| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Since we have the LDAP port of a trusted AD GC always available now, we
can always perform a fallback.
|
|
|
|
|
|
|
|
|
|
| |
SSSD now defaults to using GC by default. For some environments, for
instance those that don't or can't replicate the POSIX attributes to
Global Catalog, this might not be desirable.
This patch introduces a new option ad_enable_gc, that is enabled by
default. Setting this option to false makes the SSSD contact only the
LDAP port of AD DCs.
|
|
|
|
|
|
|
|
|
|
| |
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
The same applies for the LDAP connection to the trusted AD DC.
Includes a unit test.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tires to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD read the group memberships
from LDAP server of the user's domain the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch makes sure that a completely lower-cased version of a fully
qualified name is used for case insensitive searches. Currently there
are code paths where the domain name was used as configured and was not
lower-cased.
To make sure this patch does not break with old entries in the cache or
case sensitive domains a third template was added to the related filters
templates which is either filled with a completely lower-cased version or
with the old version. The other two template values are unchanged.
|
| |
|
| |
|
|
|
|
|
|
|
| |
For case-insensitive domains the lower-case name for case-insensitive
searches is stored in SYSDB_NAME_ALIAS.
Related to https://fedorahosted.org/sssd/ticket/1741
|
|
|
|
|
|
|
|
|
| |
sss_tc_fqname() called by sss_get_domain_name() requires that the names
member of the sss_domain_info struct is set to work properly. If the
names struct is properly initialized in sss_domain_info the separate one
in the tool context is not needed anymore.
Related to https://fedorahosted.org/sssd/ticket/1741
|
|
|
|
|
|
| |
ipa_ad_subdom_refresh was called before IPA server context was
initialized. On IPA server, this caused the code to dereference a NULL
pointer and crash.
|
|
|
|
|
| |
Write domain-mappings at startup and initialize internal data structures
on provider startup, not only during updates.
|
|
|
|
|
|
|
|
|
|
| |
Previously, if no changes were done to the list of subdomains, the SSSD
didn't update its list of sdap_domain mappings for the new subdomain.
This resulted in errors as no id_ctx was present for the subdomain
during lookup.
This patch moves the block of code performed during update to a function
of its own and calls it during provider initialization as well.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1568
|
|
|
|
|
| |
sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The group memberships cannot be reliable retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domains than the GC belongs to.
As a result the requests which tries to resolve group-memberships of a
AD user have to go to a LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
|
|
|
|
| |
pac responder was not properly detected with krb5 1.12 library
|
|
|
|
|
|
|
|
|
|
|
| |
struct nss_cmd_ctx was not released in function nss_cmd_setnetgrent_done
and it wasn't used in the other function, because getnetgrent creates its own
nss_cmd_ctx context. struct nss_cmd_ctx was released after closing client
because it was allocated under client context. Memory leak is apparent with
long living clients.
Resolves:
https://fedorahosted.org/sssd/ticket/2170
|
|
|
|
|
|
|
|
|
|
| |
If Data Provider was unable to refresh the subdomain list, the
sss_domain_info->subdomains list was NULL. Which meant that no DP
request matched any known domain and hence offline authentication was
not working correctly.
Resolves:
https://fedorahosted.org/sssd/ticket/2168
|
|
|
|
|
|
|
| |
If primary servers lookup failed, dns_domain is not set.
Resolves:
https://fedorahosted.org/sssd/ticket/2173
|
|
|
|
|
|
|
| |
Output from init scripts should go to a file (ideally in
/var/log directory) instead of stderr.
Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
|
|
|
|
|
|
|
| |
Allow sssd to use the xdm wrapper so login managers can
use sssd to authenticate users.
Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
|
|
|
|
|
|
|
| |
Unit test testing detection of the right domain when processing group with members from several domains
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
|
|
|
|
|
|
| |
A bit more elegant way of detection of what domain the group member belongs to
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_add_user fails with EIO if enumeration is disabled and user contains
backslashes.
We try to remove ghost attributes from groups with disabled enumeration,
but unsanitized filter is used to find ghost attributes
"(|(ghost=usr\\\\002)" and ldb cannot parse this filter.
Resolves:
https://fedorahosted.org/sssd/ticket/2163
|
|
|
|
|
|
|
|
|
|
| |
sysdb_delete_user fails with EIO if user does not exist and contains
backslashes.
ldb could not parse filter (&(objectclass=group)(ghost=usr\\\\001)),
because ghost value was not sanitized
Resolves:
https://fedorahosted.org/sssd/ticket/2163
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2157
If AD matching rule was selected, but the group was empty, the SSSD
accessed random data. Initializing count to zero prevents that.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2154
|
|
|
|
|
|
|
|
| |
Specific error message is logged for missing sssd.conf file. New sssd specific
error value is introduced for this case.
Resolves:
https://fedorahosted.org/sssd/ticket/2156
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2077
If during the LDAP authentication we find out that the originalDN to
bind as is missing (because the ID module is not LDAP based), we can try
to look up the user from LDAP without saving him just in order to
receive the originalDN.
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2077
Certain situations require that a user entry is downloaded for further
inpection, but not saved to the sysdb right away. This patch splits the
previously monolithic request into one that just downloads the data and
one that uses the new one to download and save the user.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It was not easy find out why netgroup could not be covert into result entries.
Problem was that nisNetgroupTriple contained unexpected string "(,user01)"
This patch will ignore only malformed attribute and processing of netgroup
will not fail.
Resolves:
https://fedorahosted.org/sssd/ticket/2137
|
|
|
|
|
|
|
|
| |
ldap_get_options can fail in time of ldap back end initialisation
and then sssd try to release uninitialised sdap_options.
Resolves:
https://fedorahosted.org/sssd/ticket/2147
|
|
|
|
|
| |
If any function before failed, sss_idmap_free_sid() might have been
called with random data.
|
|
|
|
|
|
|
|
|
|
| |
Some groups could be skipped, but packet length was not trimmed.
This is a reason why valgrind reported access to uninitialised bytes.
Actually, it isn't a problem, because the first uint32 in body is number of
sended gids.
Resolves:
https://fedorahosted.org/sssd/ticket/2138
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we always choose correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|