sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	SSH: Simplify public key formatting function	Jan Cholasta	2012-09-04	1	-4/+2
\|
*	SSH: Return error code in SSH utility functions	Jan Cholasta	2012-09-04	1	-6/+7
\|
*	Check if the SELinux login directory exists	Jakub Hrozek	2012-09-04	1	-3/+3
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1492
*	accept_fd_handler: add missing return	Sumit Bose	2012-08-21	1	-0/+1
\|
*	Only create the SELinux login file if there are mappings on the server	Jakub Hrozek	2012-08-16	1	-45/+77
\| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1455 In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers. The IPA default must be only used if there are rules on the server, but none matches.
*	Do not try to remove the temp login file if already renamed	Jakub Hrozek	2012-08-16	1	-2/+3
\| \| \| \| \| \| \| \| \|	write_selinux_string() would try to unlink the temporary file even after it was renamed. Failure to unlink the file would not be fatal, but would produce a confusing error message. Also don't use "0" for the default fd number, that's reserved for stdin. Using -1 is safer.
*	Build SELinux code in responder conditionally	Jakub Hrozek	2012-08-16	1	-0/+7
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1480
*	Fix LOCAL domain lookups	Pavel Březina	2012-08-15	1	-19/+22
\| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1436 Now subdomains are not evaluated for local domains.
*	Remove SYSDB_SUDO_CACHE_OC from attribute lists	Pavel Březina	2012-08-07	1	-1/+0
\| \| \| \|	It is not an attribute.
*	Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC	Pavel Březina	2012-08-07	1	-1/+1
\| \| \| \| \|	It does not contain name of the object class attribute but the value itself. I renamed it to avoid confusion.
*	Change subdomain_info	Simo Sorce	2012-08-01	1	-1/+1
\| \| \| \| \|	Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.
*	Fix bad check	Jakub Hrozek	2012-08-01	1	-1/+1
\|
*	Write SELinux config files in responder instead of PAM module	Jan Zeleny	2012-07-27	1	-5/+95
\|
*	Move SELinux processing from session to account PAM stack	Jan Zeleny	2012-07-27	1	-1/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
*	NSS: Add override_shell option	Stephen Gallagher	2012-07-20	3	-2/+18
\| \| \| \| \| \| \| \| \|	If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any). https://fedorahosted.org/sssd/ticket/1087
*	PAM: Fix off-by-one-error in the SELinux session code	Jakub Hrozek	2012-07-18	1	-1/+1
\|
*	Fix uninitialized values	Nick Guay	2012-07-18	3	-5/+5
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1379
*	Add newline to DEBUG messages	Jakub Hrozek	2012-07-12	1	-2/+2
\|
*	Fix segfault when using local provider	Stephen Gallagher	2012-07-10	1	-6/+5
\| \| \| \| \| \| \| \| \|	The name context was not being initialized for local provider domains because it was handled after skipping over the back-end initialization routine. This patch moves the name context init routine to occur earlier. https://fedorahosted.org/sssd/ticket/1412
*	pac responder: limit access by checking UIDs	Sumit Bose	2012-07-10	3	-4/+161
\| \| \| \| \| \| \| \| \| \| \| \|	A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382
*	Fix potential NULL-dereference	Stephen Gallagher	2012-07-09	1	-1/+2
\| \| \| \|	Coverity #12800
*	Fix potential NULL-dereference	Stephen Gallagher	2012-07-09	1	-1/+3
\| \| \| \|	Coverity #12801
*	Set file descriptor limits in pac responder	Sumit Bose	2012-07-06	1	-0/+15
\|
*	sudo responder: schedule OOB full refresh when expired rule is deleted	Pavel Březina	2012-06-29	2	-4/+40
\|
*	sudo responder: refresh expired rules	Pavel Březina	2012-06-29	1	-31/+106
\|
*	sudo responder: update dp interface	Pavel Březina	2012-06-29	3	-34/+72
\|
*	sudo responder: allow fetching only expired rules in ↵	Pavel Březina	2012-06-29	1	-25/+22
\| \| \| \|	sudosrv_get_sudorules_query_cache()
*	sudo sysdb: add expiration time to the filter	Pavel Březina	2012-06-29	1	-1/+1
\|
*	sudo responder: new request enum type	Pavel Březina	2012-06-29	3	-13/+19
\| \| \| \| \| \| \| \| \|	sss_sudo_type represents query type that comes to the responder sss_dp_sudo_type represents query type to DP that is issued by the responder I'm leaving current values of sss_dp_sudo_type untouched so the compilation is not broken. Hovewer, they will be changed to new DP types once the DP interface is updated.
*	sudo responder: discard in-memory cache	Pavel Březina	2012-06-29	3	-375/+0
\|
*	sudo responder: change protocol version to 1	Pavel Březina	2012-06-29	1	-0/+9
\|
*	sudo api: send uid, username and domainname	Pavel Březina	2012-06-29	4	-109/+102
\| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1239 Test client was changed accordingly. The new usage is: sss_sudo_cli username [uid] If uid is not set, getpwnam(username) is called. It will retrieve both default options and rules.
*	sudo responder: get rid of dctx where possible	Pavel Březina	2012-06-29	3	-93/+102
\|
*	sudo responder: remove code duplication in commands	Pavel Březina	2012-06-29	4	-277/+283
\|
*	SELinux user maps: pick just one map	Jan Zeleny	2012-06-25	1	-12/+11
\| \| \| \| \| \| \| \| \|	This patch modifies behavior of SSSD when putting together content of the file for pam_selinux. SSSD will now pick only the first user map in the priority list which matches to the user logging in. Other maps are ignored. https://fedorahosted.org/sssd/ticket/1360
*	Fix re_expression matching with subdomains	Jan Zeleny	2012-06-21	3	-70/+154
\| \| \| \| \| \| \| \| \| \| \|	This patch fixes an issue which resulted in a need to initialize responder with data from local domain, otherwise it would not correctly detect requests for subdomains. Similar situation can occur if new subdomain is added at runtime. The solution is to ask for a list of subdomains in case there is a candidate domain identified in the process of matching re_expressions with given name.
*	Add range support to PAC responder	Sumit Bose	2012-06-21	3	-45/+140
\|
*	PAC responder: add the core functionality	Sumit Bose	2012-06-21	2	-2/+471
\| \| \| \| \| \| \|	This adds support for parsing PAC and storing information contained within. In particular the user and all his memberships are stored. In case it is necessary, getgrgid() requests are sent to provider for group resolution.
*	PAC responder: add some utility functions	Jan Zeleny	2012-06-21	2	-0/+549
\|
*	PAC responder: add basic infrastructure	Sumit Bose	2012-06-21	3	-0/+340
\| \| \| \| \|	This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.
*	Move some debug lines to new debug log levels	Stef Walter	2012-06-20	2	-2/+2
\| \| \| \| \| \| \|	* These are common lines of debug output when starting up sssd https://bugzilla.redhat.com/show_bug.cgi?id=811113
*	Make the client idle timeout configurable	Stephen Gallagher	2012-06-18	2	-4/+19
\|
*	Add support for terminating idle connections	Shantanu Goel	2012-06-18	2	-2/+67
\|
*	Log message if close() fails in destructor.	Shantanu Goel	2012-06-18	1	-1/+12
\|
*	Make re_expression and full_name_format per domain options	Stef Walter	2012-06-12	13	-55/+57
\| \| \| \| \| \| \| \| \| \| \|	* Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663
*	Allow fast memcache timeout to be configurable	Jan Zeleny	2012-06-10	3	-5/+15
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1318
*	PAM: Better pam_reply message	Stephen Gallagher	2012-06-10	1	-1/+2
\|
*	Ghost members - various small changes	Jan Zeleny	2012-05-31	1	-1/+1
\|
*	Ghost members - NSS responder changes	Jan Zeleny	2012-05-31	1	-89/+147
\| \| \| \| \| \| \| \| \|	Since there are two attributes storing information about user memberships of the group we have to include both of them in results. This will apply only for objects that have ghost members (i.e. they contain the SYSDB_GHOST attribute). If an object has this attribute, values of this attribute are not projected to the memberuid attribute.
*	NSS: Restore original protocol for getservbyport	Stephen Gallagher	2012-05-25	1	-1/+1
\| \| \| \|	When fixing an endianness bug, we changed the protocol unnecessarily.