| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some additional checks if the option for replacing
spaces in user and group names is used.
When replacing space with the replacement character it is checked if the
name already contains the replacement character. If it does the
unmodified name is returned because in this case a revers operation
would not be possible.
For the reverse operation is it checked if the input contains both a
space and the replacement character. If this is true the unmodified name
is returned as well, because we have to assume that it is the original
name because otherwise it wouldn't contain both characters.
Additionally a shortcut if the replacement characters is a space and
tests for the new checks are added. The man page is updated accordingly.
Related to https://fedorahosted.org/sssd/ticket/1854 and
https://fedorahosted.org/sssd/ticket/2397 .
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 92d19f76449817dfb125da9510d478a30eed37bc)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1f3127e88a87953f059c9a70d3582ae1719594b1)
|
|
|
|
|
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 022c6b90bb37851c0e8704c0e5388ebc113c6470)
Conflicts:
Makefile.am
src/util/util.h
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can be already send with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.
if find_subdomain_by_sid() failed we can check if there is only one domain in
the domain list (state->domain) and in this case continue with this domain since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)
|
|
|
|
|
|
|
|
| |
We need to treat the failure to connect to the system bus as non-fatal.
In this commit, we introduce a special error code and only print a DEBUG
message when this error code is returned from the startup function.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2349
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 26510727739c3e8d14f804568e496b7d7b073964)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The macros SOL_TCP and IPPROTO_TCP have the same value on linux,
but the first one is not portable.
man in.h says:
The <netinet/in.h> header shall define the following macros for use as
values of the level argument of getsockopt() and setsockopt():
IPPROTO_IP Internet protocol.
IPPROTO_IPV6 Internet Protocol Version 6.
IPPROTO_ICMP Control message protocol.
IPPROTO_RAW Raw IP Packets Protocol.
IPPROTO_TCP Transmission control protocol.
IPPROTO_UDP User datagram protocol.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit cf901f549abe18f32562cbe1ef7a1ef258edab1a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The older version of glibc and different implementations of libs
requires feature macros for enabling function getline.
getline(), getdelim():
Since glibc 2.10:
_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700
Before glibc 2.10:
_GNU_SOURCE
All feature macros are in header file config.h and are detected by configure
script. The header file config.h was included after few other header files.
The problem is that header files stdio.h is included just once and
is included from many external header files. We need to include config.h
before any other header file to prevent problems.
src/util/nscd.c: In function ‘sss_nscd_parse_conf’:
src/util/nscd.c:150: error: implicit declaration of function ‘getline’
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b3007e32fa5d6b722f3aaaf9fe7593103cb443c3)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
glibc contains two versions of finction stpncpy
sh-4.2$ nm --dynamic --defined-only /lib64/libc.so.6 | grep stpncpy
0000003ce1c89b00 i stpncpy
0000003ce1c89b00 i __stpncpy
0000003ce1d040a0 T __stpncpy_chk
We should use more portable version of stpncpy without prefix with underscores.
The function __stpncpy was used in initial veersion
e65c65fc710fa030bfb8319efc43fcdc9ce5a26f, which was based on
http://people.redhat.com/drepper/SHA-crypt.txt
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 83e1ea9e24aabe6ade180649ecfc9c253ad19395)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an async request sbus_get_sender_id_{send,recv} that allows
retrieval of UID based on "sender" as returned by
dbus_message_get_sender().
The UID is an int64_t to be able to use "-1" to as a fallback value for
uknown or error cases.
The unit test is added as a standalone one, not part of the sbus_tests
because the request, and by extension the unit test relies on being
connected to the system bus, which is very unlikely to work in a build
system.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
(cherry picked from commit 0161a3c5637a0c0092bf54c436bb3d6508d7df26)
Conflicts:
Makefile.am
|
|
|
|
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Function expand_homedir_template had lot of parameters.
After adding new expand option, all function call should be rewritten,
(usually argument NULL will be added)
This patch wraps all necessary arguments to structure.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
sss_parse_name now supports NULL as output parameters so existing calls passing
arguments which were never read were substituted by NULL.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Variable with type 'const char *' can be used as output argument in function
sss_parse_name, but there will be warning.
warning: passing 'const char **' to parameter of type 'char **'
discards qualifiers in nested pointer types
[-Wincompatible-pointer-types-discards-qualifiers]
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The responders were copying code to parse input and on encountering an
uknown domain, send the discover subdomain request. This patch adds a
reusable request that can always be called in responders and in case the
name can be parsed, just shortcut.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 7caf7ed4f2eae1ec1c0717b4ee6ce78bdacd5926)
Conflicts:
Makefile.am
|
|
|
|
| |
(cherry picked from commit 9de5878d247b77b8f520a57727cd55f42e179caa)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7f4ff1b4c829af421a64aa11c992780eac4a9fde)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove support for specifying old debug levels to the DEBUG macro:
* remove debug_get_level function which was used for conversion,
* remove debug_get_level tests,
* remove mentions of old/new levels from DEBUG and DEBUG_IS_SET
macro descriptions,
* rename "newlevel" argument of debug_fn to just "level".
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 5c233380e1ebf641f6106a34d7b94f9e9a606589)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script (identical to commit
83bf46f4066e3d5e838a32357c201de9bd6ecdfd) to update DEBUG* macro
invocations, which use literal numbers for levels, to use bitmask macros
instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
|
|
|
|
|
|
|
|
|
|
| |
Fix mistakes made by the update script in "Make DEBUG macro invocations
variadic".
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 45a1d9d597df977354428440aeff11c6a0a947fe)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code
(identical to commit a3c8390d19593b1e5277d95bfb4ab206d4785150):
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Update DEBUG macro definition to accept format string and its arguments
as direct variadic macro arguments, instead of expecting them as an
expression in parens.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit cc026fd9ba386f2197e3217940d597dcad1a26fe)
|
|
|
|
|
|
|
|
|
| |
Cleanup debug_fn to better match coding conventions.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 1eedbd1bd2037437f5b9aed1f4061af396ef6733)
|
|
|
|
|
|
|
|
|
| |
Remove extra fflush(3) invocation when outputting debug messages.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit 63ec0cbd668b251708fad23b60cf557163963dc4)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move DEBUG macro body to the debug_fn function, adding "function"
argument to the latter.
Rename "debug_fn" in sssd_krb5_locator_plugin.c to "plugin_debug_fn" to
remove conflict with the sssd debug_fn.
Replace DEBUG_MSG macro usage with debug_fn function usage.
Remove DEBUG_MSG macro along with tests.
The above makes the total size of binaries drop by 20% for the standard
Fedora build and by 44% for a build configured according to Debian
packaging script.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit fb0332565892bc10998ca98b567d4dde2213844d)
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 3b35ff47651e4893ce537a273466766b962362da)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Original patches submitted by: mpesari(Thanks!!)
It can cause problems if user will hit spaces before entering username.
(e.g in gdm). Spaces are ignored by LDAP; it's better to escape them.
Resolves:
https://fedorahosted.org/sssd/ticket/1955
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2b8208b45feb2aab64d560d3e12e01e7b6d00d39)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the schema is set to AD and ID mapping is not used, there is a one-time
check ran when searching for users to detect the presence of POSIX
attributes in LDAP. If this check fails, the search fails as if no entry
was found and returns a special error code.
The sdap_server_opts structure is filled every time a client connects to
a server so the posix check boolean is reset to false again on connecting
to the server.
It might be better to move the check to where the rootDSE is retrieved,
but the check depends on several features that are not known to the code
that retrieves the rootDSE (or the connection code for example) such as what
the attribute mappings are or the authentication method that should be used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e81deec535d11912b87954c81a1edd768c1386c9)
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Some override parameters were not inherited when creating subdomains.
Especially with AD trusts, this gave strange results.
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2164
The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown.
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch makes sure that a completely lower-cased version of a fully
qualified name is used for case insensitive searches. Currently there
are code paths where the domain name was used as configured and was not
lower-cased.
To make sure this patch does not break with old entries in the cache or
case sensitive domains a third template was added to the related filters
templates which is either filled with a completely lower-cased version or
with the old version. The other two template values are unchanged.
|
|
|
|
|
|
|
| |
A bit more elegant way of detection of what domain the group member belongs to
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
|
|
|
|
|
|
|
| |
Specific error message is logged for missing sssd.conf file. New sssd specific
error value is introduced for this case.
Resolves:
https://fedorahosted.org/sssd/ticket/2156
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2123
Previously, the subdomains were always unbound even if the administrator
limited the ranges with min_id/max_id. This could have posed problems
when running programs that scan the whole ID space, such as "groupadd
-r".
|
|
|
|
|
|
|
| |
Supporting the latest INI release brought an incompatible change. Lines
beginning with a whitespace were treated as continuation of the previous
line. This patch reverts to ignoring the whitespace as we did previously
so that the existing configurations keep working.
|
|
|
|
|
|
|
|
|
|
|
|
| |
If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC but this works requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC this patch might be
removed from the sssd tree.
Fixes https://fedorahosted.org/sssd/ticket/2093
|
|
|
|
|
| |
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest.
|
|
|
|
|
|
|
| |
This function will return head of the domain list.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
|
|
|
|
|
|
| |
This function will parse object name into name and domain
name part and return appropriate sss domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function takes domain SID (doesn't have the last component)
or object SID (have all components) and returns subdomain.
The subdomain is found by comparing domain->domainid with the SID.
E.g.
domain SID: S-1-5-21-3940105347-3434501867-2690409756
object SID: S-1-5-21-3940105347-3434501867-2690409756-513
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
|
|
|
| |
Remove code duplication.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1945
|
| |
|
| |
|
| |
|