summaryrefslogtreecommitdiffstats
path: root/src/responder
Commit message (Collapse)AuthorAgeFilesLines
* IFP: use default limit if provided is 0Pavel Březina2015-08-141-1/+3
| | | | | | | Returning zero values doesn't make any sense, so we may use it as "use sssd configuration instead". Reviewed-by: Petr Cech <pcech@redhat.com>
* NSS: Initgr memory cache should work with fq namesLukas Slebodnik2015-08-054-16/+49
| | | | | | | | | | | | | | | | | | | | | We need to stored two versions of name to the initgroups memory cache. Otherwise it could be stored many times if sssd is configured with case_sensitive = false. It would be impossible to invalidate all version of names after user login. As a result of this wrong user groups could be returned from initgroups memory cache. Therefore we store raw name provided by glibc function and internal sanitized fully qualified name, which is unique for particular user. This patch also increase average space for initgroups because there are also stored two quite long names in case of fq names. Resolves: https://fedorahosted.org/sssd/ticket/2712 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap: Invalidate initgroups memory cache after any changeLukas Slebodnik2015-08-051-8/+9
| | | | | | | | | | Initgroups memory cache was invalidated only in case on removed user. it should be invalidated also after changes in group membership. Resolves: https://fedorahosted.org/sssd/ticket/2716 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: "Override" functions for initgr mmap cacheLukas Slebodnik2015-08-051-3/+12
| | | | | | | | | | | | | | | | | | Functions sss_mc_get_strs_offset and sss_mc_get_strs_len provides data about strings for individual memory caches (passwd, ...) Their are used in generic responder mmap cache code to find a record in mmap cache (sss_mc_find_record). Data provided from functions sss_mc_get_* are used for checking the validity of record. So in case of corrupted record the whole mmap cache can be invalidated. Functions sss_mc_get_strs_offset and sss_mc_get_strs_len did not provide data for initgroups mmap cache and therefore particular record could not be invalidated. Resolves: https://fedorahosted.org/sssd/ticket/2716 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: Rename variablesLukas Slebodnik2015-08-052-10/+10
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* ssh: generate public keys from certificateSumit Bose2015-07-313-11/+53
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2711 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add certificate support to PAM (pre-)auth requestsSumit Bose2015-07-314-37/+858
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: use negative cache for sid-by-id requestsSumit Bose2015-07-271-0/+55
| | | | | | | | | | | | | | | | | | | Since requests by ID are not assized to a specific domain SSSD might check the ID in domains where the ID does not exists even if the ID is already in the sysdb cache of the right domain. For requests where already a memory cache is available like e.g. getpwuid() and getgrgid() this has no negative impact because the requests are answered directly from the cache most of the time without hitting SSSD. As long as there is no use-case which does not use the memory cache those requests do not need an update. But for request like sid-by-id where currently no memory cache is available there are quite some additional costs especially for trusted domains. Resolves https://fedorahosted.org/sssd/ticket/2731 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* negcache: allow domain name for UID and GIDSumit Bose2015-07-274-24/+55
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2731 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss_check_name_of_well_known_sid() improve name splittingSumit Bose2015-07-161-0/+8
| | | | | | | | | | | | | | | Currently in the default configuration nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default, additionally if the name could not be split nss_check_name_of_well_known_sid() returns ENOENT which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IFP: Add wildcard requestsJakub Hrozek2015-07-155-0/+456
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2553 Can be used as: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 By default the wildcard_limit is unset, that is, the request will return all cached entries that match. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* cache_req: Extend cache_req with wildcard lookupsJakub Hrozek2015-07-152-14/+166
| | | | | | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds two new functions to the cache_req API: - cache_req_user_by_filter_send - cache_req_group_by_filter_send These functions can be used to retrieve users or groups that match a specified filter. Also renames a variable to avoid constant confusion -- the variable is only used for debug output. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUPJakub Hrozek2015-07-152-1/+14
| | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Extends the Data Provider interface and the responder<->Data provider interface with wildcard lookups. The patch uses a new "wildcard" prefix rather than reusing the existing user/group prefixes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* PAM: Only cache first-factorJakub Hrozek2015-07-061-1/+20
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* Minor code improvementsPavel Reichl2015-07-062-2/+3
| | | | | | | | pam_helpers.h had to be included after util.h. Removed exara empty line. Fixed code alignment Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: authenticate agains cachePavel Reichl2015-07-062-6/+167
| | | | | | | | | | | Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: new attribute lastOnlineAuthWithCurrentTokenPavel Reichl2015-07-061-0/+66
| | | | | | | | | | | | | | Introduce new user attribute lastOnlineAuthWithCurrentToken. This attribute behaves similarly to lastOnlineAuth but is set to NULL after password is changed. This attribute is needed for use-case when cached authentication is used, to request online authentication after password is locally changed. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: Invalidate entry in initgr mmap cacheLukas Slebodnik2015-07-031-0/+32
| | | | | | | | | | If user is removed from sysdb cache then it should be also removed from initgroups memory cache. Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: Invalidate entry in right memory cacheLukas Slebodnik2015-07-031-8/+25
| | | | | | | | | If group was not found in nss_cmd_getgrnam_search then we tied to invalidate entry in memory cache. But function delete_entry_from_memory cache only invalidated in passwd memory cache. Reviewed-by: Michal Židek <mzidek@redhat.com>
* nss: Store entries in responder to initgr mmap cacheLukas Slebodnik2015-07-035-4/+116
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>
* IFP: add FindByCertificate method for User objectsSumit Bose2015-06-1911-13/+239
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ncache: add calls for certificate based searchesSumit Bose2015-06-192-0/+34
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IFP: Fix warnings with enabled optimisationLukas Slebodnik2015-06-191-2/+2
| | | | | | | | | | | | | | | | | It seems that gcc 5.1 optimize enum in some ways and expects that unctions ifp_cache_build_path and ifp_cache_build_base_dn can return unitialized value due to missing default in switch. src/responder/ifp/ifp_cache.c:118:13: warning: 'base_dn' may be used uninitialized in this function [-Wmaybe-uninitialized] ldb_ret = ldb_search(sysdb_ctx_get_ldb(domain->sysdb), tmp_ctx, &result, ^ src/responder/ifp/ifp_cache.c: scope_hint: In function 'ifp_cache_get_cached_objects' src/responder/ifp/ifp_cache.c:135:18: warning: 'path' may be used uninitialized in this function [-Wmaybe-uninitialized] paths[i] = ifp_cache_build_path(paths, type, domain, result->msgs[i]); ^ Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Export nodesPavel Březina2015-06-185-22/+199
| | | | | | | | | | | | | | | | | | | | | | IFP now exports cached users and groups in introspection. After a user is cached with: dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \ org.freedesktop.sssd.infopipe.Cache.Object.Store And Introspection called with: dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.DBus.Introspectable.Introspect The cached users would be visible in the Introspection XML as: <node name="ipaldap/397400000" /> </node> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]Pavel Březina2015-06-1811-0/+708
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2338 Example use: $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.FindByName \ string:admin object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000" $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Cache.List array [ ] $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \ org.freedesktop.sssd.infopipe.Cache.Object.Store boolean true $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Cache.List array [ object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000" ] $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \ org.freedesktop.sssd.infopipe.Cache.Object.Remove boolean true $ dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Cache.List array [ ] Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: deprecate GetUserAttrPavel Březina2015-05-221-0/+3
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: add org.freedesktop.sssd.infopipe.Groups.GroupPavel Březina2015-05-227-0/+658
| | | | | | | | | | | | | | | | Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Groups.Group string:name method return sender=:1.159 -> dest=:1.168 reply_serial=2 variant string "group-1" dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/LDAP/30002 org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList method return sender=:1.934 -> dest=:1.937 reply_serial=2 Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: add org.freedesktop.sssd.infopipe.GroupsPavel Březina2015-05-227-0/+369
| | | | | | | | | | | | | | | | Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups org.freedesktop.sssd.infopipe.Groups.FindByName string:group-1method return sender=:1.159 -> dest=:1.166 reply_serial=2 object path "/org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001" dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups org.freedesktop.sssd.infopipe.Groups.FindByID uint32:30001 method return sender=:1.159 -> dest=:1.167 reply_serial=2 object path "/org/freedesktop/sssd/infopipe/Groups/LDAP_2ePB/30001" Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: add org.freedesktop.sssd.infopipe.Users.UserPavel Březina2015-05-2212-34/+846
| | | | | | | | | | | | Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return sender=:1.159 -> dest=:1.165 reply_serial=2 variant string "user-1" Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: add org.freedesktop.sssd.infopipe.UsersPavel Březina2015-05-227-0/+493
| | | | | | | | | | | | | | | | Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByName string:user-1 method return sender=:1.159 -> dest=:1.160 reply_serial=2 object path "/org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001" dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByID uint32:10001 method return sender=:1.159 -> dest=:1.163 reply_serial=2 object path "/org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/1000 Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: Do not ignore default vaue of SYSDB_INITGR_EXPIRELukas Slebodnik2015-05-221-3/+2
| | | | | | | | When SYSDB_INITGR_EXPIRE had default value (0) then value of SYSDB_CACHE_EXPIRE was used as initgroups expire attribute. The right apoach is already used in responder_cache_req.c Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* negcache: Soften condition for expired entriesLukas Slebodnik2015-05-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Type of timestamp for entries in negative cache is time_t which is number of *seconds* that have elapsed since 1 January 1970. The condition for ttl was to strict so entry could be valid from "ttl-1" to ttl e.g. * ttl is 1 second * entry was stored to negative cache at 1432120871.999639 stored_timestamp = 1432120871 * entry was tested few miliseconds later 1432120872.001293 current_time = 1432120872 Entry was marked as expired becuase result of condition was false stored_timestamp + ttl < current_time 1432120871 + 1 < 1432120872 This is a reason why ./test-negcache sometime fails. It's quite easily reproducible on slow machine or when valgrind was used. sh$ while libtool --mode=execute valgrind ./test-negcache ; do echo OK: done Reviewed-by: Pavel Reichl <preichl@redhat.com>
* 2FA offline authSumit Bose2015-05-081-3/+32
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Add pre-auth requestSumit Bose2015-05-081-0/+7
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* pam: handle 2FA authentication token in the responderSumit Bose2015-05-081-0/+4
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* NSS: check for overrides before calling backendSumit Bose2015-05-061-5/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the flag that the input data in a user or group lookup request might be an override value is only set if no cached entry was found. If the cached entry of an object with overrides is expired and a request with the override value as input is processed the flag is not set and the backend might not be able to find the right entry on the server. Typically this should not happen because of mid-point refreshes. To reproduce this create a FreeIPA user and override the login name for a specific view. On a client which has this view applied call getent passwd overridename sss_cache -E getent passwd overridename The second getent command will still show the right output but in the logs a [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed message can be found for the second request. Related to https://fedorahosted.org/sssd/ticket/2642 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* autofs: fix 'Cannot allocate memory' with FQDNsAron Parsons2015-04-301-9/+0
| | | | | | https://fedorahosted.org/sssd/ticket/2643 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: Use negcache for getbysid requestsJakub Hrozek2015-04-241-0/+9
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Option filter_users had no effect for retrieving sudo rulesAdam Tkac2015-04-143-0/+39
| | | | | | | | | Previously sssd_sudo always obtained sudo rules for user from LDAP even when user was enlisted in filter_users. Resolves https://fedorahosted.org/sssd/ticket/2625 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS: Reset negcache after checking domainsJakub Hrozek2015-04-091-0/+24
| | | | | | | | The NSS responder periodically re-checks subdomains. We need to reset the negative cache each time the check finishes to allow the negative cache to contain entries from different domains. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* responders: reset ncache after domains are discovered during startupJakub Hrozek2015-04-099-15/+45
| | | | | | | | | After responders start, they add a lookup operation that discovers the subdomains so that qualifying users works. After this operation is finishes, we need to reset negcache to allow users to be added into the newly discovered domains. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Add sss_ncache_reset_repopulate_permanentJakub Hrozek2015-04-092-0/+20
| | | | | | | This new function resets the negative cache and then re-adds the permanent entries. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Silence critical error from filter_users when default_domain_suffix ↵Jakub Hrozek2015-04-091-3/+15
| | | | | | | | | | | | | | | is set When default_domain_suffix is used and filter_users is set (at least root is always, by default), SSSD tried to add the negcache entry to the default domain. But since the default domain is not known after start up, adding the entries fail with a verbose error message. This patch handles EAGAIN returned from the parsing function while setting negcache entries gracefully and also makes the debug message in parsing function more precise. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ncache: Fix sss_ncache_reset_permanentJakub Hrozek2015-04-091-1/+1
| | | | | | | There was an off-by-one error in sss_ncache_reset_permanent that prevented the reset from working. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SSH: Ignore the default_domain_suffixJakub Hrozek2015-04-011-1/+1
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2609 In a trust setup, hosts are normally only stored on the IPA server. The default_domain_suffix option is only recommended for the IPA-AD trust scenario as well. Therefore we should ignore this option in the SSH provider. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jan Cholasta <jcholast@redhat.com>
* PAC: Remove unused functionLukas Slebodnik2015-03-311-35/+0
| | | | | | The last usage of function dom_sid_in_domain was removed as a part of chages in ticket "Enhance PAC responder for AD users" 92af6f25864b5c389b57d0f659686801b45ca58c
* Fix a few typos in commentsPavel Reichl2015-03-261-4/+4
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Add missing new lines to debug messagesLukas Slebodnik2015-03-179-15/+15
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* responder_cache: Fix warning may be used uninitializedLukas Slebodnik2015-03-171-1/+1
| | | | | | | | | | | | | | | There is a warning with gcc-5.0 and enabled optimization. Warning is not visible with "-O0". CC src/responder/common/responder_cache_req.o src/responder/common/responder_cache_req.c: In function ‘cache_req_next_domain’: src/responder/common/responder_cache_req.c:296:160: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized] src/responder/common/responder_cache_req.c:277:13: note: ‘ret’ was declared here errno_t ret; ^ cc1: all warnings being treated as errors Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam_initgr_check_timeout: add debug outputSumit Bose2015-03-131-0/+4
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>