summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Remove unneeded become_user() callsnonrootJakub Hrozek2014-11-281-22/+2
|
* KRB5: Create the fast ccache in a child processJakub Hrozek2014-11-281-25/+76
|
* KRB5: Pass the sssd_be uid and gid to krb5_childJakub Hrozek2014-11-285-4/+34
|
* krb5/ldap: use MEMORY ccache and keytab in *_child processesSumit Bose2014-11-282-7/+63
|
* krb5: add copy_keytab_into_memory()Sumit Bose2014-11-282-0/+153
|
* krb5: add copy_ccache_into_memory()Sumit Bose2014-11-282-0/+108
|
* tests: be_ptaskPavel Březina2014-11-281-0/+864
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/1939 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: do not store sync ctx to _taskPavel Březina2014-11-281-4/+0
| | | | | | | | The _task is an output variable of type struct be_ptask * which is filled by be_ptask_create(). However, we tried to set sync ctx there as a result of copy and paste error. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: add next_execution time to struct be_ptaskPavel Březina2014-11-282-0/+3
| | | | | | For debugging and testing purposes. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: handle OFFLINE_DISABLE mode before task executionPavel Březina2014-11-281-1/+4
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: create a private header filePavel Březina2014-11-282-23/+48
| | | | | | This is done so we gain access to the be_ptask structure in unit tests. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix: always check return value of unlink()Pavel Reichl2014-11-284-7/+38
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2506 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD: Never store case_sensitive as "true" to confdbMichal Zidek2014-11-281-4/+6
| | | | | | | | | | | | | | If case_sensitive was set 'true' for AD backend, we ignore it and continue with AD default (false). However we still set confdb to whatever was set in sssd.conf for the responders. We should store to confdb the value that is used by the backend. Also fixes some misleading DEBUG messages in that code area. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* confdb: Make confdb_set_string accept const char pointerMichal Zidek2014-11-282-2/+2
| | | | | | | | The last parameter (value) in the confdb_set_string is not modified, so it makes sense to make it const to avoid unnecessary warnings or casts. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* krb5: Check return value of sss_krb5_princ_realmLukas Slebodnik2014-11-283-0/+25
| | | | | | | | | | sss_krb5_princ_realm set output parameter realm to NULL and len to 0 in case of failure. Clang static analysers reported warning "Null pointer passed as an argument to a 'nonnull' parameter" in function match_principal. It was possible, that realm_name with value NULL could be used in strncmp. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* krb5: Check return value of krb5_principal_get_realmLukas Slebodnik2014-11-281-2/+9
| | | | | | | Function krb5_principal_get_realm can return NULL an it would case segfault in function strlen. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* views: allow view name change at startupSumit Bose2014-11-252-24/+85
| | | | | | | | | | Currently some manual steps are needed on a FreeIPA to switch from one view to another. With this patch the IPA provider checks at startup if the view name changed and does the needed steps automatically. Besides saving the new view name this includes removing the old view data and marking the user and group entries as invalid. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: add sysdb_invalidate_overrides()Sumit Bose2014-11-253-0/+195
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: add sysdb_delete_view_tree()Sumit Bose2014-11-253-0/+110
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: Move is_uid_trusted from pam_ctx to preqJakub Hrozek2014-11-252-12/+13
| | | | | | Keeping a per-request flag in a global structure is really dangerous. Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Check for trusted domain before sending the request to BEJakub Hrozek2014-11-251-41/+26
| | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2501 Moving the checks to one place has the advantage of not duplicating security decisions. Previously, the checks were scattered all over the responder code, making testing hard. The disadvantage is that we actually check for the presence of the user, which might trigger some back end lookups. But I think the benefits overweight the disadvantage. Also only check the requested domains from a trusted client. An untrusted client should simply have no say in what domains he wants to talk to, it should ignore the 'domains' option. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SBUS: Initialize DBusError before using itJakub Hrozek2014-11-251-0/+1
| | | | | | | | In case either handler_fn() or invoker_fn() failed in sbus_request_invoke_or_finish() we would have accessed an uninitialized DBusError variable, causing a segfault. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* util: sss_get_domain_name regex mismatch not fatalMichal Zidek2014-11-251-1/+7
| | | | | | | | | | Assume name is not FQDN if sss_parse_name fails to match domain with regular expression. Fixes: https://fedorahosted.org/sssd/ticket/2487 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* util: Special-case PCRE_ERROR_NOMATCH in sss_parse_nameMichal Zidek2014-11-254-8/+10
| | | | | | | Add new SSSD specific error code for the case when pcre_exec returns PCRE_ERROR_NOMATCH. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* test: Wrong parameter type in sss_parse_name_checkMichal Zidek2014-11-251-1/+1
| | | | | | | This caused aritmetic overflow when SSSD specific error codes where used. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD/IPA: add krb5_confd_path configuration optionSumit Bose2014-11-2514-3/+256
| | | | | | | | | With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Fix KRB5_CONF_PATHSumit Bose2014-11-252-1/+3
| | | | | | | Currently a shell/Makefile variable is used in the definition of KRB5_CONF_PATH for C code. This patch replaces it with a complier macro. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: Make pam_forwarder_parse_data staticJakub Hrozek2014-11-241-1/+1
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Hint about removing sysdb if initializing ID map failsJakub Hrozek2014-11-241-1/+7
| | | | | | https://fedorahosted.org/sssd/ticket/2477 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Handle IPA groups returned from extop pluginJakub Hrozek2014-11-241-4/+9
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* BE: Fix a debug messageJakub Hrozek2014-11-241-1/+1
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sss_client: Fix race condition in memory cacheLukas Slebodnik2014-11-244-13/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Thread safe initialisation was fixed in ticket #2380, but there is still race condition in reinitialisation. If caches is invalidated with command sss_cache -U (-G or -E) then client code will need to reinitialize fast memory cache. Let say we have two threads. The 1st thread find out that memory cache should be reinitialized; therefore the fast memory cached is unmapped and context destroyed. In the same time, 2nd thread tried to check header of memory cache whether it is initialized and valid. As a result of previously unmapped memory the 2nd thread access out of bound memory (SEGFAULT). The destroying of fast memory cache cannot be done any time. We need to be sure that there isn't any other thread which uses mmaped memory. The new counter of active threads was added for this purpose. The state of fast memory cache was converted from boolean to three value state (UNINITIALIZED, INITIALIZED, RECYCLED) UNINITIALIZED - the fast memory cache need to be initialized. - if there is a problem with initialisation the state will not change - after successful initialisation, the state will change to INITIALIZED INITIALIZED - if the cahe was invalidated or there is any other problem was detected in memory cache header the state will change to RECYCLED and memory cache IS NOT destroyed. RECYCLED - nothing will be done is there are any active threads which may use the data from mmaped memory - if there aren't active threads the fast memory cahe is destroyed and state is changed to UNINITIALIZED. https://fedorahosted.org/sssd/ticket/2445 Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_client: Extract destroying of mmap cache to functionLukas Slebodnik2014-11-241-16/+14
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* Man: debug_timestamps and debug_microsecondsMichal Zidek2014-11-201-2/+6
| | | | | | | | | Add note that these two options are ignored if journald is used. https://fedorahosted.org/sssd/ticket/2498 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Update case_sensitive=Preserving in man pages.Michal Zidek2014-11-201-2/+5
| | | | https://fedorahosted.org/sssd/ticket/2462
* Enable views for all domainsSumit Bose2014-11-201-2/+1
| | | | | | | | | Currently views and overrides were only available for sub-domains, this patch enables the lookup for the configured domains as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: check overrrides for IPA users as wellSumit Bose2014-11-203-4/+432
| | | | | | | | | Currently overrides were only available for sub-domains, e.g. trusted AD domains. With this patch overrides can be used for IPA users as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make get_object_from_cache() publicSumit Bose2014-11-202-4/+10
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add get_be_acct_req_for_uuid()Sumit Bose2014-11-202-6/+40
| | | | | | | | | | This new call creates the needs data for a lookup by UUID which is needed when trying to find the original object for an IPA override object. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: always store UUID if availableSumit Bose2014-11-202-13/+52
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: add support for lookups by UUIDSumit Bose2014-11-202-5/+55
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add split_ipa_anchor()Sumit Bose2014-11-203-0/+97
| | | | | | | | | This call extracts the domain and the UUID part from an IPA override anchor. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: add sysdb_search_object_by_uuid()Sumit Bose2014-11-203-0/+135
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: sysdb_idmap_get_mappings returns ENOENTPavel Reichl2014-11-193-7/+12
| | | | | | | | | sysdb_idmap_get_mappings returns ENOENT if no results were found. Part od solution for: https://fedorahosted.org/sssd/ticket/1991 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: page edit for ldap_use_tokengroupsDan Lavu2014-11-191-1/+12
| | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2448 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BE: Become a regular user after initializationJakub Hrozek2014-11-181-0/+13
| | | | | | | | | | | Some parts of initialization (Kerberos ticket renewal, checking the keytab for the right principal) still require the root privileges. Drop privileges after initializing the back ends. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Do not switch_creds() if already the specified userJakub Hrozek2014-11-182-8/+28
| | | | | | | | | | | | | | The code didn't have to handle this case previously as sssd_be was always running as root and switching to the ccache as the user logging in. Also handle NULL creds on restore_creds() in case there was no switch. One less if-condition and fewer indentation levels. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move all ccache operations to krb5_child.cJakub Hrozek2014-11-188-246/+270
| | | | | | | | | | | | | | | | | | | The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move checking for illegal RE to krb5_utils.cJakub Hrozek2014-11-187-97/+73
| | | | | | | | | | | | Otherwise we would have to link krb5_child with pcre and transfer the regex, which would be cumbersome. Check for illegal patterns when expanding the template instead. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move ccache-related functions to krb5_ccache.cJakub Hrozek2014-11-1811-709/+785
| | | | | | | | | | | | | Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2024-04-25 03:39:36 +0000