| Commit message | Author | Age | Files | Lines |
| |
The AD provider cannot function with canonicalization because of
a bug in Active Directory rendering it unable to complete a
password-change while canonicalization is enabled.
| |
https://fedorahosted.org/sssd/ticket/1379
| |
https://fedorahosted.org/sssd/ticket/1421
| |
We should always download the defaults because even if there are no
rules, we might want to use (or update) the defaults.
| |
The functionality is now as follows:
When a rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in the provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and the sum of both priorities is used to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395
| |
This function copies all values from one sysdb_attrs structure to
another
| |
https://fedorahosted.org/sssd/ticket/1411
| |
The attribute is supposed to contain number of days since the epoch, not
the number of seconds.
| |
SIGSEGV occurred when sss_sudo_cli was run without any arguments.
| |
allocated on stack
If we provide a hostname that was allocated on the stack, it may contain
invalid data at the time when it is actually resolved.
This patch fixes it.
| |
The name context was not being initialized for local provider
domains because it was handled after skipping over the back-end
initialization routine. This patch moves the name context init
routine to occur earlier.
https://fedorahosted.org/sssd/ticket/1412
| |
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
| |
Fixes https://fedorahosted.org/sssd/ticket/1410
| |
Fixes https://fedorahosted.org/sssd/ticket/1409
| |
Coverity #12770
| |
Coverity #12781
| |
Coverity #12782
| |
Coverity #12783
| |
Coverity #12784
| |
Coverity #12786
| |
Coverity #12797
| |
Coverity #12798
| |
Coverity #12800
| |
Coverity #12801
| |
Coverity #12802
| |
Coverity #12803
| |
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate.
| |
This simplifies configuration by eliminating the need to
specify both krb5_keytab and ldap_krb5_keytab if the keytab is
not located at /etc/krb5.keytab
| |
This patch adds support for checking whether a user is expired or
disabled in AD.
| |
These new providers take advantage of existing code for the KRB5
provider, providing sensible defaults for operating against an
Active Directory 2008 R2 or later server.
| |
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.
| |
This will eliminate ambiguity for the AD provider
| |
This will reduce code duplication between the krb5, ipa and ad
providers
| |
This function is not supposed to return any newly-allocated memory
directly. It was actually leaking the memory for krb5_servers if
krb5_kdcip was being used, though it was undetectable because it
was allocated on the provided memctx.
This patch removes the memctx parameter and allocates krb5_servers
temporarily on NULL and ensures that it is freed on all exit
conditions. It is not necessary to retain this memory, as
dp_opt_set_string() performs a talloc_strdup onto the appropriate
context internally.
It also updates the DEBUG messages for this function to the
appropriate new macro levels.