summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* print hint about password complexity when new password is rejectedPavel Březina2013-08-112-2/+22
| | | | https://fedorahosted.org/sssd/ticket/1827
* ldap, krb5: More descriptive msg on chpass failure.Michal Zidek2013-08-112-0/+31
| | | | | | | | Print more descriptive message when wrong current password is given during password change operation. resolves: https://fedorahosted.org/sssd/ticket/2029
* providers: refresh expired netgroupsPavel Březina2013-08-116-3/+208
| | | | https://fedorahosted.org/sssd/ticket/1713
* back end: add refresh expired records periodic taskPavel Březina2013-08-1110-0/+68
| | | | | | https://fedorahosted.org/sssd/ticket/1713 Add new option refresh_expired_interval.
* back end: periodical refresh of expired records APIPavel Březina2013-08-112-0/+375
| | | | https://fedorahosted.org/sssd/ticket/1713
* back end: periodic task APIPavel Březina2013-08-112-0/+447
| | | | https://fedorahosted.org/sssd/ticket/1891
* mmap_cache: Check if slot and name_ptr are not invalid.Michal Zidek2013-08-115-2/+73
| | | | | | | This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not proper solution, just hotfix until we find out what is the root cause of ticket https://fedorahosted.org/sssd/ticket/2018
* resolv-tests failing with memory leakMichal Zidek2013-08-091-2/+4
| | | | | | Wait for c-ares to finish before checking for memory leaks. https://fedorahosted.org/sssd/ticket/1899
* Set default DNS resolution timeout to 6 seconds.Jakub Hrozek2013-08-093-3/+3
| | | | | | | Partially solves ticket: https://fedorahosted.org/sssd/ticket/1966 To avoid the problem mentioned in the ticket above, option dns_discovery_domain must be set properly
* Lower timeout to contact DNS serverMichal Zidek2013-08-091-1/+1
| | | | | | | | c-ares timeout to wait for response from DNS server before moving to next DNS server is lowered from 5s to 2s. Partially solves https://fedorahosted.org/sssd/ticket/1966
* init script: source /etc/sysconfig/sssdPavel Březina2013-08-083-0/+18
| | | | https://fedorahosted.org/sssd/ticket/1959
* Configure SYSV init scripts properlyStephen Gallagher2013-08-083-9/+7
| | | | | | | Previously, these contained hard-coded paths. Now they are populated correctly by the configure script. https://fedorahosted.org/sssd/ticket/1986
* Handle too many results from getnetgr.Lukas Slebodnik2013-08-081-1/+13
|
* Do not call sss_cmd_done in function check_cache.Lukas Slebodnik2013-08-081-6/+0
| | | | | | | | Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done was called. Inside of function sss_cmd_done memory was freed, but this freed memory was used in caller functions, therefore sssd crashed. https://fedorahosted.org/sssd/ticket/1980
* MAN: Clarify the min_id/max_id limits furtherJakub Hrozek2013-08-081-0/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2005 Some users were confused by our description of min_id/max_id and thought the limits only applied to returning entries from the NSS responder. However, the limits are actually enforced on the back end side, so the entries are not even saved to cache.
* NSS: Clear cached netgroups if a request comes in from the sss_cacheLukas Slebodnik2013-08-084-0/+55
| | | | | | | In order for sss_cache to work correctly, we must also signal the nss responder to invalidate the hash table requests. https://fedorahosted.org/sssd/ticket/1759
* NSS: allow removing entries from netgroup hash tableLukas Slebodnik2013-08-083-1/+32
| | | | | | | | | There is a timed desctructor in the nss responder that, when the entry timeout passes, removes the netgroup from the hash table while the netgroup is freed. This patch adds a hash delete callback so that if the netgroup is removed from the hash table with hash_delete, its hash table pointer will be invalidated. Later, when the entry is being freed, the destructor won't attempt to remove it from the hash table.
* LDAP: Fix crash when processing nested groupsJakub Hrozek2013-08-081-4/+16
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1932 There is a rather strange workaround in the nested groups processing code that calls tevent_req_post outside _send(). However, it broke in certain situations where the tevent_req_call resulted in req being freed, which freed state by extension and then the subsequent _post call was a use-after-free. This patch saves the two variables used outside state so that it's safe to use them even after the callback.
* sudo: print better debug message when a rule has multiple cn valuesPavel Březina2013-08-061-1/+5
|
* sudo: skip rule on error instead of failing completelyPavel Březina2013-08-061-1/+3
| | | | https://fedorahosted.org/sssd/ticket/2031
* Every time use permissive control in function memberof_mod.Lukas Slebodnik2013-07-171-0/+7
| | | | | | | | | | | Storing cyclic groups into sysdb can cause adding ghost members, which has already been stored. Function ldb_modify will fail with error [Attribute or value exists]. With permisive control, duplicated attributes will be skipped as if it was never added. https://fedorahosted.org/sssd/ticket/1846
* Always set port status to neutral when resetting service.Michal Zidek2013-07-151-1/+2
| | | | | | | | We did not set port status for metaservers (srv servers) in fo_reset_services(). Fixes: https://fedorahosted.org/sssd/ticket/1933
* sudo responder: use different callback for oob refreshPavel Březina2013-06-271-6/+8
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1693 Since we don't care about returned values from out of band refresh, we do not need to set callback data. However, this caused talloc to abort as it considers it as type mismatch when called from tevent_req_callback_data().
* IPA: Do not download or store the member attribute of host groupsJakub Hrozek2013-06-242-2/+0
| | | | | | | | https://fedorahosted.org/sssd/ticket/1806 The IPA provider attempted to store the original value of member attribute to the cache. That caused the memberof plugin to process the values which was really CPU intensive.
* failover: if expanded server is marked as neutral, invoke srv collapsePavel Březina2013-06-211-0/+7
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/1947 Otherwise we will do the SRV expansion once again: 1. leaving the old servers in server list 2. meta server is not inserted back in the list, the newly found servers are inserted behind meta server, meta server is orphaned and the new servers are forgotten
* collapse_srv_lookup may free the server, make it clear from the APIPavel Březina2013-06-211-5/+8
| | | | https://fedorahosted.org/sssd/ticket/1947
* failover: set state->out when meta server remains in SRV_RESOLVE_ERRORPavel Březina2013-06-171-0/+1
| | | | https://fedorahosted.org/sssd/ticket/1886
* Add ignore_group_members option.Paul B. Henson2013-05-319-18/+64
| | | | https://fedorahosted.org/sssd/ticket/1376
* Adding option to disable retrieving large AD groups.Lukas Slebodnik2013-05-2311-13/+74
| | | | | | | | | This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups(>1500) will not be retrieved and behaviour will be similar like was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823
* Removing unused functions.Lukas Slebodnik2013-05-232-36/+0
| | | | This patch remove unused functions sdap_parse_user and sdap_parse_group
* sudo responder: use fully qualified name for subdomain usersPavel Březina2013-05-101-1/+1
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1912 Patch that converts subdomain usernames into fully qualified format made it to the 1.9 branch but sudo wasn't aware of it. This patch changes sysdb_getpwnam call to sysdb_subdom_getpwnam which converts username into fqn if the domain is subdomain.
* SUDO: IPA providerLukas Slebodnik2013-05-106-29/+110
| | | | | | This patch added auto configuration SUDO with ipa provider and compat tree. https://fedorahosted.org/sssd/ticket/1733
* Display the last grace warning, tooJakub Hrozek2013-05-022-3/+3
| | | | | | | Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890
* Only try to relink ghost users if we're not enumeratingJakub Hrozek2013-04-292-4/+17
| | | | | | | | https://fedorahosted.org/sssd/ticket/1893 When SSSD is not enumerating (which is the default), we are trying to link any "ghost" entries with a newly created user entry. However, when enumeration is on, this means a spurious search on adding any user.
* Updating the translations for the 1.9.5 releasesssd-1_9_5Jakub Hrozek2013-04-2315-7353/+8232
|
* LDAP: do not invalidate pointer with realloc while processing ghost usersJakub Hrozek2013-04-191-3/+13
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1799 One peculiarity of the sysdb_attrs_get_el interface is that if the attribute does not exist, then the attrs array is reallocated and the element is created. But in case other pointers are already pointing into the array, the realloc might invalidate them. Such case was in the sdap_process_ghost_members function where if the group had no members, the "gh" pointer requested earlier might have been invalidated by the realloc in order to create the member element.
* Fix simple access group control in case-insensitive domainsJakub Hrozek2013-04-152-18/+11
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1880 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.
* Fix krbcc dir creation issue with MIT krb5 1.11Lukas Slebodnik2013-04-152-35/+85
| | | | | | | | | | | | | | | | In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir exists. If it doesn't exist, than it will be created with process permissions and not user permissions. Function cc_residual_is_used has already checked for non existing directory, but it wasn't considered to be a failure and therefore next call of krb5_init_context will create directory with wrong permissions. Now if directory doesn't exist, it will be handled like there was not ccache attribute in sysdb cache. We also check if "primary" file in ccache directory has right permissions. But we ignore missing "primary" file. https://fedorahosted.org/sssd/ticket/1822
* krb5: include backwards compatible declaration of krb5_trace_infoJakub Hrozek2013-04-152-2/+8
| | | | | | | krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11 includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info". Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
* sssd fails with readonly SELinux login filesMichal Zidek2013-04-121-1/+4
| | | | | | | Do not try to remove SELinux login file if SELinux support is not available. https://fedorahosted.org/sssd/ticket/1868
* Allocate PAM DP request data on responder contextJakub Hrozek2013-04-083-5/+54
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.
* Document what does access_provider=ad doJakub Hrozek2013-03-211-0/+14
| | | | https://fedorahosted.org/sssd/ticket/1841
* ldap: Fallback option for rfc2307 schemaSimo Sorce2013-03-2113-11/+227
| | | | | | | | | | | Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
* Resolve GIDs in the simple access providerJakub Hrozek2013-03-194-303/+1020
| | | | | | | | | | | | | | Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
* Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek2013-03-191-0/+2
| | | | | | | | | | | The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
* Add unit tests for simple access test by groupsJakub Hrozek2013-03-191-32/+253
| | | | | | | I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.
* Provide a be_get_account_info_send functionJakub Hrozek2013-03-192-19/+149
| | | | | | | | | | | | | | In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
* krb5-utils-tests: remove invalid conditionPavel Březina2013-03-131-2/+0
| | | | | This condition is invalid because different_realm is not set, when EINVAL is returned. It can make the test fail sometimes.
* Debug message in sss_mc_create_file.Michal Zidek2013-03-071-0/+5
| | | | | | This patch adds debug message for the case if sssd fails to open old mc file for some other reason than the file does not exist.
* File descriptor leak in nss responder.Michal Zidek2013-03-071-18/+43
| | | | | | | | | File descriptors leaked every time sss_mmap_cache_reinit was called and also the old memory cache was still maped in memory (munmap was not called). This patch adds destructor for memory cache context to call close() and munmap() automaticly. https://fedorahosted.org/sssd/ticket/1826
generated by cgit (git 2.34.1) at 2024-04-24 06:53:42 +0000