path: root/src
Commit message [tag] (author, age, files, lines)
* LDAP: Search for original DN during auth if it's missing [sssd-1.9.2-129.2.el6] (Jakub Hrozek, 2013-12-03, files: 1, lines: -16/+194)
  Resolves: https://fedorahosted.org/sssd/ticket/2077
  If during the LDAP authentication we find out that the originalDN to bind as is missing (because the ID module is not LDAP based), we can try to look up the user from LDAP without saving him just in order to receive the originalDN.
* LDAP: Split out a request to search for a user w/o saving (Jakub Hrozek, 2013-12-03, files: 2, lines: -32/+146)
  Related: https://fedorahosted.org/sssd/ticket/2077
  Certain situations require that a user entry is downloaded for further inspection, but not saved to the sysdb right away. This patch splits the previously monolithic request into one that just downloads the data and one that uses the new one to download and save the user.
* PROXY: Handle empty GECOS (Jakub Hrozek, 2013-12-03, files: 1, lines: -1/+8)
  If the user's GECOS as returned by the proxied module is an empty string (as opposed to NULL), the ldb transaction would error out.
* proxy: Allow initgroup to return NOTFOUND (Simo Sorce, 2013-12-03, files: 1, lines: -0/+16)
  When the user is only a member of its own primary group, initgroups_dyn may return NOTFOUND as, at least for the 'files' nss provider, the code skips the passed-in group.
  Resolves: https://fedorahosted.org/sssd/ticket/2051
* Inherit ID limits of parent domains if set [sssd-1.9.2-129.1.el6] (Jakub Hrozek, 2013-12-03, files: 1, lines: -3/+5)
  https://fedorahosted.org/sssd/ticket/2123
  Previously, the subdomains were always unbound even if the administrator limited the ranges with min_id/max_id. This could have posed problems when running programs that scan the whole ID space, such as "groupadd -r".
* sdap_get_generic_ext_send: check if we are still connected [sssd-1.9.2-129.el6] (Sumit Bose, 2013-10-22, files: 1, lines: -0/+7)
  At the beginning of an LDAP request we check if we are connected and have a valid sdap handle. But for some requests more than one LDAP operation, typically a search, is needed. Due to the asynchronous handling of LDAP requests it might be possible that a second request detects a server error and closes the connection while the first request has just finished one LDAP search and wants to start a new LDAP search. This patch tries to make sure that there is a valid sdap handle before sending an LDAP search to the server.
  Fixes https://fedorahosted.org/sssd/ticket/2126
* Check slot validity before MC_SLOT_TO_PTR. [sssd-1.9.2-128.el6] (Michal Zidek, 2013-09-26, files: 2, lines: -15/+79)
  Resolves: https://fedorahosted.org/sssd/ticket/2049
* Rename _SSS_MC_SPECIAL (Michal Zidek, 2013-09-26, files: 1, lines: -2/+2)
  If the environment variable _SSS_MC_SPECIAL is set to "NO", the mmap cache is skipped in the client code. The name is not very descriptive. This patch renames the variable to SSS_NSS_USE_MEMCACHE.
* mmap_cache: Do not remove record from chain twice (Lukas Slebodnik, 2013-09-26, files: 1, lines: -0/+6)
  It is not very likely that a record will have the same hash1 and hash2, but it is possible. In this situation, it does not make sense to remove the record twice. Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash in this situation. It was only possible if the record was alone in the chain.
  Resolves: https://fedorahosted.org/sssd/ticket/2049
* SIGCHLD handler: do not call callback when pvt data was freed (Pavel Březina, 2013-09-12, files: 5, lines: -5/+41)
  https://fedorahosted.org/sssd/ticket/1992
* mmap_cache: Use stricter check for hash keys. (Lukas Slebodnik, 2013-09-03, files: 1, lines: -4/+6)
  ht_size is the size of hash_table in bytes, but hash keys have type uint32_t.
* mmap_cache: Skip records which don't have same hash (Lukas Slebodnik, 2013-09-03, files: 1, lines: -2/+34)
  The code uses 2 hashes for each record, but only one hash table to index them both; furthermore each record has only one single 'next' pointer. This means that in certain conditions a record may end up being on a hash chain even though its hashes do not match the hash chain. This can happen when another record 'drags' it in from another hash chain where they both belong.
  If the record without matching hashes happens to be the second of the chain and the first record is removed, then the non-matching record is left on the wrong chain. On removal of the non-matching record the hash chain will not be updated and the hash chain will end up pointing to an invalid slot. This slot may be later reused for another record and may not be the first slot of this new record. In this case the hash chain will point to arbitrary data and may cause issues if the slot is interpreted as the head of a record.
  By skipping any block that has no matching hashes upon removing the first record in a chain we ensure that dangling references cannot be left in the hash table.
  Resolves: https://fedorahosted.org/sssd/ticket/2049
* mmap_cache: Store corrupted mmap cache before reset (Michal Zidek, 2013-09-03, files: 1, lines: -0/+66)
  This patch adds a function to store the corrupted mmap cache file to disk for further analysis.
* mmap_cache: Use better checks for corrupted mc in responder (Michal Zidek, 2013-09-03, files: 2, lines: -5/+53)
  We introduced a new way to check the integrity of memcache in the client code. We should use similar checks in the responder.
* mmap_cache: Off by one error. (Michal Zidek, 2013-09-03, files: 4, lines: -14/+17)
  Removes off by one error when using macro MC_SIZE_TO_SLOTS and adds new macro MC_SLOT_WITHIN_BOUNDS.
* mmap_cache: Remove triple checks in client code. (Michal Zidek, 2013-09-03, files: 2, lines: -40/+20)
  We had a pattern in client code with 3 conditions that can be replaced with one.
* mmap_cache: Check data->name value in client code (Michal Zidek, 2013-09-03, files: 2, lines: -0/+37)
  data->name value must be checked to prevent segfaults in case of corrupted memory cache.
  Resolves: https://fedorahosted.org/sssd/ticket/2018
* sss_packet_grow: correctly pad packet length to 512B (Pavel Březina, 2013-09-03, files: 1, lines: -1/+1)
  https://fedorahosted.org/sssd/ticket/2059
  If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number, we can end up with totlen < len and return EINVAL. It also does not pad the length, but usually allocates much more memory than is desired.

  len = 1024
  n = 1024 % 512 + 1 = 0 + 1 = 1
  totlen = 1 * 512 = 512 => totlen < len

  len = 511
  n = 511 % 512 + 1 = 511 + 1
  totlen = 512 * 512 = 262144
  totlen is way bigger than it was supposed to be
* Make IPA SELinux provider aware of subdomain users (Jakub Hrozek, 2013-09-03, files: 4, lines: -12/+29)
  Fixes https://fedorahosted.org/sssd/ticket/1892
* print hint about password complexity when new password is rejected [sssd-1.9.2-121.el6] (Pavel Březina, 2013-08-11, files: 2, lines: -2/+22)
  https://fedorahosted.org/sssd/ticket/1827
* ldap, krb5: More descriptive msg on chpass failure. [sssd-1.9.2-120.el6] (Michal Zidek, 2013-08-11, files: 2, lines: -0/+31)
  Print a more descriptive message when the wrong current password is given during a password change operation.
  Resolves: https://fedorahosted.org/sssd/ticket/2029
* providers: refresh expired netgroups [sssd-1.9.2-119.el6] (Pavel Březina, 2013-08-11, files: 6, lines: -3/+208)
  https://fedorahosted.org/sssd/ticket/1713
* back end: add refresh expired records periodic task (Pavel Březina, 2013-08-11, files: 10, lines: -0/+68)
  https://fedorahosted.org/sssd/ticket/1713
  Add new option refresh_expired_interval.
* back end: periodical refresh of expired records API (Pavel Březina, 2013-08-11, files: 2, lines: -0/+375)
  https://fedorahosted.org/sssd/ticket/1713
* back end: periodic task API (Pavel Březina, 2013-08-11, files: 2, lines: -0/+447)
  https://fedorahosted.org/sssd/ticket/1891
* mmap_cache: Check if slot and name_ptr are not invalid. [sssd-1.9.2-118.el6] (Michal Zidek, 2013-08-11, files: 5, lines: -2/+73)
  This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not a proper solution, just a hotfix until we find out what the root cause of ticket https://fedorahosted.org/sssd/ticket/2018 is.
* resolv-tests failing with memory leak [sssd-1.9.2-117.el6] (Michal Zidek, 2013-08-11, files: 1, lines: -2/+4)
  Wait for c-ares to finish before checking for memory leaks.
  https://fedorahosted.org/sssd/ticket/1899
* Set default DNS resolution timeout to 6 seconds. (Jakub Hrozek, 2013-08-11, files: 3, lines: -3/+3)
  Partially solves ticket: https://fedorahosted.org/sssd/ticket/1966
  To avoid the problem mentioned in the ticket above, the option dns_discovery_domain must be set properly.
* Lower timeout to contact DNS server (Michal Zidek, 2013-08-11, files: 1, lines: -1/+1)
  The c-ares timeout to wait for a response from a DNS server before moving to the next DNS server is lowered from 5s to 2s.
  Partially solves https://fedorahosted.org/sssd/ticket/1966
* LDAP: Fix crash when processing nested groups [sssd-1.9.2-116.el6] (Jakub Hrozek, 2013-08-09, files: 1, lines: -4/+16)
  https://fedorahosted.org/sssd/ticket/1932
  There is a rather strange workaround in the nested groups processing code that calls tevent_req_post outside _send(). However, it broke in certain situations where the tevent_req_call resulted in req being freed, which freed state by extension and then the subsequent _post call was a use-after-free.
  This patch saves the two variables used outside state so that it's safe to use them even after the callback.
* Removing unused functions. [sssd-1.9.2-115.el6] (Lukas Slebodnik, 2013-08-09, files: 2, lines: -36/+0)
  This patch removes the unused functions sdap_parse_user and sdap_parse_group.
* Always set port status to neutral when resetting service. (Michal Zidek, 2013-08-09, files: 1, lines: -1/+2)
  We did not set port status for metaservers (srv servers) in fo_reset_services().
  Fixes: https://fedorahosted.org/sssd/ticket/1933
* failover: if expanded server is marked as neutral, invoke srv collapse (Pavel Březina, 2013-08-09, files: 1, lines: -0/+7)
  https://fedorahosted.org/sssd/ticket/1947
  Otherwise we will do the SRV expansion once again:
  1. leaving the old servers in server list
  2. meta server is not inserted back in the list, the newly found servers are inserted behind meta server, meta server is orphaned and the new servers are forgotten
* collapse_srv_lookup may free the server, make it clear from the API (Pavel Březina, 2013-08-09, files: 1, lines: -5/+8)
  https://fedorahosted.org/sssd/ticket/1947
* Remove enumerate=true from man sssd-ldap (Jakub Hrozek, 2013-08-09, files: 1, lines: -1/+0)
  https://fedorahosted.org/sssd/ticket/1737
* if selinux is disabled, ignore that selogin dir is missing [sssd-1.9.2-114.el6] (Pavel Březina, 2013-08-09, files: 1, lines: -3/+15)
  https://fedorahosted.org/sssd/ticket/1817
* Adding option to disable retrieving large AD groups. [sssd-1.9.2-113.el6] (Lukas Slebodnik, 2013-08-09, files: 11, lines: -13/+74)
  This commit adds a new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups (>1500) will not be retrieved and the behaviour will be similar to what it was before commit ae8d047122c "LDAP: Handle very large Active Directory groups".
  https://fedorahosted.org/sssd/ticket/1823
* File descriptor leak in nss responder. [sssd-1.9.2-112.el6] (Michal Zidek, 2013-08-09, files: 1, lines: -18/+43)
  File descriptors leaked every time sss_mmap_cache_reinit was called and also the old memory cache was still mapped in memory (munmap was not called). This patch adds a destructor for the memory cache context to call close() and munmap() automatically.
  https://fedorahosted.org/sssd/ticket/1826
* Debug message in sss_mc_create_file. (Michal Zidek, 2013-08-09, files: 1, lines: -0/+5)
  This patch adds a debug message for the case when sssd fails to open the old mc file for some reason other than the file not existing.
* MAN: Fix the title of sssd-sudo [sssd-1.9.2-111.el6] (Jakub Hrozek, 2013-08-09, files: 1, lines: -1/+1)
  https://fedorahosted.org/sssd/ticket/1710
* Document what access_provider=ad does [sssd-1.9.2-110.el6] (Jakub Hrozek, 2013-08-09, files: 1, lines: -0/+14)
  https://fedorahosted.org/sssd/ticket/1841
* Every time use permissive control in function memberof_mod. [sssd-1.9.2-109.el6] (Lukas Slebodnik, 2013-08-09, files: 1, lines: -0/+7)
  Storing cyclic groups into sysdb can cause adding ghost members which have already been stored. Function ldb_modify will fail with error [Attribute or value exists]. With permissive control, duplicated attributes will be skipped as if they were never added.
  https://fedorahosted.org/sssd/ticket/1846
* failover: set state->out when meta server remains in SRV_RESOLVE_ERROR [sssd-1.9.2-108.el6] (Pavel Březina, 2013-08-09, files: 1, lines: -0/+1)
  https://fedorahosted.org/sssd/ticket/1886
* Display the last grace warning, too [sssd-1.9.2-107.el6] (Jakub Hrozek, 2013-08-09, files: 2, lines: -3/+3)
  Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed.
  https://fedorahosted.org/sssd/ticket/1890
* Do not call sss_cmd_done in function check_cache. [sssd-1.9.2-105.el6] (Lukas Slebodnik, 2013-08-08, files: 1, lines: -6/+0)
  Function sysdb_getpwnam returned more than one result and therefore sss_cmd_done was called. Inside of function sss_cmd_done memory was freed, but this freed memory was used in the caller functions, therefore sssd crashed.
  https://fedorahosted.org/sssd/ticket/1980
* init script: source /etc/sysconfig/sssd [sssd-1.9.2-104.el6] (Pavel Březina, 2013-08-08, files: 3, lines: -0/+18)
  https://fedorahosted.org/sssd/ticket/1959
* Configure SYSV init scripts properly (Stephen Gallagher, 2013-08-08, files: 3, lines: -9/+7)
  Previously, these contained hard-coded paths. Now they are populated correctly by the configure script.
  https://fedorahosted.org/sssd/ticket/1986
* Handle too many results from getnetgr. (Lukas Slebodnik, 2013-08-08, files: 1, lines: -1/+13)
* sudo responder: use fully qualified name for subdomain users [sssd-1.9.2-103.el6] (Pavel Březina, 2013-08-08, files: 1, lines: -1/+1)
  https://fedorahosted.org/sssd/ticket/1912
  Patch that converts subdomain usernames into fully qualified format made it to the 1.9 branch but sudo wasn't aware of it. This patch changes the sysdb_getpwnam call to sysdb_subdom_getpwnam, which converts the username into fqn if the domain is a subdomain.
* Add ignore_group_members option. [sssd-1.9.2-102.el6] (Paul B. Henson, 2013-08-08, files: 9, lines: -18/+64)
  https://fedorahosted.org/sssd/ticket/1376