summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* DOC: Fix names of arguments in doxygen commentsLukas Slebodnik2014-02-263-5/+5
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 3b35ff47651e4893ce537a273466766b962362da)
* MAN: Clarify that changing ID mapping options might require purging the cacheJakub Hrozek2014-02-261-0/+42
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2252 Currently SSSD chokes when IDs of users change, we don't support ID changes yet. Because some users were confused about the failures, this patch adds additional clarification. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> (cherry picked from commit 3dfa09a826e5f63b4948462c2452937fc329834d)
* MAN: Clarify the ldap_access_filter option furtherJakub Hrozek2014-02-261-4/+5
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2235 The memberof example was misleading and was making aministrators think that the ldap_access_filter can resolve nested group memberships. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> (cherry picked from commit 604d46e028ab62f83060fb88bdd3319a31aca2d1)
* DP: Provide separate dp_copy_defaults functionJakub Hrozek2014-02-265-22/+464
| | | | | | | https://fedorahosted.org/sssd/ticket/2257 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 90afedb00608547ae1f32aa7aafd552c4b306909)
* OPTS: Allow using defaults for blobsJakub Hrozek2014-02-261-0/+3
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit ddd21d5dc3c89712d9286d1f66f4b2af73651cf2)
* IPA: check ranges for collisions before saving themSumit Bose2014-02-261-20/+63
| | | | Fixes https://fedorahosted.org/sssd/ticket/2253
* IPA: refactor idmap code and add testSumit Bose2014-02-263-147/+358
|
* IDMAP: add sss_idmap_check_collision(_ex)Sumit Bose2014-02-263-37/+244
|
* UTIL: Sanitize whitespaces.Lukas Slebodnik2014-02-261-0/+10
| | | | | | | | | | | | | Original patches submitted by: mpesari(Thanks!!) It can cause problems if user will hit spaces before entering username. (e.g in gdm). Spaces are ignored by LDAP; it's better to escape them. Resolves: https://fedorahosted.org/sssd/ticket/1955 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 2b8208b45feb2aab64d560d3e12e01e7b6d00d39)
* LDAP: Setup periodic task only once.Lukas Slebodnik2014-02-261-13/+41
| | | | | | | | | | | | | | | If id provider is {ipa, ad} periodic task will be stared in sssm_{ipa,ad}_init If you enable enumeration and use different providers for id and sudo(autofs) then another periodic task will be scheduled. This can cause weird behaviour (e.g. missing members of group) Perodic tasks will be started only by id_provider. Resolves: https://fedorahosted.org/sssd/ticket/2153 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 057cb583f02bf47678c393cb8f1f74861c2b960b)
* IPA: Don't fail if apply_subdomain_homedir returns ENOENTJakub Hrozek2014-02-201-1/+1
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
* IPA: Don't call tevent_req_post outside _sendJakub Hrozek2014-02-201-1/+0
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
* Updating translations for the 1.11.4 releasesssd-1_11_4Jakub Hrozek2014-02-1715-5990/+6425
|
* MAN: Clarify the new krb5_use_fast IPA defaultJakub Hrozek2014-02-172-1/+35
|
* IPA: default krb5_fast_principal to host/$client@$realmPavel Březina2014-02-171-3/+5
| | | | | | | | | If krb5_fast_principal is not set in sssd.conf it was set to host/$client, KRB5 default realm was used which doesn't have to be the same as realm used for IPA, thus authentication failed when using FAST. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> (cherry picked from commit e325cabe762fad7d696e014a7fdbb47a5cb8174a)
* IPA: Default to krb5_use_fast=tryJakub Hrozek2014-02-132-1/+28
| | | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* SSS_CACHE: Reset the initgroups attribute when resetting usersJakub Hrozek2014-02-121-0/+6
| | | | | (cherry picked from commit 30ee051025753b63ceb19d3b83c44019a19554a1) Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Handle errors from sdap_id_op properly in enum codeJakub Hrozek2014-02-121-1/+41
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 93dabb2fe0a798f22bb802b9c6521ab9e6a4ac36)
* AD: Remove dead codeJakub Hrozek2014-02-121-8/+0
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit d3436880c0ec1a7776698c739d4a3edc9a6ac57c)
* AD: Only download domains that are set to enumerateJakub Hrozek2014-02-121-1/+5
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 957c55df7a7086166fb3c14cead6a0dab8f574c1)
* LDAP: Detect the presence of POSIX attributesJakub Hrozek2014-02-1210-15/+504
| | | | | | | | | | | | | | | | | | | | When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit e81deec535d11912b87954c81a1edd768c1386c9)
* utils: handling NULL params in sss_parse_namePavel Reichl2014-02-112-26/+30
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: update of subdomain_homedir usagePavel Reichl2014-02-111-1/+2
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2169 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: support for subdomain_homedirPavel Reichl2014-02-111-0/+190
| | | | | | | | | Homedir is defaultly set accordingly to subdomain_homedir for users from AD. Resolves: https://fedorahosted.org/sssd/ticket/2169 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Revert "NSS: add support for subdomain_homedir"Pavel Reichl2014-02-111-8/+0
| | | | | | This reverts commit 1dc7694a1cbc62b0d7e23cc1369579e5ce0071e8. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MONITOR: Incorrect permissions on sssd.confPavel Reichl2014-02-111-1/+7
| | | | | | | | | | | Print user friendly warning when permissions on sssd.conf are incorrect and provide hint. Resolves: https://fedorahosted.org/sssd/ticket/2208 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> (cherry picked from commit b3cc9b98966fa2d90172348c334b3b70c5261ab3)
* LDAP: require attribute groupType for AD groupsLukas Slebodnik2014-01-291-1/+1
| | | | | | | | | Commit 8280c5213094 introduced filtering local groups for trusted/sub domains, but attribute groupType was not available with configuration id_provide ldap and ldap_schema ad. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: store group if subdomain cannot be found by sidLukas Slebodnik2014-01-291-4/+6
| | | | | | | | | Domain needn't contain sid if id_provider is ldap. With enabled id mapping, group couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
* krb5: fix warning may be used uninitializedLukas Slebodnik2014-01-291-0/+1
|
* dlopen-tests: Check the result of asprintfBenjamin Franzke2014-01-291-1/+2
| | | | | According to asprintf(3) the content off errmsg is undefined on error, lets set it to NULL.
* MAN: clarify which shell option takes precedenceJakub Hrozek2014-01-291-6/+7
|
* AD: Establish cross-domain memberships after enumeration finishesJakub Hrozek2014-01-292-22/+379
| | | | | | | | | | | | | | | | Because domain enumeration currently works for each domain separately, the code has to establish cross-domain memberships after all domains are enumerated. The code works as follows: 1) check if any *sub*domains were enumerated. If not, do nothing 2) if any of the groups saved had more original members than sysdb members, check if members of these groups can be linked now that all users and groups are saved using the orig_member attribute of the group matched against originalDN member of the user. Related: https://fedorahosted.org/sssd/ticket/2142
* DB: Add sss_ldb_el_to_string_listJakub Hrozek2014-01-293-13/+75
|
* LDAP: Don't clobber original_member during enumerationJakub Hrozek2014-01-291-6/+11
|
* AD: Enumerate users from GC, other entities from LDAPJakub Hrozek2014-01-291-3/+17
|
* LDAP: Add enum request with custom connectionJakub Hrozek2014-01-292-125/+191
| | | | | | | | | This commit changes the enumerate-sdap-domain request to accept a connection context per object that can be enumerated. Internally in the request, an sdap_id_op is also created per enumerated object type. This change will allow i.e. users to be enumerated using GC connection, while keeping the LDAP connection for groups and services.
* LDAP: Pass a private context to enumeration ptask instead of hardcoded ↵Jakub Hrozek2014-01-297-36/+52
| | | | | | | | | | connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.
* AD: Store info on whether a subdomain is set to enumerateJakub Hrozek2014-01-291-5/+33
| | | | | | Depending on the state of the subdomain_enumerate variable, the newly created subdomain object is created with the right value of "enumerate" attribute in the sysdb.
* AD: Don't mark domain as enumerated twiceJakub Hrozek2014-01-291-13/+0
| | | | | The domain was already marked as enumerated using sysdb_set_enumerated in the enumeration request itself.
* sudo: memset tm when converting time attributesPavel Březina2014-01-291-0/+2
| | | | | | | | | | strptime() which is used to parse LDAP time value does not initialize all fields of tm structure (especially tm_isdst). This results in random behavior - when the tm is converted into timestamp via mktime(), the result depends on current value of tm_isdst. Resolves: https://fedorahosted.org/sssd/ticket/2213
* AD SRV: use right domain name for CLDAP pingSumit Bose2014-01-281-1/+1
| | | | | | Currently always the name of the configured domain was passed to the CLDAP request. This will fail if the CLDAP request is send to a DC form a different domain.
* LDAP: Don't abort request if no id mapping domain matchesJakub Hrozek2014-01-242-6/+40
| | | | | | | | | If an ID was requested from the back end, but no ID mapping domain matched, the request ended with a scary error message. It's better to treat the request as if no such ID was found in the domain Related: https://fedorahosted.org/sssd/ticket/2200
* krb5: hint to increase krb5_auth_timeoutPavel Reichl2014-01-241-1/+4
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2202
* sdap_idamp: Fall back to another method if sid is wrongLukas Slebodnik2014-01-221-2/+8
| | | | | | | | | | | sss_idmap_domain_has_algorithmic_mapping can return also IDMAP_SID_INVALID, but it does not mean that idmaping is unavailable. We should fall back to another method of detection (sss_idmap_domain_by_name_has_algorithmic_mapping) and do not return false immediately. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: update id mapping detection for ldap providerLukas Slebodnik2014-01-221-0/+5
| | | | | | | | For id_provider ldap, it is only necessary to enable option ldap_id_mapping. It is an regression introduced in the commit d3e1d88ce7de3216a862b Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Don't fail if subdomain cannot be found by sidLukas Slebodnik2014-01-221-4/+6
| | | | | | | | | Domain needn't contain sid if id_provider is ldap. With enabled id mapping, user couldn't be stored, because domain couldn't be found by sid. Resolves: https://fedorahosted.org/sssd/ticket/2172
* LDAP: Fix error checkJakub Hrozek2014-01-201-2/+2
| | | | https://fedorahosted.org/sssd/ticket/2199
* MAN: Fix a typoJakub Hrozek2014-01-201-1/+1
|
* AD: Don't fail the request if ad_account_can_shortcut failsJakub Hrozek2014-01-201-1/+3
|
* AD: Return right error code from netlogon_get_flat_nameLukas Slebodnik2014-01-161-1/+1
| | | | | | | EOK was returned in done section of netlogon_get_flat_name, even if error code was set in variable ret. This patch fixes also warnings from scan-build.
generated by cgit (git 2.34.1) at 2024-04-30 17:46:51 +0000