| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far
it's the same code as if enumeration was used, so there are no limits.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
In order to support wildcard request, we need to introduce an optionally
relaxed version of sss_filter_sanitize that allows to select which
characters are exempt from sanitizing.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds two new functions to the cache_req API:
- cache_req_user_by_filter_send
- cache_req_group_by_filter_send
These functions can be used to retrieve users or groups that match a
specified filter.
Also renames a variable to avoid constant confusion -- the variable is
only used for debug output.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Extends the Data Provider interface and the responder<->Data provider
interface with wildcard lookups.
The patch uses a new "wildcard" prefix rather than reusing the existing
user/group prefixes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
filter
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds new sysdb function:
- sysdb_enumpwent_filter
- sysdb_enumpwent_filter_with_views
- sysdb_enumgrent_filter
- sysdb_enumgrent_filter_with_views
These are similar to enumeration functions, but optionally allow to
specify a filter to be applied on user/group names. Also an additional
custom filter can be applied.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Avoids code duplication
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
pam_helpers.h had to be included after util.h.
Removed exara empty line.
Fixed code alignment
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce new user attribute lastOnlineAuthWithCurrentToken.
This attribute behaves similarly to lastOnlineAuth but is set to NULL
after password is changed.
This attribute is needed for use-case when cached authentication is used, to
request online authentication after password is locally changed.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2701
Previously, only the krb5 provides used to queue requests, which
resulted in concurrent authentication requests stepping on one another.
This patch queues requests by default.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2581
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the sma lock was used as for communication with
responder. However it would cause a deadlock in case of
re-checking memcache after acquiring the lock and before communication with
responder..
Required by:
https://fedorahosted.org/sssd/ticket/2581
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2485
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
If user is removed from sysdb cache then
it should be also removed from initgroups memory cache.
Resolves:
https://fedorahosted.org/sssd/ticket/2485
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
If group was not found in nss_cmd_getgrnam_search
then we tied to invalidate entry in memory cache.
But function delete_entry_from_memory cache only invalidated
in passwd memory cache.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2485
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
It seems that gcc did some optimization and
used execve instead of execle when the code was
instrumented for coverage analysis.
So the exec* function was not wrapped and it tried to call
real binary ipa-getkeytab
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
resolv.conf can be missing during boot. This is not
fatal and we will check for its existence later.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
If resolv.conf is not available when SSSD is starting,
check for its existence later.
Ticket:
https://fedorahosted.org/sssd/ticket/2590
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2641
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
We're attempting to use strerror() to print the result from
ad_gpo_access_check(), but that function returns an extended SSSD errno
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function sysdb_get_real_name overrode reurned code LDAP
and thus user was not removed from cache after removing it from LDAP.
This patch also do not try to set initgroups flag if user
does not exist. It reduce some error message.
Resolves:
https://fedorahosted.org/sssd/ticket/2681
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2326
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It seems that gcc 5.1 optimize enum in some ways and expects that
unctions ifp_cache_build_path and ifp_cache_build_base_dn
can return unitialized value due to missing default in switch.
src/responder/ifp/ifp_cache.c:118:13: warning: 'base_dn' may be used uninitialized in this function [-Wmaybe-uninitialized]
ldb_ret = ldb_search(sysdb_ctx_get_ldb(domain->sysdb), tmp_ctx, &result,
^
src/responder/ifp/ifp_cache.c: scope_hint: In function 'ifp_cache_get_cached_objects'
src/responder/ifp/ifp_cache.c:135:18: warning: 'path' may be used uninitialized in this function [-Wmaybe-uninitialized]
paths[i] = ifp_cache_build_path(paths, type, domain, result->msgs[i]);
^
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IFP now exports cached users and groups in introspection.
After a user is cached with:
dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
org.freedesktop.sssd.infopipe.Cache.Object.Store
And Introspection called with:
dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.DBus.Introspectable.Introspect
The cached users would be visible in the Introspection XML as:
<node name="ipaldap/397400000" />
</node>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
It is alright for an interface to not have any GetAll invoker set
if it doesn't have any properties, but we still want to return
an empty message.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2338
Example use:
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.FindByName \
string:admin
object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000"
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Cache.List
array [
]
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
org.freedesktop.sssd.infopipe.Cache.Object.Store
boolean true
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Cache.List
array [
object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000"
]
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
org.freedesktop.sssd.infopipe.Cache.Object.Remove
boolean true
$ dbus-send --print-reply --system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Cache.List
array [
]
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
| |
Make sure the directory is only accessible to the sssd user
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Otherwise each connection would clobber the environment variable with
its own.
This is a temporary workaround until SSSD's ldap_child is able to store
ccaches in a collection.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2638
Reviewed-by: Sumit Bose <sbose@redhat.com>
|