summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* krb5: fix entry order in MEMORY keytabSumit Bose2015-01-192-28/+172
| | | | | | | | | | | | | | | Since krb5_kt_add_entry() adds new entries at the beginning of a MEMORY type keytab and not at the end a simple copy into a MEMORY type keytab will revert the order of the keytab entries. Since e.g. the sssd_krb5 man page give hints about where to add entries into keytab files to help SSSD to find a right entry we have to keep the order when coping a keytab into a MEMORY type keytab. This patch fixes this by doing a second copy to retain the original order. Resolves https://fedorahosted.org/sssd/ticket/2557 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: add dots as valid character in domain namesPavel Reichl2015-01-151-1/+1
| | | | | | | | | Add dots into a set of allowed characters for domain names. Resolves: https://fedorahosted.org/sssd/ticket/2527 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: dyndns_iface supports only one interfacePavel Reichl2015-01-152-0/+6
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2548 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Amend the description of ignore_group_membersJohn Dickerson2015-01-151-1/+19
| | | | | | | | | | | | The option description should hint that enabling this option may have a positive effect on access control, especially with large groups. See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example where ignoring the group members helped. Signed-off-by: Jakub Hrozek <jakub.hrozek@posteo.se> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: add systemd-user to gpo default permit listPavel Reichl2015-01-152-1/+8
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2556 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* UTIL: Unify the fd_nonblocking implementationJakub Hrozek2015-01-1510-57/+68
| | | | | | | The responder and child_common modules each had their own implementation. Unify it instead and add a unit test. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Remove child_cleanupJakub Hrozek2015-01-152-24/+0
| | | | | | Not used anymore after previous patch. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Use child_io_destructor instead of child_cleanup in a custom desctructorJakub Hrozek2015-01-151-22/+17
| | | | | | | | ldap_child was the only child process that used child_cleanup instead of the common child_io_destructor. Unify the implementation to use the common function instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Cover child_common.c with unit testsJakub Hrozek2015-01-152-1/+330
| | | | | | The module wasn't tested properly, which made it harder to patch it Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Make two child_common.c functions staticJakub Hrozek2015-01-152-20/+20
| | | | | | | Two functions were only used internally, makes no sense to keep them in the child_common module API. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* server-tests: use strtouint32 instead strtolPavel Březina2015-01-151-4/+7
| | | | | | | | | | PID may be greater than 0xffff thus we remove this check but it is supposed to be in range of uint32. There are also some improvements to get more information from assertions. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix warning: for loop has empty bodyLukas Slebodnik2015-01-151-3/+9
| | | | | | | | Example of warning: src/ldb_modules/memberof.c:4203:536: error: for loop has empty body [-Werror,-Wempty-body] src/ldb_modules/memberof.c:4203:536: note: put the semicolon on a separate line to silence this warning Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MAN: Remove indentation in element programlisteningLukas Slebodnik2015-01-146-38/+38
| | | | | | | | The indentation is automatically in resulting man page. It isn't necessary to add spaces and moreover it can cause unreadable page asi in case of ad_gpo_map examples. Reviewed-by: Roland Mainz <rmainz@redhat.com>
* krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEWJakub Hrozek2015-01-141-0/+1
| | | | | | Previously, we were only handling KRB5KRB_AP_ERR_SKEW Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLISTSumit Bose2015-01-141-0/+14
| | | | | | | Since RESP_USER_GROUPLIST contains all group memberships it is effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: resolve missing membersSumit Bose2015-01-141-14/+48
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()Sumit Bose2015-01-141-50/+50
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: process_members() optionally return missing members listSumit Bose2015-01-141-18/+67
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add missing breakSumit Bose2015-01-141-0/+1
| | | | | | | The current request already returned the SID, we do not need to request it separately. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make version check more preciseSumit Bose2015-01-141-2/+2
| | | | | | | | | The call protected by the check does not only expect the version 1 of the extdom plugin is used but a specific response type as well. Since version 1 can return older response types as well we want to be on the safe side. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: do not look up overrides on client with default viewSumit Bose2015-01-141-14/+49
| | | | | | | | The IPA extdom plugin returns the data with the default view already applied hence it is on needed to look up the override data if the client has the default view assigned. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Reduce code duplication in sysdb_gpo.cJakub Hrozek2015-01-132-52/+27
| | | | | | | | | Two places in sysdb_gpo.c were searching for the GPO result object while the only difference was the attributes searched for. Remove this duplication and make the search function static as it's not used outside the module. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: ipa_resolve_user_list_send() take care of overridesSumit Bose2015-01-131-10/+8
| | | | | | | Currently ipa_resolve_user_list_send() only looks up the related user objects but do not check for overrides. This patch tries to fix this. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: fix group members with overridden namesSumit Bose2015-01-132-11/+63
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: resolve ghost members if a non-default view is appliedSumit Bose2015-01-132-0/+213
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add get_be_acct_req_for_user_name()Sumit Bose2015-01-132-0/+18
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: Extract server hostname after connectingJakub Hrozek2015-01-131-29/+29
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2543 The LDAP URI is not valid prior to connecting to LDAP. Moreover, reconnecting to a different server might invalidate the URI. Move reading the URI after the connection has been established. Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Don't use stdout for output in gpo_childJakub Hrozek2015-01-133-6/+12
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2544 Use a dedicated fd instead to work around https://bugzilla.samba.org/show_bug.cgi?id=11036 Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-137-22/+39
| | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Set libsmb debugging to stderrJakub Hrozek2015-01-131-0/+1
| | | | | | | | | | | | libsmb logs to stdout by default. It's much more reasonable to log to stderr by default. Please also note: https://bugzilla.samba.org/show_bug.cgi?id=11036 and: https://fedorahosted.org/sssd/ticket/2544 Reviewed-by: Sumit Bose <sbose@redhat.com>
* Python3 support in SSSDBohuslav Kabrda2015-01-1312-141/+292
| | | | https://fedorahosted.org/sssd/ticket/2017
* IFP: use new cache interfacePavel Březina2015-01-091-320/+45
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* responders: enable views in cache requestPavel Březina2015-01-091-3/+9
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* responders: new interface for cache requestPavel Březina2015-01-093-0/+1155
| | | | | | | | | | | | | | | | Many areas of responders performs an expiration check and refresh of cached objects during single or multiple domain search. This code is duplicated on many areas of the code with small or none modifications. This interface aims to reduce code duplication between responders, by providing one universal API for requesting cached objects. This API will take care of cache lookup, expiration check, cache refresh, out of band cache request, negative cache in both single and multi domain searches. Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: remove code duplication in single domain cleanupPavel Březina2015-01-099-81/+29
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: add test_multidom_suite_cleanup()Pavel Březina2015-01-092-0/+69
| | | | | | Cleanup multiple domains. Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: add create_multidom_test_ctx()Pavel Březina2015-01-092-21/+58
| | | | | | This will allow to create a multi domain test environment. Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: refactor create_dom_test_ctx()Pavel Březina2015-01-091-61/+193
| | | | | | | Separate the function into more functions as a preparation for creating a multi domain test environment. Reviewed-by: Michal Židek <mzidek@redhat.com>
* logrotate: Fix warning file size changed while zippingLukas Slebodnik2015-01-091-0/+1
| | | | | | | | | | | | Postpone compression of the previous log file to the next rotation cycle. This only has effect when used in combination with compress. We need to use it because we cannot tell sssd to close log files and thus sssd processes might continue writing to the previous log file for some time. Resolves: https://fedorahosted.org/sssd/ticket/2547 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Fix a typoJakub Hrozek2015-01-081-1/+1
| | | | Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* TESTS: Cover sysdb_gpo.c with unit testsJakub Hrozek2015-01-082-0/+80
| | | | | | Untested code is risky to change. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()Jakub Hrozek2015-01-081-1/+4
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2542 If the GPO result object was missing completely, we would error out with a fatal error code. It's more user-friendly to treat the missing object as if the requested attribute was missing on the provider level. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Updating translations for the 1.12.3 releasesssd-1_12_3Jakub Hrozek2015-01-0816-17640/+18596
|
* TESTS: typo in 'assert message'Pavel Reichl2015-01-081-2/+2
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* monitor: Service restart fixesStephen Gallagher2015-01-071-20/+74
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are actually two bugs here: 1) When either the kill(SIGTERM) or kill(SIGKILL) commands returned failure (for any reason), we would talloc_free(svc) which removed it from being eligible for restart, resulting in the service never starting again without an SSSD service restart. 2) There is a fairly wide race condition where it's possible for a SIGKILL timer to "catch up" to the child exit handler between us noticing the termination and actually restarting it. The race happens because we re-enter the mainloop and add a restart timeout to avoid a quick failure if we keep restarting due to a transitory issue (the mt_svc object, and therefore the SIGKILL timer, were never freed until we got to the actual service restart). We can minimize this race by recording the timer_event for the SIGKILL timeout in the mt_svc object. This way, if the process exits via SIGTERM, we will immediately remove the timer for the SIGKILL. Additionally, we'll catch the special-case of an ESRCH response from the kill(SIGKILL) and assume that it means that the process has exited. The only other two possible errors are * EINVAL: (an invalid signal was specified) - This should be impossible, obviously. * EPERM: This process doesn't have permission to send signals to this PID. If this happens, it's either an SELinux bug or else the process has terminated and a new process that SSSD doesn't control has taken the ID over. So in the incredibly unlikely case that one of those occurs, we'll just go ahead and try to start a new process. This patch also removes the incorrect talloc_free(svc) calls on the kill() failures and replaces them with an attempt to just start up the service again and hope for the best. Resolves: https://fedorahosted.org/sssd/ticket/2525 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Add test for sysdb_store_overrideSumit Bose2015-01-071-0/+70
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* CONFDB: Typo in debug messagePavel Reichl2015-01-051-1/+1
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* libwbclient: initialize some return valuesSumit Bose2014-12-191-0/+36
| | | | | | | | | | Some callers of libwbclient functions expects the return values are initialized even it the functions returns an error. This patch adds some initializations to meet this requirement. Resolves https://fedorahosted.org/sssd/ticket/2537 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: handle GID overrides for MPG domains on clientsSumit Bose2014-12-171-0/+26
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: do not try to add override gid twiceSumit Bose2014-12-171-1/+7
| | | | | | | | | | By default user and group overrides use the same attribute name for the GID and this cause SSSD machinery to add the same value twice which cause an error in ldb_add() or ldm_modify(). Related to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-28 08:12:40 +0000