sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	LDAP: Handle errors from sdap_id_op properly in enum code	Jakub Hrozek	2014-02-12	1	-1/+41
\| \| \| \|	Reviewed-by: Pavel Březina <pbrezina@redhat.com>
*	AD: Remove dead code	Jakub Hrozek	2014-02-12	1	-8/+0
\| \| \| \|	Reviewed-by: Pavel Březina <pbrezina@redhat.com>
*	AD: Only download domains that are set to enumerate	Jakub Hrozek	2014-02-12	1	-1/+5
\| \| \| \|	Reviewed-by: Pavel Březina <pbrezina@redhat.com>
*	LDAP: Detect the presence of POSIX attributes	Jakub Hrozek	2014-02-12	10	-15/+504
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
*	SSS_CACHE: Reset the initgroups attribute when resetting users	Jakub Hrozek	2014-02-12	1	-0/+6
\|
*	NSS: Fix DEBUG formatting of cmdctx->id	Jakub Hrozek	2014-02-11	1	-26/+26
\| \| \| \| \| \| \|	Sometimes a UID/GID value was printed using the %d format specifier which caused overflows for very large values of ID. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
*	MONITOR: Incorrect permissions on sssd.conf	Pavel Reichl	2014-02-11	1	-1/+7
\| \| \| \| \| \| \| \| \| \|	Print user friendly warning when permissions on sssd.conf are incorrect and provide hint. Resolves: https://fedorahosted.org/sssd/ticket/2208 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
*	memberof: Removed unused parameter from mbof_fill_vals_array.	Lukas Slebodnik	2014-02-09	1	-13/+9
\| \| \| \|	Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
*	CONFDB: fail if there are domains with same name	Pavel Reichl	2014-02-09	1	-0/+18
\| \| \| \| \| \| \| \| \| \|	Fail to start sssd if the domains given in the domains option are the same as or only differ in case. Resolves: https://fedorahosted.org/sssd/ticket/2171 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
*	MAN: update of subdomain_homedir usage	Pavel Reichl	2014-02-05	1	-1/+2
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/2169
*	responder: Use SAFEALIGN macros where appropriate.	Michal Zidek	2014-02-05	6	-52/+83
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1359
*	AD: support for subdomain_homedir	Pavel Reichl	2014-02-05	1	-0/+190
\| \| \| \| \| \| \|	Homedir is defaultly set accordingly to subdomain_homedir for users from AD. Resolves: https://fedorahosted.org/sssd/ticket/2169
*	Revert "NSS: add support for subdomain_homedir"	Pavel Reichl	2014-02-05	1	-8/+0
\| \| \| \|	This reverts commit 1dc7694a1cbc62b0d7e23cc1369579e5ce0071e8.
*	dyndns: Update PTR records separately	Nikolai Kondrashov	2014-02-01	1	-3/+6
\| \| \| \| \| \| \| \| \| \|	Generate nsupdate input for sending PTR record update messages separately instead of together in nsupdate_msg_add_ptr. This fixes updates with addresses from different networks (DNS zones), as nsupdate doesn't support such updates in a single message. Fixes https://fedorahosted.org/sssd/ticket/2179
*	AD: Remove unused memory contexts	Lukas Slebodnik	2014-02-01	2	-12/+10
\| \| \| \| \|	Memory context memctx was unused in functions _ad_servers_init sdap_ad_tokengroups_update_members
*	LDAP: require attribute groupType for AD groups	Lukas Slebodnik	2014-01-29	1	-1/+1
\| \| \| \| \| \| \| \| \|	Commit 8280c5213094 introduced filtering local groups for trusted/sub domains, but attribute groupType was not available with configuration id_provide ldap and ldap_schema ad. Resolves: https://fedorahosted.org/sssd/ticket/2172
*	LDAP: store group if subdomain cannot be found by sid	Lukas Slebodnik	2014-01-29	1	-4/+6
\| \| \| \| \| \| \| \| \|	Domain needn't contain sid if id_provider is ldap. With enabled id mapping, group couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
*	MAN: clarify which shell option takes precedence	Jakub Hrozek	2014-01-29	1	-6/+7
\|
*	sudo: memset tm when converting time attributes	Pavel Březina	2014-01-29	1	-0/+2
\| \| \| \| \| \| \| \| \| \|	strptime() which is used to parse LDAP time value does not initialize all fields of tm structure (especially tm_isdst). This results in random behavior - when the tm is converted into timestamp via mktime(), the result depends on current value of tm_isdst. Resolves: https://fedorahosted.org/sssd/ticket/2213
*	AD: Establish cross-domain memberships after enumeration finishes	Jakub Hrozek	2014-01-29	2	-22/+377
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Because domain enumeration currently works for each domain separately, the code has to establish cross-domain memberships after all domains are enumerated. The code works as follows: 1) check if any subdomains were enumerated. If not, do nothing 2) if any of the groups saved had more original members than sysdb members, check if members of these groups can be linked now that all users and groups are saved using the orig_member attribute of the group matched against originalDN member of the user. Related: https://fedorahosted.org/sssd/ticket/2142
*	DB: Add sss_ldb_el_to_string_list	Jakub Hrozek	2014-01-29	3	-13/+75
\|
*	LDAP: Don't clobber original_member during enumeration	Jakub Hrozek	2014-01-29	1	-4/+10
\|
*	AD: Enumerate users from GC, other entities from LDAP	Jakub Hrozek	2014-01-29	1	-3/+17
\|
*	LDAP: Add enum request with custom connection	Jakub Hrozek	2014-01-29	2	-125/+191
\| \| \| \| \| \| \| \| \|	This commit changes the enumerate-sdap-domain request to accept a connection context per object that can be enumerated. Internally in the request, an sdap_id_op is also created per enumerated object type. This change will allow i.e. users to be enumerated using GC connection, while keeping the LDAP connection for groups and services.
*	LDAP: Pass a private context to enumeration ptask instead of hardcoded ↵	Jakub Hrozek	2014-01-29	7	-36/+52
\| \| \| \| \| \| \| \| \| \|	connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.
*	AD: Store info on whether a subdomain is set to enumerate	Jakub Hrozek	2014-01-29	1	-5/+33
\| \| \| \| \| \|	Depending on the state of the subdomain_enumerate variable, the newly created subdomain object is created with the right value of "enumerate" attribute in the sysdb.
*	AD SRV: use right domain name for CLDAP ping	Sumit Bose	2014-01-28	1	-1/+1
\| \| \| \| \| \|	Currently always the name of the configured domain was passed to the CLDAP request. This will fail if the CLDAP request is send to a DC form a different domain.
*	utils: handling NULL params in sss_parse_name	Pavel Reichl	2014-01-28	2	-26/+30
\|
*	CLIENT: Remove unused macros	Lukas Slebodnik	2014-01-24	1	-5/+0
\| \| \| \| \|	PAM_SM_AUTH, PAM_SM_ACCOUNT, PAM_SM_SESSION, PAM_SM_PASSWORD I cannot find in git history where these macro were used.
*	TESTS: Fix authtok test for zero length string.	Lukas Slebodnik	2014-01-24	1	-1/+1
\| \| \| \| \| \| \|	There is a test for sss_authtok_set where '\0' is used as argument data. '\0' is evaluated as zero and zero is treated as a null pointer. And there is another test for NULL pointer few lines before. Patch changes 3rd argument '\0' into properly cast zero length sting ""
*	LDAP: Don't abort request if no id mapping domain matches	Jakub Hrozek	2014-01-24	2	-6/+38
\| \| \| \| \| \| \| \| \|	If an ID was requested from the back end, but no ID mapping domain matched, the request ended with a scary error message. It's better to treat the request as if no such ID was found in the domain Related: https://fedorahosted.org/sssd/ticket/2200
*	krb5: hint to increase krb5_auth_timeout	Pavel Reichl	2014-01-22	1	-1/+4
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/2202
*	sdap_idamp: Fall back to another method if sid is wrong	Lukas Slebodnik	2014-01-22	1	-2/+8
\| \| \| \| \| \| \| \| \| \| \|	sss_idmap_domain_has_algorithmic_mapping can return also IDMAP_SID_INVALID, but it does not mean that idmaping is unavailable. We should fall back to another method of detection (sss_idmap_domain_by_name_has_algorithmic_mapping) and do not return false immediately. Resolves: https://fedorahosted.org/sssd/ticket/2172
*	LDAP: update id mapping detection for ldap provider	Lukas Slebodnik	2014-01-22	1	-0/+5
\| \| \| \| \| \| \| \|	For id_provider ldap, it is only necessary to enable option ldap_id_mapping. It is an regression introduced in the commit d3e1d88ce7de3216a862b Resolves: https://fedorahosted.org/sssd/ticket/2172
*	LDAP: Don't fail if subdomain cannot be found by sid	Lukas Slebodnik	2014-01-22	1	-4/+6
\| \| \| \| \| \| \| \| \|	Domain needn't contain sid if id_provider is ldap. With enabled id mapping, user couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
*	LDAP: Fix error check	Jakub Hrozek	2014-01-20	1	-2/+2
\| \| \| \|	https://fedorahosted.org/sssd/ticket/2199
*	MAN: Fix a typo	Jakub Hrozek	2014-01-20	1	-1/+1
\|
*	AD: Don't fail the request if ad_account_can_shortcut fails	Jakub Hrozek	2014-01-20	1	-1/+3
\|
*	AD: Return right error code from netlogon_get_flat_name	Lukas Slebodnik	2014-01-16	1	-1/+1
\| \| \| \| \| \| \|	EOK was returned in done section of netlogon_get_flat_name, even if error code was set in variable ret. This patch fixes also warnings from scan-build.
*	NSS: add support for subdomain_homedir	Pavel Reichl	2014-01-15	1	-0/+8
\| \| \| \| \|	Resolves: https://fedorahosted.org/sssd/ticket/2169
*	simple access: refresh master domain info	Pavel Reichl	2014-01-15	2	-45/+92
\| \| \| \| \| \| \| \| \| \|	To correctly decide if an object is a member of the main sssd domain, a flat name is needed. However, the information may not be available when the module is inited so it may be necessary to refresh this data later while processing a request. Resolves: https://fedorahosted.org/sssd/ticket/2189
*	simple access: match objects using flat name	Pavel Reichl	2014-01-15	1	-1/+3
\| \| \| \| \| \| \|	Use flat name to recognise users and groups belonging to main sssd domain. Resolves: https://fedorahosted.org/sssd/ticket/2189
*	NSS: Use plain user name when expanding homedir	Jakub Hrozek	2014-01-15	1	-1/+12
\|
*	UTIL: Inherit parent domain's default_shell	Jakub Hrozek	2014-01-15	1	-1/+4
\| \| \| \| \|	Some override parameters were not inherited when creating subdomains. Especially with AD trusts, this gave strange results.
*	TESTS: Fix build with older version of check framework	Lukas Slebodnik	2014-01-15	1	-0/+8
\|
*	NSS: Don't use printf(3) on user provided strings.	Stef Walter	2014-01-12	6	-209/+97
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This also fixes several corner cases and crashers. It's not prudent to pass user input to (even admin) input as a format string to printf, and various distros now check for this. This can cause accessing memory incorrectly, and various also various libc abort()'s. In addition various assumptions were made about full_name_format that aren't necessarily the case if the user uses a more complex format. Use safe-printf.c implementation for formatting full_name_format. Adapt the NSS resolver so it doesn't barf on formatted strings that are shorter than expected given a full_name_format. Tests added and updated appropriately.
*	util: A safe printf for user provided format strings	Stef Walter	2014-01-12	3	-0/+634
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Since the default printf(3) implementation cannot safely be used on user (or admin) provided input, this is a safe implementation. This will be used in later patches by the full_name_format option The implementation came from realmd, but only has libc dependencies. The number of fields is pre-defined, and safe printf fails if an invalid field is accessed. Only string fields are supported, and only flags relevant to string fields are supported. Width and precision work as expected, but precision cannot read from a field. Tests are included, and ported to the check based testing that sssd uses.
*	util: Fix const cast failures when building with -Werror	Stef Walter	2014-01-10	3	-9/+9
\| \| \| \| \| \| \| \| \| \|	When building with -Werror 'make check' fails with many errors like: ../src/tests/cmocka/test_authtok.c: In function ‘test_sss_authtok_password’: ../src/tests/cmocka/test_authtok.c:98:48: error: cast discards ‘__attribute__((const))’ qualifier from pointer target type [-Werror=cast-qual] Make sss_authtok_set() @data argument const, and fix its documentation
*	tests: Remove tests that check creating public directories	Jakub Hrozek	2014-01-09	1	-121/+0
\| \| \| \| \|	The functionality was removed, but we forgot to remove the corresponding tests, mostly because these tests were only ever ran as root.
*	LDAP: Add a new error code for malformed access control filter	Jakub Hrozek	2014-01-09	6	-10/+18
\| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.