| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
server was unexpectedly dropped.
|
| | |
|
| |
|
|
| |
through SRV records) failover servers.
|
| |
|
|
| |
sdap_handle for future reference.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows to set
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479
|
| |
|
|
|
|
|
|
|
|
|
|
| |
proxy.c was growing too large to manage (and some graphical
development tools could no longer open it because of memory
limitations).
This patch splits proxy.c into the following files:
proxy_init.c: Setup routines for the plugin
proxy_id.c: Functions to handle user and group lookups
proxy_auth.c: Functions to handle PAM interactions
proxy_common.c: Common utility routines
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
In violation of the standard, some LDAP servers control access to
the RootDSE, thus preventing us from being able to read it before
performing a bind.
This patch will allow us to continue on if the RootDSE was
inaccessible. All of the places that we use the return value of
the RootDSE after this are already checked for NULL and use sane
defaults if the RootDSE is unavailable
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Operational attributes are not returned in searched requests unless
explicitly requested according to RFC 4512 section 5.1. Therefore to
get several standard attributes of root DSE we have to request for
them. The requested attrs are:
- altServer
- namingContexts
- supportedControl
- supportedExtension
- supportedFeatures
- supportedLDAPVersion
- supportedSASLMechanisms
Signed-off-by: Alexander Gordeev <lasaine@lvk.cs.msu.su>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If sdap_mark_offline() is called before a live connection is
established, sdap_fd_events could be NULL, causing a segfault when
remove_ldap_connection_callbacks() attempts to free the
sdap_fd_events->conncb
https://fedorahosted.org/sssd/ticket/545
|
| |
|
|
|
| |
ldap_get_option() can only fail if the option we're removing has
already been removed. It is sufficient to log this and continue.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/542
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/539
|
| |
|
|
| |
Fixes: #531
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/525
|
| |
|
|
|
|
|
| |
We can't do much about an error here, but we should be reporting
it.
https://fedorahosted.org/sssd/ticket/534
|
| |
|
|
|
|
|
|
|
| |
We need to make sure that if we didn't create the timeout, that we
cancel the request so there's no chance of ending up with two
enumerations/cleanups running simultaneously. We'll attempt to
reschedule later, if possible.
https://fedorahosted.org/sssd/ticket/524
|
| |
|
|
|
|
|
|
|
| |
In several places, we were creating a new timer and assigning it
to the tev variable, but then we were checking for NULL from the
te variable (which, incidentally, is guaranteed never to be NULL
in this situation)
https://fedorahosted.org/sssd/ticket/523
|
| |
|
|
|
|
|
| |
Failing to return after the tevent_req_post() here can result in a
null-pointer dereference (along with other hard-to-track bugs)
https://fedorahosted.org/sssd/ticket/507
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/506
|
| |
|
|
|
|
|
| |
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Under certain circumstances, the openldap libraries will continue
internally trying to reconnect to a connection lost (as during a
cable-pull test). We need to drop the reconnection callbacks when
marking the backend offline in order to guarantee that they are
not called with an invalid sdap_handle.
|
| |
|
|
| |
Fixes: #518
|
| |
|
|
| |
Fixes: #505
|
| |
|
|
| |
Fixes: #508
|
| |
|
|
| |
Fixes: #498
|
| |
|
|
|
|
| |
OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to
LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS
error messages to be displayed on either version.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Because the memberOf attribute is now set for the service objects we do
not need to fetch the service groups separately anymore.
|
| | |
|
| |
|
|
|
|
|
|
| |
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs
structure if the requested element does not exist. Recent versions of
libldb do not accept empty elements when writing new objects to disk.
sysdb_attrs_get_string_array() does not create an empty element but
returns ENOENT.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
