sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	nss: add SSS_NSS_GETORIGBYNAME request	Sumit Bose	2014-10-14	1	-0/+7
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This patch adds a new request to the nss responder which follows the same flow as a SSS_NSSGETSIDBYNAME request but returns more data than just the SID. The data is returned as pairs of \0-terminated strings where the first string is the sysdb attribute name and the second the corresponding value. The main use case is on the FreeIPA server to make additional user and group data available to the extdom plugin which then send this data to SSSD running on FreeIPA clients. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
*	PAM: Add domains= option to pam_sss	Daniel Gollub	2014-09-29	1	-0/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	Design document: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Fixes: https://fedorahosted.org/sssd/ticket/1021 Signed-off-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
*	Doxygen: replace <pre> with markdown table	Sumit Bose	2014-09-02	1	-18/+10
\| \| \| \|	Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
*	KRB5: Do not attempt to get a TGT after a password change using OTP	Jakub Hrozek	2014-03-26	1	-0/+3
\| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2271 The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished. Instead, we only print a PAM information instructing the user to log out and back in manually. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
*	Rename SAFEALIGN macros.	Michal Zidek	2013-05-14	1	-34/+2
\| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1772 SAFEALIGN macros have been renamed in this patch to make it easy to pick the right macro when data is copied from byte buffer to a variable or vice versa. The renamed macros are placed in new header file to avoid code duplication (the old ones were defined in two files, one for the client code and one for the rest of sssd).
*	Add client library for SID related lookups	Sumit Bose	2013-05-03	1	-0/+20
\| \| \| \| \| \| \| \| \| \| \| \|	This patch add a library for client side lookups for a SID or with a SID through the calls: - sss_nss_getsidbyname - sss_nss_getsidbyid - sss_nss_getnamebysid - sss_nss_getidbysid The library is called libsss_nss_idmap and the contributed spec file will create two new packages libsss_nss_idmap and libsss_nss_idmap-devel.
*	Add support for krb5 1.11's responder callback.	Nathaniel McCallum	2013-03-08	1	-0/+3
\| \| \| \| \| \| \| \| \| \| \|	krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
*	PAM: fix handling the client fd in pam destructor	Jakub Hrozek	2012-10-12	1	-4/+4
\| \| \| \| \|	* Protect the fd with a mutex when closing * Set it to a safe value after closing
*	PAM: close socket fd with pam_set_data	Jakub Hrozek	2012-10-11	1	-0/+2
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1569
*	Write SELinux config files in responder instead of PAM module	Jan Zeleny	2012-07-27	1	-4/+0
\|
*	sudo responder: change protocol version to 1	Pavel Březina	2012-06-29	1	-1/+1
\|
*	PAC client: add basic support in common client code	Sumit Bose	2012-06-21	1	-0/+5
\|
*	PAC responder: add the core functionality	Sumit Bose	2012-06-21	1	-0/+4
\| \| \| \| \| \| \|	This adds support for parsing PAC and storing information contained within. In particular the user and all his memberships are stored. In case it is necessary, getgrgid() requests are sent to provider for group resolution.
*	SSH: Common client code	Jan Cholasta	2012-02-07	1	-0/+6
\|
*	SSH: Responder	Jan Cholasta	2012-02-07	1	-0/+4
\|
*	SELinux support in PAM responder	Jan Zeleny	2012-02-06	1	-0/+4
\|
*	AUTOFS: a client library	Jakub Hrozek	2012-02-05	1	-0/+12
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This is the library the autofs client is using. automounter dlopen()s the library so there is no header file, no pkgconfig file and the library is in the libsss_autofs package, not in -devel. The library provides the following interface: * _sss_setautomntent() - select the map for processing * _sss_getautomntent_r() - iterates through key/value pairs in the selected map. The key is usually the mount point, the value is mount information (server:/export) * _sss_getautomntbyname_r() - returns value for a specific key. * _sss_endautomntent() deselect a map, clean up
*	Fix sudo compilation on RHEL5	Jakub Hrozek	2012-01-30	1	-0/+1
\|
*	SUDO Integration - responder command for cn=defaults	Pavel Březina	2012-01-27	1	-0/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1143
*	NSS: Add client support for services (non-enumeration)	Stephen Gallagher	2012-01-27	1	-0/+22
\|
*	NSS: Add sss_readrep_copy_string	Stephen Gallagher	2012-01-18	1	-0/+12
\| \| \| \| \| \| \|	There were many places in the client code where we were duplicating a loop to copy data in from the response buffer. This patch turns those loops into a function for easier maintenance and easier-to-read *readrep() routines.
*	NSS: Validate input string lengths	Stephen Gallagher	2012-01-14	1	-0/+7
\| \| \| \| \| \| \|	Also fixes a return value bug where we were returning errno error codes instead of nss_status codes. Fixes https://fedorahosted.org/sssd/ticket/1135
*	SUDO Integration - responder	Pavel Březina	2011-12-16	1	-0/+3
\|
*	SUDO integration - client common interface	Pavel Březina	2011-12-16	1	-0/+6
\|
*	sss_cli.h - fix: function declaration after the header guard	Pavel Březina	2011-11-28	1	-2/+2
\|
*	Include string.h in sss_cli.h	Sumit Bose	2011-05-23	1	-0/+1
\| \| \| \|	Since memcpy() is used in sss_cli.h it should be declared here, too.
*	Use neutral name for functions used by both pam and nss	Simo Sorce	2011-02-11	1	-0/+1
\|
*	Add a renew task to krb5_child	Sumit Bose	2010-12-03	1	-1/+7
\|
*	sss_client: make code thread-safe	Simo Sorce	2010-11-22	1	-0/+5
\| \| \| \| \| \| \| \| \| \|	Add mutexes around nss operations and serialize them. This is necessary because nss operations may have global state. For pam it is sufficient to protect socket operations instead. As pam functions use only the provided pam handler. Fixes: https://fedorahosted.org/sssd/ticket/640
*	Avoid long long in messages to PAM client use int64_t	Sumit Bose	2010-11-15	1	-3/+3
\|
*	Add handling of nested netgroups to nss client	Sumit Bose	2010-10-13	1	-0/+5
\|
*	Add support for netgroups to NSS sss_client	Stephen Gallagher	2010-10-13	1	-2/+2
\|
*	Add utility function sss_strnlen()	Stephen Gallagher	2010-10-13	1	-0/+5
\| \| \| \|	This is useful for guaranteeing the size of an input buffer.
*	Handle Krb5 password expiration warning	Sumit Bose	2010-05-26	1	-1/+5
\|
*	Use SO_PEERCRED on the PAM socket	Sumit Bose	2010-04-16	1	-0/+11
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server the protocol version number is not changed. On the client side the connection is terminated it the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use. The following additional changes are made by this patch: - the checks of the ownership and the permissions on the PAM sockets are enhanced - internal error codes are introduced on the client side to generate more specific log messages if an error occurs
*	Improvements for LDAP Password Policy support	Ralf Haferkamp	2010-03-22	1	-7/+16
\| \| \| \| \| \| \| \|	Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.
*	Fixed alignment problems in nss client/server	George McCollister	2010-03-08	1	-0/+14
\| \| \| \| \| \| \| \|	I fixed a handful of alignment problems in sss_client and nss responder. Enumerating group and passwd with getgrent and getpwent now works correctly on ARM. Signed-off-by: George McCollister <georgem@novatech-llc.com>
*	Handle expired passwords like other PAM modules	Sumit Bose	2010-02-23	1	-1/+20
\| \| \| \| \| \| \| \| \| \| \| \| \|	So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.
*	Add documentation for PAM response messages	Sumit Bose	2010-02-19	1	-19/+200
\|
*	Fix licensing issues for sss_client	Stephen Gallagher	2010-02-18	1	-8/+22
\|
*	Rename server/ directory to src/	Stephen Gallagher	2010-02-18	1	-0/+220
	Also update BUILD.txt