path: root/src/providers

Commit log for src/providers. Each entry gives the commit message, author, date, number of files changed and lines removed/added (-/+), followed by the commit message body where one exists.
* Treat NULL or empty rhost as unknown (Stephen Gallagher, 2011-08-01, 2 files, -11/+25)

  Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts.

* Add ipa_hbac_treat_deny_as option (Stephen Gallagher, 2011-08-01, 3 files, -2/+13)

  By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.

* Add ipa_hbac_refresh option (Stephen Gallagher, 2011-08-01, 4 files, -1/+21)

  This option describes the time between refreshes of the HBAC rules on the IPA server.

* Add new HBAC lookup and evaluation routines (Stephen Gallagher, 2011-08-01, 2 files, -124/+398)

  Conflicts:
      Makefile.am

* Remove old HBAC implementation (Stephen Gallagher, 2011-08-01, 2 files, -1595/+1)

* Add helper functions for looking up HBAC rule components (Stephen Gallagher, 2011-08-01, 6 files, -0/+2616)

* Add HBAC evaluator and tests (Stephen Gallagher, 2011-08-01, 3 files, -0/+386)

* Add helper function msgs2attrs_array (Stephen Gallagher, 2011-08-01, 2 files, -0/+33)

  This function converts a list of ldb_messages into a list of sysdb_attrs.

  Conflicts:
      src/providers/ldap/ldap_common.c
      src/providers/ldap/ldap_common.h
* Change the default value of ldap_tls_cacert in IPA provider (Jakub Hrozek, 2011-08-01, 1 file, -1/+1)

  https://fedorahosted.org/sssd/ticket/944

* Remove incorrect private variable (Stephen Gallagher, 2011-08-01, 1 file, -1/+1)

  This caused no ill effects, since it wasn't used in the callback. However, it is a layering violation (especially since req is freed in the callback).

* Wrong parameter to sysdb_attrs_add_uint32 (Jakub Hrozek, 2011-08-01, 1 file, -1/+1)

* Explicitly ignore groups with gidNumber=0 (Jakub Hrozek, 2011-07-27, 2 files, -11/+18)

  https://fedorahosted.org/sssd/ticket/916

* Set gidNumber of non-posix groups to 0 even on updates (Jakub Hrozek, 2011-07-27, 1 file, -8/+44)

* Only print server address if one is available (Jakub Hrozek, 2011-07-21, 1 file, -0/+7)

* Do not add a NULL host parsed from LDAP URI (Jakub Hrozek, 2011-07-21, 1 file, -1/+8)

  https://fedorahosted.org/sssd/ticket/911

* Fix unchecked return values of pam_add_response [tag: sssd-1_5_11] (Jakub Hrozek, 2011-07-05, 2 files, -3/+11)

  https://fedorahosted.org/sssd/ticket/798
* ipa_dyndns: Use sockaddr_storage for storing IP addresses (Jakub Hrozek, 2011-07-05, 1 file, -12/+17)

  https://fedorahosted.org/sssd/ticket/915

* Don't pass NULL to printf for TLS errors (Jakub Hrozek, 2011-06-30, 3 files, -33/+24)

  https://fedorahosted.org/sssd/ticket/643

  Conflicts:
      src/util/sss_ldap.h

* Use ldap_init_fd() instead of ldap_initialize() if available (Sumit Bose, 2011-06-30, 3 files, -37/+88)

* Use name based URI instead of IP address based URIs (Sumit Bose, 2011-06-30, 2 files, -38/+3)

* Add sdap_call_conn_cb() to call add connection callback directly (Sumit Bose, 2011-06-30, 2 files, -0/+40)

* Add sockaddr_storage to sdap_service (Sumit Bose, 2011-06-30, 3 files, -0/+22)

* Log nsupdate message (Jakub Hrozek, 2011-06-30, 1 file, -0/+3)

  https://fedorahosted.org/sssd/ticket/893

* Switch resolver to using resolv_hostent and honor TTL (Jakub Hrozek, 2011-06-30, 6 files, -29/+30)

  Conflicts:
      src/providers/fail_over.c

* Do not check pwdAttribute (Sumit Bose, 2011-06-16, 1 file, -9/+0)

  It is not safe to check pwdAttribute to see if server side password policies are active. Only if an LDAP_CONTROL_PASSWORDPOLICYRESPONSE is present in the bind response can we assume that there is a server side password policy.
* Delete cached ccache file if password is expired (Sumit Bose, 2011-06-15, 1 file, -8/+63)

* Non-posix group processing - ldap provider and nss responder (Jan Zeleny, 2011-06-02, 2 files, -28/+69)

* Escape IPv6 IP addresses in the IPA provider (Jakub Hrozek, 2011-06-02, 1 file, -4/+26)

  https://fedorahosted.org/sssd/ticket/880

* Use escaped IP addresses in LDAP provider (Jakub Hrozek, 2011-06-02, 1 file, -6/+56)

* Add utility function to return IP address as string (Jakub Hrozek, 2011-06-02, 2 files, -17/+4)

* Add online callback only once for TGT renewal (Sumit Bose, 2011-06-02, 1 file, -25/+44)

* Sanitize username during initgroups call (Sumit Bose, 2011-05-25, 1 file, -1/+7)

* IPA Provider: don't fail if user is not a member of any groups (Stephen Gallagher, 2011-05-24, 1 file, -2/+5)

* Enable paging support for LDAP (Stephen Gallagher, 2011-05-24, 6 files, -26/+132)

* simple provider: Don't treat primary GID lookup failures as fatal (Stephen Gallagher, 2011-05-24, 1 file, -13/+19)

* Only save members for successfully saved groups (Jakub Hrozek, 2011-05-24, 1 file, -2/+17)

* Make "password" the default for ldap_default_authtok_type (Stephen Gallagher, 2011-05-24, 1 file, -1/+1)

* Return pam data to the renewal item if renewal fails (Sumit Bose, 2011-05-02, 1 file, -4/+9)

  A previous patch changed a talloc_steal() into a talloc_move(). Now it is not enough to change the parent memory context with talloc_steal to give back the data, but it has to be assigned back too. Additionally this patch uses the missing pam data as an indication that a renewal request for this data is currently running.
* Fix bad password caching when using automatic TGT renewal [tag: sssd-1_5_7] (Stephen Gallagher, 2011-04-29, 1 file, -3/+12)

  Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856

* Always generate kpasswdinfo file [tag: sssd-1_5_6] (Stephen Gallagher, 2011-04-20, 1 file, -2/+1)

  Previously, we only generated it when performing a password change, but this didn't play nicely with kpasswd.

* Do not throw a DP error when failing to delete a nonexistent entity (Stephen Gallagher, 2011-04-15, 1 file, -4/+4)

* Never remove gecos from the sysdb cache (Stephen Gallagher, 2011-04-12, 1 file, -0/+9)

  Now that gecos can come from either the 'gecos' or 'cn' attributes, we need to ensure that we never remove it from the cache.

* Initialise rootdse to NULL if not available (Sumit Bose, 2011-04-12, 1 file, -0/+1)

* Initialise srv_opts even if rootDSE is missing (Sumit Bose, 2011-04-11, 2 files, -46/+49)

* Remove detection of duplicates from SRV result processing (Jakub Hrozek, 2011-04-11, 1 file, -9/+0)

* Read only rootDSE data if rootDSE is available (Sumit Bose, 2011-04-08, 1 file, -20/+22)

* Do not attempt to resolve nameless servers (Jakub Hrozek, 2011-04-01, 1 file, -1/+1)

  The failover code is not strictly in charge of resolving. Its main function is to provide a server to connect to for a service. It is legal, although not currently used, to have a server that has no name (server->common == NULL). In this case, no resolving should be done and it is assumed that the failover users, which are the SSSD back ends in our case, would perform any resolving out of band, perhaps using the user_data attribute of the fo_server structure.

* Fall back to cn if gecos is not available (Stephen Gallagher, 2011-03-30, 1 file, -0/+9)

  We were not fully compliant with section 5.3 of RFC 2307 which states:

      An account's GECOS field is preferably determined by a value of the gecos attribute. If no gecos attribute exists, the value of the cn attribute MUST be used. (The existence of the gecos attribute allows information embedded in the GECOS field, such as a user's telephone number, to be returned to the client without overloading the cn attribute. It also accommodates directories where the common name does not contain the user's full name.)

* Mark transaction as done when cancelled (Jakub Hrozek, 2011-03-28, 1 file, -2/+8)

* RFC2307: Ignore zero-length member names in group lookups (Stephen Gallagher, 2011-03-28, 1 file, -0/+4)