summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina2013-02-271-3/+7
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
* Do not process success case in an elseJakub Hrozek2013-02-261-24/+24
|
* Remove enumerate=true from man sssd-ldapJakub Hrozek2013-02-261-1/+0
| | | | https://fedorahosted.org/sssd/ticket/1737
* sysdb: try dealing with binary-content attributesJan Engelhardt2013-02-264-7/+17
| | | | | | | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
* if selinux is disabled, ignore that selogin dir is missingPavel Březina2013-02-261-3/+15
| | | | https://fedorahosted.org/sssd/ticket/1817
* Fix the krb5 password expiration warningJakub Hrozek2013-02-211-1/+7
| | | | https://fedorahosted.org/sssd/ticket/1808
* Fix uninitialized time_t var in responderOndrej Kos2013-02-211-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1810
* tools: append new line to string from poptStrerror()Milan Cejnar2013-02-211-1/+13
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1756 Messages from poptStrerror() passed to BAD_POPT_PARAMS macro were printed out to the console without new line character at the end of the message. BAD_POPT_PARAMS should now behave correctly with strings both with or without new line character at the end.
* subdomains: replace invalid characters with underscore in krb5 mapping file namePavel Březina2013-02-141-1/+26
| | | | | | | https://fedorahosted.org/sssd/ticket/1795 Only alpha-numeric chars, dashes and underscores are allowed in krb5 include directory.
* Lower the DEBUG level if an entry cannot be deleted from memcacheJakub Hrozek2013-02-141-3/+3
|
* get_next_domain() test dom->parent->next for NULLPavel Březina2013-02-141-1/+1
| | | | | Otherwise dom may be set to NULL and we will segfault when dereferencing dom.
* Filter out multicast addresses from IPA DNS updatesJakub Hrozek2013-02-121-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1804
* LDAP: Check for authtok validityJakub Hrozek2013-02-111-7/+9
| | | | | | | | | | The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
* krb5: include backwards compatible declaration of krb5_trace_infoJakub Hrozek2013-02-112-2/+8
| | | | | | | krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11 includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info". Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
* Introduce IS_SUBDOMAIN() macroSimo Sorce2013-02-108-13/+15
| | | | Fixes https://fedorahosted.org/sssd/ticket/1766
* Parent and subdomains use the same sysdbSimo Sorce2013-02-102-71/+8
| | | | | | Remove code that tries to get the 'right' sysdb, as it is always going to get the same answer anyway since the recent patches to rework the domains/sysdb relationship.
* Change the way domains are linked.Simo Sorce2013-02-1013-414/+225
| | | | | | | | | | | | | | | | | | | - Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
* Add ability to disable domainsSimo Sorce2013-02-102-8/+14
|
* Add function get_next_domain()Simo Sorce2013-02-1018-112/+119
| | | | | | | Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
* Remove sysdb_subdom completelySimo Sorce2013-02-104-127/+131
| | | | | struct sss_domain_info is always used to represent domains now. Adjust tests accordingly.
* Add sysdb_subdomain_store() functionSimo Sorce2013-02-102-37/+103
| | | | Replaces sysdb_add_subdomain_attributes and is a public sysdb interface.
* Refactor sysdb_master_domain_add_info()Simo Sorce2013-02-103-51/+28
|
* Update main domain info in placeSimo Sorce2013-02-104-62/+38
|
* Avoid sysdb_subdom in sysdb_get_subdomains()Simo Sorce2013-02-106-102/+60
|
* Add realm info to sss_domain_infoSimo Sorce2013-02-1010-10/+25
|
* NSS: Add original homedir to home directory template optionsStephen Gallagher2013-02-106-8/+29
| | | | https://fedorahosted.org/sssd/ticket/1805
* Correct sss_ssh_knowhostsproxy typo in man pagesJohn Hodrien2013-02-011-1/+1
|
* dp: check whether hostid backend is configured before filing be requestPavel Březina2013-02-011-0/+8
|
* Fix minor grammar error in logStephen Gallagher2013-01-301-1/+1
|
* krb: recreate ccache if it was deletedPavel Březina2013-01-301-1/+8
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1512 If directory where a ccache file was stored was missing and user was still logged in, we erroneously considered the ccache file still active. Thus the ccache file was not recreated and user was unable to login.
* TESTS: include error message on failOndrej Kos2013-01-291-8/+8
|
* TESTS: Fix coverity issues 13126, 13127Ondrej Kos2013-01-291-2/+6
| | | | https://fedorahosted.org/sssd/ticket/1763
* Unchecked return value in files.cMichal Zidek2013-01-291-1/+9
| | | | | Found by coverity. https://fedorahosted.org/sssd/ticket/1791
* nested groups: fix group lookup hangs if member dn is incorrectPavel Březina2013-01-281-0/+24
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* TOOLS: Compile on old platforms such as RHEL5Jakub Hrozek2013-01-281-37/+140
| | | | | Provides compatible declarations for modern file management functions such as futimens or opening with the O_CLOEXEC flag
* MAN: Clarify that saving users after enumerating large domain might be CPU ↵Jakub Hrozek2013-01-281-1/+9
| | | | | | intensive https://fedorahosted.org/sssd/ticket/1732
* Possible null derefence in ipa_subdomains.c.Michal Zidek2013-01-251-0/+4
| | | | | Found by coverity. https://fedorahosted.org/sssd/ticket/1790
* SYSDB: Expire group if adding ghost users fails with EEXISTJakub Hrozek2013-01-231-2/+36
|
* SYSDB: make the sss_ldb_modify_permissive function publicJakub Hrozek2013-01-232-2/+11
|
* TOOLS: Use file descriptor to avoid races when creating a home directoryJakub Hrozek2013-01-234-354/+364
| | | | | | | | | | | When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
* TOOLS: Use openat/unlinkat when removing the homedirJakub Hrozek2013-01-231-42/+41
| | | | | | | | | | The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree. This security issue was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
* Check that strings do not go beyond the end of the packet body in autofs and ↵Jan Cholasta2013-01-232-7/+7
| | | | | | | | SSH requests. This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
* sudo responder: change num_rules type from size_t to uint32_tPavel Březina2013-01-227-25/+25
| | | | | | | | https://fedorahosted.org/sssd/ticket/1779 2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus.
* Convert the value of pwd_exp_warning to secondsJakub Hrozek2013-01-221-5/+6
| | | | | | | | When read from the domain section, the pwd_expiration_warning was properly converted to seconds from days, but not the pam_pwd_expiration_warning set in the [pam] section. https://fedorahosted.org/sssd/ticket/1773
* fix backend callbacks: remove callback properly from dlistPavel Březina2013-01-221-6/+18
| | | | | | | | https://fedorahosted.org/sssd/ticket/1776 Although cb->list got updated when the callback is removed, this change did not propagate to be_ctx->*_cb_list which caused dlist having invalid records.
* Fix code styleJakub Hrozek2013-01-221-1/+2
|
* Make struct be_req opaqueSimo Sorce2013-01-212-18/+18
|
* Add be_req_get_data() helper funciton.Simo Sorce2013-01-2117-32/+45
| | | | In preparation for making struct be_req opaque.
* Add be_req_get_be_ctx() helper.Simo Sorce2013-01-2122-133/+155
| | | | In preparation for making be_req opaque
* Add be_req_create() helperSimo Sorce2013-01-213-40/+38
|
generated by cgit (git 2.34.1) at 2024-06-18 06:11:25 +0000