidek2013-11-159-23/+17
|
* SYSDB: Drop the sysdb_ctx parameter from SELinux functionsJakub Hrozek2013-11-151-7/+6
|
* SYSDB: Drop the sysdb_ctx parameter from the autofs APIJakub Hrozek2013-11-152-29/+16
|
* Merge ipa_selinux_common.c and ipa_selinux.cJakub Hrozek2013-11-153-110/+46
| | | | | Moved unused functions and merged ipa_selinux_common.c into ipa_selinux.c
generated by cgit (git 2.34.1) at 2024-06-30 09:05:37 +0000