summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Fixed debug message in sdap_save_group()Jan Zeleny2012-06-151-1/+1
|
* Provide "service filter" for SELinux contextJan Zeleny2012-06-141-0/+20
| | | | | | | At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360
* Make krb5_ccname_template and krb5_ccachedir configurableJakub Hrozek2012-06-143-4/+34
|
* Use Kerberos context in KRB5_DEBUGJakub Hrozek2012-06-144-65/+73
| | | | | Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
* Add support for storing credential caches in the DIR: back endJakub Hrozek2012-06-1410-111/+615
| | | | https://fedorahosted.org/sssd/ticket/974
* Add a credential cache back end structureJakub Hrozek2012-06-149-198/+414
| | | | | | To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
* Handle trailing slash in the ccname templateJakub Hrozek2012-06-141-8/+14
| | | | | | With the DIR cache support, it's perfectly legal to specify a ccname directory that ends with a slash. The create_dir function did not handle that situation correctly.
* Residual util functionsJakub Hrozek2012-06-142-0/+102
| | | | | | Kerberos credential caches can be specified by TYPE:RESIDUAL. This patch adds a couple of utilities to support parsing if ccache locations, checking types etc.
* Add a krb5_child test toolJakub Hrozek2012-06-141-0/+551
| | | | https://fedorahosted.org/sssd/ticket/1127
* Split parse_krb5_child_response so it can be reusedJakub Hrozek2012-06-143-119/+170
| | | | | krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
* Allow redefining the KRB5_CHILD pathJakub Hrozek2012-06-141-3/+7
| | | | | The krb5-child-test will want to run the child from the current directory.
* Provide more debugging in krb5_child and ldap_childJakub Hrozek2012-06-142-14/+73
| | | | https://fedorahosted.org/sssd/ticket/1225
* Two small krb5_child fixesJakub Hrozek2012-06-141-3/+10
| | | | | * Allocation check was missing * a DEBUG statement overwrote errno
* Fix an issue in ghost usersJan Zeleny2012-06-131-75/+47
| | | | | | | | | | | | | | | | | There was an issue with ghost members in nested groups. Consider a scenario with two groups A and B, B being member of A and having some ghost members. In such case SSSD stored both groups, then added membership between them and then added ghost members to the group B. The problem was that adding ghost members to group B didn't propagate these ghost members to group A. This functionality could have been solved by memberof plugin but the logic is far more complicated that changes this patch introduces. The change is simple: add ghost members at the same time as the group is created, even if groups are supposed to be stored in two passes. That way ghost members will be present at the time A -> B membership is created and they will be propagated as expected.
* LDAP: Auto-detect support for the ldap match ruleStephen Gallagher2012-06-137-6/+120
| | | | | | | | This patch extends the RootDSE lookup so that we will perform a second request to test whether the match rule syntax can be used. If both groups and initgroups are disabled in the configuration, this lookup request can be skipped.
* LDAP: Add support for AD chain matching extension in initgroupsStephen Gallagher2012-06-133-9/+325
|
* LDAP: Add support for AD chain matching extension in group lookupsStephen Gallagher2012-06-133-9/+417
|
* LDAP: Add ldap_*_use_matching_rule_in_chain optionsStephen Gallagher2012-06-138-0/+65
|
* sss_names_init: Report correct error code if allocation failedJakub Hrozek2012-06-131-1/+4
|
* Clarify how comments work in sssd.confAriel Barria2012-06-121-1/+2
|
* Make re_expression and full_name_format per domain optionsStef Walter2012-06-1219-83/+252
| | | | | | | | | | | * Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663
* LDAP: Make sdap_initgr_common_store() non-staticStephen Gallagher2012-06-122-7/+15
| | | | | Move it to a private header so it can be reused by other initgroups C files.
* LDAP: Add helper function to get list of a user's groups from sysdbStephen Gallagher2012-06-122-33/+69
|
* LDAP: Fix incorrect switch statement in sdap_get_initgr_done()Stephen Gallagher2012-06-121-1/+1
| | | | | | | SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(), not sdap_initgr_nested_recv(). By coincidence both recv functions happened to be identical, but if one or the other changed, this would break unexpectedly.
* LDAP: Remove redundant checkStephen Gallagher2012-06-121-11/+0
| | | | | The same block appeared earlier in the function and neither variable could have changed values since.
* SYSDB: Reduce noise level of debug messages in lookupsStephen Gallagher2012-06-121-6/+8
|
* Allow fast memcache timeout to be configurableJan Zeleny2012-06-107-5/+30
| | | | https://fedorahosted.org/sssd/ticket/1318
* IPA subdomains - ask for information about master domainJan Zeleny2012-06-1011-17/+358
| | | | | | | The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.
* PAM: Better pam_reply messageStephen Gallagher2012-06-101-1/+2
|
* sss_idmap: fix typo which prevents sub auth larger then 2^31Sumit Bose2012-06-082-3/+40
| | | | A test to cover this is added as well.
* sss_idmap: add support for samba struct dom_sidSumit Bose2012-06-084-2/+405
| | | | | | | | The samba ndr libraries use struct dom_sid to handle SIDs. Since there is no public samba library which offers conversion from other representations, e.g. as string, this is added to libsss_idmap. To avoid compile-time or run-time dependency to any samba library or header file the definition of the struct is copied here.
* Fix the 0.11 sysdb upgradeJakub Hrozek2012-06-051-26/+26
| | | | | The block that upgraded the version was at a wrong indentation level, so it never ran if there were no fake users to convert
* Fix the default sssd.conf pathJakub Hrozek2012-06-051-1/+1
|
* Fixed setting of debug level in test suiteJan Zeleny2012-06-042-4/+2
|
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are ↵Jan Cholasta2012-05-311-36/+49
| | | | | | missing https://fedorahosted.org/sssd/ticket/1356
* SSH: Supress error message output in sss_ssh_knownhostsproxyJan Cholasta2012-05-312-15/+8
|
* Utilize attribute exclusion in LDAP initgroupsJan Zeleny2012-05-311-3/+33
| | | | | | | | | | Previous patch added the possibility to exclude some attributes from a map when building an attribute list to be sent to server. The original reason for this functionality is the code handling LDAP initgroups. In this code, there is no need to fetch members of groups in question. This can save some performance since the list of members can be pretty long in some cases. This case apllies only to RFC2307 and generic RFC2307bis, it doesn't apply for IPA schema.
* Add support for filtering atributesJan Zeleny2012-05-3117-41/+70
| | | | | This patch adds support for filtering attributes when constructing attribute list from a map for LDAP query.
* SSH: Update sss_ssh_knownhostsproxy manual pageJan Cholasta2012-05-311-1/+1
| | | | | Don't use GlobalKnownHostsFile2 in ssh_config, as it has been deprecated in OpenSSH 5.9.
* added DEBUG messages to krb5_child and ldap_childNick Guay2012-05-312-3/+19
|
* SSSDConfig: Make default config and schema file locations configurableStephen Gallagher2012-05-312-7/+7
| | | | https://fedorahosted.org/sssd/ticket/1008
* SSSDConfig: Make SSSDConfig a packageStephen Gallagher2012-05-314-5/+1
| | | | | We were polluting the primary Python space with several dependencies. We will now install them their own directory/module.
* Ghost members - various small changesJan Zeleny2012-05-313-3/+3
|
* Ghost members - modified sss_groupshowJan Zeleny2012-05-311-4/+40
|
* Ghost members - removed sdap_check_aliases()Jan Zeleny2012-05-314-127/+0
| | | | | | | This function is no longer necessary because we don't have fake user entries any more. The original purpose of this function was to check if there are fake user entries for particular user and, if yes, to update its membership.
* Ghost members - NSS responder changesJan Zeleny2012-05-311-89/+147
| | | | | | | | | Since there are two attributes storing information about user memberships of the group we have to include both of them in results. This will apply only for objects that have ghost members (i.e. they contain the SYSDB_GHOST attribute). If an object has this attribute, values of this attribute are not projected to the memberuid attribute.
* Ghost members - sysdb upgrade routineJan Zeleny2012-05-313-1/+157
| | | | | | | | | | | | It is remotely possible to have sysdb in an inconsistent state that might need upgrade. Consider scenario when user asks for group information. Some fake users are added as a part of this operation. Before users can be fully resolved and stored properly, SSSD is shut down and upgrade is performed. In this case we need to go over all fake user records (uidNumber=0) and replace each of them with ghost record in all group objects that are stated in its memberof attribute.
* Ghost members - modifications in memberof pluginJan Zeleny2012-05-311-6/+41
|
* Ghost members - modifications in sysdbJan Zeleny2012-05-312-80/+153
| | | | | | | | | | | Deleted sysdb_add_fake_user(): This function is no longer used. Modified sysdb_add_user(): When user object is added to sysdb, it is important to iterate over all groups that might have its name or any of its aliases as ghost member and replace this ghost membership by a real one. This will eliminate duplicite memberships.
* Ghost members - support in proxy providerJan Zeleny2012-05-311-6/+8
|
generated by cgit (git 2.34.1) at 2024-11-11 16:18:20 +0000