| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1652
It is possible to simply reset the list of ghost users to a different one
during a modify operation. It is also actually how we update entries that
are expired in the SSSD cache.
In this case, we must be careful and retain the ghost users that are not
native to the group we are processing but are rather inherited from child
groups. The intention of the replace operation after all is to set the
list of direct members of that group, not direct and indirect.
|
| |
|
|
|
|
|
| |
Similar to the add and delete operation, we also need to propagate the
changes of the ghost user attribute to the parent groups so that if a
nested group updates memberships, its parents also get the membership
updated.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1668
The memberof plugin did only expand the ghost users attribute to
parents when adding a nested group, but didn't implement the reverse
operation.
This bug resulted in users being reported as group members even
after the direct parent went away as the expanded ghost attributes were
never removed from the parent entry.
When a ghost entry is removed from a group, all its parent groups are
expired from the cache by setting the expire timestamp to 1. Doing so
would force the SSSD to re-read the group next time it is requested in
order to make sure its members are really up-to-date.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a nested group with ghost users is added, its ghost attribute should
propagate within the nested group structure much like the memberuid
attribute. Unlike the memberuid attribute, the ghost attribute is only
semi-managed by the memberof plugin and added manually to the original
entry.
This bug caused LDB errors saying that attribute or value already exists
when a group with a ghost user was added to the hierarchy as groups were
updated with an attribute they already had.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
| |
|
|
|
| |
In case of a short UPN compare_principal_realm() erroneously returns an
error.
|
| |
|
|
|
|
|
|
| |
string_in_list() and add_string_to_list() are two utilities for NULL
terminated strings arrays. add_string_to_list() adds a new string to an
existing list or creates a new one with the strings as only item if
there is not list. string_in_list() checks if a given string is in the
list. It can be used case sensitive or in-sensitive.
|
| |
|
|
|
|
|
|
| |
This patch adds a new call which compares a list of current GIDs with a
list of new GIDs and return a list of GIDs which are currently missing
and must be added and another list of GIDs which are not used anymore
and must be deleted. The method is the same as used by
diff_string_lists().
|
| | |
|
| |
|
|
|
|
| |
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
|
| | |
|
| |
|
|
|
| |
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
| |
|
|
|
|
| |
This patch switches from using just key in the RDN to using both key and
value. That is neccessary to allow multiple direct mounts in a single
map.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1506
Changes how the new autofs entry objects are handled. Instead of
creating the entry on the cn=autofs,cn=custom level, the entry is
created below the map it belongs to.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1472
|
| |
|
|
|
|
|
|
|
| |
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allows us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often.
|
| |
|
|
| |
This will be used later for setting domain_realm mappings in krb5.conf
|
| |
|
|
|
| |
Declaring a bunch of structures as const and then wrapping all uses in
discard_const_p() is a bit silly. Remove all these useless decorations.
|
| |
|
|
|
| |
Rename the structure to use a standard name prefix so it is properly
name-spaced, in preparation for changing the structure itself.
|
| | |
|
| |
|
|
|
|
|
|
| |
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1411
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
|
| |
|
|
| |
Coverity #12782
|
| |
|
|
| |
Coverity #12783
|
| |
|
|
| |
Coverity #12786
|
| |
|
|
| |
Coverity #12798
|
| | |
|
| |
|
|
|
|
| |
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implemented working versions of the following functions for libcrypto:
sss_base64_encode
sss_base64_decode
sss_hmac_sha1
sss_password_encrypt
sss_password_decrypt
test_encrypt_decrypt now expects EOK from libcrypto.
test_hmac_sha1 now expects EOK from libcrypto.
Added test_base64_encode to test base64 encoding implementation.
Added test_base64_decode to test base64 decoding implementation.
Signed-off-by: George McCollister <George.McCollister@gmail.com>
|
| | |
|
| |
|
|
|
|
| |
We can't support the DIR cache features in systems with kerberos
libraries older than 1.10. Make sure we don't build it on those
systems.
|
| |
|
|
|
| |
Passing Kerberos context to sss_krb5_get_error_message will allow us to
get better error messages.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/974
|
| |
|
|
|
|
| |
To be able to add support for new credential cache types easily, this
patch creates a new structure sss_krb5_cc_be that defines common
operations with a credential cache, such as create, check if used or remove.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1127
|
| |
|
|
| |
A test to cover this is added as well.
|
| |
|
|
|
|
|
|
| |
The samba ndr libraries use struct dom_sid to handle SIDs. Since there
is no public samba library which offers conversion from other
representations, e.g. as string, this is added to libsss_idmap.
To avoid compile-time or run-time dependency to any samba library or
header file the definition of the struct is copied here.
|
| | |
|
| | |
|
| |
|
|
|
| |
To avoid conflicts with struct dom_sid used by samba the sss_ prefix is
added to the struct used by libsss_idmap.
|
