| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
|
|
|
|
|
|
|
|
|
| |
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
|
|
|
|
|
|
|
|
| |
Allow backends to set a callback in the be_ctx that should be
invoked when the ID provider goes online.
This can be used to perform regular maintenance tasks that are
valid only when going online.
|
|
|
|
|
| |
For the shadow and mit_kerberos password policy warnings are sent to the
client if the password is about to expire.
|
|
|
|
|
|
|
| |
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Instead of having all-purpose SIGCHLD handlers that try to catch
every occurrence, we instead create a per-PID handler. This will
allow us to specify callbacks to occur when certain children exit.
|
| |
|
|
|
|
|
| |
Also clean up some duplicated code into a single common routine
sdap_account_info_common_done()
|
| |
|
|
|
|
|
| |
Prevent freeing the sdap_handle by failing in the destructor if we
are trying to recurse.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Always just mark the sdap_handle as not connected and let later _send()
functions to take care of freeing the handle before reconnecting.
Introduce restart functions to avoid calling _send() functions in _done()
functions error paths as this would have the same effect as directly freeing
the sdap_handle and cause access to freed memory in sdap_handle_release()
By freeing sdap_handle only in the connection _recv() function we
guarantee it can never be done within sdap_handle_release() but only
in a following event.
|
| |
|
|
|
|
|
| |
The Kerberos backend would previously try only the first server and if
it was unreachable, it immediatelly went offline.
|
|
|
|
|
|
| |
We had a hard-coded timeout of five seconds for DNS lookups in the
async resolver. This patch adds an option 'dns_resolver_timeout'
to specify this value (Default: 5)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new failover API call fo_add_srv_server that allows the caller
to specify a server that is later resolved into a list of specific
servers using SRV requests.
Also adds a new failover option that specifies how often should the
servers resolved from SRV query considered valid until we need a
refresh.
The "real" servers to connect to are returned to the user as usual,
using the fo_resolve_service_{send,recv} calls.
Make SRV resolution work with c-ares 1.6
|
| |
|
| |
|
|
|
|
|
|
|
| |
Depending on the version of the OpenLDAP libraries we use two different
schemes to find the file descriptor of the connection to the LDAP
server. This patch removes the related ifdefs from the main code and
introduces helper functions which can handle the specific cases.
|
|
|
|
|
|
|
|
|
| |
The current version modified some global structures to be able to use
Kerberos and LDAP authentication during the IPA password migration. This
new version only uses tevent requests.
Additionally the ipaMigrationEnabled attribute is read from the IPA
server to see if password migration is allowed or not.
|
|
|
|
|
| |
To allow other providers to include Kerberos authentication the main
part is put into a tevent request.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Using sssm_*_init() as the name of the initialization function for
identity providers was a holdover from earlier development when we
thought we would only have a single "provider" entry in the config
file.
As we have now separated out the initialization functions for
auth, chpass and access, we should rename sssm_*_init() to
sssm_*_id_init() for a cleaner interface.
|
|
|
|
|
|
|
|
|
| |
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|
|
|
|
|
|
| |
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC
- move domain_to_basedn() to a separate file to simplify the build of
a test
|
|
|
|
| |
The krb5 options were out of sync, causing a runtime abort.
|
| |
|
|
|
|
| |
This patch removes some tab-indentations from pamsrv.c, too.
|
|
|
|
|
|
|
| |
This option is needed for the rare case where a poll() call during
ldap_sasl_interactive_bind_s() is interrupted by a signal.
LDAP_OPT_RESTART enables the handling of the EINTR error instead of
returning an error.
|
|
|
|
|
|
|
|
| |
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
dbus_connection_send_with_reply() will report success and return
a NULL pending_reply when the connection is not open for
communication. This patch creates a new wrapper around
dbus_connection_send_with_reply() to properly detect this
condition and report it as an error.
|
|
|
|
|
| |
When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful
authentication in SSS_PAM_CHAUTHTOK_PRELIM.
|
|
|
|
|
|
| |
When the user's password is expired it might also be indicated by
the bind operation returning "INVALID_CREDENTIALS" with the ppolicy
control's errorcode set to "PP_passwordExpired".
|
| |
|
| |
|
|
|
|
|
|
|
| |
As with krb5_ccname_template sequences like %u can be used in the
krb5_ccachedir parameter which are expanded at runtime. If the directory
does not exist, it will be created. Depending on the used sequences it
is created as a public or private directory.
|
| |
|
|
|
|
|
|
|
|
| |
Upon receiving SIGHUP, the monitor signals all services to reopen their
debug logs. It is also possible to signal individual services to reopen
their particular files.
Fixes: #332
|
|
|
|
|
|
| |
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so
I decided to fix them. I also made a quick grep through the code and
found other places so I fixed them too.
|
|
|
|
|
|
|
|
|
| |
Make the counter optional so that alignment safe macros can be used also where
there is no counter to update.
Change arguments names so that they are not deceiving (ptr normlly identify a
pointer)
Turn the memcpy substitute into an inline function so that passing a pointer to
rp and checking for it doesn't make the compiler spit lots of warnings.
|
| |
|