summaryrefslogtreecommitdiffstats
path: root/src/responder/pac
Commit message (Collapse)AuthorAgeFilesLines
* util: add sss_idmap_talloc[_free]Pavel Březina2013-09-171-11/+2
| | | | Remove code duplication.
* Include sys/types.h for types id_t and uid_tLukas Slebodnik2013-09-031-0/+1
|
* PAC: Skip SIDs that cannot be resolved to domainJakub Hrozek2013-08-261-2/+4
|
* PAC: use SID instead of GID to search for groupsSumit Bose2013-08-261-48/+41
| | | | | | | With the support of POSIX IDs managed on the AD side we may find non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in the PAC. Since in this case all cached groups have a SDI attribute it is more reliable to search the groups by SID instead of GID.
* PAC: do not fail if a single group cannot be added/removedSumit Bose2013-08-261-18/+31
| | | | | When processing a list of groups we try to process as much as possible only not stop on the first error.
* PAC: read user DN instead of constructing itSumit Bose2013-08-261-5/+17
| | | | | | To avoid issues with case-sensitivity it is more reliable to search the user entry in the cache and use the returned DN instead of constructing it.
* PAC: handle non-POSIX groups in cacheSumit Bose2013-08-262-11/+9
| | | | | Since the DN of the group is used to remove a membership it is not necessary to check if the GID is valid.
* PAC: do not create users with missing GIDSumit Bose2013-08-261-0/+14
| | | | | If the user entry does not exist in the cache and a primary GID cannot be found it does not make sense to create a user entry.
* PAC: if user entry already exists keep itSumit Bose2013-08-263-86/+10
| | | | | | | | | | | | | | | | | Currently the PAC responder deletes a user entry and recreates it if some attributes seems to be different. Two of the attributes where the home directory and the shell of the user. Those two attributes are not available from the PAC but where generates by the PAC responder. The corresponding ID provider might have better means to determine those attributes, e.g. read them from LDAP, so we shouldn't change them here. The third attribute is the user name. Since the PAC responder does lookups only based on the UID we can wait until the ID provider updates the entry. Fixes https://fedorahosted.org/sssd/ticket/1996
* PAC: do not delete originalDN or cached password if presentSumit Bose2013-06-241-1/+26
| | | | | | | | | | | If the PAC responder recognizes some attribute changes between the cached user entry and the PAC data it quite crudely just removes the cached entry and recreates it. While in most cases all needed data can be recovered from the PAC data there is a case where it is not possible. E.g the IPA HBAC code use the OriginalDN attribute to improve performance when evaluating access rules. This patch makes sure this attribute is not lost when the PAC responder updates the object.
* PAC: do not expect that sysdb_search_object_by_sid() return ENOENTSumit Bose2013-06-191-8/+8
| | | | | | | sysdb_search_object_by_sid() does not return ENOENT if no related object was found in the cache but EOK and an empty result list. Fixes https://fedorahosted.org/sssd/ticket/1989
* New utility function sss_get_domain_nameJakub Hrozek2013-06-072-19/+10
| | | | | Instead of copying a block of code that checks whether domain is a subdomain and uses only name of FQDN as appropriate, wrap the logic into a function.
* Enhance PAC responder for AD usersSumit Bose2013-06-063-927/+659
| | | | | | | | | | | This patch modifies the PAC responder so that it can be used with the AD provider as well. The main difference is that the POSIX UIDs and GIDs are now lookup up with the help of the SID instead of being calculated algorithmically. This was necessary because the AD provider allows either algorithmic mapping or reading the value from attributes stored in AD. Fixes https://fedorahosted.org/sssd/ticket/1558
* Lookup domains at startupSumit Bose2013-06-041-0/+6
| | | | | | | | | | | | To make sure that e.g. the short/NetBIOS domain name is available this patch make sure that the responders send a get_domains request to their backends at startup the collect the domain information or read it from the cache if the backend is offline. For completeness I added this to all responders even if they do not need the information at the moment. Fixes https://fedorahosted.org/sssd/ticket/1951
* Add utility functions for formatting fully-qualified namesJakub Hrozek2013-05-302-4/+3
| | | | | | Instead of using printf-like functions directly, provide two wrappers that would encapsulate formatting the fully-qualified names. No functional change is present in this patch.
* Add missing \n to debug stringSumit Bose2013-05-101-1/+1
|
* Remove unused TALLOC_CTX from responder_get_domain()Sumit Bose2013-05-021-2/+2
| | | | | | Recent refactoring removed the need to copy the domain info data of sub-domains because the related objects will not be removed from memory anymore.
* Fix and rename get_my_domain_data()Sumit Bose2013-04-213-12/+14
| | | | | | | | | | | | | | | | | The task of get_my_domain_data() is to read some information about the configured domain from the cache. While the sysdb interface was redesigned some changes changed the behaviour so that the data of the domain of the current request was read. If this domain is a sub-domain the wrong data was read. As a result group-memberships of the configured domain were not taken into account. The original code didn't made it easy to see that always the parent domain should be used here, because there was no comment indication this and the function name get_my_domain_data() didn't made it clear either. Additionally to fixing the issue this patch also adds a comment and rename the function to get_parent_domain_data(). Fixes https://fedorahosted.org/sssd/ticket/1888
* Allow using flatname for subdomain home dir templateJakub Hrozek2013-04-101-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1609
* change responder contexts hierarchyPavel Březina2013-03-201-9/+14
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1575 The hierarchy is now: main_ctx -> responder_ctx -> specific_ctx where specific_ctx is one of sudo, pam, etc.
* do not leak memory on failure in *_process_init()Pavel Březina2013-03-201-6/+11
|
* Remove unused functionsJakub Hrozek2013-03-042-18/+0
|
* Introduce IS_SUBDOMAIN() macroSimo Sorce2013-02-101-1/+1
| | | | Fixes https://fedorahosted.org/sssd/ticket/1766
* Parent and subdomains use the same sysdbSimo Sorce2013-02-101-5/+1
| | | | | | Remove code that tries to get the 'right' sysdb, as it is always going to get the same answer anyway since the recent patches to rework the domains/sysdb relationship.
* Change the way domains are linked.Simo Sorce2013-02-101-10/+1
| | | | | | | | | | | | | | | | | | | - Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
* Add function get_next_domain()Simo Sorce2013-02-101-1/+1
| | | | | | | Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
* NSS: Add original homedir to home directory template optionsStephen Gallagher2013-02-101-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1805
* Add domain argument to sysdb_delete_user()Simo Sorce2013-01-151-1/+1
| | | | Also remove sysdb_delete_domuser()
* Add domain argument to sysdb_store_user()Simo Sorce2013-01-151-1/+1
| | | | Also remove sysdb_store_domuser()
* Add domain to sysdb_search_group_by_gid()Simo Sorce2013-01-151-1/+1
| | | | Also remove unused sysdb_search_domgroup_by_gid()
* Add domain to sysdb_search_user_by_uid()Simo Sorce2013-01-151-1/+2
| | | | Also remove unused sysdb_search_domuser_by_uid()
* Add domain argument to sysdb_initgroups()Simo Sorce2013-01-151-1/+2
|
* Make sysdb_domain_dn() require a domain.Simo Sorce2013-01-151-1/+1
|
* Make sysdb_user_dn() require a domain explictly.Simo Sorce2013-01-151-1/+1
|
* Refactor gid handling in the PAC responderSumit Bose2013-01-083-84/+202
| | | | | | Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain an store it with a pointer to the domain.
* PAC responder: check if existing user differsSumit Bose2013-01-083-13/+64
| | | | | | If some of the Posix attributes of an user existing in the cache differ from the data given in the current PAC the old user entry is drop and a new one is created with the data from the PAC.
* Use hash table to collect GIDs from PAC to avoid dupsSumit Bose2013-01-081-18/+86
| | | | | | | To avoid duplicated entries in the group list all gids are added to a hash table first. Fixes: https://fedorahosted.org/sssd/ticket/1672
* Read remote groups from PACSumit Bose2013-01-081-3/+52
| | | | | | | Read the group membership of the remote domain the user belongs to from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
* Remote groups do not have an original DN attributeSumit Bose2013-01-081-40/+34
| | | | | | | Groups from subdomains will not have an attribute holding the original DN because in general it will not be available. This attribute is only used by IPA HABC to improve performance and remote groups cannot be used for access control.
* Save domain and GID for groups from the configured domainSumit Bose2013-01-083-17/+47
| | | | | | | | | | Currently users from subdomains can only be members of groups from the configured domain and to access those groups a pointer to the domain struct of the configured domain is used. This patch sets the dom_grp member of struct pac_grp to point to the domain struct of the configured for groups from this domain. This is a first step to allow group membership for groups from subdomains as well. For those groups a pointer to the related subdomain structure will be saved.
* Always get user data from PACSumit Bose2013-01-081-7/+7
| | | | | | | Currently some user specific data from the PAC is only read when the user is not already in the cache. Since some of this information is needed later on, e.g. the domain SID the user belongs to, with this patch the data is read always from the PAC.
* Add find_domain_by_id()Sumit Bose2013-01-082-0/+42
| | | | | | | Currently domains can only be searched by name in the global domain list. To make it easier to find the domain for a given SID find_domain_by_id() which returns a pointer to the domain or subdomain entry in the global domain list if a matching id was found.
* Use struct pac_grp instead of gid_t for groups from PACSumit Bose2013-01-083-18/+25
| | | | | To be able to handle groupmemberships from other domains more data than just the gid must be kept for groups given in the PAC.
* RESPONDERS: Create a common file with service names and versionsJakub Hrozek2012-12-181-3/+1
| | | | | | | The monitor sends calls different sbus methods to different responders. Instead of including headers of the particular responders directly in monitor, which breaks layering a little, create a common header file that will be included from src/responder/common/
* PAC: check the return value of diff_git_listsJakub Hrozek2012-12-101-0/+4
|
* LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek2012-11-201-1/+1
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
* Refactor the way subdomain accounts are savedSimo Sorce2012-11-192-25/+42
| | | | | | | | | | | | | | | | | The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
* Store the original group DN in the subdomain user objectSumit Bose2012-11-101-26/+58
| | | | | | | | | | | For user of the local domain the server-side DN of the groups the user is a member of is stored with the user object in the cache and used to improve performance e.g. by the HBAC code. Since subdomain users should be handled by HBAC as well the group DN is stored in the same way as for users of the local domain. This patch also adds code to remove the attribute from the user object if the user is removed from the group.
* Get lists of GIDs to be added and deleted and use themSumit Bose2012-11-101-3/+89
| | | | | | | Currently the user was just added to all local groups which are given in the PAC. With this patch the user is added only to groups he is currently not a member of and deleted from groups which are not found in the PAC anymore.
* Add pac_user_get_grp_info() to read current group membershipsSumit Bose2012-11-101-0/+106
| | | | | | | | | | | | To be able to efficiently store group memberships we need to know the current memberships of a user. sysdb_initgroups() is used to read the user entry together with all groups the user is a member of. Some of the group attributes are kept to avoid additional lookups and speed up further processing. Currently sysdb_initgroups() does not return the original DN of the group. Since it is needed to remove memberships later on it is added to the list of requested attributes
generated by cgit (git 2.34.1) at 2024-05-02 20:00:05 +0000