summaryrefslogtreecommitdiffstats
path: root/src/util
Commit message (Collapse)AuthorAgeFilesLines
* nss_check_name_of_well_known_sid() improve name splittingSumit Bose2015-07-161-2/+1
| | | | | | | | | | | | | | | Currently in the default configuration nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default, additionally if the name could not be split nss_check_name_of_well_known_sid() returns ENOENT which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Use NSCD path in execl()Jakub Hrozek2015-07-151-1/+1
| | | | | | | | | | man execl says: The first argument, by convention, should point to the filename associated with the file being executed. We used just 'nscd' instead. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Add sss_filter_sanitize_exJakub Hrozek2015-07-152-3/+30
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 In order to support wildcard request, we need to introduce an optionally relaxed version of sss_filter_sanitize that allows to select which characters are exempt from sanitizing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* nss: Store entries in responder to initgr mmap cacheLukas Slebodnik2015-07-031-0/+8
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>
* utils: add get_last_x_chars()Sumit Bose2015-06-192-0/+19
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* certs: add PEM/DER conversion utilitiesSumit Bose2015-06-193-0/+369
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Fetch keytab for 1way trustsJakub Hrozek2015-06-142-0/+4
| | | | | | | | | Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships. https://fedorahosted.org/sssd/ticket/2636 Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Include ipaNTTrustDirection in the attribute set for trusted domainsJakub Hrozek2015-06-142-0/+2
| | | | | | | | | | | Allows to distinguish the trust directions for trusted domains. For domains where we don't know the direction in server mode, we assume two-way trusts. Member domains do not have the direction, but rather the forest root direction is used. Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it privateJakub Hrozek2015-06-142-144/+0
| | | | | | | | | | | In order to make updating the subdomain list a two-step process. Therefore we need to make sure that update_subdomains() is the only interface towards the SSSD that changes the subdomain list. Move the new_subdomain() function to sysdb_subdomains.c and only make it available through a private header so it's usable by unit tests. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Store trust direction for subdomainsJakub Hrozek2015-06-142-2/+5
| | | | | | | | | | | | We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Don't override homedir with subdomain_homedirPavel Reichl2015-06-142-0/+2
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2583 Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Inherit ignore_group_membersJakub Hrozek2015-06-051-0/+9
| | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2644 Allows the administrators to extend ignore_group_members to subdomains as well by setting: subdomain_inherit = ignore_group_members in the domain section. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* util-tests: Add validation of internal error messagesLukas Slebodnik2015-06-011-4/+4
| | | | | | | The function sss_strerror() should not return a sentence. It shoudl return string; the same as strerror() Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sbus: add sbus_opath_decompose[_exact]Pavel Březina2015-05-222-0/+2
| | | | | | | | This function decomposes object path into array of strings. The "_exact" version expects a certain number of parts otherwise an error is thrown. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SELINUX: Avoid disconnecting disconnected handleJakub Hrozek2015-05-111-2/+7
| | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2649 libsemanage is very strict about its API usage and actually doesn't allow disconnecting a handle that is not connected. The unpatched code would fail with: selinux_child: handle.c:231: semanage_disconnect: Assertion `sh != ((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect != ((void *)0)' failed. If semanage_connect() failed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Add cache_credentials_minimal_first_factor_length config optionSumit Bose2015-05-081-0/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* utils: add sss_authtok_[gs]et_2faSumit Bose2015-05-084-0/+369
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: do not add domain name unconditionallySumit Bose2015-05-061-1/+1
| | | | | | | | | | | Depending on the server-side configuration the extdom plugin can return short or fully qualified names for IPA objects. The client must handle the names according to its own configuration and not add the domain part of the fully-qualified name unconditionally. Resolves https://fedorahosted.org/sssd/ticket/2647 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* simple-access-provider: make user grp res more robustPavel Reichl2015-04-282-0/+2
| | | | | | | | | Not all user groups need to be resolved if group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* selinux: Only call semanage if the context actually changesJakub Hrozek2015-04-142-0/+73
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Begin and end the transaction on the same nesting levelJakub Hrozek2015-04-141-6/+14
| | | | | | | | | Transaction should be started and commited on the same code nesting or abstraction level. Also, transactions are really costly with libselinux and splitting them from initialization will make init function reusable by read-only libsemanage functions. Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Disconnect before closing the handleJakub Hrozek2015-04-141-3/+10
| | | | | | | | | | | | libsemanage documentation says: ~~~~ be sure that a semanage_disconnect() was previously called if the handle was connected. ~~~~ Otherwise we get a memory leak. Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Add a simple function to get the fd of debug_fileJakub Hrozek2015-04-142-0/+10
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* ncache: Silence critical error from filter_users when default_domain_suffix ↵Jakub Hrozek2015-04-091-2/+1
| | | | | | | | | | | | | | | is set When default_domain_suffix is used and filter_users is set (at least root is always, by default), SSSD tried to add the negcache entry to the default domain. But since the default domain is not known after start up, adding the entries fail with a verbose error message. This patch handles EAGAIN returned from the parsing function while setting negcache entries gracefully and also makes the debug message in parsing function more precise. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Use custom error codes when validating HBAC rulesJakub Hrozek2015-03-242-0/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This will be useful in the next patch where we act on certain codes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sdap: properly handle binary objectGuid attributeSumit Bose2015-03-202-0/+32
| | | | | | | | | | | | | | Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add missing new lines to debug messagesLukas Slebodnik2015-03-178-19/+20
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* test: Check ERR_LASTMichal Zidek2015-03-132-1/+2
| | | | | | Check if number of error codes and messages is the same. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DEBUG: Add missing strings for error messagesMichal Zidek2015-03-132-1/+4
| | | | | | | | We had more error codes than corresponding messages. Also order of two messages was wrong. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Use FQDN if default domain was setMichal Zidek2015-03-112-0/+2
| | | | | | https://fedorahosted.org/sssd/ticket/2569 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: convert GeneralizedTime to unix timePavel Reichl2015-03-054-0/+58
| | | | | | | | New utility function *sss_utc_to_time_t* to convert GeneralizedTime to unix time. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: enable change phase of pw expire policy checkPavel Reichl2015-03-031-0/+3
| | | | | | | | | | | | | Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used. Resolves: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Remove python wrapper sss_python_unicode_from_stringLukas Slebodnik2015-02-252-13/+0
| | | | | | The function PyUnicode_FromString is available in python >= 2.6 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* UTIL: Remove compatibility macro PyModule_AddIntMacroLukas Slebodnik2015-02-251-5/+0
| | | | | | The macro PyModule_AddIntMacro is defined in python >= 2.6 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* UTIL: Remove python wrapper sss_python_set_checkLukas Slebodnik2015-02-252-13/+0
| | | | | | The macro PySet_Check is defined in python >= 2.6 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* UTIL: Remove python wrapper sss_python_set_addLukas Slebodnik2015-02-252-18/+0
| | | | | | The function PySet_Add is available in python >= 2.6 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* UTIL: Remove python wrapper sss_python_set_newLukas Slebodnik2015-02-252-11/+0
| | | | | | The function PySet_New is available in python >= 2.6 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* BUILD: Remove detection of type Py_ssize_tLukas Slebodnik2015-02-251-14/+0
| | | | | | The type Py_ssize_t is defined in python >= 2.6 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* Fix warning: equality comparison with extraneous parenthesesLukas Slebodnik2015-02-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | Example of warning: src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23: error: equality comparison with extraneous parentheses [-Werror,-Wparentheses-equality] if (((wbc_status) == WBC_ERR_SUCCESS)) { ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~ src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23: note: remove extraneous parentheses around the comparison to silence this warning if (((wbc_status) == WBC_ERR_SUCCESS)) { ~ ^ ~ src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23: note: use '=' to turn this equality comparison into an assignment if (((wbc_status) == WBC_ERR_SUCCESS)) { ^~ = The reason is definition of some macros which were used in if conditions. Reviewed-by: Michal Židek <mzidek@redhat.com>
* SELINUX: Set and reset umask when caling set_seuser from deamon codeJakub Hrozek2015-01-271-0/+4
| | | | | | https://fedorahosted.org/sssd/ticket/2563 Reviewed-by: Michal Židek <mzidek@redhat.com>
* add missing '\n' in debug messagesPavel Reichl2015-01-271-4/+5
| | | | | | Also reformat debug strings not to exceed 80 columns long lines. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle mixed-case trusted domainsSumit Bose2015-01-232-0/+75
| | | | | | | | | | | | In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA client lookup up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Unify the fd_nonblocking implementationJakub Hrozek2015-01-153-23/+36
| | | | | | | The responder and child_common modules each had their own implementation. Unify it instead and add a unit test. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Remove child_cleanupJakub Hrozek2015-01-152-24/+0
| | | | | | Not used anymore after previous patch. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Make two child_common.c functions staticJakub Hrozek2015-01-152-20/+20
| | | | | | | Two functions were only used internally, makes no sense to keep them in the child_common module API. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Fix warning: for loop has empty bodyLukas Slebodnik2015-01-151-3/+9
| | | | | | | | Example of warning: src/ldb_modules/memberof.c:4203:536: error: for loop has empty body [-Werror,-Wempty-body] src/ldb_modules/memberof.c:4203:536: note: put the semicolon on a separate line to silence this warning Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-132-8/+26
| | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com>
* Python3 support in SSSDBohuslav Kabrda2015-01-131-1/+15
| | | | https://fedorahosted.org/sssd/ticket/2017
* krb5: add wrapper for krb5_kt_have_content()Sumit Bose2014-12-072-0/+42
| | | | | | | | | krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper. Resolves https://fedorahosted.org/sssd/ticket/2518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_atomic_write_s() return value is signedJakub Hrozek2014-12-031-2/+2
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-25 02:05:32 +0000