summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* AD: Don't mark domain as enumerated twiceJakub Hrozek2014-01-291-13/+0
| | | | | The domain was already marked as enumerated using sysdb_set_enumerated in the enumeration request itself.
* sudo: memset tm when converting time attributesPavel Březina2014-01-291-0/+2
| | | | | | | | | | strptime() which is used to parse LDAP time value does not initialize all fields of tm structure (especially tm_isdst). This results in random behavior - when the tm is converted into timestamp via mktime(), the result depends on current value of tm_isdst. Resolves: https://fedorahosted.org/sssd/ticket/2213
* AD SRV: use right domain name for CLDAP pingSumit Bose2014-01-281-1/+1
| | | | | | Currently always the name of the configured domain was passed to the CLDAP request. This will fail if the CLDAP request is send to a DC form a different domain.
* LDAP: Don't abort request if no id mapping domain matchesJakub Hrozek2014-01-242-6/+40
| | | | | | | | | If an ID was requested from the back end, but no ID mapping domain matched, the request ended with a scary error message. It's better to treat the request as if no such ID was found in the domain Related: https://fedorahosted.org/sssd/ticket/2200
* krb5: hint to increase krb5_auth_timeoutPavel Reichl2014-01-241-1/+4
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2202
* sdap_idamp: Fall back to another method if sid is wrongLukas Slebodnik2014-01-221-2/+8
| | | | | | | | | | | sss_idmap_domain_has_algorithmic_mapping can return also IDMAP_SID_INVALID, but it does not mean that idmaping is unavailable. We should fall back to another method of detection (sss_idmap_domain_by_name_has_algorithmic_mapping) and do not return false immediately. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: update id mapping detection for ldap providerLukas Slebodnik2014-01-221-0/+5
| | | | | | | | For id_provider ldap, it is only necessary to enable option ldap_id_mapping. It is an regression introduced in the commit d3e1d88ce7de3216a862b Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Don't fail if subdomain cannot be found by sidLukas Slebodnik2014-01-221-4/+6
| | | | | | | | | Domain needn't contain sid if id_provider is ldap. With enabled id mapping, user couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Fix error checkJakub Hrozek2014-01-201-2/+2
| | | | https://fedorahosted.org/sssd/ticket/2199
* MAN: Fix a typoJakub Hrozek2014-01-201-1/+1
|
* AD: Don't fail the request if ad_account_can_shortcut failsJakub Hrozek2014-01-201-1/+3
|
* AD: Return right error code from netlogon_get_flat_nameLukas Slebodnik2014-01-161-1/+1
| | | | | | | EOK was returned in done section of netlogon_get_flat_name, even if error code was set in variable ret. This patch fixes also warnings from scan-build.
* NSS: add support for subdomain_homedirPavel Reichl2014-01-151-0/+8
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2169
* simple access: refresh master domain infoPavel Reichl2014-01-152-45/+92
| | | | | | | | | | To correctly decide if an object is a member of the main sssd domain, a flat name is needed. However, the information may not be available when the module is inited so it may be necessary to refresh this data later while processing a request. Resolves: https://fedorahosted.org/sssd/ticket/2189
* simple access: match objects using flat namePavel Reichl2014-01-151-1/+3
| | | | | | | Use flat name to recognise users and groups belonging to main sssd domain. Resolves: https://fedorahosted.org/sssd/ticket/2189
* NSS: Use plain user name when expanding homedirJakub Hrozek2014-01-151-1/+12
|
* UTIL: Inherit parent domain's default_shellJakub Hrozek2014-01-151-1/+4
| | | | | Some override parameters were not inherited when creating subdomains. Especially with AD trusts, this gave strange results.
* tests: Remove tests that check creating public directoriesJakub Hrozek2014-01-091-121/+0
| | | | | The functionality was removed, but we forgot to remove the corresponding tests, mostly because these tests were only ever ran as root.
* LDAP: Add a new error code for malformed access control filterJakub Hrozek2014-01-096-10/+18
| | | | | | | https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special cases the new code so that access is denied and a nicer log message is shown.
* responder: Set forest attribute in AD domainsPavel Reichl2014-01-098-18/+87
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2160
* FAST: when parsing krb5_child response, make sure to not miss OTP message if ↵Alexander Bokovoy2014-01-091-3/+4
| | | | | | | | | | | | | it was last one The last message in the stream might be with empty payload which means we get only message type and message length (0) returned, i.e. 8 bytes left remaining in the stream after processing preceding message. This makes our calculation at the end of a message processing loop incorrect -- p+2*sizeof(int32_t) can be equal to len, after all. Fixes FAST processing for FreeIPA native OTP case: https://fedorahosted.org/sssd/ticket/2186
* LDAP: Fix typo and use the right attribute mapJakub Hrozek2014-01-081-1/+1
| | | | | | | | https://fedorahosted.org/sssd/ticket/2191 There was a copy-n-paste bug in the code that resulted in using a wrong attribute map. This could lead to the primary name not being selected correctly.
* IPA: fix for recent AD group membership changesSumit Bose2014-01-081-0/+2
|
* Updating translations for the 1.11.3 releasesssd-1_11_3Jakub Hrozek2013-12-1915-4818/+5441
|
* AD: Enable fallback to LDAP of trusted domainJakub Hrozek2013-12-192-16/+5
| | | | | Since we have the LDAP port of a trusted AD GC always available now, we can always perform a fallback.
* AD: Add a new option to turn off GC lookupsJakub Hrozek2013-12-196-13/+58
| | | | | | | | | | SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.
* AD: Add a utility function to create list of connectionsJakub Hrozek2013-12-197-41/+291
| | | | | | | | | | ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.
* AD: cross-domain membership fixSumit Bose2013-12-196-30/+261
| | | | | | | | | | | | | | | | | | | A recent patch directed all call related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tires to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
* AD: filter domain local groups for trusted/sub domainsSumit Bose2013-12-194-64/+138
| | | | | | | | | | | | | | In Active Directory groups with a domain local scope should only be used inside of the specific domain. Since SSSD read the group memberships from LDAP server of the user's domain the domain local groups are included in the LDAP result. Those groups should be filtered out if the domain is a sub/trusted domain, i.e. is not the domain the client running SSSD is joined to. The groups will still be in the cache but marked as non-POSIX groups and no GID will be assigned. Fixes https://fedorahosted.org/sssd/ticket/2178
* Add sysdb_attrs_get_int32_tSumit Bose2013-12-192-0/+28
|
* Add new option ldap_group_typeSumit Bose2013-12-1910-0/+32
|
* Use lower-case name for case-insensitive searchesSumit Bose2013-12-197-18/+108
| | | | | | | | | | | | The patch makes sure that a completely lower-cased version of a fully qualified name is used for case insensitive searches. Currently there are code paths where the domain name was used as configured and was not lower-cased. To make sure this patch does not break with old entries in the cache or case sensitive domains a third template was added to the related filters templates which is either filled with a completely lower-cased version or with the old version. The other two template values are unchanged.
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-195-55/+27
|
* Add sysdb_attrs_add_lc_name_aliasSumit Bose2013-12-193-0/+53
|
* sss_cache: fix case-sensitivity issueSumit Bose2013-12-191-27/+36
| | | | | | | For case-insensitive domains the lower-case name for case-insensitive searches is stored in SYSDB_NAME_ALIAS. Related to https://fedorahosted.org/sssd/ticket/1741
* sss_cache: initialize names member of sss_domain_infoSumit Bose2013-12-191-13/+10
| | | | | | | | | sss_tc_fqname() called by sss_get_domain_name() requires that the names member of the sss_domain_info struct is set to work properly. If the names struct is properly initialized in sss_domain_info the separate one in the tool context is not needed anymore. Related to https://fedorahosted.org/sssd/ticket/1741
* IPA: Call ipa_ad_subdom_refresh when server mode is initializedJakub Hrozek2013-12-191-6/+14
| | | | | | ipa_ad_subdom_refresh was called before IPA server context was initialized. On IPA server, this caused the code to dereference a NULL pointer and crash.
* IPA: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-19/+32
| | | | | Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.
* AD: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-17/+32
| | | | | | | | | | Previously, if no changes were done to the list of subdomains, the SSSD didn't update its list of sdap_domain mappings for the new subdomain. This resulted in errors as no id_ctx was present for the subdomain during lookup. This patch moves the block of code performed during update to a function of its own and calls it during provider initialization as well.
* ad: use tokengroups even when id mapping is disabledPavel Březina2013-12-183-26/+525
| | | | https://fedorahosted.org/sssd/ticket/1568
* ad: refactor tokengroups initgroupsPavel Březina2013-12-183-231/+357
| | | | | sdap_get_ad_tokengroups_initgroups is split into more parts so it can be reused later.
* AD: use LDAP for group lookupsSumit Bose2013-12-133-3/+152
| | | | | | | | | | | | | | | | The group memberships cannot be reliable retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domains than the GC belongs to. As a result the requests which tries to resolve group-memberships of a AD user have to go to a LDAP server from the domain of the user. Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
* AUTOTOOLS: krb5 1.12 is also supported krb5 libsLukas Slebodnik2013-12-101-1/+2
| | | | pac responder was not properly detected with krb5 1.12 library
* NSS: Fix memory leak in sss_setnetgrentLukas Slebodnik2013-12-101-1/+1
| | | | | | | | | | | struct nss_cmd_ctx was not released in function nss_cmd_setnetgrent_done and it wasn't used in the other function, because getnetgrent creates its own nss_cmd_ctx context. struct nss_cmd_ctx was released after closing client because it was allocated under client context. Memory leak is apparent with long living clients. Resolves: https://fedorahosted.org/sssd/ticket/2170
* SUBDOMAINS: Reuse cached results if DP is offlineJakub Hrozek2013-12-092-2/+13
| | | | | | | | | | If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168
* failover: check dns_domain if primary servers lookup failedPavel Březina2013-12-091-3/+7
| | | | | | | If primary servers lookup failed, dns_domain is not set. Resolves: https://fedorahosted.org/sssd/ticket/2173
* sysv/gentoo: Send debug output to a file instead of stderrMarkos Chandras2013-12-041-1/+1
| | | | | | | Output from init scripts should go to a file (ideally in /var/log directory) instead of stderr. Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
* sysv/gentoo: Use xdm if possibleMarkos Chandras2013-12-041-1/+1
| | | | | | | Allow sssd to use the xdm wrapper so login managers can use sssd to authenticate users. Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
* SSSD: Unit test - sss_ldap_dn_in_search_basesPavel Reichl2013-11-291-0/+191
| | | | | | | Unit test testing detection of the right domain when processing group with members from several domains Resolves: https://fedorahosted.org/sssd/ticket/2132
* SSSD: Improved domain detectionPavel Reichl2013-11-293-16/+57
| | | | | | | A bit more elegant way of detection of what domain the group member belongs to Resolves: https://fedorahosted.org/sssd/ticket/2132
generated by cgit (git 2.34.1) at 2024-05-03 06:45:04 +0000