summaryrefslogtreecommitdiffstats
path: root/src/util
Commit message (Collapse)AuthorAgeFilesLines
* sysdb: Unify name format for groups and usersMichal Zidek2016-01-132-2/+2
| | | | | | | | | | | | | | | | | | This is WIP patch to unify format of usernames and groupnames in sssd internals. In current form it breaks just about everything. The sysdb update function is just placeholder and it's contents are irelevant. Currently I am working on fqname attribute removal because it seems to just add confusion. If you decide to look into the code, please use sunglasses or other other protective gear and play some calm music in your backgroun to prevent eye or brain injury.
* util: sss_ioname2internalMichal Židek2016-01-132-0/+38
|
* util: Add function to create internal fqnameMichal Zidek2016-01-132-0/+32
| | | | | Add function to create internal fqname in format shortname@domname where domain portion is lowercased.
* util: Add function to parse internal fqname formatMichal Zidek2016-01-132-0/+58
| | | | | | Add lightweight function to parse internal fqname format (shortname@domain). This function does not require the sss_names to be initialized.
* p11: enable ocsp checksSumit Bose2015-11-265-1/+65
| | | | | | | | | | | This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Fix memory leak in switch_credsLukas Slebodnik2015-11-111-0/+1
| | | | | | | | If we are already requested used then we needn't to call setreeuid(), setresgid(). But we forgot to relase local struct sss_creds *ssc, which is used for returnig saved credentials. Reviewed-by: Petr Cech <pcech@redhat.com>
* UTIL: More restrictive umask on sss_unique_file()Petr Cech2015-11-051-1/+1
| | | | | | | | | There is no need to have executable unique_file. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Fix leak of file descriptorsLukas Slebodnik2015-11-051-8/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The state "struct sss_ldap_init_state" contains socket created in function sss_ldap_init_send. We register callback sdap_async_sys_connect_timeout for handling issue with connection The tevent request "sss_ldap_init_send" is usually (nested) subrequest of "struct resolve_service_state" related request created in fucntion fo_resolve_service_send. Function fo_resolve_service_send also register timeout callback fo_resolve_service_timeout to state "struct resolve_service_state". It might happen that fo_resolve_service_timeout will be called before sss_ldap_init_send timeout and we could not handle tiemout error for state "struct sss_ldap_init_state" and therefore created socket was not closed. We tried to release resources in function sdap_handle_release. But the structure "struct sdap_handle" had not been initialized yet with LDAP handle and therefore associated file descriptor could not be closed. [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached [fo_resolve_service_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[110] [sdap_handle_release] (0x2000): Trace: sh[0x7f6713410270], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory [be_resolve_server_done] (0x1000): Server resolution failed: 14 [be_resolve_server_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[14] [check_online_callback] (0x0100): Backend returned: (1, 0, <NULL>) [Provider is Offline (Success)] Resolves: https://fedorahosted.org/sssd/ticket/2792 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* server_setup: Log failed attempt to set localeMichal Židek2015-11-041-1/+7
| | | | | | | | Failed setlocale call could cause unexpected behaviour. It is better to generate DEBUG message if this happens. Reviewed-by: Michal Židek <mzidek@redhat.com>
* DEBUG: Preventing chown_debug_file if journald onPetr Cech2015-10-271-16/+19
| | | | | | | | | | | | There is function chown_debug_file() which didn't check if the SSSD is compiled with journald support. This patch add simple checking of this state. Resolves: https://fedorahosted.org/sssd/ticket/2493 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* util: Update get_next_domain's interfaceMichal Židek2015-10-233-16/+27
| | | | | | | | | | | | Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTILS: More restrictive permissions in domain_infoPetr Cech2015-10-141-2/+2
| | | | | | | | | | | | There are two occurances of creating temp. file under SSS_DFL_X_UMASK permissions which enable possibility to grant executable permission. After writting to those temp. files, they are renamed and they get 0644 permissions. So SSS_DFL_UMASK is good enough fot this case. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)Petr Cech2015-10-142-2/+5
| | | | | | | | | | | There are many calls of umask function with 077 argument. This patch add new constant SSS_DFL_X_UMASK which stands fot 077. So all occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)Petr Cech2015-10-143-4/+6
| | | | | | | | | | | | There are many calls of umask function with 0177 argument. This patch add new constant SSS_DFL_UMASK which stands for 0177. So all occurences of umask(0177) (except responder code) are replaced by constant SSS_DFL_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Convert domain->disabled into tri-state with domain statesJakub Hrozek2015-09-214-3/+22
| | | | | | | | | | | | | Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Don't error out reading a minimal krb5.confJakub Hrozek2015-09-161-1/+4
| | | | | | | | With some setups, krb5.conf can be really minimal. In those cases, we should ignore PROF_NO_RELATION and PROF_NO_SECTION and just return "false" as in "no proxy" without a loud debug message. Reviewed-by: Petr Cech <pcech@redhat.com>
* utils: make sss_krb5_get_primary() privateSumit Bose2015-09-142-6/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Remove trailing whitespacePavel Reichl2015-09-032-8/+8
| | | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* sbus: Add a special error code for messages sent by the bus itselfJakub Hrozek2015-09-012-0/+2
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS: Don't ignore backslash in usernames with ldap providerLukas Slebodnik2015-09-012-1/+13
| | | | | | | | | | The regression was caused by changing default domain regex for ldap provider in ticket #2717 Resolves: https://fedorahosted.org/sssd/ticket/2772 Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Function 2string for enum sss_cli_commandPetr Cech2015-08-312-0/+266
| | | | | | | | | | | | Improvement of debug messages. Instead of:"(0x0400): Running command [17]..." We could see:"(0x0400): Running command [17][SSS_NSS_GETPWNAM]..." (It's not used in sss_client. There are only hex numbers of commands.) Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DYNDNS: remove code duplicationPavel Reichl2015-08-142-0/+2
| | | | | | | | | | Move copy pasted code for converting sockaddr_storage to string into function. Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Provide a common interface to safely create temporary filesJakub Hrozek2015-08-142-0/+148
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DEBUG: Add new debug category for fail over.Michal Židek2015-08-142-1/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Improve messages about failuresPavel Reichl2015-08-071-1/+3
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* krb5 utils: add sss_krb5_realm_has_proxy()Sumit Bose2015-08-052-0/+59
| | | | | Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Initgr memory cache should work with fq namesLukas Slebodnik2015-08-051-3/+4
| | | | | | | | | | | | | | | | | | | | | We need to stored two versions of name to the initgroups memory cache. Otherwise it could be stored many times if sssd is configured with case_sensitive = false. It would be impossible to invalidate all version of names after user login. As a result of this wrong user groups could be returned from initgroups memory cache. Therefore we store raw name provided by glibc function and internal sanitized fully qualified name, which is unique for particular user. This patch also increase average space for initgroups because there are also stored two quite long names in case of fq names. Resolves: https://fedorahosted.org/sssd/ticket/2712 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: "Override" functions for initgr mmap cacheLukas Slebodnik2015-08-051-1/+5
| | | | | | | | | | | | | | | | | | Functions sss_mc_get_strs_offset and sss_mc_get_strs_len provides data about strings for individual memory caches (passwd, ...) Their are used in generic responder mmap cache code to find a record in mmap cache (sss_mc_find_record). Data provided from functions sss_mc_get_* are used for checking the validity of record. So in case of corrupted record the whole mmap cache can be invalidated. Functions sss_mc_get_strs_offset and sss_mc_get_strs_len did not provide data for initgroups mmap cache and therefore particular record could not be invalidated. Resolves: https://fedorahosted.org/sssd/ticket/2716 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: Rename variablesLukas Slebodnik2015-08-051-1/+1
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* ssh: generate public keys from certificateSumit Bose2015-07-313-0/+227
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2711 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add certificate support to PAM (pre-)auth requestsSumit Bose2015-07-312-0/+2
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* authok: add support for Smart Card related authtokensSumit Bose2015-07-312-0/+105
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* utils: add NSS version of cert utilsSumit Bose2015-07-311-0/+212
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Lower debug level in perform_checks()Jakub Hrozek2015-07-281-4/+4
| | | | | | | Failures in perform_checks() don't have to be fatal, therefore the debug messages shouldn't be either. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* nss_check_name_of_well_known_sid() improve name splittingSumit Bose2015-07-161-2/+1
| | | | | | | | | | | | | | | Currently in the default configuration nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default, additionally if the name could not be split nss_check_name_of_well_known_sid() returns ENOENT which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Use NSCD path in execl()Jakub Hrozek2015-07-151-1/+1
| | | | | | | | | | man execl says: The first argument, by convention, should point to the filename associated with the file being executed. We used just 'nscd' instead. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Add sss_filter_sanitize_exJakub Hrozek2015-07-152-3/+30
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 In order to support wildcard request, we need to introduce an optionally relaxed version of sss_filter_sanitize that allows to select which characters are exempt from sanitizing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* nss: Store entries in responder to initgr mmap cacheLukas Slebodnik2015-07-031-0/+8
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>
* utils: add get_last_x_chars()Sumit Bose2015-06-192-0/+19
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* certs: add PEM/DER conversion utilitiesSumit Bose2015-06-193-0/+369
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Fetch keytab for 1way trustsJakub Hrozek2015-06-142-0/+4
| | | | | | | | | Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships. https://fedorahosted.org/sssd/ticket/2636 Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Include ipaNTTrustDirection in the attribute set for trusted domainsJakub Hrozek2015-06-142-0/+2
| | | | | | | | | | | Allows to distinguish the trust directions for trusted domains. For domains where we don't know the direction in server mode, we assume two-way trusts. Member domains do not have the direction, but rather the forest root direction is used. Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it privateJakub Hrozek2015-06-142-144/+0
| | | | | | | | | | | In order to make updating the subdomain list a two-step process. Therefore we need to make sure that update_subdomains() is the only interface towards the SSSD that changes the subdomain list. Move the new_subdomain() function to sysdb_subdomains.c and only make it available through a private header so it's usable by unit tests. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Store trust direction for subdomainsJakub Hrozek2015-06-142-2/+5
| | | | | | | | | | | | We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Don't override homedir with subdomain_homedirPavel Reichl2015-06-142-0/+2
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2583 Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Inherit ignore_group_membersJakub Hrozek2015-06-051-0/+9
| | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2644 Allows the administrators to extend ignore_group_members to subdomains as well by setting: subdomain_inherit = ignore_group_members in the domain section. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* util-tests: Add validation of internal error messagesLukas Slebodnik2015-06-011-4/+4
| | | | | | | The function sss_strerror() should not return a sentence. It shoudl return string; the same as strerror() Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sbus: add sbus_opath_decompose[_exact]Pavel Březina2015-05-222-0/+2
| | | | | | | | This function decomposes object path into array of strings. The "_exact" version expects a certain number of parts otherwise an error is thrown. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SELINUX: Avoid disconnecting disconnected handleJakub Hrozek2015-05-111-2/+7
| | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2649 libsemanage is very strict about its API usage and actually doesn't allow disconnecting a handle that is not connected. The unpatched code would fail with: selinux_child: handle.c:231: semanage_disconnect: Assertion `sh != ((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect != ((void *)0)' failed. If semanage_connect() failed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Add cache_credentials_minimal_first_factor_length config optionSumit Bose2015-05-081-0/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-26 00:51:31 +0000