summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Updating translation for the 1.11.2 releasesssd-1_11_2Jakub Hrozek2013-10-3015-2244/+3694
|
* AD: Fix ad_access_filter parsing with empty filterJakub Hrozek2013-10-302-0/+24
|
* NSS: Fix parenthesisJakub Hrozek2013-10-301-1/+1
|
* LDAP: Check all search bases during nested group processingJakub Hrozek2013-10-301-13/+42
|
* nested groups: pick correct domain for cache lookupsPavel Březina2013-10-301-4/+12
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap_fill_memberships: pick correct domain for every memberPavel Březina2013-10-301-4/+19
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
* ghosts: pick correct domain for every memberPavel Březina2013-10-301-10/+15
| | | | | | | | | Groups may contain members from different domains. We need to make sure that we store subdomain users with correct domain name. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap: add sdap_domain_get_by_dn()Pavel Březina2013-10-302-0/+28
| | | | | | | | This function will find sdap domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
* sdap: store base dn in sdap_domainPavel Březina2013-10-302-15/+22
| | | | | | | | | Groups may contain members from different domains. Remembering base dn in domain object gives us the ability to simply lookup correct domain by comparing object dn with domain base dn. Resolves: https://fedorahosted.org/sssd/ticket/2064
* ad: shortcut if possible during get object by ID or SIDPavel Březina2013-10-301-0/+96
| | | | | | | | | | When getByID or getBySID comes from responder, the request doesn't necessarily have to contain correct domain, since responder iterates over all domains until it finds a match. Every domain has its own ID range, so we can simply shortcut if domain does not match and avoid LDAP round trip. Responder will continue with next domain until it finds the correct one.
* free sid obtained from sss_idmap_unix_to_sid()Pavel Březina2013-10-301-0/+2
|
* be_spy_create: free be_req and not the long living dataSumit Bose2013-10-301-1/+1
|
* LDAP: Return correct error codeLukas Slebodnik2013-10-301-1/+1
| | | | | | If talloc_array return NULL we should return right error code from function sdap_domain_subdom_add. It might happen that we could return either wrong error code or uninitialized variable ret.
* MAN: Document that krb5 directories can only be created as privateJakub Hrozek2013-10-291-10/+3
|
* NSS: Fix service enumerationJakub Hrozek2013-10-291-1/+5
| | | | | | | The code wrote into the middle of the packet to a space that was already reserved and allocated but then still advanced the pointer to the buffer. https://fedorahosted.org/sssd/ticket/2124
* ad_subdom_store: check ID mapping of the domain not of the parentSumit Bose2013-10-291-2/+2
|
* KRB5: Handle ERR_CHPASS_FAILEDJakub Hrozek2013-10-291-0/+6
| | | | | | | The Kerberos provider didn't handle ERR_CHPASS_FAILED at all, which resulted in the default return code (System Error) to be returned if password change failed for pretty much any reason, including password too recent etc.
* NSS: Print FQDN for groups with mixed domain membershipJakub Hrozek2013-10-292-9/+239
| | | | | | | | | | | | | | | | | This patch is a workaround until https://fedorahosted.org/sssd/ticket/2129 is fixed properly. Consider a group entry such as: cn: subgroup@subdom ghost: someuser ghost: anotheruser@subdom Currently in order to print all group members as FQDN (which is the default for AD provider), the code needs to iterate over the ghost attributes and parse them into (name,domain) and optionally re-add the domain. The proper fix would be to store always just the FQDN in the hardcoded form of user@domain
* TEST: Test getgrnam with emphasis on membersJakub Hrozek2013-10-291-8/+386
|
* sdap_save_group: try to determine domain by SIDPavel Březina2013-10-291-7/+18
| | | | | | | | | | | | | GC contains objects from both parent domain and subdomain. Lets say we have group with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent group 5000' and this request goes through data provider, searching in parent domain first. Even though this group does not belong to this domain it is found and stored as ad.pb group. With this patch we look at group's SID and put it into correct domain.
* sdap_save_user: try to determine domain by SIDPavel Březina2013-10-291-22/+32
| | | | | | | | | | | | | GC contains objects from both parent domain and subdomain. Lets say we have user with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent passwd 5000' and this request goes through data provider, searching in parent domain first. Even though this user does not belong to this domain it is found and stored as ad.pb user. With this patch we look at user's SID and put it into correct domain.
* ad: destroy ptasks when subdomain is removedPavel Březina2013-10-251-0/+3
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* ipa: destroy cleanup task when subdomain is removedPavel Březina2013-10-251-0/+1
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: convert cleanup task to be_ptaskPavel Březina2013-10-254-73/+64
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* be_ptask: add be_ptask_create_sync()Pavel Březina2013-10-252-0/+117
| | | | | | | | This is a wrapper around be_ptask_create() that allows to create synchronous periodic tasks. Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: free sdap domain if subdomain is removedPavel Březina2013-10-252-0/+15
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: add function to terminate request of specific domainPavel Březina2013-10-252-0/+23
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: set request domainPavel Březina2013-10-251-0/+43
| | | | | | | | Every request is attached to be_ctx->domain by default. We will change the domain to a subdomain if it is relevant. Resolves: https://fedorahosted.org/sssd/ticket/1968
* utils: add ERR_DOMAIN_NOT_FOUND error codePavel Březina2013-10-252-0/+2
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: store list of ongoing requestsPavel Březina2013-10-252-0/+18
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: make subdomains refresh interval configurablePavel Březina2013-10-257-9/+24
| | | | | | | | | | This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968
* AD: Add extended access filterJakub Hrozek2013-10-254-5/+595
| | | | | | | https://fedorahosted.org/sssd/ticket/2082 Adds a new option that allows the admin to specify a LDAP access filter that can be applied globally, per-domain or per-forest.
* AD: Search GC by default during access control, fall back to LDAPJakub Hrozek2013-10-253-10/+163
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2082 In order to allow the ad_access_filter option to work for subdomain users as well, the Global Catalog must be searched. This patch adds a wrapper request atop sdap_access_send that selects the right connection (GC or LDAP) and optionally falls back to LDAP.
* AD: Use the ad_access_filter if it's setJakub Hrozek2013-10-254-19/+49
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks if an account has been expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.
* AD: Add a new option ad_access_filterJakub Hrozek2013-10-254-0/+27
| | | | | | | This patch just adds the option, it doesn't do anything useful yet. Related: https://fedorahosted.org/sssd/ticket/2082
* LDAP: Parse FQDN into name/domain for subdomain usersJakub Hrozek2013-10-251-1/+11
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 When a subdomain user logs in, the username the account request receives is a FQDN. This hackish patch parses the FQDN and only uses the name to search the LDAP.
* LDAP: Amend sdap_access_check to allow any connectionJakub Hrozek2013-10-255-26/+44
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* tests: Use right format string for type size_tLukas Slebodnik2013-10-251-3/+3
| | | | | | | | This patch fixes few format string warnings in the file test_utils.c src/tests/cmocka/test_utils.c:54:56: warning: format specifies type 'unsigned int' but the argument has type 'size_t' (aka 'unsigned long') [-Wformat]
* LDAP: Delete entry by SID if not foundJakub Hrozek2013-10-251-3/+19
| | | | | In case the entry was deleted from the server, the search didn't notice and kept returning the cached data.
* SYSDB: Add sysdb_delete_by_sidJakub Hrozek2013-10-253-0/+65
|
* AD: fall back to LDAP if GC is not available.Lukas Slebodnik2013-10-253-4/+24
| | | | | | | | | | | | AD provider went offline if the Global Catalog could not be connected although there was also the LDAP port available. With this patch, AD provider will fall back to the LDAP port before going offline. New boolean flag ignore_mark_offline was added to structure sdap_id_conn_ctx If this flag is enabled function be_mark_offline will not be called. Resolves: https://fedorahosted.org/sssd/ticket/2104
* AD: Prefer GC port from SRV recordLukas Slebodnik2013-10-251-2/+6
| | | | | | | We had a hard coded value of Global Catalog port (3268). Informations from SRV record was ignored. This patch prefer port number from SRV record and hard coded value is used only as a fall back if port number was not initialized.
* IPA: add trusted domains with missing idrangeSumit Bose2013-10-251-0/+137
| | | | | | | | | | If the forest root of a trusted forest is managing POSIX IDs for its users and groups the same is assumed for all member domains in the forest which do not have explicitly have an idrange set. To reflect this SSSD will create the matching ranges automatically. Fixes https://fedorahosted.org/sssd/ticket/2101
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argumentSumit Bose2013-10-259-2/+24
| | | | | | | | | | | | | When libss_idmap was only used to algorithmically map a SID to a POSIX ID a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if not specific information about the domain was found. The lead to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* idmap: add sss_idmap_domain_by_name_has_algorithmic_mapping()Sumit Bose2013-10-253-4/+114
|
* find_subdomain_by_sid: skip domains with missing domain_idSumit Bose2013-10-252-11/+240
|
* subdomains: first destroy ptask then remove sdomPavel Březina2013-10-241-3/+3
| | | | | be_ptask_destroy was unreachable since sdom is not present in the list of sdap domains any more.
* Inherit ID limits of parent domains if setJakub Hrozek2013-10-241-3/+5
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2123 Previously, the subdomains were always unbound even if the administrator limited the ranges with min_id/max_id. This could have posed problems when running programs that scan the whole ID space, such as "groupadd -r".
* sdap_get_generic_ext_send: check if we a re still connectedSumit Bose2013-10-221-0/+7
| | | | | | | | | | | | | | At the beginning of a LDAP request we check if we are connecte and have a valid sdap handle. But for some requests more than one LDAP operation, typically a search, is needed. Due to the asynchronous handling of LDAP request it might be possible that a second request might detect a server error and close the connection while the first request just finished one LDAP search and wants to start a new LDAP search. This patch tries to make sure that there is a valid sdap handle before sending a LDAP search to the server. Fixes https://fedorahosted.org/sssd/ticket/2126
* IPA: add callback to reset subdomain timeoutsSumit Bose2013-10-221-0/+23
| | | | Fixes https://fedorahosted.org/sssd/ticket/2030