path: root/src/providers
Commit log (each entry: commit message, author, date, files changed, lines -removed/+added)
* HBAC: remove misleading comment about deny rules (Pavel Reichl, 2015-10-08, 1 file, -4/+0)
  HBAC deny rules are no longer supported. This comment should have been removed as part of 'Remove HBAC DENY rules from SSSD' https://fedorahosted.org/sssd/ticket/912
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* AD: Consolidate connection list construction on ad_common.c (Jakub Hrozek, 2015-10-07, 3 files, -17/+37)
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Provide common connection list construction functions (Jakub Hrozek, 2015-10-07, 4 files, -29/+40)
  https://fedorahosted.org/sssd/ticket/2810
  Provides a new AD common function ad_ldap_conn_list() that creates a list of AD connections to use along with properties, to avoid mistakes when manually constructing these lists.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* DYNDNS: improve nsupdate_msg_add_fwd() (Pavel Reichl, 2015-10-05, 1 file, -17/+39)
  Update nsupdate_msg_add_fwd() to group commands by the address family the processed IP address belongs to. It's better to group removing old A addresses and adding new A addresses in a single transaction. The same goes for AAAA addresses. Separate transactions for A and AAAA address updates are important because the server might block updates for one of these families, and thus the update even for the non-blocked address family would unnecessarily fail. For more details please see: https://fedorahosted.org/sssd/wiki/DesignDocs/DDNSMessagesUpdate
  Resolves: https://fedorahosted.org/sssd/ticket/2495
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: use realm and server commands only as fallback (Pavel Reichl, 2015-10-05, 5 files, -40/+35)
  Resolves: https://fedorahosted.org/sssd/ticket/2495
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
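The two DYNDNS entries above describe the shape of the nsupdate input: one transaction per address family, and 'server'/'realm' lines only on a retry. The C block below is an added illustration written for this page, not SSSD's nsupdate_msg_add_fwd(). The host name, TTL, server, realm and address list are constructed sample values, and detecting IPv6 by the ':' in the literal is a simplification made for the example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at out[*pos]; false if it does not fit. */
static bool msg_append(char *out, size_t outlen, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out + *pos, outlen - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outlen - *pos) {
        return false;
    }
    *pos += (size_t)n;
    return true;
}

/* One transaction for one address family: delete the stale records of that
 * type, add the current ones, then 'send'. A family with no addresses gets no
 * transaction at all, so a server that refuses (say) AAAA updates cannot drag
 * the A update down with it. IPv6 is detected by the ':' in the literal. */
static bool add_family_txn(char *out, size_t outlen, size_t *pos,
                           const char *host, int ttl, const char *rrtype,
                           const char *const *addrs, size_t n, bool want_v6)
{
    size_t count = 0;

    for (size_t i = 0; i < n; i++) {
        if ((strchr(addrs[i], ':') != NULL) == want_v6) {
            count++;
        }
    }
    if (count == 0) {
        return true;
    }
    if (!msg_append(out, outlen, pos, "update delete %s in %s\n", host, rrtype)) {
        return false;
    }
    for (size_t i = 0; i < n; i++) {
        if ((strchr(addrs[i], ':') != NULL) != want_v6) {
            continue;
        }
        if (!msg_append(out, outlen, pos, "update add %s %d in %s %s\n",
                        host, ttl, rrtype, addrs[i])) {
            return false;
        }
    }
    return msg_append(out, outlen, pos, "send\n");
}

/* Build the stdin for nsupdate. 'server' and 'realm' are optional: the first
 * attempt passes NULL for both and lets nsupdate find the server via the
 * zone's SOA; only when that attempt fails does the caller retry with them.
 * Returns the message length, or -1 if 'out' is too small. */
static int build_nsupdate_msg(const char *host, int ttl,
                              const char *const *addrs, size_t n,
                              const char *server, const char *realm,
                              char *out, size_t outlen)
{
    size_t pos = 0;

    if (outlen == 0) {
        return -1;
    }
    out[0] = '\0';
    if ((server != NULL && !msg_append(out, outlen, &pos, "server %s\n", server)) ||
        (realm != NULL && !msg_append(out, outlen, &pos, "realm %s\n", realm)) ||
        !add_family_txn(out, outlen, &pos, host, ttl, "A", addrs, n, false) ||
        !add_family_txn(out, outlen, &pos, host, ttl, "AAAA", addrs, n, true)) {
        return -1;
    }
    return (int)pos;
}

/* Constructed sample: one host with two IPv4 and one IPv6 address. Returns the
 * message built into a static buffer of at most 'outlen' bytes (NULL on
 * failure); with_fallback selects the retry variant that names the server and
 * realm explicitly. */
static const char *sample_message(bool with_fallback, size_t outlen)
{
    static const char *const addrs[] = { "192.0.2.10", "2001:db8::10", "192.0.2.11" };
    static char buf[512];
    int n;

    if (outlen > sizeof(buf)) {
        outlen = sizeof(buf);
    }
    n = build_nsupdate_msg("host.example.test.", 1200, addrs, 3,
                           with_fallback ? "ns.example.test" : NULL,
                           with_fallback ? "EXAMPLE.TEST" : NULL,
                           buf, outlen);
    return n < 0 ? NULL : buf;
}

int main(void)
{
    const char *msg = sample_message(false, 512);

    if (msg != NULL) {
        fputs(msg, stdout);
    }
    return 0;
}
```

Feeding the first variant to `nsupdate -g` on stdin yields two independent transactions; if the server rejects the AAAA one, the A records have already been committed by the earlier 'send'.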
* PROXY: fix minor memory leak (Pavel Reichl, 2015-10-02, 1 file, -2/+2)
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: fix minor memory leak (Pavel Reichl, 2015-10-02, 2 files, -2/+3)
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: fix minor memory leak (Pavel Reichl, 2015-10-02, 1 file, -1/+1)
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: fix minor memory leak (Pavel Reichl, 2015-10-02, 1 file, -2/+3)
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Relax POSIX check (Pavel Reichl, 2015-10-02, 1 file, -4/+6)
  Relax the check on UID or GID to just check if at least one of them is present, but do not require them to be positive numbers. Add a requirement on objectclass attributes to be user or group to make the check more reliable.
  Resolves: https://fedorahosted.org/sssd/ticket/2800
* HBAC: Better libhbac debugging (Petr Cech, 2015-10-01, 4 files, -2/+243)
  Added support for logging via an external log function. The log provides information about rule evaluation (HBAC_DBG_INFO level) and additionally can describe rules (HBAC_DBG_TRACE level).
  Resolves: https://fedorahosted.org/sssd/ticket/2703
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* AD: add debug messages for netlogon get info (Pavel Reichl, 2015-09-30, 1 file, -1/+4)
  Reviewed-by: Petr Cech <pcech@redhat.com>
* AD: initialize root_domain_attrs field (Pavel Reichl, 2015-09-30, 1 file, -1/+2)
  Resolves: https://fedorahosted.org/sssd/ticket/2805
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Retry fetching keytab if IPA user lookup fails (Jakub Hrozek, 2015-09-23, 2 files, -14/+185)
  Required for: https://fedorahosted.org/sssd/ticket/2639
  Instead of calling ipa_get_ad_acct_send directly, call a new request ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and tries to request a new keytab every time the lookup fails but the domain is online. be_mark_dom_offline() is called when the retry fails with the new code. The retry tries to re-setup the trusted domain. With two-way setups, the request is a no-op. With one-way trust setups, the request re-fetches a new keytab unconditionally.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* FO: Also reset the server common data in addition to SRV (Jakub Hrozek, 2015-09-23, 1 file, -1/+3)
  When a server that was expanded from a SRV query was reset, only its 'meta-server' status was set to neutral, but the server->common structure still retained its not_working status. This patch also resets the status of the common structure so that both the SRV query and resolving the server are retried next time.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* FO: Add an API to reset all servers in a single service (Jakub Hrozek, 2015-09-23, 4 files, -10/+42)
  Required for: https://fedorahosted.org/sssd/ticket/2639
  Previously, we had a function that allowed the caller to reset the status of all services in the global fail over context. This patch adds a new function that allows the caller to reset a single service instead. The main user would be the IPA subdomain provider, which might need to reset the status of an AD trusted domain on demand.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Change ipa_server_trust_add_send request to be reusable from ID code (Jakub Hrozek, 2015-09-23, 2 files, -58/+75)
  Required for: https://fedorahosted.org/sssd/ticket/2639
  Expose a request ipa_server_trusted_dom_setup_send that sets up a trusted domain. The setup might include actions like retrieving a keytab for one-way trusts. Creating the AD ID context for the trusted domain is now done in the caller of this new request.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* DYNDNS: Return right error code in case of failure (Lukas Slebodnik, 2015-09-23, 1 file, -0/+1)
  The variable will be zero if getifaddrs succeeds, and therefore the wrong error code will be returned in case of insufficient memory (talloc_zero failed).
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* DDNS: execute nsupdate for single update of PTR rec (Pavel Reichl, 2015-09-22, 3 files, -72/+190)
  nsupdate fails definitely if any of the update requests fails when GSSAPI is used. As a temporary solution nsupdate is executed for each update.
  Resolves: https://fedorahosted.org/sssd/ticket/2783
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA PROVIDER: Resolve nested netgroup membership (Petr Cech, 2015-09-22, 1 file, -10/+19)
  Information about usergroup membership is stored in the memberOf attribute, and information about hostgroup membership is stored in originalMemberOf. This patch adds the appropriate memberOf attributes to search in.
  Ticket: https://fedorahosted.org/sssd/ticket/2275
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Filter out multiple entries when searching overlapping domains (Jakub Hrozek, 2015-09-22, 4 files, -20/+116)
  In case domains overlap, we might download multiple objects. To avoid saving them all, we attempt to filter out the objects from foreign domains. We can only do this optimization for non-wildcard lookups.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Move sdap_create_search_base from ldap to sdap code (Jakub Hrozek, 2015-09-22, 4 files, -70/+68)
  The function shouldn't be placed in the LDAP tree, but in the SDAP tree, to make it usable from tests without linking to libraries that are normally linked from the LDAP provider (such as confdb).
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains (Jakub Hrozek, 2015-09-22, 2 files, -13/+0)
  https://fedorahosted.org/sssd/ticket/2723
  In case there are overlapping sdap domains, a search for a single user might match and return multiple entries. For instance, with AD domains represented by search bases:
    DC=win,DC=trust,DC=test
    DC=child,DC=win,DC=trust,DC=test
  A search for a user from win.trust.test would be based at:
    DC=win,DC=trust,DC=test
  but would match both search bases and return both users. Instead of performing complex filtering, just save both users. The responder would select the entry that matches the user's search.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
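The overlapping-search-base problem in the two LDAP entries above ('Filter out multiple entries' and 'sizelimit=1 ... breaks overlapping domains') comes down to deciding which configured base an entry DN really belongs to. The C block below is an added example, not SSSD's sdap code: it implements a suffix test on string-form DNs and the "keep only entries of the requested domain" filter, using the two bases from the commit message as constructed input. It assumes normalised DN strings without whitespace around commas; the entry DNs and the attribute layout (CN=Users) are sample values.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive compare; DN attribute types and DC values are
 * matched case-insensitively. */
static int dn_casecmp(const char *a, const char *b)
{
    while (*a != '\0' && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* True if 'dn' ends with 'base' on an RDN boundary. A plain suffix test on
 * the string form, assuming normalised DNs without spaces around commas. */
static bool dn_under_base(const char *dn, const char *base)
{
    size_t dlen = strlen(dn);
    size_t blen = strlen(base);

    if (blen == 0 || dlen < blen || dn_casecmp(dn + (dlen - blen), base) != 0) {
        return false;
    }
    return dlen == blen || dn[dlen - blen - 1] == ',';
}

/* An entry found under 'domain_base' belongs to that domain only if no other
 * configured base is a longer (more specific) suffix of its DN. With the two
 * bases from the commit message, a user from the child domain is rejected when
 * the lookup was for the parent. */
static bool entry_belongs_to_domain(const char *entry_dn, const char *domain_base,
                                    const char *const *all_bases, size_t n_bases)
{
    if (!dn_under_base(entry_dn, domain_base)) {
        return false;
    }
    for (size_t i = 0; i < n_bases; i++) {
        if (strlen(all_bases[i]) > strlen(domain_base) &&
            dn_under_base(entry_dn, all_bases[i])) {
            return false;
        }
    }
    return true;
}

/* Filter a result set in place, keeping entries of the requested domain, and
 * return how many were kept. Wildcard lookups must not use this, as the commit
 * notes: they legitimately span several domains. */
static size_t filter_foreign_entries(const char **entries, size_t n,
                                     const char *domain_base,
                                     const char *const *all_bases, size_t n_bases)
{
    size_t kept = 0;

    for (size_t i = 0; i < n; i++) {
        if (entry_belongs_to_domain(entries[i], domain_base, all_bases, n_bases)) {
            entries[kept++] = entries[i];
        }
    }
    return kept;
}

/* Constructed sample: the two bases from the commit message, and a lookup for
 * a win.trust.test user that returned one entry from each base. Returns how
 * many entries survive the filter for the given domain base. */
static const char *const sample_bases[] = {
    "DC=win,DC=trust,DC=test",
    "DC=child,DC=win,DC=trust,DC=test",
};

static size_t sample_filtered_count(const char *domain_base)
{
    const char *results[] = {
        "CN=u1,CN=Users,DC=win,DC=trust,DC=test",
        "CN=u1,CN=Users,DC=child,DC=win,DC=trust,DC=test",
    };

    return filter_foreign_entries(results, 2, domain_base, sample_bases, 2);
}

int main(void)
{
    printf("kept for parent: %zu, kept for child: %zu\n",
           sample_filtered_count(sample_bases[0]),
           sample_filtered_count(sample_bases[1]));
    return 0;
}
```

The "longest matching base wins" rule is what makes the parent lookup drop the child's entry while the child lookup still accepts it; a lookup for a base that matches nothing keeps no entries at all.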
* IPA: Do not allow the AD lookup code to set backend as offline in server mode (Jakub Hrozek, 2015-09-21, 1 file, -1/+7)
  https://fedorahosted.org/sssd/ticket/2637
  In server mode, we should not allow the AD lookups to set the backend offline. Rather, just let them report an error and deal with the error separately.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: Set ignore_mark_offline=false when resolving AD root domain (Jakub Hrozek, 2015-09-21, 1 file, -23/+33)
  https://fedorahosted.org/sssd/ticket/2637
  Avoid going offline in cases where SSSD is connected to a child domain but the root domain is not accessible.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: Do not mark the whole back end as offline if subdomain lookup fails (Jakub Hrozek, 2015-09-21, 1 file, -14/+67)
  Required for: https://fedorahosted.org/sssd/ticket/2637
  Rather, mark the domain as inactive. It will be marked as active later; in the meantime the main domain can continue to work online and subdomain requests will be answered from cache. The lookup request itself just returns a special error code and lets the caller handle the error code as appropriate (normally by disabling the subdomain temporarily).
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Offline operation with disabled domain (Jakub Hrozek, 2015-09-21, 1 file, -1/+11)
  https://fedorahosted.org/sssd/ticket/2637
  If a subdomain is in the disabled state, switch krb5_child operation into offline mode. Similarly, instead of marking the whole back end as offline, mark just the domain as offline; depending on the domain type, this would mark the whole back end or just inactivate the subdomain.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: Only ignore errors from SDAP lookups if there's another connection to fallback to (Jakub Hrozek, 2015-09-21, 1 file, -0/+1)
  Required for: https://fedorahosted.org/sssd/ticket/2637
  The AD lookup code honors the ignore_mark_offline flag in the sense that if it's set, the sdap return code is not reported to the upper layer, but EOK is returned as request status and the sdap return code is returned separately. This patch modifies the behaviour further to only apply if there is another connection to fall back to.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Do not set is_offline if ignore_mark_offline is set (Jakub Hrozek, 2015-09-21, 1 file, -1/+1)
  Required for: https://fedorahosted.org/sssd/ticket/2637
  The caller of the sdap_id_op requests can set the ignore_mark_offline flag to avoid the sdap_id_op marking the whole back end as offline. However, there was a small bug: the is_offline internal sdap_id_op flag was still being set. As a consequence, the error code from the connection was ignored and EAGAIN was always returned.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Provide a way to mark subdomain as disabled and auto-enable it later with offline_timeout (Jakub Hrozek, 2015-09-21, 2 files, -9/+94)
  https://fedorahosted.org/sssd/ticket/2637
  Adds a new Data Provider function be_mark_dom_offline() that is a replacement for be_mark_offline(). When called, the function would either set the whole back end offline, just like be_mark_offline, or just set the subdomain status to inactive. When a subdomain is inactive, there is a singleton timed task that would re-set the subdomain after offline_timeout seconds.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Convert domain->disabled into tri-state with domain states (Jakub Hrozek, 2015-09-21, 2 files, -2/+2)
  Required for: https://fedorahosted.org/sssd/ticket/2637
  This is a first step towards making it possible for a domain to be around, but not contacted by the Data Provider. Also explicitly create domains as active; previously we only relied on talloc_zero marking dom->disabled as false.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Sanitize group dn before using in filter (Lukas Slebodnik, 2015-09-18, 1 file, -2/+16)
  Each string should be sanitized (RFC 4515) before using ldbsearch. A group dn was not sanitized in the function cleanup_groups.
  Resolves: https://fedorahosted.org/sssd/ticket/2744
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Partially revert "LDAP: sanitize group name when used in filter" (Lukas Slebodnik, 2015-09-18, 1 file, -83/+5)
  This reverts commit e2e334b2f51118cb14c7391c4e4e44ff247ef638.
  + temporarily disable unit test
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Revert "LDAP: end on ENOMEM" (Lukas Slebodnik, 2015-09-18, 1 file, -1/+0)
  This reverts commit f31a57321fc0a2390bb0d6030053c49787e5e587. It blocked reverting commit e2e334b2f51118cb14c7391c4e4e44ff247ef638.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DATA_PROVIDER: BE_REQ as string in log message (Petr Cech, 2015-09-14, 4 files, -17/+112)
  Add be_req2str() for translating BE_REQ to a string. So we will have
    Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
  instead of
    Got request for [0x1001][1][name=celestian]
  Function be_req2str() is used in the data provider and in the responder too. So this patch creates a new header file data_provider_req.h which delivers function be_req2str() and definitions of BE_REQ_*.
  Resolves: https://fedorahosted.org/sssd/ticket/2708
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: use SDAP_SASL_AUTHID as samAccountName (Sumit Bose, 2015-09-14, 1 file, -3/+4)
  The samAccountName for AD hosts is the host's NetBIOS name with a trailing $. Since there is a size limit on NetBIOS names, long DNS names must be truncated to find a matching entry in the AD LDAP tree. The NetBIOS name is already needed during kinit/SASL bind where the SDAP_SASL_AUTHID config option is used. Since the GPO lookup code is only reached after the SASL bind was successful, we can safely assume that the name is correct and use it for the GPO lookup.
  Resolves: https://fedorahosted.org/sssd/ticket/2692
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Remove unused function (Jakub Hrozek, 2015-09-11, 3 files, -9/+2)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: fix memory leak (Pavel Reichl, 2015-09-07, 1 file, -3/+3)
  Resolves: https://fedorahosted.org/sssd/ticket/2777
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* cleanup task: Expire all memberof targets when removing user (Michal Židek, 2015-09-03, 1 file, -1/+52)
  Ticket: https://fedorahosted.org/sssd/ticket/2676
  When a user is removed from the cache during the cleanup task, mark all his memberof targets as expired to refresh member/ghost attributes on the next request.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: Use sss_unique_file and close fd on failure (Jakub Hrozek, 2015-09-01, 1 file, -16/+14)
  The GPO child didn't remove the temporary file on failure and didn't close the fd on failure (the latter was not much of a problem for a short-lived child process).
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: send less logs to syslog (Pavel Reichl, 2015-09-01, 1 file, -0/+42)
  Create a new callback that handles logging messages in the cyrus sasl library.
  Resolves: https://fedorahosted.org/sssd/ticket/2561
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: end on ENOMEM (Pavel Reichl, 2015-08-31, 1 file, -0/+1)
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssd: incorrect checks on length values during packet decoding (Michal Židek, 2015-08-31, 6 files, -19/+19)
  https://fedorahosted.org/sssd/ticket/1697
  It is safer to isolate the checked (unknown/untrusted) value on the left-hand side in the conditions to avoid overflows/underflows.
  Reviewed-by: Petr Cech <pcech@redhat.com>
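The point in the packet-decoding entry above is easiest to see in code. The C block below is an added example rather than SSSD's own decoder: the two predicates put the wrapping form of the check beside the recommended form, and record_payload_len() applies the safe form to a constructed length-prefixed record. The 4-byte little-endian length header and the sample packet are layouts chosen for the example, not SSSD's wire format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* "Before" style: the untrusted len is added to offset first. On a 32-bit
 * length counter that sum can wrap, so a huge len passes the check. */
static bool fits_unsafe(uint32_t total, uint32_t offset, uint32_t len)
{
    return offset + len <= total;
}

/* Style the commit message recommends: the untrusted value stands alone on
 * the left and is compared with a quantity that cannot wrap once
 * offset <= total is known. */
static bool fits_safe(uint32_t total, uint32_t offset, uint32_t len)
{
    if (offset > total) {
        return false;
    }
    return len <= total - offset;
}

/* Read a 4-byte little-endian record header at 'offset' and check that the
 * payload it announces fits inside the buffer. On success stores the payload
 * length and returns 0; returns -1 for a truncated header or a length that
 * does not fit. Nothing is read beyond 'buflen'. */
static int record_payload_len(const uint8_t *buf, uint32_t buflen,
                              uint32_t offset, uint32_t *payload_len)
{
    uint32_t len;

    if (!fits_safe(buflen, offset, 4)) {
        return -1;
    }
    len = (uint32_t)buf[offset]
        | ((uint32_t)buf[offset + 1] << 8)
        | ((uint32_t)buf[offset + 2] << 16)
        | ((uint32_t)buf[offset + 3] << 24);
    if (!fits_safe(buflen, offset + 4, len)) {
        return -1;
    }
    *payload_len = len;
    return 0;
}

/* Constructed sample packet: a well-formed 3-byte record followed by a header
 * announcing 0xffffffff bytes, which only the wrapping check would accept. */
static const uint8_t sample_packet[] = {
    0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c',
    0xff, 0xff, 0xff, 0xff,
};

/* Check the record header at 'offset' in the sample packet; returns the
 * announced payload length, or -1 when the decoder rejects it. */
static long long sample_record_len(uint32_t offset)
{
    uint32_t len;

    if (record_payload_len(sample_packet, (uint32_t)sizeof(sample_packet),
                           offset, &len) != 0) {
        return -1;
    }
    return (long long)len;
}

int main(void)
{
    printf("wrapping check accepts len=0xffffffff: %d\n",
           fits_unsafe(100, 10, 0xffffffffu));
    printf("safe check accepts it: %d\n", fits_safe(100, 10, 0xffffffffu));
    printf("record at offset 7: %lld\n", sample_record_len(7));
    return 0;
}
```

With offset 10 and len 0xffffffff, offset + len wraps to 9 and fits_unsafe() reports the record as fitting in a 100-byte buffer; fits_safe() compares len against the 90 bytes actually remaining and rejects it.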
* UTIL: Function 2string for enum sss_cli_command (Petr Cech, 2015-08-31, 1 file, -25/+2)
  Improvement of debug messages. Instead of:
    (0x0400): Running command [17]...
  we could see:
    (0x0400): Running command [17][SSS_NSS_GETPWNAM]...
  (It's not used in sss_client. There are only hex numbers of commands.)
  Resolves: https://fedorahosted.org/sssd/ticket/2708
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sdap_async: Use specific errmsg when available (Michal Židek, 2015-08-19, 1 file, -2/+8)
  Ticket: https://fedorahosted.org/sssd/ticket/2762
  Use the specific errmsg when ldap returns the LDAP_CONSTRAINT_VIOLATION code, if that specific message is available.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Use sss_unique_filename in ldap_child (Jakub Hrozek, 2015-08-17, 1 file, -22/+3)
  Simplifies the code.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Use sss_unique_file when creating kdcinfo files (Jakub Hrozek, 2015-08-17, 1 file, -7/+9)
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Use sss_unique file in krb5_child (Jakub Hrozek, 2015-08-17, 1 file, -16/+11)
  In krb5_child, we intentionally don't set the owner of the temporary file, because we're not renaming it to a 'stable' name, but rather directly using it as the ccache.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: minor improvements in ldap id cleanup (Pavel Reichl, 2015-08-17, 2 files, -4/+5)
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: sanitize group name when used in filter (Pavel Reichl, 2015-08-17, 1 file, -5/+83)
  cleanup_groups() uses the DN of a group in a filter for ldbsearch. But the name might contain characters with special meaning for filtering like "*()\/".
  Resolves: https://fedorahosted.org/sssd/ticket/2744
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
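The entry above and 'LDAP: Sanitize group dn before using in filter' both concern a value spliced into an LDAP search filter. The C block below is an added example, not SSSD's own sanitisation helper: it applies the RFC 4515 escaping to a DN (with the '/' from the commit message as an optional extra) and builds a lookup filter from it. The attribute name originalDN, the filter shape and the sample DNs are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
 * '*', '(', ')' and '\' are written as \XX hex escapes, as is any character
 * listed in 'extra' (the commit message also mentions '/'). A NUL would need
 * escaping too, but cannot occur in a C string. Returns the number of bytes
 * written (excluding the terminator) or -1 if 'out' is too small. */
static int ldap_filter_escape(const char *in, const char *extra,
                              char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        bool special = *p == '*' || *p == '(' || *p == ')' || *p == '\\'
                       || (extra != NULL && strchr(extra, *p) != NULL);

        if (special) {
            if (o + 3 >= outlen) {
                return -1;
            }
            out[o++] = '\\';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        } else {
            if (o + 1 >= outlen) {
                return -1;
            }
            out[o++] = (char)*p;
        }
    }
    if (o >= outlen) {
        return -1;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the filter that looks up a cached group by the DN it had on the LDAP
 * server. 'originalDN' is the attribute name assumed for this example. The DN
 * goes through ldap_filter_escape() first, so a DN such as
 *   *)(objectClass=*
 * cannot widen the search to every object. */
static int build_group_filter(const char *group_dn, char *out, size_t outlen)
{
    char esc[1024];
    int n;

    if (ldap_filter_escape(group_dn, "/", esc, sizeof(esc)) < 0) {
        return -1;
    }
    n = snprintf(out, outlen, "(&(objectClass=group)(originalDN=%s))", esc);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return n;
}

/* Convenience wrappers for trying the functions on a constructed DN; they
 * return a static buffer, or NULL on failure. */
static char wrap_buf[2048];

static const char *escaped(const char *in, const char *extra)
{
    return ldap_filter_escape(in, extra, wrap_buf, sizeof(wrap_buf)) < 0
           ? NULL : wrap_buf;
}

static const char *group_filter(const char *dn)
{
    return build_group_filter(dn, wrap_buf, sizeof(wrap_buf)) < 0
           ? NULL : wrap_buf;
}

int main(void)
{
    printf("%s\n", group_filter("CN=admins,(*),OU=odd/names,DC=example,DC=test"));
    return 0;
}
```

Without the escaping step, the DN `*)(objectClass=*` would turn the filter into `(&(objectClass=group)(originalDN=*)(objectClass=*))`, which matches every group in the cache; with it the same input becomes a literal match on the hex-escaped string.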