| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format.
|
| |
|
|
|
| |
Empty directory tests_path is removed in function test_dom_suite_cleanup.
Function test_dom_suite_cleanup is reused in other tests.
|
| |
|
|
|
|
|
|
|
| |
--removed duplicated test-io
--reusing library libsss_test_common in other tests
--cmocka test sss_nss_idmap-tests was moved to cmocka dir
--moved leak_check.c to libsss_test_common
--moved common_tev.c,common_dom.c to libsss_test_common
(leak_check.c,common_tev.c,common_dom.c) are test framework independent
|
| |
|
|
|
|
|
| |
The dyndns init function was starting the timer even if the updates were
set to False. This patch splits the init of dynamic updates and the
timer into two functions so that the back end can start the updates
separately from reading the options.
|
| |
|
|
| |
The tests_set_cwd() function was called twice in the dyndns unit test.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1504
Implements dynamic DNS updates for the AD provider. By default, the
updates also update the reverse zone and run periodically every 24
hours.
|
| |
|
|
|
|
| |
This options is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none.
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server.
|
| |
|
|
|
| |
This is a requirement to update the PTR records.
Includes a unit test.
|
| |
|
|
|
|
|
| |
This new options adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records.
|
| |
|
|
|
|
| |
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Provides two new layers instead of the previous IPA specific layer:
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its
purpose it to make it possible for any back end to use dynamic DNS
updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
connection.
Also converts the dyndns code to new specific error codes.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch add a library for client side lookups for a SID or with a
SID through the calls:
- sss_nss_getsidbyname
- sss_nss_getsidbyid
- sss_nss_getnamebysid
- sss_nss_getidbysid
The library is called libsss_nss_idmap and the contributed spec file
will create two new packages libsss_nss_idmap and
libsss_nss_idmap-devel.
|
| |
|
|
|
| |
tests_set_cwd is used and relativepath calculation method is changed and is made general based on
basedir.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If configure isn't being run with argument --with-test-dir, then variable
TEST_DIR will be defined, but its value will be empty (""). In this case
opendir will fail with uncatched error "Directory does not exist, or name is
an empty string". Finally function call dirfd will segfault because its
argument is NULL.
I changed default value of TEST_DIR (if --with-test-dir was not used).
Function tests_set_cwd does not ignore return value of chdir, because
TEST_DIR should not be the empty string.
|
| |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1893
When SSSD is not enumerating (which is the default), we are trying to
link any "ghost" entries with a newly created user entry. However, when
enumeration is on, this means a spurious search on adding any user.
|
| | |
|
| |
|
|
|
|
| |
* Remove check-specific failure reporting from common_check.c
* Check-specific abstraction over memleak checks
* Rename common_check.c to leak_check.c
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
In the simple access provider, we need to only canonicalize user names when
comparing with values in the ACL, not when searching the cache. The sysdb
searches might do a base search with a DN constructed with the username
which fails if the username is lower case.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Definition of structure sss_auth_token was removed from header file
authtok.h and there left only declaration of this structure.
Therefore only way how to use this structure is to use accessory function from
same header file.
To creating new empty authotok can only be used newly created function
sss_authtok_new(). TALLOC context was removed from copy and setter functions,
because pointer to stuct sss_auth_token is used as a memory context.
All declaration of struct sss_auth_token variables was replaced with
pointer to this structure and related changes was made in source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or zero initialized struct pam_data
allocated on stack.
https://fedorahosted.org/sssd/ticket/1830
|
| |
|
|
|
|
| |
Function create_pam_data() should be only one way how to create new
struct pam_data, because it also initialize destructor to created
object.
|
| |
|
|
| |
const char const * --> const char *const
|
| |
|
|
|
|
|
| |
Print warning if sysdb-tests or sysdb-ssh test are run
individually and LDB_MODULES_PATH was not set.
https://fedorahosted.org/sssd/ticket/1820
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX
|
| |
|
|
|
|
|
| |
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
|
| |
|
|
|
|
| |
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be
declared with extern in krb5_utils.h.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1811
|
| |
|
|
|
| |
This condition is invalid because different_realm is not set, when
EINVAL is returned. It can make the test fail sometimes.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1833
state is expected to be a pointer
|
| | |
|
| |
|
|
|
|
| |
There was shared code for several unit tests that connected to their own
sysdb instance. This patch adds common code to run a generic request to
completion or connect to a test sysdb.
|
| |
|
|
|
|
| |
This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()
|
| |
|
|
|
| |
struct sss_domain_info is always used to represent domains now.
Adjust tests accordingly.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1763
|
| |
|
|
|
|
|
|
|
|
|
| |
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard links.
This security problem was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
also fix sysdb_svc_add declarations
|
