path: root/src
Commit message
  Author | Age | Files | Lines
* IPA: store forest name for forest member domains
  Sumit Bose | 2013-09-27 | 8 files | -16/+158
  In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
* IPA: Ignore dns_discovery_domain in server mode
  Jakub Hrozek | 2013-09-26 | 1 file | -0/+36
  https://fedorahosted.org/sssd/ticket/2079
  If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
* ad: store group in correct tree on initgroups via tokenGroups
  Pavel Březina | 2013-09-26 | 1 file | -11/+41
  If tokenGroups contains a group from a different domain than the user's, we stored it under the user's domain tree in sysdb. This patch changes it so we store it under the group's domain tree.
  Resolves: https://fedorahosted.org/sssd/ticket/2066
* sysdb: sysdb_update_members can take either name or dn
  Pavel Březina | 2013-09-26 | 4 files | -25/+65
  We need to work with distinguished names when processing cross-domain membership, because groups and users may be stored in different sysdb trees.
  Resolves: https://fedorahosted.org/sssd/ticket/2066
* sysdb: get_sysdb_grouplist() can return either names or dn
  Pavel Březina | 2013-09-26 | 2 files | -16/+55
  We need to work with distinguished names when processing cross-domain membership, because groups and users may be stored in different sysdb trees.
  Resolves: https://fedorahosted.org/sssd/ticket/2066
* util: add get_domains_head()
  Pavel Březina | 2013-09-26 | 2 files | -0/+15
  This function will return the head of the domain list.
  Resolves: https://fedorahosted.org/sssd/ticket/2066
* KRB5: Fix bad comparison
  Jakub Hrozek | 2013-09-26 | 1 file | -1/+1
* util: Always fall back to old find_uid method
  Simo Sorce | 2013-09-25 | 1 file | -4/+4
  systemd-login still fails with su/sudo login shells, so always fall back for now.
  Resolves: https://fedorahosted.org/sssd/ticket/2094
* krb5: Be more lenient on failures for old ccache
  Simo Sorce | 2013-09-25 | 2 files | -2/+2
  Fix a check for an error return code that can be returned when the ccache is not found. Even in case of other errors still do not fail authentication but allow it to proceed using a new ccache file if necessary.
  Related: https://fedorahosted.org/sssd/ticket/2053
* NSS: Failure to store entry in negative cache should not be fatal
  Jakub Hrozek | 2013-09-25 | 1 file | -18/+31
  The only effect the failure to store a result to the negative cache might have would be a slower lookup next time.
* NSS: Set UID and GID to negative cache after searching all domains
  Jakub Hrozek | 2013-09-25 | 1 file | -66/+105
  https://fedorahosted.org/sssd/ticket/2090
  Previously, when searching by UID or GID, the negative cache would only work in case the UID was searched for using fully qualified names.
* Include header file in implementation module.
  Lukas Slebodnik | 2013-09-24 | 22 files | -0/+22
  Declarations of public functions were in header files, but the header files were not included in the implementation files.
* Include right header file
  Lukas Slebodnik | 2013-09-24 | 1 file | -1/+1
  Public selinux functions are defined in file src/tools/selinux.c (selinux_file_context, reset_selinux_file_context, set_seuser, del_seuser), but the wrong header file, "util/util.h", was included. All declarations are in header file "tools/tools_util.h". This patch includes the right header file.
* man: server side password policies always take precedence
  Pavel Březina | 2013-09-24 | 1 file | -0/+5
  https://fedorahosted.org/sssd/ticket/2091
* Convert IN_MULTICAST parameter to host order
  Jakub Hrozek | 2013-09-24 | 3 files | -3/+3
  https://fedorahosted.org/sssd/ticket/2087
  IN_MULTICAST accepts the address in host order, but network order was supplied.
* mmap_cache: Use two chains for hash collision.
  Lukas Slebodnik | 2013-09-23 | 6 files | -34/+83
  struct sss_mc_rec had two hash members (hash1 and hash2) but only one next member. This was a big problem in case of a higher probability of hash collision.

  Structure sss_mc_rec will have two next members (next1, next2) with this patch. next1 is related to hash1 and next2 is related to hash1.

  Iterating over chains is changed, because we need to choose the right next pointer. The right next pointer will be chosen after comparing record hashes. This behaviour is wrapped in function sss_mc_next_slot_with_hash.

  Adding a new record to a chain is also changed. The situation is very similar to iterating. We need to choose the right next pointer (next1 or next2). The right next pointer will be chosen after comparing record hashes. Adding a reference to the next slot is wrapped in function sss_mc_chain_slot_to_record_with_hash.

  Size of structure sss_mc_rec was increased from 32 bytes to 40 bytes.
  Resolves: https://fedorahosted.org/sssd/ticket/2049
* Revert "mmap_cache: Skip records which doesn't have same hash"
  Lukas Slebodnik | 2013-09-23 | 1 file | -34/+2
  This reverts commit 4662725ffef62b3b2502481438effa7c8fef9f80.
* krb5: do not expand enterprise principals if offline
  Sumit Bose | 2013-09-23 | 1 file | -1/+1
  Expanding a principal to an enterprise principal only makes sense if there is a KDC available which can process it. If we are offline the plain principal should be used, e.g. to create an expired ccache.
  Fixes https://fedorahosted.org/sssd/ticket/2060
* krb5: save canonical upn to sysdb
  Sumit Bose | 2013-09-23 | 5 files | -20/+58
  If the returned TGT contains a different user principal name (upn) than used in the request, i.e. the upn was canonicalized, we currently save it to sysdb into the same attribute where the upn coming from an LDAP server is stored as well. This means the canonical upn might be overwritten when the user data is re-read from the LDAP server.

  To avoid this, this patch adds a new attribute to sysdb where the canonical upn is stored and makes sure it is used when available.
  Fixes https://fedorahosted.org/sssd/ticket/2060
* Check return values of setenv and unsetenv
  Jakub Hrozek | 2013-09-22 | 2 files | -2/+10
* RESPONDER: Use right function prototype
  Lukas Slebodnik | 2013-09-20 | 2 files | -1/+2
  The prototype of function sss_ncache_check_netgr was different from the definition of function sss_ncache_check_netgr. We did not catch it, because the header file "responder/common/negcache.h" was not included in the implementation file "responder/common/negcache.c".
* LDAP: Use primary cn to search netgroup
  Lukas Slebodnik | 2013-09-20 | 3 files | -7/+22
  Resolves: https://fedorahosted.org/sssd/ticket/2075
* AD: Failure to get flat name is not fatal
  Jakub Hrozek | 2013-09-20 | 3 files | -68/+86
  https://fedorahosted.org/sssd/ticket/2067
  Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.
* sdap_domain_add: remove too strict consistency check
  Sumit Bose | 2013-09-20 | 1 file | -10/+0
  The check worked for simple setups but fails e.g. in environments with trusts.
* man: improve sssd-sudo manual page
  Pavel Březina | 2013-09-20 | 1 file | -2/+22
  Resolves: https://fedorahosted.org/sssd/ticket/2085
* LDAP: Deprecate ldap_{user,group}_search_filter
  Jakub Hrozek | 2013-09-20 | 2 files | -44/+12
* MAN: Fix provider man page subtitle
  Jakub Hrozek | 2013-09-20 | 5 files | -5/+5
* AD: Download master domain info when enumerating
  Jakub Hrozek | 2013-09-18 | 5 files | -7/+211
  https://fedorahosted.org/sssd/ticket/2068
  With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.
* LDAP: sdap_id_setup_tasks accepts a custom enum request
  Jakub Hrozek | 2013-09-18 | 4 files | -18/+29
  The AD provider will override the default with its own.
* AD: async request to retrieve master domain info
  Jakub Hrozek | 2013-09-18 | 4 files | -214/+414
  Adds a reusable async request to download the master domain info.
* BE: Log domain name to journald if available
  Jakub Hrozek | 2013-09-18 | 4 files | -0/+16
  If the SSSD is compiled with journald support, then all sss_log() statements will include a new field called "SSSD_DOMAIN" that includes the domain name. Filtering only messages from the single domain is then as easy as:

    # journalctl SSSD_DOMAIN=foo.example.com
* Add journald support
  Jakub Hrozek | 2013-09-18 | 3 files | -0/+68
* KRB5: Call umask before mkstemp in the krb5 child code
  Jakub Hrozek | 2013-09-17 | 1 file | -0/+3
* Do not set HAVE_SYSTEMD_LOGIN if libsystemd-login is not available
  Sumit Bose | 2013-09-17 | 1 file | -1/+1
  Even if HAVE_SYSTEMD_LOGIN is set to 0, #ifdef will still see it as defined.
* nss: Wrong debug message.
  Michal Zidek | 2013-09-17 | 1 file | -1/+2
* simple provider: obey case sensitivity for subdomain users and groups
  Pavel Březina | 2013-09-17 | 1 file | -7/+43
  When comparing a username and his groups to the access list, we will obey the case sensitivity of the object from the access list.
  Resolves: https://fedorahosted.org/sssd/ticket/2034
* simple access test: initialize be_ctx for all tests
  Pavel Březina | 2013-09-17 | 1 file | -15/+16
  Recent simple access provider patches started using be_ctx during the access check. This caused a segfault in unit tests, since be_ctx wasn't initialized.
  Resolves: https://fedorahosted.org/sssd/ticket/2034
* simple provider: support subdomain groups
  Pavel Březina | 2013-09-17 | 1 file | -23/+64
  Resolves: https://fedorahosted.org/sssd/ticket/2034
* util: add find_subdomain_by_object_name()
  Pavel Březina | 2013-09-17 | 2 files | -0/+39
  This function will parse an object name into its name and domain name parts and return the appropriate sss domain.
  Resolves: https://fedorahosted.org/sssd/ticket/2034
* util: add find_subdomain_by_sid()
  Pavel Březina | 2013-09-17 | 2 files | -0/+35
  This function takes a domain SID (which doesn't have the last component) or an object SID (which has all components) and returns the subdomain. The subdomain is found by comparing domain->domainid with the SID.

  E.g.
    domain SID: S-1-5-21-3940105347-3434501867-2690409756
    object SID: S-1-5-21-3940105347-3434501867-2690409756-513
  Resolves: https://fedorahosted.org/sssd/ticket/2034
* simple provider: support subdomain users
  Pavel Březina | 2013-09-17 | 1 file | -5/+10
  Resolves: https://fedorahosted.org/sssd/ticket/2034
* simple access tests: fix typos
  Pavel Březina | 2013-09-17 | 1 file | -5/+5
* util: add sss_idmap_talloc[_free]
  Pavel Březina | 2013-09-17 | 7 files | -61/+73
  Remove code duplication.
* Add missing new line in DEBUG message
  Lukas Slebodnik | 2013-09-16 | 1 file | -2/+3
* util: Use systemd-login to check user sessions
  Simo Sorce | 2013-09-16 | 2 files | -0/+24
  Use systemd-login in preference to check if the user is logged in or not. Fall back to the old method if no systemd-login support is available at compile time or if it returns a fatal error and can't determine the status of the user on its own.

  This will allow to consider a user really active (in order to reuse or refresh credentials) only if it really is logged into the system, and not just if one of the user's processes is stuck around.
  Resolves: https://fedorahosted.org/sssd/ticket/2084
* man sssd: Add note about SSS_NSS_USE_MEMCACHE
  Michal Zidek | 2013-09-13 | 1 file | -0/+8
* Rename _SSS_MC_SPECIAL
  Michal Zidek | 2013-09-13 | 1 file | -2/+2
  If the environment variable _SSS_MC_SPECIAL is set to "NO", the mmap cache is skipped in the client code. The name is not very descriptive. This patch renames the variable to SSS_NSS_USE_MEMCACHE.
* IPA: Deprecate ipa_hbac_support_srchost option
  Ondrej Kos | 2013-09-13 | 3 files | -23/+11
  This option got already deprecated on the ipa server side. The option is undocumented and a warning is printed both to the sssd log files and syslog.
  Resolves: https://fedorahosted.org/sssd/ticket/1918
* MAN: Remove IPA specific LDAP settings
  Ondrej Kos | 2013-09-13 | 1 file | -218/+0
  Resolves: https://fedorahosted.org/sssd/ticket/1187
* KRB: Remove unused function parameters
  Lukas Slebodnik | 2013-09-12 | 1 file | -4/+2
  Parameter "int *dp_err" and parameter "int *pam_status" were unused in static function krb5_auth_prepare_ccache_name.