| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Add option to follow symlinks to check_file()
Append PID to sbus server socket name, let clients use a symlink
https://fedorahosted.org/sssd/ticket/1034
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes for python HBAC bindings
These changes were proposed during a review:
* Change the signature of str_concat_sequence() to const char *
* use a getsetter for HbacRule.enabled to allow string true/false and
integer 1/0 in addition to bool
* fix a minor memory leak (HbacRequest.rule_name)
* remove overzealous discard consts
Fix python HBAC bindings for python <= 2.4
Several parts of the HBAC python bindings did not work with old Python
versions, such as the one shipped in RHEL5.
The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char
arguments where they have "const char *" in recent versions.
This caused compilation warnings this patch mitigates by using
the discard_const hack on python 2.4
Remove dead code from python HBAC bindings
https://fedorahosted.org/sssd/ticket/935
Handle allocation error in python HBAC bindings
https://fedorahosted.org/sssd/ticket/934
HBAC rule validation Python bindings
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add helper function msgs2attrs_array
This function converts a list of ldb_messages into a list of
sysdb_attrs.
Conflicts:
src/providers/ldap/ldap_common.c
src/providers/ldap/ldap_common.h
Add HBAC evaluator and tests
Add helper functions for looking up HBAC rule components
Remove old HBAC implementation
Add new HBAC lookup and evaluation routines
Conflicts:
Makefile.am
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server.
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
libipa_hbac: Support case-insensitive comparisons with UTF8
UTF8 HBAC test
Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933
Fix incorrect NULL check in ipa_hbac_common.c
https://fedorahosted.org/sssd/ticket/936
Require matched version and release for libipa_hbac
Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new resolv_hostent data structure and utility functions
Resolve hosts by name from files into resolv_hostent
Resolve hosts by name from DNS into resolv_hostent
Switch resolver to using resolv_hostent and honor TTL
Conflicts:
src/providers/fail_over.c
Provide TTL structure names for c-ares < 1.7
https://fedorahosted.org/sssd/ticket/898
In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
ares_addrttl/ares_addr6ttl so they are in the ares_ namespace.
Because they are committed to stable ABI, the contents are the same, just
the name changed -- so it is safe to just #define the new name for older
c-ares version in case the new one is not detected in configure time.
|
|
|
|
|
|
|
|
| |
Added sysdb_attrs_get_bool() function
Non-posix group processing - sysdb changes
Non-posix group processing - ldap provider and nss responder
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add originalDN to fake groups
Use fake groups during IPA schema initgroups
https://fedorahosted.org/sssd/ticket/822
Use sysdb_attrs_primary_name() in sdap_initgr_nested_store_group
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/807
|
|
|
|
|
|
|
|
| |
Sometimes, a value in LDAP will cease to exist (the classic
example being shadowExpire). We need to make sure we purge that
value from SSSD's sysdb as well.
https://fedorahosted.org/sssd/ticket/750
|
|
|
|
|
|
| |
Specially crafted packages might lead to an integer overflow and the
parsing of the input buffer might not continue as expected. This issue
was identified by Sebastian Krahmer <krahmer@suse.de>.
|
|
|
|
| |
Includes a unit test
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/714
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/732
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/728
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds simple_allow_groups and simple_deny_groups options
to the simple access provider. It makes it possible to grant or
deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now
all deny rules will supersede allow rules. Previously, if both
simple_allow_users and simple_deny_users were set with the same
value, the allow would win.
https://fedorahosted.org/sssd/ticket/440
|
|
|
|
|
|
| |
It was decided that IPA HBAC will move to a different format to specify
time ranges in access control rules. The evaluation based on the old
format is not needed anymore.
|
| |
|
| |
|
| |
|
|
|
|
| |
Also adds a unit test.
|
| |
|
|
|
|
|
|
|
|
| |
Previously, it assumed that all members were users. This changes
the interface so that either a user or a group can be specified.
Also, it eliminates the need for a memory context to be passed,
since the internal memory should be self-contained.
|
|
|
|
| |
Useful for optimizing the initgroups operation.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Additionally the handling of errno and the errno_t return value of
functions is fixed in krb5_common.c.
|
| |
|
| |
|
|
|
|
| |
This might be useful for examining the test database manually with LDB tools
|
|
|
|
|
|
|
| |
Adds two utility functions to obfuscate a password and inverse to
extract the cleartext password back.
So far, only NSS-based implementation is provided.
|
|
|
|
|
|
|
|
| |
This function will take a user, a list of groups that this user
should be added to and a list of groups the user should be removed
from and will recursively call sysdb_[add|remove]_group_member
Includes a unit test
|
|
|
|
| |
Includes a unit test
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/542
|
|
|
|
| |
Fixes: #535
|
|
|
|
|
|
|
| |
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
|
|
|
|
|
|
| |
RFC 2782 defines a way to sort replies to a SRV query. In short, the
algorithm sorts all replies by priority and then does a weight-based
selection for every priority level.
For details, please see the sections "Usage rules" for overview of the
algorithm and section "The 'Weight' field" for description on the weight
selection.
|
|
|
|
|
|
| |
When we converted to the synchronous sysdb interface, the
synchronous-simulating function test_loop() became unnecessary,
but we forgot to remove it.
|
|
|
|
| |
This commit completes the migration to a synchronous sysdb
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
now all calls are synchronous
|