sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
...
*	Don't treat 0 as default for pam_pwd_expiration warning	Jakub Hrozek	2013-03-01	1	-1/+2
\|
*	if selinux is disabled, ignore that selogin dir is missing	Pavel Březina	2013-03-01	1	-3/+15
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1817
*	autofs: fix invalid header 'number of entries' in packet	Pavel Březina	2013-03-01	1	-1/+5
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1739 Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
*	sdap_fill_memberships: continue if a member is not foud in sysdb	Pavel Březina	2013-02-27	1	-3/+7
\| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
*	Remove enumerate=true from man sssd-ldap	Jakub Hrozek	2013-02-26	1	-1/+0
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1737
*	sysdb: try dealing with binary-content attributes	Jan Engelhardt	2013-02-26	4	-7/+17
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
*	Fix the krb5 password expiration warning	Jakub Hrozek	2013-02-21	1	-1/+7
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1808
*	subdomains: replace invalid characters with underscore in krb5 mapping file name	Pavel Březina	2013-02-14	1	-1/+25
\| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1795 Only alpha-numeric chars, dashes and underscores are allowed in krb5 include directory.
*	NSS: Add original homedir to home directory template options	Stephen Gallagher	2013-02-10	6	-8/+29
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1805
*	Unchecked return value in files.c	Michal Zidek	2013-02-06	1	-1/+9
\| \| \| \| \|	Found by coverity. https://fedorahosted.org/sssd/ticket/1791
*	Fix minor grammar error in log	Stephen Gallagher	2013-01-30	1	-1/+1
\|
*	krb: recreate ccache if it was deleted	Pavel Březina	2013-01-30	1	-1/+8
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1512 If directory where a ccache file was stored was missing and user was still logged in, we erroneously considered the ccache file still active. Thus the ccache file was not recreated and user was unable to login.
*	Updating the translations for the 1.9.4 releasesssd-1_9_4	Jakub Hrozek	2013-01-28	16	-2810/+13240
\|
*	nested groups: fix group lookup hangs if member dn is incorrect	Pavel Březina	2013-01-28	1	-0/+24
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
*	TOOLS: Compile on old platforms such as RHEL5	Jakub Hrozek	2013-01-28	1	-37/+140
\| \| \| \| \|	Provides compatible declarations for modern file management functions such as futimens or opening with the O_CLOEXEC flag
*	MAN: Clarify that saving users after enumerating large domain might be CPU ↵	Jakub Hrozek	2013-01-28	1	-1/+9
\| \| \| \| \| \|	intensive https://fedorahosted.org/sssd/ticket/1732
*	SYSDB: Expire group if adding ghost users fails with EEXIST	Jakub Hrozek	2013-01-23	1	-2/+36
\|
*	SYSDB: make the sss_ldb_modify_permissive function public	Jakub Hrozek	2013-01-23	2	-2/+11
\|
*	TOOLS: Use file descriptor to avoid races when creating a home directory	Jakub Hrozek	2013-01-23	4	-354/+364
\| \| \| \| \| \| \| \| \| \| \|	When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
*	TOOLS: Use openat/unlinkat when removing the homedir	Jakub Hrozek	2013-01-23	1	-42/+41
\| \| \| \| \| \| \| \| \| \|	The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree. This security issue was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
*	Check that strings do not go beyond the end of the packet body in autofs and ↵	Jan Cholasta	2013-01-23	2	-7/+7
\| \| \| \| \| \| \| \|	SSH requests. This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
*	sudo responder: change num_rules type from size_t to uint32_t	Pavel Březina	2013-01-22	7	-25/+25
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1779 2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus.
*	Convert the value of pwd_exp_warning to seconds	Jakub Hrozek	2013-01-22	1	-5/+6
\| \| \| \| \| \| \| \|	When read from the domain section, the pwd_expiration_warning was properly converted to seconds from days, but not the pam_pwd_expiration_warning set in the [pam] section. https://fedorahosted.org/sssd/ticket/1773
*	fix backend callbacks: remove callback properly from dlist	Pavel Březina	2013-01-22	1	-6/+18
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1776 Although cb->list got updated when the callback is removed, this change did not propagate to be_ctx->*_cb_list which caused dlist having invalid records.
*	TOOLS: invalidate parent groups in memory cache, too	Jakub Hrozek	2013-01-21	4	-8/+71
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1775
*	LDAP: Compare lists of DNs when saving autofs entries	Jakub Hrozek	2013-01-21	3	-137/+173
\| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
*	Invalidate user entry even if there are no groups	Jakub Hrozek	2013-01-16	2	-11/+8
\| \| \| \| \| \| \| \| \|	Related to https://fedorahosted.org/sssd/ticket/1757 Previously we would optimize the mc invalidate code for cases where the user was a member of some groups. But if the user was removed from the server while being in memory cache, we would only invalidate the mc record if he was a member of at least one supplementary group.
*	NSS: invalidate memcache user entry on initgr, too	Jakub Hrozek	2013-01-16	1	-0/+11
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1757 When the user entry was missing completely after initgroups, we would never invalidate the user entry from cache. This led to dangling cache entried in memory cache if the user was removed from the server while still being in memory cache.
*	autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32	Jakub Hrozek	2013-01-16	1	-10/+5
\|
*	LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships	Jakub Hrozek	2013-01-15	1	-12/+4
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
*	TOOLS: Refresh memcache after changes to local users and groups	Jakub Hrozek	2013-01-15	2	-0/+42
\|
*	TOOLS: Provide a convenience function to refresh a list of groups	Jakub Hrozek	2013-01-15	2	-0/+22
\|
*	TOOLS: Split querying nss responder into a separate function	Jakub Hrozek	2013-01-15	4	-32/+68
\| \| \| \| \| \|	The tools query the responder in order to sync the memcache after performing changes to the local database. The functions will be reused by other tools so I split them into a separate functions.
*	TOOLS: move memcache related functions to tools_mc_utils.c	Jakub Hrozek	2013-01-15	3	-161/+188
\| \| \| \| \| \| \|	The upcoming patches will link only users of this file with client libs, so it's better to have it separate. There is no functional change in this patch
*	Fix invalidating autofs maps	Simo Sorce	2013-01-14	1	-1/+1
\|
*	let ldap_backup_chpass_uri work	Pavel Březina	2013-01-14	1	-2/+4
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1760
*	AD: Add user as a direct member of his primary group	Jakub Hrozek	2013-01-09	1	-8/+109
\| \| \| \| \| \| \| \| \| \| \| \|	In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. The downside of this approach is that the user is returned as a group member during getgrgid call as well.
*	AD: replace GID/UID, do not add another one	Jakub Hrozek	2013-01-09	4	-7/+41
\| \| \| \| \| \| \|	The code would call sysdb_attrs_add_uint32 which added another UID or GID to the ID=0 we already downloaded from LDAP (0 is the default value) when ID-mapping an entry. This led to funky behaviour later on when we wanted to process the ID.
*	IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP	Jakub Hrozek	2013-01-08	3	-4/+6
\| \| \| \|	It is not a map, but a default context. The name should reflect that.
*	SELINUX: Process maps even when offline	Jakub Hrozek	2013-01-08	1	-226/+429
\| \| \| \| \|	Changes the ipa_get_selinux{send,recv} request so that it only delivers data and moves processing to the IPA selinux handler.
*	SYSDB: Split a function to read all SELinux maps	Jakub Hrozek	2013-01-08	2	-23/+49
\|
*	SYSDB: Remove duplicate selinux defines	Jakub Hrozek	2013-01-08	3	-5/+2
\|
*	Refactor gid handling in the PAC responder	Sumit Bose	2013-01-08	4	-105/+238
\| \| \| \| \| \|	Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain an store it with a pointer to the domain.
*	PAC responder: check if existing user differs	Sumit Bose	2013-01-08	3	-13/+64
\| \| \| \| \| \|	If some of the Posix attributes of an user existing in the cache differ from the data given in the current PAC the old user entry is drop and a new one is created with the data from the PAC.
*	Add tests for get_gids_from_pac()	Sumit Bose	2013-01-08	1	-0/+256
\|
*	Use hash table to collect GIDs from PAC to avoid dups	Sumit Bose	2013-01-08	1	-18/+86
\| \| \| \| \| \| \|	To avoid duplicated entries in the group list all gids are added to a hash table first. Fixes: https://fedorahosted.org/sssd/ticket/1672
*	Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXIST	Sumit Bose	2013-01-08	1	-0/+1
\| \| \| \| \| \| \| \|	Currently only the LDB error code indicating that an entry already exists is translated to EEXIST. To make debugging easier and return a better indication of the reason for an error in the logs this patch translates the LDB error code for an already existing attribute or value to EEXIST as well.
*	Read remote groups from PAC	Sumit Bose	2013-01-08	1	-3/+52
\| \| \| \| \| \| \|	Read the group membership of the remote domain the user belongs to from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
*	Remote groups do not have an original DN attribute	Sumit Bose	2013-01-08	1	-40/+34
\| \| \| \| \| \| \|	Groups from subdomains will not have an attribute holding the original DN because in general it will not be available. This attribute is only used by IPA HABC to improve performance and remote groups cannot be used for access control.
*	Save domain and GID for groups from the configured domain	Sumit Bose	2013-01-08	3	-17/+47
\| \| \| \| \| \| \| \| \| \|	Currently users from subdomains can only be members of groups from the configured domain and to access those groups a pointer to the domain struct of the configured domain is used. This patch sets the dom_grp member of struct pac_grp to point to the domain struct of the configured for groups from this domain. This is a first step to allow group membership for groups from subdomains as well. For those groups a pointer to the related subdomain structure will be saved.