| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
In order to support wildcard request, we need to introduce an optionally
relaxed version of sss_filter_sanitize that allows to select which
characters are exempt from sanitizing.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2485
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Allows to distinguish the trust directions for trusted domains. For
domains where we don't know the direction in server mode, we assume
two-way trusts.
Member domains do not have the direction, but rather the forest root
direction is used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
In order to make updating the subdomain list a two-step process.
Therefore we need to make sure that update_subdomains() is the only
interface towards the SSSD that changes the subdomain list.
Move the new_subdomain() function to sysdb_subdomains.c and only make it
available through a private header so it's usable by unit tests.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to store the subdomain trust direction in order to recover the
structure after SSSD restart.
The trust direction is a plain uint32_t to avoid leaking the knowledge
about AD trust directions to sysdb while at the same time making it easy
to compare values between sysdb and LDAP and avoid translating the
values.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2583
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
Allows the administrators to extend ignore_group_members to subdomains
as well by setting:
subdomain_inherit = ignore_group_members
in the domain section.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
The function sss_strerror() should not return a sentence.
It shoudl return string; the same as strerror()
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
This function decomposes object path into array of strings. The
"_exact" version expects a certain number of parts otherwise an
error is thrown.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2649
libsemanage is very strict about its API usage and actually doesn't
allow disconnecting a handle that is not connected. The unpatched code
would fail with:
selinux_child: handle.c:231: semanage_disconnect: Assertion `sh !=
((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect !=
((void *)0)' failed.
If semanage_connect() failed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the server-side configuration the extdom plugin can return
short or fully qualified names for IPA objects. The client must handle
the names according to its own configuration and not add the domain part
of the fully-qualified name unconditionally.
Resolves https://fedorahosted.org/sssd/ticket/2647
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Not all user groups need to be resolved if group deny list is empty.
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2624
Add a function to query the libsemanage database for a user context and
only update the database if the context differes from the one set on the
server.
Adds talloc dependency to libsss_semanage.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Transaction should be started and commited on the same code nesting or
abstraction level. Also, transactions are really costly with libselinux
and splitting them from initialization will make init function reusable
by read-only libsemanage functions.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsemanage documentation says:
~~~~
be sure that a semanage_disconnect() was previously called if the handle
was connected.
~~~~
Otherwise we get a memory leak.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
is set
When default_domain_suffix is used and filter_users is set (at least
root is always, by default), SSSD tried to add the negcache entry to the
default domain. But since the default domain is not known after start
up, adding the entries fail with a verbose error message.
This patch handles EAGAIN returned from the parsing function while
setting negcache entries gracefully and also makes the debug message in
parsing function more precise.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2603
Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This
will be useful in the next patch where we act on certain codes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Check if number of error codes and messages is the same.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
We had more error codes than corresponding
messages. Also order of two messages was
wrong.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2569
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
New utility function *sss_utc_to_time_t* to convert GeneralizedTime to
unix time.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
The function PyUnicode_FromString is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The macro PyModule_AddIntMacro is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The macro PySet_Check is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The function PySet_Add is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The function PySet_New is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
The type Py_ssize_t is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example of warning:
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
error: equality comparison with extraneous parentheses
[-Werror,-Wparentheses-equality]
if (((wbc_status) == WBC_ERR_SUCCESS)) {
~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
note: remove extraneous parentheses around the comparison
to silence this warning
if (((wbc_status) == WBC_ERR_SUCCESS)) {
~ ^ ~
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
note: use '=' to turn this equality comparison into an assignment
if (((wbc_status) == WBC_ERR_SUCCESS)) {
^~
=
The reason is definition of some macros which were used in if conditions.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2563
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
Also reformat debug strings not to exceed 80 columns long lines.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the SSSD cache domain names are handled case-sensitive. As a result
fully-qualified names in RDN contain the domain part in the original
spelling. When IPA client lookup up group-memberships on the IPA server
via the extdom plugin the names returned are all lower case. To make
sure new DNs are generated correctly the domain part must adjusted.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
The responder and child_common modules each had their own
implementation. Unify it instead and add a unit test.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Not used anymore after previous patch.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Two functions were only used internally, makes no sense to keep them in the
child_common module API.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
Example of warning:
src/ldb_modules/memberof.c:4203:536: error: for loop has empty body [-Werror,-Wempty-body]
src/ldb_modules/memberof.c:4203:536: note: put the semicolon on a separate line to silence this warning
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2544
Adds a new function exec_child_ex and moves setting the extra_argv[]
to exec_child_ex() along with specifying the input and output fds.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2017
|
|
|
|
|
|
|
|
|
| |
krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older
platforms this patch adds sss_krb5_kt_have_content() as a wrapper.
Resolves https://fedorahosted.org/sssd/ticket/2518
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2503
Currently all child processes use the same arguments, the construction
of argv[] is even hardcoded in exec_child(). Add an extra_args[] array
that extends the common set of argvs so that we can have child-specific
arguments. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2506
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|