summaryrefslogtreecommitdiffstats
path: root/src/responder
Commit message (Collapse)AuthorAgeFilesLines
* Change state of hash entry if netgroup cannot be parsedSumit Bose2011-03-091-0/+2
|
* Refactor set_netgroup_entry()Sumit Bose2011-03-071-4/+7
| | | | | | To avoid wrong or missing netgroup names in the getent_ctx destructor set_netgroup_entry() now takes the name out of the getent_ctx struct instead of using a separate argument.
* Add missing name to struct getent_ctx for missing netgroupSumit Bose2011-03-071-0/+6
| | | | https://fedorahosted.org/sssd/ticket/817
* Perform initgroups lookups for all domainsStephen Gallagher2011-02-211-3/+5
| | | | | | | | | | Previously, we were setting the client context PAM lookup timeout after the first domain replied. However, if the user wasn't a member of the first domain, their information wasn't being updated. This patch ensures that we only set this timeout after the user has been found or all domains were searched.
* Perform initgroups lookup for PAMStephen Gallagher2011-01-211-1/+3
| | | | | Previously we were only looking up the user, but we need to make sure that all groups are available for use by access providers.
* Use DEFAULT_PAM_VERBOSITY if config value cannot be retrievedSumit Bose2011-01-191-1/+1
|
* Add pam_pwd_expiration_warning config optionSumit Bose2011-01-191-12/+47
|
* Fix missing hash table bugStephen Gallagher2011-01-141-0/+1
| | | | | | | When the automatic cleanup happened, if the netgroup had been created with no contents (to indicate an unknown netgroup), we weren't saving the hash table address and the talloc_free() was failing.
* Validate user supplied size of data itemsSumit Bose2011-01-111-76/+75
| | | | | | Specially crafted packages might lead to an integer overflow and the parsing of the input buffer might not continue as expected. This issue was identified by Sebastian Krahmer <krahmer@suse.de>.
* Remove unused enumeration cache timeout checksSumit Bose2011-01-063-33/+2
| | | | | The existence of the getent_ctx is used to track the enumeration cache timeout.
* Post enumeration tevent request if neededSumit Bose2011-01-062-8/+43
|
* Return groups and users from all domains during enumerationSumit Bose2011-01-061-3/+5
|
* Update the ID cache for any PAM requestStephen Gallagher2010-12-224-8/+23
| | | | | | | | Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749
* Ensure ID is checked in all domains for PAMStephen Gallagher2010-12-221-0/+2
| | | | | | | Previously, this was initialized to zero, so the first domain in the list wouldn't be checked for ID updates in pam_check_user_search. This initializes the first domain to check the provider.
* Fix possible NULL-dereference in lookup_netgr_step()Sumit Bose2010-12-171-1/+1
| | | | https://fedorahosted.org/sssd/ticket/735
* Fix unchecked return value in set_nonblockingStephen Gallagher2010-12-171-10/+53
| | | | | | Also fixes the same problem with set_close_on_exec https://fedorahosted.org/sssd/ticket/713
* Fix uninitialized value error in lookup_netgr_step()Sumit Bose2010-12-151-146/+181
|
* Remove unused newauthtok variable in LOCAL_pam_handlerSumit Bose2010-12-141-3/+0
| | | | https://fedorahosted.org/sssd/ticket/716
* Eliminate possible NULL-dereference in pam_check_user_searchStephen Gallagher2010-12-141-0/+7
| | | | https://fedorahosted.org/sssd/ticket/719
* Add support for server-side pam response messagesSumit Bose2010-12-031-0/+2
|
* Add a special filter type to handle enumerationsSumit Bose2010-12-021-1/+1
|
* Introduce pam_verbosity config optionSumit Bose2010-11-151-11/+90
| | | | | | | | | | | Currently we display all PAM messages generated by sssd to the user. But only some of them are important and others are just some useful information. This patch introduces a new option to the PAM responder which controls what kind of messages are displayed. As an example the 'Authenticated with cached credentials' message is used. This message is only displayed if pam_verbosity=1 or if there is an expire date.
* Avoid long long in messages to PAM client use int64_tSumit Bose2010-11-151-7/+7
|
* Fix double free issueSumit Bose2010-10-261-2/+2
|
* Always use talloc_zero() to allocate cmdctxSumit Bose2010-10-262-3/+3
|
* Remove all nss requests after a reconnectSumit Bose2010-10-263-1/+26
| | | | | | | Currently we do not handle the open nss request after a reconnect and wait until they timeout (which is a couple of minutes!). This patch adds a handler that terminates all requests after a reconnect. Then responder will return matching cache entries or nothing.
* sysdb interface for adding fake usersJakub Hrozek2010-10-151-1/+1
|
* sysdb interface for adding incomplete groupsJakub Hrozek2010-10-151-1/+1
| | | | Useful for optimizing the initgroups operation.
* Also return member groups to the clientSumit Bose2010-10-132-55/+85
|
* Add handling of nested netgroups to nss clientSumit Bose2010-10-131-1/+4
|
* Add missing tevent_req_done()Sumit Bose2010-10-131-0/+1
|
* Add netgroup support to the NSS responderStephen Gallagher2010-10-137-2/+922
|
* Split out some helper functions for the NSS responderStephen Gallagher2010-10-132-83/+147
| | | | | Create a new private header and make some functions available for other object files.
* Add negative cache features for netgroupsStephen Gallagher2010-10-132-0/+39
|
* Require explicit setting of callback context for check_cacheStephen Gallagher2010-10-131-7/+13
| | | | | Previously, it was implicitly using the nss_dom_ctx, but there are situations where we would want to send a different private context
* Initgroups on a non-cached user should go to the data providerStephen Gallagher2010-09-221-1/+2
| | | | | | | We were accidentally returning an error when sysdb_getpwnam() returned zero results internally in sysdb_initgroups(). The correct behavior here is to return EOK and a result object with zero entries.
* Handle multiple simultaneous enumeration requestsStephen Gallagher2010-09-082-289/+717
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, if a second enumeration request arrived while one was already being processed, each process would receive only a subset of the total number of available users or groups. This is because we were maintaining the response object as a global value in the NSS responder. The second request would come in, see that the data set was already populated, and start reading from wherever the cursor was currently pointed. With this patch, we now move the cursor to the client context instead of the global NSS context. Additionally, this patch completely rewrites the approach to enumerations in the tevent_req style. This makes it much easier to follow in the code. In order to ensure that a slow or malicious client cannot hold onto a reference for the setent result object indefinitely, we set an expiration on the object. We use the enum_cache_timeout here, since that is an appropriate value. If the timeout fires during the normal operation of the get*ent() loop of a client program, we will save the current values of the read index so that we can resume as soon as the object has been refreshed by an implicit setent call. Instead of deleting the enumeration result object immediately after the last in-progress client has read it, we'll keep the object around for the lifetime of enum_cache_timeout. This way, additional clients making enumeration requests can still access the results in-memory.
* Dead assignments cleanup in NSS responderJan Zeleny2010-09-082-7/+7
| | | | | | Various dead assignments were deleted, some return value inspections were added. Ticket: #588
* Move crypto functions into its own subdirJakub Hrozek2010-09-081-1/+1
| | | | | | A refactoring patch that creates a common util/crypto subdir with per-implementation subdirectories for each underlying crypto library supported by SSSD.
* Honor filter_users in PAMStephen Gallagher2010-06-173-10/+47
|
* Move setup of filter_users and filter_groups to negcache.cStephen Gallagher2010-06-173-187/+220
| | | | | Creates a new function - sss_ncache_prepopulate() - that can be shared with other responders, such as PAM.
* Refactor the negative cacheStephen Gallagher2010-06-175-57/+57
| | | | | Rename functions from nss_ncache_* to sss_ncache_* Move negative cache to responder/common and rename as negcache.c/h
* Ensure that all domains are checked for users/groupsStephen Gallagher2010-06-171-3/+15
| | | | | | | There was a bug in the negative cache checks (probably a leftover from when filter_users was global-only) that meant that if a user was filtered out of a domain, the remaining domains would not be checked for that user. (Same for groups/initgroups)
* Properly null-terminate socket pathStephen Gallagher2010-06-141-2/+4
| | | | https://fedorahosted.org/sssd/ticket/540
* Check the correct variable for NULL after creating timerStephen Gallagher2010-06-101-1/+1
| | | | | | | | | In several places, we were creating a new timer and assigning it to the tev variable, but then we were checking for NULL from the te variable (which, incidentally, is guaranteed never to be NULL in this situation) https://fedorahosted.org/sssd/ticket/523
* Remove dead code from the PAM responderJakub Hrozek2010-06-062-13/+0
|
* Add support for delayed kinit if offlineSumit Bose2010-05-261-1/+1
| | | | | | | If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
* Use SO_PEERCRED on the PAM socketSumit Bose2010-04-162-1/+55
| | | | | | | | | | | | | | | | | This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server the protocol version number is not changed. On the client side the connection is terminated it the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use. The following additional changes are made by this patch: - the checks of the ownership and the permissions on the PAM sockets are enhanced - internal error codes are introduced on the client side to generate more specific log messages if an error occurs
* Revert "Add better checks on PAM socket"Sumit Bose2010-04-162-140/+1
| | | | This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.
* sysydb: Finally stop using a common event contextSimo Sorce2010-04-121-1/+1
| | | | This commit completes the migration to a synchronous sysdb