| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
The pam responder was not properly configured to recover from a backend
disconnect. The connections that were in flight before the disconnection
were never freed and new requests for the same user would just pile up on
top of the now phantom requests.
Fixes: https://fedorahosted.org/sssd/ticket/1655
|
|
|
|
|
|
|
|
|
|
| |
This code will now attempt first to see if it has privilege to set
the value as specified, and if not it will fall back to the
previous behavior. So on systems with the CAP_SYS_RESOURCE
capability granted to SSSD, it will be able to ignore the
limits.conf hard limit.
https://fedorahosted.org/sssd/ticket/1197
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Converge accept_fd_handler and accept_priv_fd_handler
These two functions were almost identical. Better to maintain them
as a single function.
Set return errno to the value prior to calling close().
Log message if close() fails in destructor.
Do not send SIGPIPE on disconnection
Note we set MSG_NOSIGNAL to avoid
having to fiddle with signal masks
but also do not want to die in case
SIGPIPE gets raised and the application
does not handle it.
Add support for terminating idle connections
Conflicts:
src/responder/common/responder.h
src/responder/common/responder_common.c
|
|
|
|
|
|
|
| |
This patch will increase the file descriptor limit to 8k or the
limits.conf maximum, whichever is lesser.
https://fedorahosted.org/sssd/ticket/1197
|
|
|
|
| |
Glib fails if the NULL-terminator is included when a length is specified.
|
|
|
|
|
| |
Glib fails if the NULL-terminator is included when a length is
specified.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
There are several places (all error-handling) where sss_cmd_done()
is called with no response packet created. As a short-term
solution, we need to check whether the packet is NULL and simply
return EINVAL. client_send() (the consumer) will then forcibly
disconnect the client (which will return PAM_SYSTEM_ERR to the
client).
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1013
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add sysdb interface to get name aliases
Add a sysdb_get_direct_parents function
Store name aliases for users, groups
Return users and groups based on alias
https://fedorahosted.org/sssd/ticket/926
Fix typo in sysdb_get_direct_parents
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Prevent segfault if vetoed_shells are specified without allowed_shells
https://fedorahosted.org/sssd/ticket/954
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/928
|
|
|
|
|
|
|
|
| |
Added sysdb_attrs_get_bool() function
Non-posix group processing - sysdb changes
Non-posix group processing - ldap provider and nss responder
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new option to override primary GID number
https://fedorahosted.org/sssd/ticket/742
Add a new option to override home directory value
https://fedorahosted.org/sssd/ticket/551
Add new options to override shell value
https://fedorahosted.org/sssd/ticket/742
Conflicts:
src/conf_macros.m4
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Do not throw a DP error when failing to delete a nonexistent entity
Add debug logging to the negative cache
Fix a regression with the negative cache in multi-domain configurations
Fix regression where nonexistent entries were never added to the negative cache
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/817
Refactor set_netgroup_entry()
To avoid wrong or missing netgroup names in the getent_ctx destructor
set_netgroup_entry() now takes the name out of the getent_ctx struct
instead of using a separate argument.
|
|
|
|
|
|
|
|
|
|
| |
Previously, we were setting the client context PAM lookup timeout
after the first domain replied. However, if the user wasn't a
member of the first domain, their information wasn't being
updated.
This patch ensures that we only set this timeout after the user
has been found or all domains were searched.
|
|
|
|
|
| |
Previously we were only looking up the user, but we need to make
sure that all groups are available for use by access providers.
|
| |
|
| |
|
|
|
|
|
|
|
| |
When the automatic cleanup happened, if the netgroup had been
created with no contents (to indicate an unknown netgroup), we
weren't saving the hash table address and the talloc_free() was
failing.
|
|
|
|
|
|
| |
Specially crafted packages might lead to an integer overflow and the
parsing of the input buffer might not continue as expected. This issue
was identified by Sebastian Krahmer <krahmer@suse.de>.
|
|
|
|
|
| |
The existence of the getent_ctx is used to track the enumeration cache
timeout.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
|
|
|
|
|
|
|
| |
Previously, this was initialized to zero, so the first domain in
the list wouldn't be checked for ID updates in
pam_check_user_search. This initializes the first domain to check
the provider.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/735
|
|
|
|
|
|
| |
Also fixes the same problem with set_close_on_exec
https://fedorahosted.org/sssd/ticket/713
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/716
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/719
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Currently we do not handle the open nss request after a reconnect and
wait until they timeout (which is a couple of minutes!). This patch adds
a handler that terminates all requests after a reconnect. Then responder
will return matching cache entries or nothing.
|
| |
|
|
|
|
| |
Useful for optimizing the initgroups operation.
|
| |
|
| |
|
| |
|