summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* TESTS: unit tests can use confdb without using sysdbJakub Hrozek2014-10-071-24/+28
|
* UTIL: Add the possibility to unit test server_setupJakub Hrozek2014-10-071-4/+23
|
* SSSD: Add the possibility to specify a UID and GID to run asJakub Hrozek2014-10-0712-10/+53
|
* UTIL: Do not depend on monitor codeJakub Hrozek2014-10-076-39/+39
| | | | | Just moves code around. There should be a way to use the server.c module without linking the monitor code.
* TESTS: Add a test to change user IDsJakub Hrozek2014-10-076-0/+222
|
* BUILD: Detect nss_wrapper and uid_wrapper during configureJakub Hrozek2014-10-071-0/+31
| | | | | | Unit testing the utilities to become another user requires the use of the cwrap libraries. This patch augments our build system with macros to detect the nss_wrapper and and uid_wrapper libraries.
* UTIL: Move become_user outside krb5 treeJakub Hrozek2014-10-073-9/+9
| | | | | | In order for several other SSSD processes to run as a non-root user, we need to move the functions to become another user to a shared space in our source tree.
* MONITOR: Remove useless memory contextsJakub Hrozek2014-10-071-12/+2
|
* SYSDB: move sysdb_get_real_name() from sysdb.c to sysdb_search.cJakub Hrozek2014-10-064-53/+104
| | | | | | | | | | | The sysdb.c should be reserved for utility and setup functions. Search functions belong to sysdb_search.c Keeping functions in specialized modules helps to maintain nice dependencies and in overall makes unit testing easier. Moreover, the function was not unit tested, which needed fixing. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MONITOR: Make internal functions staticJakub Hrozek2014-10-062-16/+13
| | | | | | | Several functions in the monitor.c file were not marked as static even though they were only used inside monitor.c Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* GPO: remove unused talloc contextsLukas Slebodnik2014-10-031-11/+8
| | | | | | | Talloc context was not used in functions ad_gpo_parse_gpo_child_response ad_gpo_process_cse_recv, ad_gpo_store_policy_settings. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* GPO: Use argument ndg_flags instead of constantLukas Slebodnik2014-10-031-6/+6
| | | | | | | | | | | | Some internal gpo functions [1] were called just once and with constant NDR_SCALARS as 2nd argument(ndr_flags), but 2nd argument was not used in these functions[1]. They used constant NDR_SCALARS. [1] ndr_pull_security_ace_flags, ndr_pull_security_ace_type, ndr_pull_security_ace_object_flags, ndr_pull_security_acl_revision, ndr_pull_security_descriptor_revision, ndr_pull_security_descriptor_type Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* AD-GPO resolve conflicting policy settings correctlyYassir Elley2014-10-024-555/+743
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2437 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* AD GPO: Fix incorrect return of EACCESStephen Gallagher2014-10-021-2/+2
| | | | | | | | | | | | In the access providers, we expect to receive ERR_ACCESS_DENIED when access is denied, but we were returning EACCES here. The effect was the same, except that it presented ultimately as a system error instead of a proper denial. Related: https://fedorahosted.org/sssd/ticket/2437 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Document the domains option of pam_sssJakub Hrozek2014-10-011-0/+27
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* nss: Preserve case of group membersMichal Zidek2014-10-011-1/+1
| | | | | | | | | | Preserve case of group members in getgrnam when 'case_sensitive = preserving' is set. Fixes: https://fedorahosted.org/sssd/ticket/2453 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* pam: sub-domain authentication fixSumit Bose2014-10-011-1/+11
| | | | | | | | | | With a recent patch sysdb_getpwnam() was replaced by sysdb_get_user_by_name() in the PAM responder. Unfortunately both behave differently with respect to sub-domain users. As a consequence the PAM responder was not able to resolve users from sub-domains. This patch reverts this change and uses sysdb_getpwnam() again. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* sssd.api.conf: Declare case_sensitive as stringMichal Zidek2014-10-011-1/+1
| | | | | | | Fixes: https://fedorahosted.org/sssd/ticket/2452 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: add support for new extdom plugin versionSumit Bose2014-09-301-87/+802
| | | | | | | | | | | | | | | | | | | Initially the extdom plugin was only used to translate SIDs of AD user and groups to names or POSIX IDs. On IPA clients group memberships were resolved with the help of the PAC in the Kerberos ticket which required that the user has logged in at least once. Home directory and the login shell were auto generated. The new version of the extdom plugin can return the complete list of group memberships of a user and the list of all members of a group. Additionally the gecos field, home directory and login shell are returned together with an optional list of key-value pairs for arbitrary data which is written unmodified to the cache. Fixes https://fedorahosted.org/sssd/ticket/2159 and https://fedorahosted.org/sssd/ticket/2041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Do not require a dereference control to be retuned in a replyJakub Hrozek2014-09-291-1/+6
| | | | | | | | | When we attempt to request attributes that are not present in the dereferenced links, some serves might not send the dereference control back at all. Be permissive and treat the search as if it didn't find anything. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: Add domains= option to pam_sssDaniel Gollub2014-09-294-3/+79
| | | | | | | | | | | | | | Design document: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Fixes: https://fedorahosted.org/sssd/ticket/1021 Signed-off-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAM: new options pam_trusted_users & pam_public_domainsPavel Reichl2014-09-299-3/+299
| | | | | | | | | | | | | pam_public_domains option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD: Add a missing break statement to the GPO codeJakub Hrozek2014-09-291-1/+2
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* AD GPO: Fix incorrect sAMAccountName selectionStephen Gallagher2014-09-291-2/+2
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: make get_primary() a public callStephen Gallagher2014-09-292-3/+13
| | | | | | | This patch changes get_primary() into sss_krb5_get_primary() so it can be used by the AD provider to get the sAMAccountName from the hostname. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Fix debug messages - trailing '.'Pavel Reichl2014-09-294-4/+4
| | | | | | Fix debug messages where '\n' was wrongly followed by '.'. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Use GC for group lookups in server modeJakub Hrozek2014-09-251-5/+9
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2412 Even though AD trusts often work with POSIX attributes which are normally not replicated to GC, our group lookups are smart since commit 008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using the LDAP connection and only use the GC connection to look up the members. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* TESTS: Add a unit test for matching the secondary objectclassJakub Hrozek2014-09-251-0/+37
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Do not change SSSD domains in get_domains_headStephen Gallagher2014-09-241-3/+0
| | | | | | | | | | When there was more than one SSSD domain configured, actions performed against domains later in the list would be incorrectly told to use the first domain as the base for locating subdomains. This was because we were rewinding the ->prev list on the sss_domain_info object, which is only intended to be used by confdb code. The correct approach was to use only the parent linkage, which would take us up to the top-level domain in this SSSD domain.
* tests: Add a test for storing custom attrs with automatic IDJakub Hrozek2014-09-181-0/+51
| | | | Reviewed-by: Daniel Gollub <dgollub@brocade.com>
* MAN: AD is allowed value of subdomains_providerJakub Hrozek2014-09-181-0/+9
| | | | | | https://fedorahosted.org/sssd/ticket/2442 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* TESTS: Add a case-insensitive group search sysdb testJakub Hrozek2014-09-171-8/+25
| | | | | | | A recent fix enabled searching for groups by name in a case-insensitive domain. This patch adds a unit test to check that behaviour. Reviewed-by: Sumit Bose <sbose@redhat.com>
* sysdb: sysdb_search_group_by_name should work like sysdb_search_user_by_nameSumit Bose2014-09-171-43/+42
| | | | | | | | | | | | Currently sysdb_search_group_by_name uses an optimization which might fail in case-insensitive environments. The DN of the group object is generated with the help of the given name. Since the DN is case-sensitive a group lookup will fail if different cases are used. sysdb_search_user_by_name already handles case-insensitive searches well and sysdb_search_group_by_name should use the same scheme. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: Write additional attrs in sysdb_add_userDaniel Gollub2014-09-171-1/+2
| | | | | | | | In the uid=0 case (to obtain new free id) only uidNumber and gidNumber attributes got written, but not the additonal provided attributes like alias or others. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Free retrieved sid in test_getsidbynameNikolai Kondrashov2014-09-161-1/+5
| | | | | | Free sid retrieved with sss_nss_getsidbyname in test_getsidbyname. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Free link paths in symlink testsNikolai Kondrashov2014-09-161-0/+2
| | | | | | | Free malloc'd symlink paths in test_symlink and test_follow_symlink tests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Free compiled regexes in krb5_utils-testsNikolai Kondrashov2014-09-161-0/+2
| | | | | | Free compiled regular expressions after use in krb5_utils-tests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Free hbac_infoNikolai Kondrashov2014-09-161-9/+41
| | | | | | Free hbac_info structs after use in ipa_hbac-tests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Do not clobber return value when multiple controls are returnedJakub Hrozek2014-09-161-3/+4
| | | | | | | | We loop over the array of returned controls and set 'ret' based on the control value. In case multiple controls were returned, the 'ret' variable might be clobbered with result of a string-to-int conversion. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* name2sid: Check negative cache for users and groupsSumit Bose2014-09-161-15/+19
| | | | | | | | | | | | Since we cannot know if a SID belongs to a user or a group a lookup should only fail if the given name is in both the negative cache for the users and the groups. Currently if the SID for a group called 'abc' should be looked up and the negative cache for the users contain an entry for 'abc' the request fails. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Use the alternative objectclass in group maps.Michal Zidek2014-09-157-29/+117
| | | | | | | | | Use the alternative group objectclass in queries. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add alternative objectClass to group attribute mapsMichal Zidek2014-09-154-1/+7
| | | | | | | | | | | | | In IPA we sometimes need to use posixGroup and sometimes groupOfNames objectclass to query the groups. This patch adds the possibility to specify alternative objectclass in group maps. By default it is only set for IPA. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Always free talloc_reqJakub Hrozek2014-09-101-2/+1
| | | | | | | | On failure, the subreq wasn't freed, which was not a big deal given the parent request would free the subreq anyway, but it's better to follow the usual pattern. Reviewed-by: Simo Sorce <simo@redhat.com>
* Updating translations for the 1.12.1 releasesssd-1_12_1Jakub Hrozek2014-09-0816-12884/+24359
|
* LDAP: Check return valueJakub Hrozek2014-09-081-0/+6
| | | | | | Reported by Coverity Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD-GPO: delete stale GPOsYassir Elley2014-09-083-0/+134
| | | | | | https://fedorahosted.org/sssd/ticket/2431 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Add sss_rpcidmapd.5.xml to the list of translatable man pagesJakub Hrozek2014-09-081-0/+1
|
* libwbclient: avoid collision with Samba versionSumit Bose2014-09-083-2/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* dlopen test: only test libwbclient when it is buildSumit Bose2014-09-081-0/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Add a unit test for dereference parsingJakub Hrozek2014-09-081-1/+169
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-18 10:27:45 +0000