summaryrefslogtreecommitdiffstats
path: root/src/responder
Commit message (Collapse)AuthorAgeFilesLines
* Revert "NSS: add support for subdomain_homedir"Pavel Reichl2014-02-111-8/+0
| | | | | | This reverts commit 1dc7694a1cbc62b0d7e23cc1369579e5ce0071e8. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: add support for subdomain_homedirPavel Reichl2014-01-151-0/+8
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2169
* NSS: Use plain user name when expanding homedirJakub Hrozek2014-01-151-1/+12
|
* Use lower-case name for case-insensitive searchesSumit Bose2013-12-191-2/+2
| | | | | | | | | | | | The patch makes sure that a completely lower-cased version of a fully qualified name is used for case insensitive searches. Currently there are code paths where the domain name was used as configured and was not lower-cased. To make sure this patch does not break with old entries in the cache or case sensitive domains a third template was added to the related filters templates which is either filled with a completely lower-cased version or with the old version. The other two template values are unchanged.
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-191-2/+2
|
* NSS: Fix memory leak in sss_setnetgrentLukas Slebodnik2013-12-101-1/+1
| | | | | | | | | | | struct nss_cmd_ctx was not released in function nss_cmd_setnetgrent_done and it wasn't used in the other function, because getnetgrent creates its own nss_cmd_ctx context. struct nss_cmd_ctx was released after closing client because it was allocated under client context. Memory leak is apparent with long living clients. Resolves: https://fedorahosted.org/sssd/ticket/2170
* pac: fix potential memory leaksPavel Březina2013-11-261-5/+5
|
* pac: fix double freePavel Březina2013-11-261-8/+6
|
* do not use default_domain_suffix with autofsAron Parsons2013-11-181-1/+1
|
* NSS: Set packet length for initgroupsLukas Slebodnik2013-11-071-0/+7
| | | | | | | | | | Some groups could be skipped, but packet length was not trimmed. This is a reason why valgrind reported access to uninitialised bytes. Actually, it isn't a problem, because the first uint32 in body is number of sended gids. Resolves: https://fedorahosted.org/sssd/ticket/2138
* free idmapped binary SIDs correctlyPavel Březina2013-11-071-1/+1
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* free idmapped SIDs correctlyPavel Březina2013-11-072-2/+4
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2133
* NSS: Fix parenthesisJakub Hrozek2013-10-301-1/+1
|
* NSS: Fix service enumerationJakub Hrozek2013-10-291-1/+5
| | | | | | | The code wrote into the middle of the packet to a space that was already reserved and allocated but then still advanced the pointer to the buffer. https://fedorahosted.org/sssd/ticket/2124
* NSS: Print FQDN for groups with mixed domain membershipJakub Hrozek2013-10-291-9/+64
| | | | | | | | | | | | | | | | | This patch is a workaround until https://fedorahosted.org/sssd/ticket/2129 is fixed properly. Consider a group entry such as: cn: subgroup@subdom ghost: someuser ghost: anotheruser@subdom Currently in order to print all group members as FQDN (which is the default for AD provider), the code needs to iterate over the ghost attributes and parse them into (name,domain) and optionally re-add the domain. The proper fix would be to store always just the FQDN in the hardcoded form of user@domain
* nss: wait for initial subdomains request to finishPavel Březina2013-10-171-0/+14
| | | | | | | | | | | | AD provider downloads domain information and initalizes ID mapping during subdomains request. This information is necessary to lookup objects without POSIX attributes. We need to make sure that we postpone all responder requests until ID mapping is initialized in the provider. Resolves: https://fedorahosted.org/sssd/ticket/2092
* sudo: improve time restrictions debug messagesPavel Březina2013-10-011-0/+7
|
* NSS: Failure to store entry negative cache should not be fatalJakub Hrozek2013-09-251-18/+31
| | | | | The only effect the failure to store a result to negative cache might have would be a slower lookup next time.
* NSS: Set UID and GID to negative cache after searching all domainsJakub Hrozek2013-09-251-66/+105
| | | | | | | https://fedorahosted.org/sssd/ticket/2090 Previously, when searching by UID or GID, the negative cache will only work in case the UID was searched for using fully qualified names.
* Check slot validity before MC_SLOT_TO_PTR.Michal Zidek2013-09-231-15/+75
| | | | | resolves: https://fedorahosted.org/sssd/ticket/2049
* util: add sss_idmap_talloc[_free]Pavel Březina2013-09-172-22/+4
| | | | Remove code duplication.
* Fix formating of variables with type: gid_tLukas Slebodnik2013-09-111-2/+2
|
* Fix formating of variables with type: uid_tLukas Slebodnik2013-09-111-2/+2
|
* Fix formating of variables with type defined in stdint.hLukas Slebodnik2013-09-111-6/+7
|
* Fix formating of variables with type: rlim_tLukas Slebodnik2013-09-111-5/+5
|
* Fix formating of variables with type: size_tLukas Slebodnik2013-09-112-2/+2
|
* Fix formating of variables with type: unsigned longLukas Slebodnik2013-09-111-1/+1
|
* mmap_cache: Do not remove record from chain twiceLukas Slebodnik2013-09-091-0/+6
| | | | | | | | | | | It is not very likely, that record will have the same hash1 and hash2, but it is possible. In this situation, it does not make sense to remove record twice. Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash in this situation. It was only possible if record was alone in chain. Resolves: https://fedorahosted.org/sssd/ticket/2049
* Include sys/types.h for types id_t and uid_tLukas Slebodnik2013-09-031-0/+1
|
* DP: Use the correct type for DBus booleanJakub Hrozek2013-08-281-2/+5
| | | | https://fedorahosted.org/sssd/ticket/2057
* NSS: Descend into subdomains if enumerate=trueJakub Hrozek2013-08-281-12/+12
| | | | | | Since we now store the enumerate flag in sysdb for subdomains, we can always descend to all available subdomains and if they do not allow enumeration, simply skip them.
* mmap_cache: Use stricter check for hash keys.Lukas Slebodnik2013-08-281-4/+6
| | | | ht_size is size of hash_table in bytes, but hash keys have type uint32_t
* mmap_cache: Skip records which doesn't have same hashLukas Slebodnik2013-08-281-2/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The code uses 2 hashes for each record, but only one hash table to index them both, furthermore each record has only one single 'next' pointer. This means that in certain conditions a record main end up being on a hash chain even though its hashes do not match the hash chain. This can happen when another record 'drags' it in from another hash chain where they both belong. If the record without matching hashes happens to be the second of the chain and the first record is removed, then the non matching record is left on the wrong chain. On removal of the non-matching record the hash chain will not be updated and the hash chain will end up pointing to an invalid slot. This slot may be later reused for another record and may not be the first slot of this new record. In this case the hash chain will point to arbitrary data and may cause issues if the slot is interpreted as the head of a record. By skipping any block that has no matching hashes upon removing the first record in a chain we insure that dangling references cannot be left in the hash table Resolves: https://fedorahosted.org/sssd/ticket/2049
* sss_packet_grow: correctly pad packet length to 512BPavel Březina2013-08-281-1/+1
| | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2059 If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number, we can end up with totlen < len and return EINVAL. It also does not pad the length, but usually allocates much more memory than is desired. len = 1024 n = 1024 % 512 + 1 = 0 + 1 = 1 totlen = 1 * 512 = 512 => totlen < len len = 511 n = 511 % 512 + 1 = 511 + 1 totlen = 512 * 512 = 262144 totlen is way bigger than it was supposed to be
* PAC: Skip SIDs that cannot be resolved to domainJakub Hrozek2013-08-261-2/+4
|
* PAC: use SID instead of GID to search for groupsSumit Bose2013-08-261-48/+41
| | | | | | | With the support of POSIX IDs managed on the AD side we may find non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in the PAC. Since in this case all cached groups have a SDI attribute it is more reliable to search the groups by SID instead of GID.
* PAC: do not fail if a single group cannot be added/removedSumit Bose2013-08-261-18/+31
| | | | | When processing a list of groups we try to process as much as possible only not stop on the first error.
* PAC: read user DN instead of constructing itSumit Bose2013-08-261-5/+17
| | | | | | To avoid issues with case-sensitivity it is more reliable to search the user entry in the cache and use the returned DN instead of constructing it.
* PAC: handle non-POSIX groups in cacheSumit Bose2013-08-262-11/+9
| | | | | Since the DN of the group is used to remove a membership it is not necessary to check if the GID is valid.
* PAC: do not create users with missing GIDSumit Bose2013-08-261-0/+14
| | | | | If the user entry does not exist in the cache and a primary GID cannot be found it does not make sense to create a user entry.
* PAC: if user entry already exists keep itSumit Bose2013-08-263-86/+10
| | | | | | | | | | | | | | | | | Currently the PAC responder deletes a user entry and recreates it if some attributes seems to be different. Two of the attributes where the home directory and the shell of the user. Those two attributes are not available from the PAC but where generates by the PAC responder. The corresponding ID provider might have better means to determine those attributes, e.g. read them from LDAP, so we shouldn't change them here. The third attribute is the user name. Since the PAC responder does lookups only based on the UID we can wait until the ID provider updates the entry. Fixes https://fedorahosted.org/sssd/ticket/1996
* pam: Bad debug message format and parameter.Michal Zidek2013-08-221-1/+2
|
* mmap_cache: Use sss_atomic_write_s instead of write.Michal Zidek2013-08-221-2/+11
| | | | | | | | Use sss_atomic_write_s() instead of write() in sss_mc_save_corrupted(). Also unlink() the file if no data were written. It is better to use sss_atomic_write_s instead of write
* mmap_cache: Store corrupted mmap cache before resetMichal Zidek2013-08-191-0/+66
| | | | | This patch adds function to store corrupted mmap cache file to disk for further analysis.
* mmap_cache: Use better checks for corrupted mc in responderMichal Zidek2013-08-191-3/+53
| | | | | We introduced new way to check integrity of memcache in the client code. We should use similiar checks in the responder.
* mmap_cache: Off by one error.Michal Zidek2013-08-191-6/+6
| | | | | Removes off by one error when using macro MC_SIZE_TO_SLOTS and adds new macro MC_SLOT_WITHIN_BOUNDS.
* fill_initgr: add original primary GID if availableSumit Bose2013-08-191-0/+27
| | | | | | | | | | | | | In some cases when MPG domains are used the information about the original primary group of a user cannot be determined by looking at the explicit group memberships. In those cases the GID related to the original primary group is stored in a special attribute of the user object. This patch adds the GID of the original primary group when available and needed. Fixes https://fedorahosted.org/sssd/ticket/2027
* mmap_cache: Check if slot and name_ptr are not invalid.Michal Zidek2013-08-112-2/+54
| | | | | | | This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not proper solution, just hotfix until we find out what is the root cause of ticket https://fedorahosted.org/sssd/ticket/2018
* PAM: Set negcache if user is not found after provider checkJakub Hrozek2013-08-081-0/+10
|
* PAM: Check negcache when searching for fully qualified users, tooJakub Hrozek2013-08-081-0/+8
|
generated by cgit (git 2.34.1) at 2024-05-04 04:48:38 +0000