| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The conversion to the tevent_req style introduced numerous bugs
related to memory management of the various client requests. In
some circumstances, this could cause memory corruption and
segmentation faults in the NSS responder. This patch makes the
following changes:
1) Rename the internal lookup from subreq to sidereq, to indicate
that it is not a sub-request of the current lookup (and therefore
is not cancelled if the current request is).
2) Change the handling of the callback loops since they call
tevent_req_[done|error], which results in them being freed (and
therefore removed from the cb_list. This was the source of the
memory corruption that would occasionally result in dereferencing
an unreadable request.
3) Remove the unnecessary sss_dp_get_account_int_recv() function
and change sss_dp_get_account_done() so that it only frees the
sidereq. All of the waiting processes have already been signaled
with the final results from sss_dp_get_account_int_done()
|
| |
|
|
|
|
|
| |
Some NSS maps such as 'services' require more values to be passed
to the data provider than just the name or ID. In these cases, we
will amend an optional component to filter value to pass to the
data provider backend.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of timing out the initgroups lookup on a per-cctx basis,
we will maintain a hash table of recently-seen users and use this
instead. This will allow SSSD to handle user's logging into
multiple services simultaneously more graciously, as well as
playing nicer with SSH (which makes calls to PAM both before and
after a fork).
https://fedorahosted.org/sssd/ticket/1063
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Glib fails if the NULL-terminator is included when a length is
specified.
|
| | |
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/926
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Removed:
SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED)
Added new macro:
CONVERT_AND_SET_DEBUG_LEVEL(new_value)
Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0
so DEBUG macro could be reduced by one condition. Anyway, it has a minor
effect, every time you want to load debug_level from command line parameters,
you have to use following pattern:
/* Set debug level to invalid value so we can deside if -d 0 was used. */
debug_level = SSSDBG_INVALID;
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
while((opt = poptGetNextOpt(pc)) != -1) { ... }
CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
|
| |
|
|
|
|
| |
This patch deletes memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well.
|
| |
|
|
|
| |
The patch also updates code using modified functions. Tests have also
been adjusted.
|
| |
|
|
| |
This reverts commit b0b9c38dfce3e3ccbfaa4d00fdf2ea08a70d41a6.
|
| |
|
|
|
|
|
|
|
| |
Previously, we were only displaying expiration warnings if the
password was going to expire within a day. We'll allow LDAP to
make this decision (by whether it passes us the expiration time).
In the future, we can add an option to clamp this down to a
shorter period if the local admin prefers it.
|
| |
|
|
|
|
| |
We will now re-read the confdb debug_level value when processing
the monitor_common_logrotate() function, which occurs when the
monitor receives a SIGHUP.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/798
|
| |
|
|
|
|
|
|
|
|
| |
Previously, we were setting the client context PAM lookup timeout
after the first domain replied. However, if the user wasn't a
member of the first domain, their information wasn't being
updated.
This patch ensures that we only set this timeout after the user
has been found or all domains were searched.
|
| |
|
|
|
| |
Previously we were only looking up the user, but we need to make
sure that all groups are available for use by access providers.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Specially crafted packages might lead to an integer overflow and the
parsing of the input buffer might not continue as expected. This issue
was identified by Sebastian Krahmer <krahmer@suse.de>.
|
| |
|
|
|
|
|
|
| |
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
|
| |
|
|
|
|
|
| |
Previously, this was initialized to zero, so the first domain in
the list wouldn't be checked for ID updates in
pam_check_user_search. This initializes the first domain to check
the provider.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/716
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/719
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
|
| | |
|
| |
|
|
|
|
| |
A refactoring patch that creates a common util/crypto subdir with
per-implementation subdirectories for each underlying crypto library
supported by SSSD.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This patch removes some tab-indentations from pamsrv.c, too.
|
| | |
|
| |
|
|
|
|
|
|
| |
dbus_connection_send_with_reply() will report success and return
a NULL pending_reply when the connection is not open for
communication. This patch creates a new wrapper around
dbus_connection_send_with_reply() to properly detect this
condition and report it as an error.
|
| |
|
|
|
|
|
|
| |
Upon receiving SIGHUP, the monitor signals all services to reopen their
debug logs. It is also possible to signal individual services to reopen
their particular files.
Fixes: #332
|
| |
|
|
|
|
| |
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so
I decided to fix them. I also made a quick grep through the code and
found other places so I fixed them too.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We disabled live reconfiguration a long time ago with the intent
of fixing it so that it wasn't completely broken, but we've
decided that live updates are too delicate to handle all cases
gracefully. For the forseeable future, we will rely on process
restart for updating the configuration.
Furthermore, we had not completely disabled live updates. It would
still attempt to run if we sent a SIGHUP. This has also been
eliminated.
|
