| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an object can't be resolved as a posix group we then try to resolve
it as a non-posix (without the gid attribute) nested group and store it as a
group stub into the sysdb.
The purpose is to be able to resolve nested posix groups which are
members of non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Create new set of attributes to be used when processing non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit fc8d98c9f0bb26de7be732c3e542b85c8abdba53.
The reason why the control was marked critical is that we expect
to get it back on reply, or it should fail. We should rather leave
the criticality bit and handle the error (by downgrading to not use
deref controls) if the server fails.
In other words, we should not workaround bugs in any LDAP server.
If server claim it support deref control, it should work with critical flag.
sh-4.2$ ldapsearch -LLL -h 172.17.0.9 -x -b "" -s base supportedControl
dn:
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
sh-4.2$ grep "1.3.6.1.4.1.4203.666.5.16" /usr/include/ldap.h
#define LDAP_CONTROL_X_DEREF "1.3.6.1.4.1.4203.666.5.16"
sh-4.2$ ldapsearch -x -LLL -h 172.17.0.9 -b 'dc=example,dc=com' \
-E '!deref=member:cn,uid' \
cn=ref_grp1 cn,uid
Critical extension is unavailable (12)
Additional information: critical control unavailable in context
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2391
apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.
But SID lookups can match either user or group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
user by SID, didn't find the entry and accessed a NULL pointer.
A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)
The group_sid can be anything, including Domain Users (XXX-513)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Don't log error if access is denied in function sdap_access_done().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As preparation for ticket #2364 move code from sdap_access_filter_done()
into sdap_access_done() to make its reuse possible and thus avoid code
duplication.
Rename check_next_rule() to sdap_access_check_next_rule().
Update definition order of tevent-using functions by time of execution.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Fixed typo and replaced duplicated string by macro definition.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
As preparation for ticket #2364 separate code for parsing user basedn
to a new function sdap_get_basedn_user_entry().
We actually do not need to call strdup on basedn, instead we can just point to address in user_entry as it's allocated on parent memory context.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
As a preparation for ticket #2364 separate code for storing user bool
values into sysdb to a new function sdap_save_user_cache_bool().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It was possible to send SIGUSR1 and to both sssd and sssd_be processes,
but only possible to send SIGUSR2 to sssd. This patches fixes the
dichotomy by making the sssd_be process handle SIGUSR2 as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
With this path, a user whose name is "space user" would match a sudo
rule while using the override_default_space option. Please note that the
option is only a client-side override, so the sudoUser attribute must
contain the space in order to match the original name. In other words,
when substituting space ( ) for underscore (_), this attribute would match:
sudoUser: space user
this would not:
sudoUser: space_user
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
The input of the InfoPipe responder substitutes the configured character
for space and the GetUserAttrs and GetUserGroups functions substitute
space for the configured character in their output.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
When using the override_default_space option, this patch allows to log
in using both the original name (space user) as well as the normalized
name (space_user).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2400
Netgroups often have members that will not process correctly when we
require a fully-qualified name. This patch simply ignores the
default_domain setting for netgroup lookups - we ignore FQDN only
domains for netgroup lookups since
1933ff17513da1d979dd22776a03478341ef5e6b anyway.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Amend the man page to reflect current behaviour.
https://fedorahosted.org/sssd/ticket/2401
Reviewed-by: Dan Lavu <dlavu@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The EntryUSN is not fetched by the sudo LDAP provider when it downloads
the rules because sudorule_map is missing this attribute. We forgot to
add the SDAP_AT_SUDO_RUNAS into sdap_sudorule_attrs when we added support
for sudoRunAs.
Related to:
https://fedorahosted.org/sssd/ticket/2212
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The Data Provider lookup code user the original input string as the
lookup key instead of the parsed name component. For example, for an
input joe@mydomain, the backend would have searched for:
(&(cn=joe@mydomain)(objectclass=user))
This patch fixes the lookup to use the parsed name.
https://fedorahosted.org/sssd/ticket/2402
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Don't install sssd-ipa and sssd-ad man pages if corresponding providers
weren't built (i.e. --without-samba was specified to configure).
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The command line utility ldapsearch does not set option LDAP_CONTROL_X_DEREF as
critical.
sssd performes similar ldap search as following command:
sh-4.2$ ldapsearch -x -LLL -h 172.17.0.7 \
-b 'cn=ref_grp1,ou=qagroup,dc=example,dc=com'
-E '!deref=member:objectClass,cn,userPassword,gidNumber,member,modifyTimestamp,modifyTimestamp,uid' \
objectClass,cn,userPassword,gidNumber,member,modifyTimestamp,modifyTimestamp,uid
Critical extension is unavailable (12)
Additional information: critical control unavailable in context
The most important is "exclamation mark" before extensions. It indicates
criticality. This caused problem when openldap server was older
openldap-2.4.23-34.el6. Dereference is performed successfully if extension is
not critical: -E 'deref=member:objectClass ...
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2389
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
As noted in the MIT KRB5 documentation, some servers send PAC with no
checksum, therefire the PAC validation should not be fatal, instead, we
should treat a failure from krb5_pac_verify as if there was no PAC at
all.
Reported on sssd-devel by Thomas Sondergaard
|
| |
|
|
|
|
| |
The function was unused since 2009 and moreover it was synchronous.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
If the LDAP schema was set to a different value than AD and ID mapping
was enabled, the value of ret was not defined.
Make sure we define ret for the condition below with the
default for ID mapping which is 'no GID'
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The meta server status consists of two parts:
A) port status - managed by failover mechanism
B) SRV lookup status - managed by SRV resolver
Both parts are resetted to "neutral" after some time, having
B timeout greater than A timeout.
We were hitting the following issue:
1. SRV lookup fails (DNS is not reachable), this will set A to
"not working and B to "resolve error". Then the next server is
tried but fails as well.
2. If SSSD tries to go back online the failover will set A to
"neutral" and it will try to resolve SRV again. But B status is
still set to "resolve error" since we haven't reached the timeout
yet and SRV resolution fails immediately. But the next server
is not tried since the port status (A) remains "neutral".
This patch sets the port status to "not working" making the
failover to continue with the next server as expected.
https://fedorahosted.org/sssd/ticket/2390
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds periodic check to test if
backend can exit offline mode and only
marks backend as not offline if server
for the service is available.
Prior to this patch we marked backend as not
offline if the offline_timeout was reached
without checking for the server availability
and when the next request failed again
we switched back to the offline mode.
This caused significant slowdowns in some
edge cases.
Fixes:
https://fedorahosted.org/sssd/ticket/2355
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Move the check for libini_config >= 1.1.0 from samba.m4 to
libini_config.m4 to have them all in one place, simplifying maintenance.
Set boolean variables for every detected version and use one of them in
samba.m4 instead.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Check for lowest versions of libini_config first, instead of the highest ones
in libini_config.m4. Define HAVE_LIBINI_CONFIG_V* for lower versions when
higher versions are present. Simplify preprocessor branching in sss_ini.c
accordingly.
This prepares libini_config.m4 for addition of a check for one more version of
libini_config.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Use separate shell variable name prefixes for checks of separate libnl
versions, as repeated invocations of PKG_CHECK_MODULES with the same
prefix are not generally supposed to have an effect.
This prevents bugs similar to https://fedorahosted.org/sssd/ticket/2388
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use separate shell variable name prefixes for checks of separate
libini_config versions, as repeated invocations of PKG_CHECK_MODULES
with the same prefix are not generally supposed to have an effect.
Otherwise only the checks before and including the first one defining
both *_CFLAGS and *_LIBS variables will be done and all that follow will
assume success. This happens on RHEL6.5, where both "pkg-config
--cflags" and "pkg-config --libs" for ini_config produce non-empty
output and successful check for v0.6.1 results in incorrectly successful
check for v1.1.0.
Resolves:
https://fedorahosted.org/sssd/ticket/2388
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Specify minimum required libini_config version in a message in samba.m4
explaining the need for the library.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Remove substitution of *_OBJ variables (e.g. POPT_OBJ or PCRE_OBJ) from
configure scripts as they don't seem to be set or used by anything.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2377
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
