summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
...
* Refactor krb5 SIGTERM handler installationSumit Bose2010-05-183-14/+39
|
* Add callback to remove krb5 info files when going offlineSumit Bose2010-05-185-41/+161
|
* Add run_callbacks flagSumit Bose2010-05-182-2/+25
|
* Refactor krb5_finalize()Sumit Bose2010-05-181-12/+27
|
* Add offline callbacksSumit Bose2010-05-183-1/+32
|
* Refactor data provider callbacksSumit Bose2010-05-183-142/+187
|
* Revert "Create kdcinfo and kpasswdinfo file at startup"Sumit Bose2010-05-183-50/+1
| | | | This reverts commit 4f5664a2ec401f43c090e6170ed9c78390c35272.
* Add ldap_access_filter optionStephen Gallagher2010-05-161-1/+1
| | | | | | | | | | This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
* Add ldap_krb5_ticket_lifetime optionSumit Bose2010-05-168-12/+37
|
* Don't report a fatal error for an HBAC denialStephen Gallagher2010-05-161-1/+1
|
* Add ldap_access_filter optionStephen Gallagher2010-05-168-3/+688
| | | | | | | | | | This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
* Add dynamic DNS updates to FreeIPAStephen Gallagher2010-05-077-14/+672
| | | | | | | | | | | | | | | | | | This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
* Use service discovery in backendsJakub Hrozek2010-05-0713-33/+162
| | | | | | | | | Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
* Add callback when the ID provider switches from offline to onlineStephen Gallagher2010-05-074-0/+174
| | | | | | | | Allow backends to set a callback in the be_ctx that should be invoked when the ID provider goes online. This can be used to perform regular maintenance tasks that are valid only when going online.
* Add more warnings about nearly expired passwordsSumit Bose2010-05-071-5/+66
| | | | | For the shadow and mit_kerberos password policy warnings are sent to the client if the password is about to expire.
* Add support for delayed kinit if offlineSumit Bose2010-05-0711-32/+565
| | | | | | | If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
* Compare the full service nameSumit Bose2010-05-071-1/+2
|
* Create kdcinfo and kpasswdinfo file at startupSumit Bose2010-05-073-1/+50
|
* Clean up kdcinfo and kpasswdinfo files when exitingStephen Gallagher2010-05-073-0/+65
|
* Fix memory hierarchy in the ipa timerulesJakub Hrozek2010-05-071-4/+4
|
* Handle Krb5 password expiration warningSumit Bose2010-05-072-174/+195
|
* Split pam_data utilities into a separate fileSumit Bose2010-05-072-35/+60
|
* Properly set up SIGCHLD handlersStephen Gallagher2010-05-076-54/+116
| | | | | | Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
* Use all available servers in LDAP providerJakub Hrozek2010-05-073-14/+91
|
* Fix segfault in GSSAPI reconnect codeStephen Gallagher2010-05-072-57/+41
| | | | | Also clean up some duplicated code into a single common routine sdap_account_info_common_done()
* Fix a wrong return value in IPA HBACSumit Bose2010-05-031-2/+2
|
* Avoid freeing sdap_handle too earlySimo Sorce2010-05-032-18/+46
| | | | | Prevent freeing the sdap_handle by failing in the destructor if we are trying to recurse.
* Better handle sdap_handle memory from callers.Simo Sorce2010-05-037-42/+144
| | | | | | | | | | | | | Always just mark the sdap_handle as not connected and let later _send() functions to take care of freeing the handle before reconnecting. Introduce restart functions to avoid calling _send() functions in _done() functions error paths as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release() By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.
* Fix uninitialized variableJakub Hrozek2010-05-031-0/+1
|
* Try all servers during Kerberos authJakub Hrozek2010-05-031-23/+104
| | | | | The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline.
* Add dns_resolver_timeout optionStephen Gallagher2010-04-301-1/+9
| | | | | | We had a hard-coded timeout of five seconds for DNS lookups in the async resolver. This patch adds an option 'dns_resolver_timeout' to specify this value (Default: 5)
* Support SRV servers in failoverJakub Hrozek2010-04-302-51/+523
| | | | | | | | | | | | | | | Adds a new failover API call fo_add_srv_server that allows the caller to specify a server that is later resolved into a list of specific servers using SRV requests. Also adds a new failover option that specifies how often should the servers resolved from SRV query considered valid until we need a refresh. The "real" servers to connect to are returned to the user as usual, using the fo_resolve_service_{send,recv} calls. Make SRV resolution work with c-ares 1.6
* Remove freed server_common entities from listJakub Hrozek2010-04-301-1/+24
|
* Display a message if a password reset by root failsSumit Bose2010-04-262-0/+15
|
* Make the handling of fd events opaqueSumit Bose2010-04-265-184/+278
| | | | | | | Depending on the version of the OpenLDAP libraries we use two different schemes to find the file descriptor of the connection to the LDAP server. This patch removes the related ifdefs from the main code and introduces helper functions which can handle the specific cases.
* New version of IPA auth and password migrationSumit Bose2010-04-264-199/+425
| | | | | | | | | The current version modified some global structures to be able to use Kerberos and LDAP authentication during the IPA password migration. This new version only uses tevent requests. Additionally the ipaMigrationEnabled attribute is read from the IPA server to see if password migration is allowed or not.
* Make Kerberos authentication a tevent_reqSumit Bose2010-04-262-307/+426
| | | | | To allow other providers to include Kerberos authentication the main part is put into a tevent request.
* Treat server names as case-insensitive in failover codeJakub Hrozek2010-04-261-2/+2
|
* Set LDAP_OPT_RESTART for all LDAP connectionsSumit Bose2010-04-261-7/+7
|
* Make ID provider init functions clearerStephen Gallagher2010-04-164-11/+11
| | | | | | | | | | | Using sssm_*_init() as the name of the initialization function for identity providers was a holdover from earlier development when we thought we would only have a single "provider" entry in the config file. As we have now separated out the initialization functions for auth, chpass and access, we should rename sssm_*_init() to sssm_*_id_init() for a cleaner interface.
* Allow arbitrary-length PAM messagesStephen Gallagher2010-03-255-37/+27
| | | | | | | | | The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432
* Fix LDAP search paths for IPA HBACSumit Bose2010-03-255-43/+81
| | | | | | - use domain_to_basedn() to construct LDAP search paths for IPA HBAC - move domain_to_basedn() to a separate file to simplify the build of a test
* Add krb5_kpasswd to IPA providerEugene Indenbom2010-03-252-2/+3
| | | | The krb5 options were out of sync, causing a runtime abort.
* Regression test against RHBZ #576856Jakub Hrozek2010-03-252-5/+5
|
* Fix warnings from -Wmissing-field-initializersSumit Bose2010-03-251-1/+3
| | | | This patch removes some tab-indentations from pamsrv.c, too.
* Set LDAP_OPT_RESTART for ldap_sasl_interactive_bind_s()Sumit Bose2010-03-251-0/+7
| | | | | | | This option is needed for the rare case where a poll() call during ldap_sasl_interactive_bind_s() is interrupted by a signal. LDAP_OPT_RESTART enables the handling of the EINTR error instead of returning an error.
* Improvements for LDAP Password Policy supportRalf Haferkamp2010-03-224-13/+103
| | | | | | | | Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.
* Lower debug level of unexpected LDAP result codesSumit Bose2010-03-221-0/+5
|
* Fix error message for ldap_start_tlsStephen Gallagher2010-03-181-1/+1
|
* Fix a series of memory leaks in the SBUSStephen Gallagher2010-03-171-1/+5
|
generated by cgit (git 2.34.1) at 2024-06-09 03:22:49 +0000