sssd.git/src/providers, branch openssl Unnamed repository; edit this file 'description' to name the repository. LDAP: Removing of member link from group 2016-10-14T18:40:45+00:00 Sumit Bose sbose@redhat.com 2016-09-12T13:18:07+00:00 e0903f41922721edf292a9f7e6605a4519db53a1 Resolves: https://fedorahosted.org/sssd/ticket/2940 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/2940

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: Initialize a boolean control value 2016-10-04T19:56:31+00:00 Jakub Hrozek jhrozek@redhat.com 2016-10-04T08:45:43+00:00 7b07f50dfdfa1e94c82d86a957ee7c9852d7a322 without this patch, valgrind was reporting: ==30955== Conditional jump or move depends on uninitialised value(s) ==30955== at 0xDBBACC3: ipa_subdomains_slave_search_done (ipa_subdomains.c:1111) ==30955== by 0xE73B34D: sdap_search_bases_ex_done (sdap_ops.c:222) ==30955== by 0xE6FFA98: sdap_get_generic_done (sdap_async.c:1872) ==30955== by 0xE6FF4E2: generic_ext_search_handler (sdap_async.c:1689) ==30955== by 0xE6FF840: sdap_get_and_parse_generic_done (sdap_async.c:1797) ==30955== by 0xE6FEFB5: sdap_get_generic_op_finished (sdap_async.c:1579) ==30955== by 0xE6FB1D2: sdap_process_message (sdap_async.c:353) ==30955== by 0xE6FAD51: sdap_process_result (sdap_async.c:197) ==30955== by 0xE6FAA14: sdap_ldap_next_result (sdap_async.c:145) ==30955== by 0x8E157FF: tevent_common_loop_timer_delay (tevent_timed.c:341) ==30955== by 0x8E16809: epoll_event_loop_once (tevent_epoll.c:911) ==30955== by 0x8E14F09: std_event_loop_once (tevent_standard.c:114) ==30955== Resolves: https://fedorahosted.org/sssd/ticket/3213 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
without this patch, valgrind was reporting:
==30955== Conditional jump or move depends on uninitialised value(s)
==30955== at 0xDBBACC3: ipa_subdomains_slave_search_done (ipa_subdomains.c:1111)
==30955== by 0xE73B34D: sdap_search_bases_ex_done (sdap_ops.c:222)
==30955== by 0xE6FFA98: sdap_get_generic_done (sdap_async.c:1872)
==30955== by 0xE6FF4E2: generic_ext_search_handler (sdap_async.c:1689)
==30955== by 0xE6FF840: sdap_get_and_parse_generic_done (sdap_async.c:1797)
==30955== by 0xE6FEFB5: sdap_get_generic_op_finished (sdap_async.c:1579)
==30955== by 0xE6FB1D2: sdap_process_message (sdap_async.c:353)
==30955== by 0xE6FAD51: sdap_process_result (sdap_async.c:197)
==30955== by 0xE6FAA14: sdap_ldap_next_result (sdap_async.c:145)
==30955== by 0x8E157FF: tevent_common_loop_timer_delay (tevent_timed.c:341)
==30955== by 0x8E16809: epoll_event_loop_once (tevent_epoll.c:911)
==30955== by 0x8E14F09: std_event_loop_once (tevent_standard.c:114)
==30955==

Resolves:
https://fedorahosted.org/sssd/ticket/3213

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
KRB5: Fixing FQ name of user in krb5_setup() 2016-09-22T20:12:03+00:00 Petr Čech pcech@redhat.com 2016-09-14T13:00:06+00:00 b34ffbf33729c557c3d1aebf4707ad0ffe4f1904 This patch fixes creation of FQ username if krb5_map_user option ise used. Resolves: https://fedorahosted.org/sssd/ticket/3188 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This patch fixes creation of FQ username if krb5_map_user option
ise used.

Resolves:
https://fedorahosted.org/sssd/ticket/3188

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
failover: proceed normally when no new server is found 2016-09-22T07:25:18+00:00 Pavel Březina pbrezina@redhat.com 2016-08-24T12:21:12+00:00 03cb5ac6aa4c60d2c64c6fdc2daae656bf5493f4 Multiple failover requests come in same time, the first one will result in collapsing the meta server but multiple resolution of SRV records are triggered. The first one finishes normally but the others won't find any new server thus ends with an error. This patch makes failover to proceed normally even in such case. Resolves: https://fedorahosted.org/sssd/ticket/3131 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Multiple failover requests come in same time, the first one will
result in collapsing the meta server but multiple resolution of
SRV records are triggered. The first one finishes normally but the
others won't find any new server thus ends with an error.

This patch makes failover to proceed normally even in such case.

Resolves:
https://fedorahosted.org/sssd/ticket/3131

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Remove double semicolon at the end of line 2016-09-21T13:10:11+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-09-17T19:05:36+00:00 b9941359b3181c42f415530d5ccad0f4664d85fa Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: Return partial results from adminlimit exceeded 2016-09-14T09:11:38+00:00 Jakub Hrozek jhrozek@redhat.com 2016-09-12T15:36:09+00:00 3319d964721396c07daba383ded6aaaf33ed6e3b Resolves: https://fedorahosted.org/sssd/ticket/3185 Since commit c420ce830ac0b0b288a2a887ec2cfce5c748018c we try to move to the next server on any error on the connection, which in case there is only one server sends SSSD offline. It's more graceful to try to process the results, same as we already do with sizelimit exceeded. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Resolves:
    https://fedorahosted.org/sssd/ticket/3185

Since commit c420ce830ac0b0b288a2a887ec2cfce5c748018c we try to move to
the next server on any error on the connection, which in case there is
only one server sends SSSD offline.

It's more graceful to try to process the results, same as we already do
with sizelimit exceeded.

Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PROXY: Adding proxy_max_children option 2016-09-13T14:22:26+00:00 Petr Cech pcech@redhat.com 2016-08-24T12:41:09+00:00 aef0171e0bdc9a683958d69c7ee984fb10cd5de7 The new option 'proxy_max_children' is applicable in domain section. Default value is 10. Resolves: https://fedorahosted.org/sssd/ticket/3153 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.

Resolves:
https://fedorahosted.org/sssd/ticket/3153

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SDAP: Fix settig paging attribute in sdap_get_generic_ext_send 2016-09-13T14:02:23+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-08-30T14:39:49+00:00 6c335dee38da943796710b5e336472a10cf641f2 We should set pagging flag in state and not in local variable which is not read anywhere in the function. Found by clang static analyzer. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
We should set pagging flag in state and not in local
variable which is not read anywhere in the function.

Found by clang static analyzer.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
KRB5: Return ERR_NETWORK_IO on clock skew 2016-09-13T13:26:46+00:00 Jakub Hrozek jhrozek@redhat.com 2016-09-06T10:27:51+00:00 d3348f49260998880bb7cd3b2fb72d562b1b7a64 Adds two more return codes to the list of codes we translate to ERR_NETWORK_IO. Resolves: https://fedorahosted.org/sssd/ticket/3174 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> 
Adds two more return codes to the list of codes we translate to
ERR_NETWORK_IO.

Resolves:
https://fedorahosted.org/sssd/ticket/3174

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
KRB5: Send the output username, not internal fqname to krb5_child 2016-09-08T21:04:30+00:00 Jakub Hrozek jhrozek@redhat.com 2016-09-07T10:07:36+00:00 fedfb7c62b4efa89d18d0d3a7895a2a34ec4ce42 krb5_child calls krb5_kuserok() during the access phase which checks if a particular user is allowed to authenticate as a particular principal. We used to pass the internal fqname to krb5_kuserok() which broke the functionality and all users were denied access. This patch changes that to send the 'output' username to krb5_child, because that's the username the system receives through getpwnam() or getpwuid() anyway. The patch also adds a new structure member fo the krb5child_req structure to avoid reusing the pd->user variable but have an explicit one that serves as the input for the child process. Resolves: https://fedorahosted.org/sssd/ticket/3172 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
krb5_child calls krb5_kuserok() during the access phase which checks if
a particular user is allowed to authenticate as a particular principal.
We used to pass the internal fqname to krb5_kuserok() which broke the
functionality and all users were denied access.

This patch changes that to send the 'output' username to krb5_child,
because that's the username the system receives through getpwnam() or
getpwuid() anyway. The patch also adds a new structure member fo the
krb5child_req structure to avoid reusing the pd->user variable but have
an explicit one that serves as the input for the child process.

Resolves:
https://fedorahosted.org/sssd/ticket/3172

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>