summaryrefslogtreecommitdiffstats
path: root/src/responder/pam/pamsrv_cmd.c
Commit message (Collapse)AuthorAgeFilesLines
* Allocate PAM DP request data on responder context1.9.2-92Jakub Hrozek2013-07-251-0/+12
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.
* Refactor the way subdomain accounts are savedSimo Sorce2012-11-191-1/+4
| | | | | | | | | | | | | | | | | The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek2012-11-151-17/+12
|
* PAM: Do not leak fd after SELinux context file is writtenJakub Hrozek2012-11-051-0/+1
| | | | | | | https://fedorahosted.org/sssd/ticket/1619 We don't close the fd when we write the selinux login file in the pam responder. This results in a fd leak.
* Add new option default_domain_suffixSumit Bose2012-10-011-10/+21
|
* SELinux: Always use the default if it exists on the serverJakub Hrozek2012-09-131-22/+21
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1513 This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045 During an e-mail discussion, it was decided that * if the default is set in the IPA config object, the SSSD would use that default no matter what * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether
* Check if the SELinux login directory existsJakub Hrozek2012-09-041-3/+3
| | | | https://fedorahosted.org/sssd/ticket/1492
* Only create the SELinux login file if there are mappings on the serverJakub Hrozek2012-08-161-45/+77
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1455 In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers. The IPA default must be only used if there *are* rules on the server, but none matches.
* Do not try to remove the temp login file if already renamedJakub Hrozek2012-08-161-2/+3
| | | | | | | | | write_selinux_string() would try to unlink the temporary file even after it was renamed. Failure to unlink the file would not be fatal, but would produce a confusing error message. Also don't use "0" for the default fd number, that's reserved for stdin. Using -1 is safer.
* Build SELinux code in responder conditionallyJakub Hrozek2012-08-161-0/+7
| | | | https://fedorahosted.org/sssd/ticket/1480
* Fix bad checkJakub Hrozek2012-08-011-1/+1
|
* Write SELinux config files in responder instead of PAM moduleJan Zeleny2012-07-271-5/+95
|
* Move SELinux processing from session to account PAM stackJan Zeleny2012-07-271-1/+2
| | | | | | | | | | | | | | The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
* PAM: Fix off-by-one-error in the SELinux session codeJakub Hrozek2012-07-181-1/+1
|
* Fix uninitialized valuesNick Guay2012-07-181-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1379
* SELinux user maps: pick just one mapJan Zeleny2012-06-251-12/+11
| | | | | | | | | This patch modifies behavior of SSSD when putting together content of the file for pam_selinux. SSSD will now pick only the first user map in the priority list which matches to the user logging in. Other maps are ignored. https://fedorahosted.org/sssd/ticket/1360
* Fix re_expression matching with subdomainsJan Zeleny2012-06-211-33/+55
| | | | | | | | | | | This patch fixes an issue which resulted in a need to initialize responder with data from local domain, otherwise it would not correctly detect requests for subdomains. Similar situation can occur if new subdomain is added at runtime. The solution is to ask for a list of subdomains in case there is a candidate domain identified in the process of matching re_expressions with given name.
* Make re_expression and full_name_format per domain optionsStef Walter2012-06-121-10/+10
| | | | | | | | | | | * Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663
* PAM: Better pam_reply messageStephen Gallagher2012-06-101-1/+2
|
* Modify behavior of pam_pwd_expiration_warningJan Zeleny2012-05-041-35/+0
| | | | | | | | | | | | | | | | | | New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
* Send PAM requests for subdomains to the right providerJan Zeleny2012-04-241-3/+41
|
* Modified responder_get_domain()Jan Zeleny2012-04-241-1/+1
| | | | Now it checks for subdomains as well as for the domain itself
* Prevent printing NULL from DEBUG messagesJakub Hrozek2012-04-181-1/+2
|
* Remove sysdb_get_ctx_from_list()Sumit Bose2012-02-291-12/+12
|
* Don't give memory context in confdb where not neededJan Zeleny2012-02-211-2/+2
|
* Only fetch SELinux string if the user is foundJakub Hrozek2012-02-101-1/+2
|
* SELinux support in PAM responderJan Zeleny2012-02-061-0/+163
|
* PAM: Do not overwrite retJakub Hrozek2012-01-261-3/+1
|
* DP: Fix bugs in sss_dp_get_account_intStephen Gallagher2012-01-231-0/+1
| | | | | | | | | | | | | | | | | | | | | | | The conversion to the tevent_req style introduced numerous bugs related to memory management of the various client requests. In some circumstances, this could cause memory corruption and segmentation faults in the NSS responder. This patch makes the following changes: 1) Rename the internal lookup from subreq to sidereq, to indicate that it is not a sub-request of the current lookup (and therefore is not cancelled if the current request is). 2) Change the handling of the callback loops since they call tevent_req_[done|error], which results in them being freed (and therefore removed from the cb_list. This was the source of the memory corruption that would occasionally result in dereferencing an unreadable request. 3) Remove the unnecessary sss_dp_get_account_int_recv() function and change sss_dp_get_account_done() so that it only frees the sidereq. All of the waiting processes have already been signaled with the final results from sss_dp_get_account_int_done()
* RESPONDER: Extend sss_dp_account_send() to include extra dataStephen Gallagher2012-01-211-1/+1
| | | | | | | Some NSS maps such as 'services' require more values to be passed to the data provider than just the name or ID. In these cases, we will amend an optional component to filter value to pass to the data provider backend.
* PAM: Fix reversed logicJakub Hrozek2012-01-181-1/+1
|
* sss_get_cased_name utility functionJakub Hrozek2011-12-211-2/+2
|
* PAM: make initgroups timeout work across multiple clientsStephen Gallagher2011-12-201-4/+40
| | | | | | | | | | | Instead of timing out the initgroups lookup on a per-cctx basis, we will maintain a hash table of recently-seen users and use this instead. This will allow SSSD to handle user's logging into multiple services simultaneously more graciously, as well as playing nicer with SSH (which makes calls to PAM both before and after a fork). https://fedorahosted.org/sssd/ticket/1063
* Use the case sensitivity flag in respondersJakub Hrozek2011-12-161-2/+6
|
* Canonicalize username in PAM providerJakub Hrozek2011-12-161-0/+27
|
* Responders: Split getting domain by name into separate functionJakub Hrozek2011-12-161-5/+2
|
* Ignore NULL-terminator when checking UTF8-validityStephen Gallagher2011-12-051-1/+1
| | | | | Glib fails if the NULL-terminator is included when a length is specified.
* RESPONDER: Refactor DP requests into tevent_req styleStephen Gallagher2011-11-291-11/+48
|
* RESPONDER: Ensure that all input strings are valid UTF-8Stephen Gallagher2011-11-181-0/+5
|
* sysdb refactoring: memory context deletedJan Zeleny2011-08-151-3/+2
| | | | | | This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
* sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny2011-08-151-6/+4
| | | | | The patch also updates code using modified functions. Tests have also been adjusted.
* Revert "Allow LDAP to decide when an expiration warning is warranted"Stephen Gallagher2011-08-041-4/+3
| | | | This reverts commit b0b9c38dfce3e3ccbfaa4d00fdf2ea08a70d41a6.
* Allow LDAP to decide when an expiration warning is warrantedStephen Gallagher2011-08-011-3/+4
| | | | | | | | | Previously, we were only displaying expiration warnings if the password was going to expire within a day. We'll allow LDAP to make this decision (by whether it passes us the expiration time). In the future, we can add an option to clamp this down to a shorter period if the local admin prefers it.
* Fix unchecked return values of pam_add_responseJakub Hrozek2011-04-081-4/+12
| | | | https://fedorahosted.org/sssd/ticket/798
* Perform initgroups lookups for all domainsStephen Gallagher2011-02-211-3/+5
| | | | | | | | | | Previously, we were setting the client context PAM lookup timeout after the first domain replied. However, if the user wasn't a member of the first domain, their information wasn't being updated. This patch ensures that we only set this timeout after the user has been found or all domains were searched.
* Perform initgroups lookup for PAMStephen Gallagher2011-01-211-1/+3
| | | | | Previously we were only looking up the user, but we need to make sure that all groups are available for use by access providers.
* Use DEFAULT_PAM_VERBOSITY if config value cannot be retrievedSumit Bose2011-01-191-1/+1
|
* Add pam_pwd_expiration_warning config optionSumit Bose2011-01-191-12/+47
|
* Validate user supplied size of data itemsSumit Bose2011-01-111-76/+75
| | | | | | Specially crafted packages might lead to an integer overflow and the parsing of the input buffer might not continue as expected. This issue was identified by Sebastian Krahmer <krahmer@suse.de>.
* Update the ID cache for any PAM requestStephen Gallagher2010-12-221-8/+11
| | | | | | | | Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749
generated by cgit (git 2.34.1) at 2024-05-24 01:42:25 +0000