| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2157
If AD matching rule was selected, but the group was empty, the SSSD
accessed random data. Initializing count to zero prevents that.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2154
|
|
|
|
|
|
|
|
| |
Specific error message is logged for missing sssd.conf file. New sssd specific
error value is introduced for this case.
Resolves:
https://fedorahosted.org/sssd/ticket/2156
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2077
If during the LDAP authentication we find out that the originalDN to
bind as is missing (because the ID module is not LDAP based), we can try
to look up the user from LDAP without saving him just in order to
receive the originalDN.
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2077
Certain situations require that a user entry is downloaded for further
inpection, but not saved to the sysdb right away. This patch splits the
previously monolithic request into one that just downloads the data and
one that uses the new one to download and save the user.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It was not easy find out why netgroup could not be covert into result entries.
Problem was that nisNetgroupTriple contained unexpected string "(,user01)"
This patch will ignore only malformed attribute and processing of netgroup
will not fail.
Resolves:
https://fedorahosted.org/sssd/ticket/2137
|
|
|
|
|
|
|
|
| |
ldap_get_options can fail in time of ldap back end initialisation
and then sssd try to release uninitialised sdap_options.
Resolves:
https://fedorahosted.org/sssd/ticket/2147
|
|
|
|
|
| |
If any function before failed, sss_idmap_free_sid() might have been
called with random data.
|
|
|
|
|
|
|
|
|
|
| |
Some groups could be skipped, but packet length was not trimmed.
This is a reason why valgrind reported access to uninitialised bytes.
Actually, it isn't a problem, because the first uint32 in body is number of
sended gids.
Resolves:
https://fedorahosted.org/sssd/ticket/2138
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we always choose correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we always choose correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. We need
to make sure that we store subdomain users with correct
domain name.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
| |
This function will find sdap domain by comparing object dn
with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
| |
Groups may contain members from different domains. Remembering
base dn in domain object gives us the ability to simply lookup
correct domain by comparing object dn with domain base dn.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
|
|
|
|
|
|
|
|
|
|
| |
When getByID or getBySID comes from responder, the request doesn't
necessarily have to contain correct domain, since responder iterates
over all domains until it finds a match.
Every domain has its own ID range, so we can simply shortcut if
domain does not match and avoid LDAP round trip. Responder will
continue with next domain until it finds the correct one.
|
| |
|
| |
|
|
|
|
|
|
| |
If talloc_array return NULL we should return right error code from function
sdap_domain_subdom_add. It might happen that we could return either wrong error
code or uninitialized variable ret.
|
| |
|
|
|
|
|
|
|
| |
The code wrote into the middle of the packet to a space that was already
reserved and allocated but then still advanced the pointer to the buffer.
https://fedorahosted.org/sssd/ticket/2124
|
| |
|
|
|
|
|
|
|
| |
The Kerberos provider didn't handle ERR_CHPASS_FAILED at all, which
resulted in the default return code (System Error) to be returned if
password change failed for pretty much any reason, including password
too recent etc.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is a workaround until
https://fedorahosted.org/sssd/ticket/2129 is fixed properly.
Consider a group entry such as:
cn: subgroup@subdom
ghost: someuser
ghost: anotheruser@subdom
Currently in order to print all group members as FQDN (which is the default
for AD provider), the code needs to iterate over the ghost attributes and
parse them into (name,domain) and optionally re-add the domain.
The proper fix would be to store always just the FQDN in the hardcoded
form of user@domain
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have group with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent group 5000' and this request goes through data
provider, searching in parent domain first. Even though this
group does not belong to this domain it is found and stored as
ad.pb group.
With this patch we look at group's SID and put it into correct domain.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GC contains objects from both parent domain and subdomain.
Lets say we have user with UID 5000 that belongs to a subdomain and
overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now
we call 'getent passwd 5000' and this request goes through data
provider, searching in parent domain first. Even though this
user does not belong to this domain it is found and stored as
ad.pb user.
With this patch we look at user's SID and put it into correct domain.
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
| |
This is a wrapper around be_ptask_create() that allows to create
synchronous periodic tasks.
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
| |
Every request is attached to be_ctx->domain by default. We
will change the domain to a subdomain if it is relevant.
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
|
|
|
| |
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify a LDAP access filter
that can be applied globally, per-domain or per-forest.
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2082
In order to allow the ad_access_filter option to work for subdomain
users as well, the Global Catalog must be searched. This patch adds a
wrapper request atop sdap_access_send that selects the right connection
(GC or LDAP) and optionally falls back to LDAP.
|