summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* Standardize on correct spelling of "principal" for krb5Stephen Gallagher2010-06-166-14/+14
| | | | https://fedorahosted.org/sssd/ticket/542
* Don't segfault if ldap_access_filter is unspecifiedStephen Gallagher2010-06-141-12/+13
| | | | https://fedorahosted.org/sssd/ticket/539
* Eliminate unused variable from pc_init_timeout()Stephen Gallagher2010-06-101-4/+0
| | | | https://fedorahosted.org/sssd/ticket/525
* Check return code of hash_delete in proxy_child_destructorStephen Gallagher2010-06-101-1/+7
| | | | | | | We can't do much about an error here, but we should be reporting it. https://fedorahosted.org/sssd/ticket/534
* Properly check that the timeout event was created for cleanup/enumStephen Gallagher2010-06-102-2/+46
| | | | | | | | | We need to make sure that if we didn't create the timeout, that we cancel the request so there's no chance of ending up with two enumerations/cleanups running simultaneously. We'll attempt to reschedule later, if possible. https://fedorahosted.org/sssd/ticket/524
* Check the correct variable for NULL after creating timerStephen Gallagher2010-06-101-1/+1
| | | | | | | | | In several places, we were creating a new timer and assigning it to the tev variable, but then we were checking for NULL from the te variable (which, incidentally, is guaranteed never to be NULL in this situation) https://fedorahosted.org/sssd/ticket/523
* Properly handle missing originalMemberOf entry in initgroupsStephen Gallagher2010-06-101-0/+1
| | | | | | | Failing to return after the tevent_req_post() here can result in a null-pointer dereference (along with other hard-to-track bugs) https://fedorahosted.org/sssd/ticket/507
* Avoid potential NULL dereferenceStephen Gallagher2010-06-101-3/+5
| | | | https://fedorahosted.org/sssd/ticket/506
* Properly handle read() and write() throughout the SSSDStephen Gallagher2010-06-101-7/+18
| | | | | | | We need to guarantee at all times that reads and writes complete successfully. This means that they must be checked for returning EINTR and EAGAIN, and all writes must be wrapped in a loop to ensure that they do not truncate their output.
* Add a missing initializerSumit Bose2010-06-091-1/+1
|
* Add a missing return valueSumit Bose2010-06-091-0/+1
|
* Allow ldap_access_filter values wrapped in parenthesesStephen Gallagher2010-06-092-3/+21
|
* Disable connection callbacks when going onlineStephen Gallagher2010-06-093-0/+27
| | | | | | | | Under certain circumstances, the openldap libraries will continue internally trying to reconnect to a connection lost (as during a cable-pull test). We need to drop the reconnection callbacks when marking the backend offline in order to guarantee that they are not called with an invalid sdap_handle.
* Fix Incorrect NULL check in get_server_common()Jakub Hrozek2010-06-091-1/+1
| | | | Fixes: #518
* Fix potential NULL dereference in fail_over.cJakub Hrozek2010-06-091-2/+5
| | | | Fixes: #505
* Fix realm_str dereferenceJakub Hrozek2010-06-091-1/+1
| | | | Fixes: #508
* Fix broken build against older versions of OpenLDAPStephen Gallagher2010-06-062-2/+12
| | | | | | OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS error messages to be displayed on either version.
* Initialize pam_data in Kerberos child.Sumit Bose2010-06-061-1/+1
|
* Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()Sumit Bose2010-06-021-23/+12
| | | | | | | | sysdb_attrs_get_el() creates an empty element in the sysdb_attrs structure if the requested element does not exist. Recent versions of libldb do not accept empty elements when writing new objects to disk. sysdb_attrs_get_string_array() does not create an empty element but returns ENOENT.
* Compare full service nameSumit Bose2010-06-021-1/+2
|
* Fix handling of ccache file when going offlineSumit Bose2010-06-022-32/+77
| | | | | | | The ccache file was removed too early if system is offline but the backend was not already marked offline. Now we remove the ccache file only if the successfully got a new one and it is not the same as the old one.
* Support password changes in chpass_provider = proxyStephen Gallagher2010-05-241-5/+73
| | | | | We were not passing the old authtok to the pam_chauthtok() function, causing it to return PAM_AUTH_ERR.
* Fix queuing bug in proxy providerStephen Gallagher2010-05-241-5/+7
| | | | | | | We weren't zeroing out the proxy_auth_ctx when we created it, so the 'running' element was sometimes being filled with garbage data that exceeded the maximum number of child processes. This meant that no requests were ever sent to the child processes.
* Display name of PAM action in pam_print_data()Stephen Gallagher2010-05-241-1/+22
|
* Use new schema for HBAC service checksSumit Bose2010-05-232-22/+812
|
* Check ipaEnabledFlagSumit Bose2010-05-231-5/+23
|
* Proxy provider PAM handling in child processStephen Gallagher2010-05-233-146/+1547
| | | | | | | | | | | | | This patch adds a new tevent_req to the proxy provider, which will spawn short-lived child processes to handle PAM requests. These processes then call the proxied PAM stack and return the results via SBUS method reply. Once it is returned, the parent process kills the child. There is a maximum of ten child processes running simultaneously, after which requests will be queued for sending once a child slot frees up. The maximum processes will be made configurable at a later date (as this would violate string freeze).
* Fix error reporting for be_pam_handlerStephen Gallagher2010-05-231-1/+1
|
* Make data provider id_callback publicStephen Gallagher2010-05-232-2/+3
|
* Do not modify IPA_DOMAIN when setting Kerberos realmSumit Bose2010-05-231-6/+20
|
* Remove signal event if child was terminated by a signalSumit Bose2010-05-232-6/+29
|
* Copy pam data from DBus messageSumit Bose2010-05-203-54/+75
| | | | | | | | Instead of just using references to the pam data inside of the DBus message the data is copied. New the DBus message can be freed at any time and the pam data is part of the memory hierarchy. Additionally it is possible to overwrite the authentication tokens in the DBus message, because it is not used elsewhere.
* Fix check if LDAP id provider is already initializedSumit Bose2010-05-201-1/+1
|
* Add a better error message for TLS failuresStephen Gallagher2010-05-201-3/+32
|
* Reset run_online_cb flag even if there are no callbacksSumit Bose2010-05-201-8/+10
|
* Set ldap_search_timeout default to 5 secondsStephen Gallagher2010-05-184-2/+22
| | | | | | | | | The manpages had five seconds listed, but the source disagreed (it was set to 60 seconds). This resulted in long wait times when unlocking the screen after network disconnection, for example. If enumerate=True, we will set this value to a minimum of 30s
* Remove unused ldap_offline_timeout optionStephen Gallagher2010-05-184-4/+1
|
* Add offline callback to disconnect global SDAP handleSumit Bose2010-05-184-1/+24
|
* Add krb5 SIGTERM handler to ipa auth providerSumit Bose2010-05-181-0/+6
|
* Refactor krb5 SIGTERM handler installationSumit Bose2010-05-183-14/+39
|
* Add callback to remove krb5 info files when going offlineSumit Bose2010-05-185-41/+161
|
* Add run_callbacks flagSumit Bose2010-05-182-2/+25
|
* Refactor krb5_finalize()Sumit Bose2010-05-181-12/+27
|
* Add offline callbacksSumit Bose2010-05-183-1/+32
|
* Refactor data provider callbacksSumit Bose2010-05-183-142/+187
|
* Revert "Create kdcinfo and kpasswdinfo file at startup"Sumit Bose2010-05-183-50/+1
| | | | This reverts commit 4f5664a2ec401f43c090e6170ed9c78390c35272.
* Add ldap_access_filter optionStephen Gallagher2010-05-161-1/+1
| | | | | | | | | | This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
* Add ldap_krb5_ticket_lifetime optionSumit Bose2010-05-168-12/+37
|
* Don't report a fatal error for an HBAC denialStephen Gallagher2010-05-161-1/+1
|
* Add ldap_access_filter optionStephen Gallagher2010-05-168-3/+688
| | | | | | | | | | This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
generated by cgit (git 2.34.1) at 2024-05-25 13:48:24 +0000