path: root/src
Commit message | Author | Age | Files | Lines
* add sdap_sudo_schedule_refresh() | Pavel Březina | 2012-12-18 | 2 | -43/+77
    Reduces amount of code duplication.
* try primary server after retry_timeout + 1 seconds when switching to backup [1.9.2-48] | Pavel Březina | 2012-12-18 | 4 | -2/+14
    https://fedorahosted.org/sssd/ticket/1679
    The problem is when we are about to reset the server status, we don't get through the timeout (30 seconds) because the "switch to primary server" task is scheduled 30 seconds after fall back to a backup server. Thus the server status remains "not working" and is reset after another 30 seconds.
    We need to make sure that the server status is tried after the timeout period. retry_timeout is currently hardcoded to 30, thus the change in man page.
* RESOLV: Do not steal the resulting hostent on error | Jakub Hrozek | 2012-12-18 | 1 | -2/+3
    https://fedorahosted.org/sssd/ticket/1706
* MEMBEROF: silence compilation warnings | Jakub Hrozek | 2012-12-18 | 1 | -15/+15
    src/ldb_modules/memberof.c: In function ‘mbof_get_ghost_from_parent_cb’:
    src/ldb_modules/memberof.c:3085: warning: declaration of ‘dup’ shadows a global declaration
    /usr/include/unistd.h:528: warning: shadowed declaration is here
    src/ldb_modules/memberof.c: In function ‘mbof_inherited_mod’:
    src/ldb_modules/memberof.c:3253: warning: declaration of ‘dup’ shadows a global declaration
    /usr/include/unistd.h:528: warning: shadowed declaration is here
    src/ldb_modules/memberof.c: In function ‘mbof_fill_vals_array’:
    src/ldb_modules/memberof.c:3786: warning: declaration of ‘index’ shadows a global declaration
    /usr/include/string.h:489: warning: shadowed declaration is here
* PROXY: fix groups caching [1.9.2-47] | Ondrej Kos | 2012-12-17 | 1 | -0/+6
    https://fedorahosted.org/sssd/ticket/1685
    Properly react on deleting group which was not found in sysdb.
* let ldap_chpass_uri failover work when using same hostname [1.9.2-46] | Pavel Březina | 2012-12-15 | 1 | -11/+4
    https://fedorahosted.org/sssd/ticket/1699
    We want to continue with the next server on all errors, not only on ETIMEDOUT.
    This particular ticket was dealing with ECONNREFUSED.
* sssd_pam: Cleanup requests cache on sbus reconect [1.9.2-45] | Simo Sorce | 2012-12-14 | 1 | -1/+4
    The pam responder was not properly configured to recover from a backend disconnect. The connections that were in flight before the disconnection were never freed and new requests for the same user would just pile up on top of the now phantom requests.
    Fixes: https://fedorahosted.org/sssd/ticket/1655
* tools: sss_userdel and groupdel remove entries from memory cache [1.9.2-44] | Michal Zidek | 2012-12-14 | 2 | -0/+47
    https://fedorahosted.org/sssd/ticket/1659
* sssd_nss: Remove entries from memory cache if not found in sysdb | Michal Zidek | 2012-12-14 | 1 | -0/+23
    Functions nss_cmd_getXXnam remove entries from memory cache if not found in sysdb cache of a local domain.
* sudo: include primary group in user group list [1.9.2-43] | Pavel Březina | 2012-12-14 | 1 | -1/+41
    https://fedorahosted.org/sssd/ticket/1677
* sysdb_get_sudo_user_info() initialize attrs on declaration | Pavel Březina | 2012-12-14 | 1 | -4/+3
* SUDO: strdup the input variable [1.9.2-42] | Jakub Hrozek | 2012-12-14 | 1 | -1/+1
    https://fedorahosted.org/sssd/ticket/1701
* sudo manpage: clarify that sudoHost may contain wildcards and not regular expression [1.9.2-41] | Pavel Březina | 2012-12-14 | 2 | -2/+2
    https://fedorahosted.org/sssd/ticket/1690
* let krb5_kpasswd failover work [1.9.2-40] | Pavel Březina | 2012-12-14 | 1 | -3/+4
    https://fedorahosted.org/sssd/ticket/1680
    Bad service name (KERBEROS) was provided when setting port status, thus the port status never changed
* NSS: Fix the error handler in sss_mc_create_file | Jakub Hrozek | 2012-12-14 | 1 | -10/+16
    https://fedorahosted.org/sssd/ticket/1704
    The function is short enough so that we can simply stick with return and release resources before returning as appropriate.
* sudo: don't get stuck in rules and smart refresh when offline [1.9.2-39] | Pavel Březina | 2012-12-14 | 1 | -4/+14
    https://fedorahosted.org/sssd/ticket/1682
    The problem was in following code:
        if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) {
            tevent_req_error(req, ret);
            return;
        }
    In situation when data provider error occurs (e.g. when offline), ret == EOK but dp_error != DP_ERR_OK and we take the true branch. This results in calling tevent_req_error(req, EOK). Unfortunately, with EOK tevent_req_error only returns false, but does not trigger callback and this tevent request hangs forever, because no tevent_req_done(req) is called.
* MEMBEROF: Fix copy-n-paste error | Jakub Hrozek | 2012-12-14 | 1 | -1/+1
    https://fedorahosted.org/sssd/ticket/1703
* LDAP: remove dead assignment | Jakub Hrozek | 2012-12-14 | 1 | -1/+0
* SYSDB: Move misplaced assignment | Jakub Hrozek | 2012-12-14 | 1 | -2/+1
* PAC: check the return value of diff_git_lists | Jakub Hrozek | 2012-12-14 | 1 | -0/+4
* PROXY: fix negative cache [1.9.2-38] | Ondrej Kos | 2012-12-14 | 1 | -20/+24
    https://fedorahosted.org/sssd/ticket/1685
    The PROXY provider wasn't storing credentials to negative cache due to bad return value. This was delegated from attempt to delete these credentials from local cache. Therefore ENOENT is replaced as EOK.
* MAN: Move ssh_known_hosts_timeout documentation to the correct section | Jan Cholasta | 2012-12-14 | 1 | -12/+12
* LDAP: Continue adjusting group membership even if there is nothing to add [1.9.2-37] | Jakub Hrozek | 2012-12-07 | 1 | -2/+1
    https://fedorahosted.org/sssd/ticket/1695
* do not crash when id_provider is not set [1.9.2-36] | Pavel Březina | 2012-12-07 | 1 | -0/+6
    https://fedorahosted.org/sssd/ticket/1686
* NSS: Fix netgroup midpoint cache refresh [1.9.2-35] | Jakub Hrozek | 2012-12-07 | 3 | -3/+3
    https://fedorahosted.org/sssd/ticket/1683
    The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
* MEMBEROF: Keep inherited ghost users around on modify operation [1.9.2-34] | Jakub Hrozek | 2012-12-06 | 2 | -34/+637
    https://fedorahosted.org/sssd/ticket/1652
    It is possible to simply reset the list of ghost users to a different one during a modify operation. It is also actually how we update entries that are expired in the SSSD cache.
    In this case, we must be careful and retain the ghost users that are not native to the group we are processing but are rather inherited from child groups. The intention of the replace operation after all is to set the list of direct members of that group, not direct and indirect.
* MEMBEROF: Implement the modify operation for ghost users | Jakub Hrozek | 2012-12-06 | 2 | -36/+715
    Similar to the add and delete operation, we also need to propagate the changes of the ghost user attribute to the parent groups so that if a nested group updates memberships, its parents also get the membership updated.
* MEMBEROF: Split the add ghost operation into a separate function | Jakub Hrozek | 2012-12-06 | 1 | -17/+73
    This new function will be reused by the modify operation later
* MEMBEROF: Split the del ghost attribute op into a reusable function | Jakub Hrozek | 2012-12-06 | 1 | -12/+22
    This new function is going to be reused by the modify operation
* MEMBEROF: split processing the member modify into a separate function | Jakub Hrozek | 2012-12-06 | 1 | -47/+73
    This will allow to process ghost users in a similar fashion
* MEMBEROF: Implement delete operation for ghost users | Jakub Hrozek | 2012-12-06 | 2 | -7/+362
    https://fedorahosted.org/sssd/ticket/1668
    The memberof plugin did only expand the ghost users attribute to parents when adding a nested group, but didn't implement the reverse operation.
    This bug resulted in users being reported as group members even after the direct parent went away as the expanded ghost attributes were never removed from the parent entry.
    When a ghost entry is removed from a group, all its parent groups are expired from the cache by setting the expire timestamp to 1. Doing so would force the SSSD to re-read the group next time it is requested in order to make sure its members are really up-to-date.
* TESTS: Test ghosts users in the RFC2307 schema | Jakub Hrozek | 2012-12-06 | 1 | -0/+248
* MEMBEROF: Do not add the ghost attribute to self | Jakub Hrozek | 2012-12-06 | 2 | -13/+87
    When a nested group with ghost users is added, its ghost attribute should propagate within the nested group structure much like the memberuid attribute. Unlike the memberuid attribute, the ghost attribute is only semi-managed by the memberof plugin and added manually to the original entry.
    This bug caused LDB errors saying that attribute or value already exists when a group with a ghost user was added to the hierarchy as groups were updated with an attribute they already had.
* Always append rctx as private data [1.9.2-33] | Simo Sorce | 2012-12-06 | 1 | -1/+1
    This is used for the new calls back from the data provider.
* Add backchannel NSS provider query on initgr calls | Simo Sorce | 2012-12-06 | 1 | -0/+165
    This is needed in order to assure the memcache is properly and promptly cleaned up if a user memberships change on login.
    The list of the current groups for the user is sourced before it is updated and sent to the NSS provider to verify if it has changed after the update call has been made.
* Hook for mmap cache update on initgroup calls | Simo Sorce | 2012-12-06 | 4 | -0/+148
    This set of functions enumerate the user's groups and invalidate them all if the list does not match what we get from the caller.
* Hook to perform a mmap cache update from sssd_nss | Simo Sorce | 2012-12-06 | 4 | -0/+124
    This set of functions enumerate each user/group from all domains and invalidate any mmap cache record that matches.
* mmap cache: public functions to invalidate records | Simo Sorce | 2012-12-06 | 2 | -0/+135
    These functions can be called from the nss responder to invalidate records that have ceased to exist or that need to be refreshed the first time an application needs them.
* Missing parameter in DEBUG message. | Michal Zidek | 2012-12-06 | 1 | -1/+2
* Dereference after null check in sss_idmap_sid_to_unix | Michal Zidek | 2012-12-06 | 1 | -1/+5
    https://fedorahosted.org/sssd/ticket/1684
* warn user if password is about to expire | Pavel Březina | 2012-12-06 | 1 | -3/+4
    https://fedorahosted.org/sssd/ticket/1638
    If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server.
    If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning.
    ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
* RESOLV: return ENOENT if the address list is empty | Jakub Hrozek | 2012-12-06 | 1 | -0/+8
* IPA: Handle bad results from c-ares lookup | Stephen Gallagher | 2012-12-06 | 1 | -1/+11
    In some situations, the c-ares lookup can return NULL instead of a list of addresses. In this situation, we need to avoid dereferencing NULL.
    This patch adds a log message and sets the count to zero so it is handled appropriately below.
* Monitor quit when not exists no process no stops | Ariel O. Barria | 2012-11-28 | 1 | -1/+3
    https://fedorahosted.org/sssd/ticket/1669
* Null pointer dereferenced. | Michal Zidek | 2012-11-28 | 1 | -96/+100
    https://fedorahosted.org/sssd/ticket/1674
* idmap: Silence DEBUG messages when dealing with built-in SIDs. | Michal Zidek | 2012-11-28 | 6 | -80/+125
    When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects.
    https://fedorahosted.org/sssd/ticket/1593
* do not default fullname to gecos when schema = ad | Pavel Březina | 2012-11-28 | 1 | -0/+14
    https://fedorahosted.org/sssd/ticket/1482
    When we add fullname to user_attrs, then sysdb_add_basic_user() will set fullname to gecos when it initially creates the user object in the cache, but it will be overwritten in the same transaction when sysdb_store_user() adds all the user_attrs.
* Uninitialized pointer read | Michal Zidek | 2012-11-28 | 1 | -1/+1
    https://fedorahosted.org/sssd/ticket/1673
* fix SIGSEGV in IPA provider when ldap_sasl_authid is not set | Pavel Březina | 2012-11-27 | 1 | -1/+1
    https://fedorahosted.org/sssd/ticket/1657
    IPA_HOSTNAME is not stored in ipa_opts->id options so the option was always NULL here. This caused SIGSEGV when accessed by strchr() in subsequent function.
* debug: print fatal and critical errors if debug level is unresolved | Michal Zidek | 2012-11-27 | 2 | -7/+4
    If global variable debug_level has value SSSDBG_UNRESOLVED, we should print at least fatal and critical errors.
    https://fedorahosted.org/sssd/ticket/1345