| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_add_user fails with EIO if enumeration is disabled and user contains
backslashes.
We try to remove ghost attributes from groups with disabled enumeration,
but unsanitized filter is used to find ghost attributes
"(|(ghost=usr\\\\002)" and ldb cannot parse this filter.
Resolves:
https://fedorahosted.org/sssd/ticket/2163
|
|
|
|
|
|
|
|
|
|
| |
sysdb_delete_user fails with EIO if user does not exist and contains
backslashes.
ldb could not parse filter (&(objectclass=group)(ghost=usr\\\\001)),
because ghost value was not sanitized
Resolves:
https://fedorahosted.org/sssd/ticket/2163
|
|
|
|
|
|
|
| |
Unit test testing detection of the right domain when processing group with members from several domains
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is a workaround until
https://fedorahosted.org/sssd/ticket/2129 is fixed properly.
Consider a group entry such as:
cn: subgroup@subdom
ghost: someuser
ghost: anotheruser@subdom
Currently in order to print all group members as FQDN (which is the default
for AD provider), the code needs to iterate over the ghost attributes and
parse them into (name,domain) and optionally re-add the domain.
The proper fix would be to store always just the FQDN in the hardcoded
form of user@domain
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify a LDAP access filter
that can be applied globally, per-domain or per-forest.
|
|
|
|
|
|
|
|
| |
This patch fixes few format string warnings in the file test_utils.c
src/tests/cmocka/test_utils.c:54:56:
warning: format specifies type 'unsigned int' but the
argument has type 'size_t' (aka 'unsigned long') [-Wformat]
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If POSIX IDs are managed externally e.g. by AD it might be possible that
the IDs are centrally manages for the whole forest. Hence there might
not be a single ID range for each member domain in the forest but only a
single ID range for the whole forest. This means that we have to allow
collisions if ID ranges in this case.
Unit tests are added to make sure that the collisions are only allowed
for external mappings.
|
| |
|
|
|
|
|
| |
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest.
|
|
|
|
|
|
|
|
|
| |
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
|
|
|
|
|
|
|
| |
Recent simple access provider patches started using
be_ctx during access check. This caused segfault in
unit tests, since be_ctx wasn't initialized.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
| |
|
|
|
|
|
|
| |
The tmpl variable was only ever used to default to FILE backend in case
absolute patch w/o ccache type was selected. Since backends are no
longer there, we can remove the variable, too.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Remove struct sss_krb5_cc_be and the remaining functions that reference
it as they are all unused now.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
|
|
|
|
|
|
|
|
|
| |
Only 2 types (FILE and DIR) need to precreate files or directories
on the file system, and the 2 functions were basically identical.
Consolidate all in one common function and use that function directly
where needed instead of using indirection.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
|
|
|
|
|
|
|
| |
This completely replaces the per-ccache-type custom code to remove old cacches
and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as
the user owner.
Resolves:
https://fedorahosted.org/sssd/ticket/2061
|
|
|
|
|
| |
This tests dlopens and resolves all symbols to make sure there are no missing
symbols in our provider modules.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recently support was added to use also libkrb5 style expansions that
uses a %{varname} type of template.
There are a number of templates we do not care/can't expand in sssd.
The current code misses tests and failed to properly preserve some of
the templates we do not want to handle.
Addiotionally in order to be future proof this patch treats unknown
templates as pass-through templates and defer any error checking to
libkrb5, so that sssd is consistent with how kinit would behave.
Resolves:
https://fedorahosted.org/sssd/ticket/2076
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
It is better to use standard constant for maximum value of type size_t,
instead of reinventing wheel with own defined constant SIZE_T_MAX
This patch replace string "SIZE_T_MAX" -> "SIZE_MAX"
|
|
|
|
|
| |
The enumerate flag will be read from the cache for subdomains and
the domain object will be created accordingly.
|
| |
|
|
|
|
|
|
| |
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate.
|
|
|
|
|
|
| |
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later.
|
| |
|
|
|
|
|
|
| |
Wait for c-ares to finish before checking for memory leaks.
https://fedorahosted.org/sssd/ticket/1899
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2023
When the option values are copied using dp_opt_copy_map, the .val member
is used if it's not NULL. At the same time, the bool options are never
NULL, unlike integers or strings that can have special NULL-like values
such as NULL_STRING. This effectively means that when copying a bool
option, the .val member is always used.
But in the AD maps, some .val fields were set differently from the
.def_val fields. The effect was that when the AD subdomain provider was
initialized from IPA subdomain provider using only the defaults, some
options (notably referral chasing) were set to a value that didn't make
sense for the AD provider.
This patch makes sure that for all boolean option, the .val is always
the same as .def_val.
|
|
|
|
|
| |
warning: format string is not a string literal (potentially insecure)
[-Wformat-security]
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1992
dyndns test will crash with this patch
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1778
When trying to copy special file, only message is logged now.
|
| |
|
|
|
|
|
| |
The mpg flag will be read from the cache for subdomains and the domain
object will be created accordingly.
|
|
|
|
|
|
| |
The information of a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache.
|
|
|
|
|
| |
This patch implements some unit tests for the recent enhancements to
libsss_idmap.
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1972
Coverity IDs: 11870,11871
Do not call unlink with NULL pointer.
|
|
|
|
|
|
|
|
|
|
|
| |
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format.
|