path: root/src/responder/pac
Commit message | Author | Age | Files | Lines
* PAC: check the return value of diff_git_lists | Jakub Hrozek | 2012-12-14 | 1 | -0/+4
* LDAP: Only convert direct parents' ghost attribute to member | Jakub Hrozek | 2012-11-21 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1612
  This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
* Refactor the way subdomain accounts are saved | Simo Sorce | 2012-11-19 | 2 | -25/+42
  The original sysdb code had a strong assumption that only users from one domain are saved in the database, with the subdomain feature, we have changed reality, but have not adjusted all the code around the sysdb calls to not rely on the original assumption. One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should. In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and have group memberships or other name based matching code mistake a domain user with subdomain user or vice versa.
* Store the original group DN in the subdomain user object | Sumit Bose | 2012-11-12 | 1 | -26/+58
  For users of the local domain the server-side DN of the groups the user is a member of is stored with the user object in the cache and used to improve performance e.g. by the HBAC code. Since subdomain users should be handled by HBAC as well the group DN is stored in the same way as for users of the local domain. This patch also adds code to remove the attribute from the user object if the user is removed from the group.
* Get lists of GIDs to be added and deleted and use them | Sumit Bose | 2012-11-12 | 1 | -3/+89
  Currently the user was just added to all local groups which are given in the PAC. With this patch the user is added only to groups he is currently not a member of and deleted from groups which are not found in the PAC anymore.
* Add pac_user_get_grp_info() to read current group memberships | Sumit Bose | 2012-11-12 | 1 | -0/+106
  To be able to efficiently store group memberships we need to know the current memberships of a user. sysdb_initgroups() is used to read the user entry together with all groups the user is a member of. Some of the group attributes are kept to avoid additional lookups and speed up further processing. Currently sysdb_initgroups() does not return the original DN of the group. Since it is needed to remove memberships later on it is added to the list of requested attributes.
* Add diff_gid_lists() with test | Sumit Bose | 2012-11-12 | 2 | -0/+172
  This patch adds a new call which compares a list of current GIDs with a list of new GIDs and returns a list of GIDs which are currently missing and must be added and another list of GIDs which are not used anymore and must be deleted. The method is the same as used by diff_string_lists().
* pac responder: add user principal and name alias to cached user object | Sumit Bose | 2012-11-05 | 3 | -4/+46
  The principal name for the user is generated with the user name and the domain from the PAC. It is stored in the cache so that it e.g. can be used by password authentication. Additionally the name alias is stored to allow case-insensitive searches.
* pac responder: use only lower case user name | Sumit Bose | 2012-11-05 | 2 | -5/+15
  Since winbind can only return lower-cased user names the pac responder must do the same to avoid inconsistent behaviour.
* pac responder: fix copy-and-paste error | Sumit Bose | 2012-11-05 | 1 | -7/+0
  This error prevents proper id-mapping in the PAC responder.
* SYSDB: Remove unnecessary domain parameter from several sysdb calls | Jakub Hrozek | 2012-09-24 | 2 | -6/+2
  The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
* pac responder: limit access by checking UIDs | Sumit Bose | 2012-07-10 | 1 | -0/+19
  A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder.
  Fixes: https://fedorahosted.org/sssd/ticket/1382
* Set file descriptor limits in pac responder | Sumit Bose | 2012-07-06 | 1 | -0/+15
* Add range support to PAC responder | Sumit Bose | 2012-06-21 | 3 | -45/+140
* PAC responder: add the core functionality | Sumit Bose | 2012-06-21 | 2 | -2/+471
  This adds support for parsing PAC and storing information contained within. In particular the user and all his memberships are stored. In case it is necessary, getgrgid() requests are sent to provider for group resolution.
* PAC responder: add some utility functions | Jan Zeleny | 2012-06-21 | 2 | -0/+549
* PAC responder: add basic infrastructure | Sumit Bose | 2012-06-21 | 3 | -0/+340
  This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.