summaryrefslogtreecommitdiffstats
path: root/src/util
Commit message (Collapse)AuthorAgeFilesLines
* Allow usage of enterprise principalsSumit Bose2013-04-222-0/+28
| | | | | | | | | | | | | | | | | | | | | | | | Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842
* DNS sites support - SRV lookup plugin interfacePavel Březina2013-04-102-0/+4
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1032 Introduces two new error codes: - ERR_SRV_NOT_FOUND - ERR_SRV_LOOKUP_ERROR Since id_provider is authoritative in case of SRV plugin choise, ability to override the selected pluging during runtime is not desirable. We rely on the fact that id_provider is initialized before all other providers, thus the plugin is set correctly.
* Allow using flatname for subdomain home dir templateJakub Hrozek2013-04-102-2/+15
| | | | https://fedorahosted.org/sssd/ticket/1609
* Check for correct variable nameJakub Hrozek2013-04-032-2/+2
| | | | https://fedorahosted.org/sssd/ticket/1864
* pidfile(): Do not leak fd on errorJakub Hrozek2013-04-031-0/+1
| | | | https://fedorahosted.org/sssd/ticket/1860
* Making the authtok structure really opaque.Lukas Slebodnik2013-04-022-43/+57
| | | | | | | | | | | | | | | | | | | | Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
* filename in comment is correctedAbhishek Singh2013-03-271-1/+1
|
* Include config.h to build io.c on RHEL5Jakub Hrozek2013-03-251-0/+2
|
* Move signal.m4 from src/util to externalJakub Hrozek2013-03-211-1/+0
|
* correct order in error_to_str tablePavel Březina2013-03-201-1/+1
| | | | Also fixed typo.
* Convert sdap_access to new error codesSimo Sorce2013-03-192-0/+2
| | | | Also simplify sdap_access_send to avoid completely fake _send() routines.
* Move SELinux processing to provider.Michal Zidek2013-03-192-5/+5
| | | | | | | | | | | | The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
* Use common error facility instead of sdap_resultSimo Sorce2013-03-194-8/+9
| | | | | | | | | Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
* Fix sss_client breakage.Lukas Slebodnik2013-03-184-4/+49
| | | | | | | | | | Adding missing dependencies for linker. Missing dependency was introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a in changed file src/sss_client/nss_mc_common.c All function declaration for io.c was moved from util.h to separate file io.h, https://fedorahosted.org/sssd/ticket/1838
* More generalized function open_debug_file_ex()Lukas Slebodnik2013-03-132-5/+7
| | | | | | | | Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
* Reuse sss_open_cloexec at other places in code.Lukas Slebodnik2013-03-132-0/+93
| | | | | | | | Functions open_cloexec and openat_cloexec were renamed with prefix "sss_" and moved to separete file. Replacing duplicated code of function sss_open_cloexec everywhere in the source code. https://fedorahosted.org/sssd/ticket/1794
* Improve IS_SSSD_ERROR() macroSimo Sorce2013-03-051-2/+2
| | | | | | | | | | We need to mask the first part with 0xFFFF or there is a slight chance an unrelated error code would match even if the upper part is not exactly equal to ERR_BASE but just has all it's bits and some more. Also make the macro more reasable by adding another helper macro for filtering the base. Finally compare err and ERR_LAST directly w/o masking err, or the comparison will always return true.
* Cleanup error message handling for krb5 childSimo Sorce2013-03-042-1/+11
| | | | | | | | | | | | | | | | | | | | Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
* Return ERR_INTERNAL instead of EIOSimo Sorce2013-03-041-1/+1
| | | | | | EIO has always been an odd match, but was used as an error to indicate that something had gone wrong internally before we had specific SSSD errors available. Use ERR_INTERNAL instead going forward.
* Use SSSD specific errors for offline authSimo Sorce2013-03-043-10/+22
| | | | | | This prevents reportin false errors when internal functions return a generic EINVAL or EACCES that should just be treated as internal errors.
* Add SSSD specific error codes and definitionsSimo Sorce2013-03-043-7/+117
| | | | | | | | | | This code adds a new range of error codes specific to SSSD, It also provides helper functions to print out error defintions like you can do with system error messages and the strerror() function. The sss_strerror() function can accept both the new sssd errors and system errno_t errors falling back to the system strerror() if the error code provide is not a valid SSSD error code.
* Improved readability of get_next_domain()Lukas Slebodnik2013-03-041-2/+2
| | | | https://fedorahosted.org/sssd/ticket/1812
* get_next_domain() test dom->parent->next for NULLPavel Březina2013-02-141-1/+1
| | | | | Otherwise dom may be set to NULL and we will segfault when dereferencing dom.
* krb5: include backwards compatible declaration of krb5_trace_infoJakub Hrozek2013-02-111-1/+7
| | | | | | | krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11 includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info". Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
* Introduce IS_SUBDOMAIN() macroSimo Sorce2013-02-102-1/+3
| | | | Fixes https://fedorahosted.org/sssd/ticket/1766
* Change the way domains are linked.Simo Sorce2013-02-103-26/+33
| | | | | | | | | | | | | | | | | | | - Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
* Add ability to disable domainsSimo Sorce2013-02-101-8/+12
|
* Add function get_next_domain()Simo Sorce2013-02-103-2/+22
| | | | | | | Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
* Avoid sysdb_subdom in sysdb_get_subdomains()Simo Sorce2013-02-101-0/+3
|
* Add realm info to sss_domain_infoSimo Sorce2013-02-102-1/+12
|
* NSS: Add original homedir to home directory template optionsStephen Gallagher2013-02-102-2/+14
| | | | https://fedorahosted.org/sssd/ticket/1805
* Correct format security for talloc_named of auth tokensStephen Gallagher2013-01-161-1/+1
|
* Stop creating fake sysdb contextsSimo Sorce2013-01-151-7/+2
| | | | | | Now that the sysdb context does not contain anymore domain related data we can simply stop creating faxe sysdb context and just reference the parent context.
* Move mpg flag to the domain where it belongsSimo Sorce2013-01-151-0/+1
| | | | | A sysdb contains now multiple domains, but the mpg property is a property of a specific domain not of the underlying database.
* Add domain to sysdb_search_user_by_name()Simo Sorce2013-01-152-1/+3
| | | | Also remove unused sysdb_search_domuser_by_name()
* Pass domain to sysdb_get<pw/gr>nam() functionsSimo Sorce2013-01-151-1/+1
| | | | | | Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.
* Refactor single domain initializationSimo Sorce2013-01-152-0/+40
| | | | | Bring it out of sysdb, which will slowly remove internal dependencies on domains and instead will always require them to be passed by callers.
* Add authtok utility functions.Simo Sorce2013-01-102-0/+382
| | | | | | These functions allow handling of auth tokens in a completely opaque way, with clear semantics and accessor fucntions that guarantee consistency, proper access to data and error conditions.
* Add function to safely wipe memory.Simo Sorce2013-01-102-0/+18
| | | | | This is useful for wiping passwords, as it prevents the compiler from optimizing out a memset to zero before a free()
* memcache: make MC_PTR_TO_SLOT() more readablePavel Březina2013-01-071-2/+1
|
* memcache: add macro that validates record lengthPavel Březina2013-01-071-0/+6
|
* Search for SHORTNAME$@REALM instead of fqdn$@REALM by defaultJakub Hrozek2013-01-071-3/+35
| | | | | | | | The search was intended for the AD provider mostly, but keytabs coming from AD via samba don't contain fqdn$@REALM but rather uppercased SHORTNAME$@REALM https://fedorahosted.org/sssd/ticket/1740
* failover: Protect against empty host namesMichal Zidek2013-01-022-92/+72
| | | | | | | | | | Added new parameter to split_on_separator that allows to skip empty values. The whole function was rewritten. Unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484
* Carefully check records when forcibly invalidatingSimo Sorce2012-12-201-2/+4
| | | | | | | | | | | | We should never try to invalidate an already invalid record as internal pointers will not be consistent. Carefully test that the record really is valid when we are fishing for free space, and properly invalidate records or return a fatal error if something goes wrong. In order to make the code more robust always invalidate the whole data space on initialization by setting all bits to 1, and make sure to invalidate the whole last allocated slot by converting rec->len to the number of slots instead of just the space used.
* Free resources if fileno failedJakub Hrozek2012-12-201-0/+2
|
* select_principal_from_keytab() do wildcard lookups after specific onesSumit Bose2012-12-181-3/+3
| | | | | | | | | | Currently the wildcard lookup '*$' is done before the one for host/our.hostname@REALM. This means we would ignore a more specific match in favour of an unspecific match with a principal which is only used in a AD environment. I think this is wrong an wildcards should only be used is all specific lookups fail.
* select_principal_from_keytab() look for plain input as wellSumit Bose2012-12-181-2/+6
| | | | | | | Currently in select_principal_from_keytab() all kind of different versions of the host principal are looked up in the keytab except for the plain name the ldap_sasl_authid option. With this patch the plain name is looked up first.
* Set cloexec flag for log filesJakub Hrozek2012-12-181-0/+11
| | | | | | | | https://fedorahosted.org/sssd/ticket/1708 The services kept the fd to /var/log/sssd/sssd.log open. I don't think there's any point in keeping the logfiles open after exec-ing for the child, so I set the CLOEXEC flag.
* Avoid const warnings when deallocating memorySimo Sorce2012-11-281-1/+1
| | | | | | | In some case we allocate and assign data to a const pointer. When we then try to free it we would get a const warning because talloc_free accepts a void, not a const void pointer. Use discard_const to avoid the warning, it is safe in this case.
* Revert "Avoid accessing half-deallocated memory when using talloc_zfree macro."Simo Sorce2012-11-281-5/+1
| | | | | | | | | This reverts commit ff57c6aeb80a52b1f52bd1dac9308a69dc7a4774. This commit doesn't really make sense, we are never accessing freed memory as all we are dealing with is a pointer which is never itsef part of the memory we are freeing (if it were, it would be an error in the caller and we shouldn't mask it in this macro).
generated by cgit (git 2.34.1) at 2024-07-02 18:50:55 +0000