| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
| |
Remove premature call of tevent_req_done() from sdap_get_initgr_done().
Request is correctly marked as done at sdap_get_initgr_pgid().
Resolves:
https://fedorahosted.org/sssd/ticket/2334
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init
If you enable enumeration and use different providers for id and sudo(autofs)
then another periodic task will be scheduled.
This can cause weird behaviour (e.g. missing members of group)
Perodic tasks will be started only by id_provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2153
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Original patches submitted by: mpesari(Thanks!!)
It can cause problems if user will hit spaces before entering username.
(e.g in gdm). Spaces are ignored by LDAP; it's better to escape them.
Resolves:
https://fedorahosted.org/sssd/ticket/1955
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2b8208b45feb2aab64d560d3e12e01e7b6d00d39)
|
|
|
|
|
|
|
|
|
|
|
| |
struct nss_cmd_ctx was not released in function nss_cmd_setnetgrent_done
and it wasn't used in the other function, because getnetgrent creates its own
nss_cmd_ctx context. struct nss_cmd_ctx was released after closing client
because it was allocated under client context. Memory leak is apparent with
long living clients.
Resolves:
https://fedorahosted.org/sssd/ticket/2170
|
| |
|
|
|
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2077
If during the LDAP authentication we find out that the originalDN to
bind as is missing (because the ID module is not LDAP based), we can try
to look up the user from LDAP without saving him just in order to
receive the originalDN.
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2077
Certain situations require that a user entry is downloaded for further
inpection, but not saved to the sysdb right away. This patch splits the
previously monolithic request into one that just downloads the data and
one that uses the new one to download and save the user.
|
|
|
|
|
| |
If the user's GECOS as returned by the proxied module is an empty string
(as opposed to NULL), the ldb transaction would error out.
|
|
|
|
|
|
|
|
|
| |
When the user is only member of its own primary group, initgroups_dyn may
return NOTFOUND as, at least for the 'files' nss provider the code skips the
passed in group.
Resolves:
https://fedorahosted.org/sssd/ticket/2051
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2123
Previously, the subdomains were always unbound even if the administrator
limited the ranges with min_id/max_id. This could have posed problems
when running programs that scan the whole ID space, such as "groupadd
-r".
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the beginning of a LDAP request we check if we are connecte and have
a valid sdap handle. But for some requests more than one LDAP operation,
typically a search, is needed. Due to the asynchronous handling of LDAP
request it might be possible that a second request might detect a server
error and close the connection while the first request just finished one
LDAP search and wants to start a new LDAP search.
This patch tries to make sure that there is a valid sdap handle before
sending a LDAP search to the server.
Fixes https://fedorahosted.org/sssd/ticket/2126
|
|
|
|
|
| |
resolves:
https://fedorahosted.org/sssd/ticket/2049
|
|
|
|
|
|
| |
If the environment variable _SSS_MC_SPECIAL is set to "NO", the
mmap cache is skipped in the client code. The name is not very
descriptive. This patch renames the variable to SSS_NSS_USE_MEMCACHE.
|
|
|
|
|
|
|
|
|
|
|
| |
It is not very likely, that record will have the same hash1 and hash2, but it
is possible. In this situation, it does not make sense to remove record twice.
Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash
in this situation. It was only possible if record was alone in chain.
Resolves:
https://fedorahosted.org/sssd/ticket/2049
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1992
|
|
|
|
| |
ht_size is size of hash_table in bytes, but hash keys have type uint32_t
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code uses 2 hashes for each record, but only one hash table to
index them both, furthermore each record has only one single 'next'
pointer.
This means that in certain conditions a record main end up being on a
hash chain even though its hashes do not match the hash chain. This can
happen when another record 'drags' it in from another hash chain where
they both belong.
If the record without matching hashes happens to be the second of the
chain and the first record is removed, then the non matching record is
left on the wrong chain. On removal of the non-matching record the hash
chain will not be updated and the hash chain will end up pointing to an
invalid slot.
This slot may be later reused for another record and may not be the
first slot of this new record. In this case the hash chain will point to
arbitrary data and may cause issues if the slot is interpreted as the
head of a record.
By skipping any block that has no matching hashes upon removing the
first record in a chain we insure that dangling references cannot be
left in the hash table
Resolves:
https://fedorahosted.org/sssd/ticket/2049
|
|
|
|
|
| |
This patch adds function to store corrupted mmap cache file to
disk for further analysis.
|
|
|
|
|
| |
We introduced new way to check integrity of memcache in the
client code. We should use similiar checks in the responder.
|
|
|
|
|
| |
Removes off by one error when using macro MC_SIZE_TO_SLOTS
and adds new macro MC_SLOT_WITHIN_BOUNDS.
|
|
|
|
|
| |
We had pattern in client code with 3 conditions
that can be replaced with one.
|
|
|
|
|
|
|
|
| |
data->name value must be checked to prevent segfaults in
case of corrupted memory cache.
resolves:
https://fedorahosted.org/sssd/ticket/2018
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2059
If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number,
we can end up with totlen < len and return EINVAL.
It also does not pad the length, but usually allocates
much more memory than is desired.
len = 1024
n = 1024 % 512 + 1 = 0 + 1 = 1
totlen = 1 * 512 = 512
=> totlen < len
len = 511
n = 511 % 512 + 1 = 511 + 1
totlen = 512 * 512 = 262144
totlen is way bigger than it was supposed to be
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1892
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1827
|
|
|
|
|
|
|
|
| |
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1891
|
|
|
|
|
|
|
| |
This patch prevents jumping outside of allocated memory in
case of corrupted slot or name_ptr values. It is not proper
solution, just hotfix until we find out what is the root cause
of ticket https://fedorahosted.org/sssd/ticket/2018
|
|
|
|
|
|
| |
Wait for c-ares to finish before checking for memory leaks.
https://fedorahosted.org/sssd/ticket/1899
|
|
|
|
|
|
|
| |
Partially solves ticket: https://fedorahosted.org/sssd/ticket/1966
To avoid the problem mentioned in the ticket above, option
dns_discovery_domain must be set properly
|
|
|
|
|
|
|
|
| |
c-ares timeout to wait for response from DNS server
before moving to next DNS server is lowered from 5s
to 2s.
Partially solves https://fedorahosted.org/sssd/ticket/1966
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1932
There is a rather strange workaround in the nested groups processing
code that calls tevent_req_post outside _send(). However, it broke in
certain situations where the tevent_req_call resulted in req being freed,
which freed state by extension and then the subsequent _post call was a
use-after-free. This patch saves the two variables used outside state so
that it's safe to use them even after the callback.
|
|
|
|
| |
This patch remove unused functions sdap_parse_user and sdap_parse_group
|
|
|
|
|
|
|
|
| |
We did not set port status for metaservers (srv servers)
in fo_reset_services().
Fixes:
https://fedorahosted.org/sssd/ticket/1933
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1947
Otherwise we will do the SRV expansion once again:
1. leaving the old servers in server list
2. meta server is not inserted back in the list, the newly found
servers are inserted behind meta server, meta server is orphaned
and the new servers are forgotten
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1947
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1737
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1817
|
|
|
|
|
|
|
|
|
| |
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
|
|
|
|
|
|
|
|
| |
File descriptors leaked every time sss_mmap_cache_reinit was
called and also the old memory cache was still maped in memory
(munmap was not called). This patch adds destructor for memory
cache context to call close() and munmap() automaticly.
https://fedorahosted.org/sssd/ticket/1826
|
|
|
|
|
|
| |
This patch adds debug message for the case if sssd
fails to open old mc file for some other reason than
the file does not exist.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1710
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1841
|
|
|
|
|
|
|
|
|
|
|
| |
Storing cyclic groups into sysdb can cause adding ghost members,
which has already been stored. Function ldb_modify will fail
with error [Attribute or value exists].
With permisive control, duplicated attributes will be skipped
as if it was never added.
https://fedorahosted.org/sssd/ticket/1846
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1886
|
|
|
|
|
|
|
| |
Due to a comparison error, the last warning when an LDAP password was in
its grace period was never displayed.
https://fedorahosted.org/sssd/ticket/1890
|