| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Coverity 10886
|
|
|
|
|
|
|
|
|
|
| |
sss_ldap_err2string() - function created
https://fedorahosted.org/sssd/ticket/986
sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
https://fedorahosted.org/sssd/ticket/986
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes for python HBAC bindings
These changes were proposed during a review:
* Change the signature of str_concat_sequence() to const char *
* use a getsetter for HbacRule.enabled to allow string true/false and
integer 1/0 in addition to bool
* fix a minor memory leak (HbacRequest.rule_name)
* remove overzealous discard consts
Fix python HBAC bindings for python <= 2.4
Several parts of the HBAC python bindings did not work with old Python
versions, such as the one shipped in RHEL5.
The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char
arguments where they have "const char *" in recent versions.
This caused compilation warnings this patch mitigates by using
the discard_const hack on python 2.4
Remove dead code from python HBAC bindings
https://fedorahosted.org/sssd/ticket/935
Handle allocation error in python HBAC bindings
https://fedorahosted.org/sssd/ticket/934
HBAC rule validation Python bindings
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add sockaddr_storage to sdap_service
Add sdap_call_conn_cb() to call add connection callback directly
Use name based URI instead of IP address based URIs
Use ldap_init_fd() instead of ldap_initialize() if available
Do not access state after tevent_req_done() is called.
Call ldap_install_tls() on ldaps connections
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add utility function to return IP address as string
Add a utility function to escape IPv6 address for use in URIs
Use escaped IP addresses in LDAP provider
Escape IPv6 IP addresses in the IPA provider
https://fedorahosted.org/sssd/ticket/880
Fix bad merge
We merged in a patch, but missed that it missed a dependency added
by another earlier patch.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/752
|
| |
|
|
|
|
|
|
| |
Specially crafted packages might lead to an integer overflow and the
parsing of the input buffer might not continue as expected. This issue
was identified by Sebastian Krahmer <krahmer@suse.de>.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/711
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/730
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/720
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Also adds a unit test.
|
| |
|
| |
|
|
|
|
|
| |
If there is a problem with reopening the logs, it can be an audit
trail issue.
|
|
|
|
|
|
|
|
| |
We used strtol() on a number of places to convert into uid_t or gid_t
from a string representation such as LDAP attribute, but on some
platforms, unsigned long might be necessary to store big id_t values.
This patch converts to using strtoul() instead.
|
|
|
|
|
| |
strcasecmp() is defined in strings.h which might not be included under
certain conditions.
|
|
|
|
|
| |
sss_hash_create() produces a dhash table living in the talloc
hierarchy.
|
| |
|
| |
|
|
|
|
|
|
| |
Three assignments deleted, two return code inspection added.
Also found and fixed one critical bug caused by dead assignment.
Ticket: #590
|
|
|
|
|
|
|
| |
Adds two utility functions to obfuscate a password and inverse to
extract the cleartext password back.
So far, only NSS-based implementation is provided.
|
| |
|
|
|
|
|
|
| |
A refactoring patch that creates a common util/crypto subdir with
per-implementation subdirectories for each underlying crypto library
supported by SSSD.
|
| |
|
|
|
|
| |
Includes a unit test
|
|
|
|
|
|
|
|
| |
In addition to validating the keytab everytime a TGT is requested, we
also validate the keytab on back end startup to give early warning that
the keytab is not usable.
Fixes: #556
|
| |
|
|
|
|
|
| |
Right now, this log function writes to the syslog. In the future,
it could be modified to work with ELAPI or another logging API.
|
|
|
|
| |
Fixes: #462
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/544
|
|
|
|
| |
Fixes: #503
|
|
|
|
| |
Fixes: #541
|
| |
|
|
|
|
|
|
|
| |
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new failover API call fo_add_srv_server that allows the caller
to specify a server that is later resolved into a list of specific
servers using SRV requests.
Also adds a new failover option that specifies how often should the
servers resolved from SRV query considered valid until we need a
refresh.
The "real" servers to connect to are returned to the user as usual,
using the fo_resolve_service_{send,recv} calls.
Make SRV resolution work with c-ares 1.6
|
|
|
|
|
|
| |
The correct memory deallocation sequence is:
- clear pointer to memory first
- then deallocate memory
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a small window between running lstat() on a filename and
opening it where it's possible for the file to have been modified.
We were protecting against this by saving the stat data from the
original file and verifying that it was the same file (by device
and inode) when we opened it again, but this is an imperfect
solution, as it is still possible for an attacker to modify the
permissions during this window.
It is much better to simply open the file and test on the active
file descriptor.
Resolves https://fedorahosted.org/sssd/ticket/425 incidentally, as
without the initial lstat, we are implicitly accepting symlinks
and only verifying the target file.
|
|
|
|
|
|
|
|
|
| |
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|