| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
We tried to be too clever and only requested the name of the group,
but we require the objectClass to validate the results.
https://fedorahosted.org/sssd/ticket/622
|
|
|
|
|
| |
Some LDAP servers allow binding with blank passwords. We should
not allow a blank password to authenticate the SSSD.
|
|
|
|
|
|
|
| |
The initial verification of the old password was returning an
error because we were not explicitly setting dp_err to
DP_ERR_SUCCESS and it was initialized earlier in the function to
DP_ERR_FATAL.
|
| |
|
|
|
|
|
|
|
|
| |
Instead of recursively updating all users of each group the user
being queried belongs to, just add or remove membership for the
requested user.
Fixes https://fedorahosted.org/sssd/ticket/478
|
|
|
|
|
| |
Also adds support for detecting LDAPS errors by adding a check for
SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext()
|
|
|
|
|
| |
We will now emit a level 0 debug message on keytab errors, and
also write to the syslog (LOG_DAEMON)
|
|
|
|
|
|
|
|
|
|
|
| |
In violation of the standard, some LDAP servers control access to
the RootDSE, thus preventing us from being able to read it before
performing a bind.
This patch will allow us to continue on if the RootDSE was
inaccessible. All of the places that we use the return value of
the RootDSE after this are already checked for NULL and use sane
defaults if the RootDSE is unavailable
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Operational attributes are not returned in searched requests unless
explicitly requested according to RFC 4512 section 5.1. Therefore to
get several standard attributes of root DSE we have to request for
them. The requested attrs are:
- altServer
- namingContexts
- supportedControl
- supportedExtension
- supportedFeatures
- supportedLDAPVersion
- supportedSASLMechanisms
Signed-off-by: Alexander Gordeev <lasaine@lvk.cs.msu.su>
|
| |
|
|
|
|
|
|
|
|
|
| |
If sdap_mark_offline() is called before a live connection is
established, sdap_fd_events could be NULL, causing a segfault when
remove_ldap_connection_callbacks() attempts to free the
sdap_fd_events->conncb
https://fedorahosted.org/sssd/ticket/545
|
|
|
|
|
| |
ldap_get_option() can only fail if the option we're removing has
already been removed. It is sufficient to log this and continue.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/542
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/539
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/525
|
|
|
|
|
|
|
| |
We can't do much about an error here, but we should be reporting
it.
https://fedorahosted.org/sssd/ticket/534
|
|
|
|
|
|
|
|
|
| |
We need to make sure that if we didn't create the timeout, that we
cancel the request so there's no chance of ending up with two
enumerations/cleanups running simultaneously. We'll attempt to
reschedule later, if possible.
https://fedorahosted.org/sssd/ticket/524
|
|
|
|
|
|
|
|
|
| |
In several places, we were creating a new timer and assigning it
to the tev variable, but then we were checking for NULL from the
te variable (which, incidentally, is guaranteed never to be NULL
in this situation)
https://fedorahosted.org/sssd/ticket/523
|
|
|
|
|
|
|
| |
Failing to return after the tevent_req_post() here can result in a
null-pointer dereference (along with other hard-to-track bugs)
https://fedorahosted.org/sssd/ticket/507
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/506
|
|
|
|
|
|
|
| |
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Under certain circumstances, the openldap libraries will continue
internally trying to reconnect to a connection lost (as during a
cable-pull test). We need to drop the reconnection callbacks when
marking the backend offline in order to guarantee that they are
not called with an invalid sdap_handle.
|
|
|
|
| |
Fixes: #518
|
|
|
|
| |
Fixes: #505
|
|
|
|
| |
Fixes: #508
|
|
|
|
|
|
| |
OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to
LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS
error messages to be displayed on either version.
|
| |
|
|
|
|
|
|
|
|
| |
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs
structure if the requested element does not exist. Recent versions of
libldb do not accept empty elements when writing new objects to disk.
sysdb_attrs_get_string_array() does not create an empty element but
returns ENOENT.
|
| |
|
|
|
|
|
|
|
| |
The ccache file was removed too early if system is offline but the
backend was not already marked offline. Now we remove the ccache file
only if the successfully got a new one and it is not the same as the old
one.
|
|
|
|
|
| |
We were not passing the old authtok to the pam_chauthtok()
function, causing it to return PAM_AUTH_ERR.
|
|
|
|
|
|
|
| |
We weren't zeroing out the proxy_auth_ctx when we created it, so
the 'running' element was sometimes being filled with garbage data
that exceeded the maximum number of child processes. This meant
that no requests were ever sent to the child processes.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new tevent_req to the proxy provider, which will
spawn short-lived child processes to handle PAM requests. These
processes then call the proxied PAM stack and return the results
via SBUS method reply. Once it is returned, the parent process
kills the child.
There is a maximum of ten child processes running simultaneously,
after which requests will be queued for sending once a child slot
frees up. The maximum processes will be made configurable at a
later date (as this would violate string freeze).
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Instead of just using references to the pam data inside of the DBus
message the data is copied. New the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
The manpages had five seconds listed, but the source disagreed (it
was set to 60 seconds).
This resulted in long wait times when unlocking the screen after
network disconnection, for example.
If enumerate=True, we will set this value to a minimum of 30s
|
| |
|
| |
|