| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
The regression was caused by changing default domain regex
for ldap provider in ticket #2717
Resolves:
https://fedorahosted.org/sssd/ticket/2772
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2485
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
After responders start, they add a lookup operation that discovers the
subdomains so that qualifying users works. After this operation is
finishes, we need to reset negcache to allow users to be added into the
newly discovered domains.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2468
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Allow to skip initialization of pipe file descriptor
if the responder context already has one.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Adds the NSS responder to the list of services known to work as a
non-root user and becomes the specified user after starting the NSS
responder.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Adds new command line options --uid and --gid to all SSSD servers,
making it possible to switch to another user ID if needed.
So far all code still runs as root.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch add possibility to replace whitespace in user and group names with
a specified string. With string "-", sssd will return the same result as
winbind enabled option "winbind normalize names"
Resolves:
https://fedorahosted.org/sssd/ticket/1854
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Introduces a new method implemented only by the IFP responder. When this
method is received, the responder attempts to reconnect to the system
bus, if not connected already.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some DBus types returned from dbus_message_get_args() require memory
to be released when done. We automatically attach these to the talloc
struct sbus_request memory context in this function.
This accepts varargs similar to dbus_message_get_args(), which are
rather awkward. However instead of reworking them completely, future
generated marshalling code will replace most uses of these varargs.
If parsing the dbus message fails, then it responds to the DBus caller
with an appropriate error such as o.f.D.Error.InvalidArgs. In these
cases (ie: when it returns FALSE) the sbus_request is finished.
Migrated some, but not all, uses of dbus_message_get_args() to the
new function. Some instances have uncommon semantics such as terminating
the connection upon failure to parse a message.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most importantly, stop using per connection private data. This doesn't
scale when you have more than one thing exporting or exported on a
connection.
Remove struct sbus_interface and expand sbus_conn_add_interface()
function. Remove various struct sbus_interface args to connection
initialization functions and make callers use sbus_conn_add_interface()
directly. The old method was optimized for exporting one interface
on a connection. We'll have connections that export zero, one or more
interfaces.
To export an interface on a DBus server, call sbus_conn_add_interface()
from within the sbus_server_conn_init_fn. To export an interface on
a DBus client, call sbus_conn_add_interface() after sbus_new_connection()
returns.
As before struct sbus_interface represents an object exported via DBus.
However it is now talloc allocated. One can set instance data on the
struct sbus_interface. This instance data is passed to the various
handlers and used in their implementation.
However, we now have type safe interface exporting in the various
high level sss_process_init() sss_monitor_init() and so on.
Introspection support was not in use, and is now gone until we
implement it using the metadata (future patch).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
struct sbus_request represents a request from a dbus client
being handled by a dbus server implementation. The struct
contains the message, connection and method (and in the
future teh property) which is being requested.
In the future it will contain caller information as well.
sbus_request is a talloc memory context, and is a good place to
attach any allocations and memory specific to the request.
Each handler accepts an sbus_request. If a handler returns
EOK, it is assumed that the handler will finish the request.
Any of the sbus_request_*finish() methods can be used to
complete the request and send back a reply.
sbus_request_return_and_finish() uses the same argument
varargs syntax as dbus_message_append_args(), which isn't
a great syntax. Document it a bit, but don't try to redesign:
The marshalling work (will follow this patch set) will remove
the need to use varargs for most DBus implementation code.
This patch migrates the monitor and data provider dbus code
to use sbus_request, but does not try to rework the talloc
context's to use it.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous commits added support for interface metadata and
handler vtables. This commit ports sbus_dbus_connection to
use them.
Port the internal uses of dbus to use the new scheme in a
very minimal way. Further cleanup is possible here.
This commit provides basic definitions of the internal
dbus interfaces. The interfaces aren't fully defined, as the
handlers will continue to unpack manually, and often overload
DBus methods with different arguments (which is rather
unorthodox, but not the end of the world).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an incorrect use of DBus, where we use a single interface
name with completely different sets of methods.
Easily fixed.
Once the vtable stuff is in use then this would be automatically
detected and fail to build.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| | |
|
| |
|
|
|
|
| |
I find it more readable to include headers from outside the sssd tree
with <foo.h>, not "foo.h". The latter should be used for in-tree headers
only.
|
| | |
|
| |
|
|
| |
Remove code duplication.
|
| |
|
|
|
|
|
| |
In order for sss_cache to work correctly, we must also signal the nss
responder to invalidate the hash table requests.
https://fedorahosted.org/sssd/ticket/1759
|
| |
|
|
|
|
|
|
|
| |
There is a timed desctructor in the nss responder that, when the
entry timeout passes, removes the netgroup from the hash table while
the netgroup is freed. This patch adds a hash delete callback so that if the
netgroup is removed from the hash table with hash_delete, its hash table
pointer will be invalidated. Later, when the entry is being freed, the
destructor won't attempt to remove it from the hash table.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To make sure that e.g. the short/NetBIOS domain name is available this
patch make sure that the responders send a get_domains request to their
backends at startup the collect the domain information or read it from
the cache if the backend is offline.
For completeness I added this to all responders even if they do not need
the information at the moment.
Fixes https://fedorahosted.org/sssd/ticket/1951
|
| |
|
|
|
| |
This allows the nss responder to use libsss_idmap to convert between
different SID representations.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1575
The hierarchy is now:
main_ctx -> responder_ctx -> specific_ctx
where specific_ctx is one of sudo, pam, etc.
|
| | |
|
| |
|
|
|
|
|
| |
The monitor sends calls different sbus methods to different responders.
Instead of including headers of the particular responders directly in
monitor, which breaks layering a little, create a common header file
that will be included from src/responder/common/
|
| |
|
|
|
| |
This set of functions enumerate the user's groups and invalidate them all
if the list does not matches what we get from the caller.
|
| |
|
|
|
| |
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1495
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If override_shell is specified in the [nss] section, all users
managed by SSSD will have their shell set to this value. If it is
specified in the [domain/DOMAINNAME] section, it will apply to
only that domain (and override the [nss] value, if any).
https://fedorahosted.org/sssd/ticket/1087
|
| | |
|
| |
|
|
|
|
|
| |
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113
|
| |
|
|
|
|
|
|
|
|
|
| |
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1318
|
| |
|
|
|
|
|
| |
This option will allow administrators to set a default shell to be
used if a user does not have one set in the identity provider.
https://fedorahosted.org/sssd/ticket/1289
|
| |
|
|
|
|
|
|
| |
This option is similar to override_homedir, except that it will
take effect only for users that do not have an explicit home
directory specified in LDAP.
https://fedorahosted.org/sssd/ticket/1250
|
| |
|
|
| |
Now it checks for subdomains as well as for the domain itself
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The function that handled pending requests on reconnect was checking an
orphaned global variable that was never used, redenring the whole function
uselsess.
This fixes a very nasty bug that was causing requests for which we never
received an answer for (for example because the backend failed and was
restarted) to be never removed and therefore causing a black hole effect for
any other request of the same type.
Fixes: https://fedorahosted.org/sssd/ticket/1229
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This code will now attempt first to see if it has privilege to set
the value as specified, and if not it will fall back to the
previous behavior. So on systems with the CAP_SYS_RESOURCE
capability granted to SSSD, it will be able to ignore the
limits.conf hard limit.
https://fedorahosted.org/sssd/ticket/1197
|
| |
|
|
|
|
|
| |
This patch will increase the file descriptor limit to 8k or the
limits.conf maximum, whichever is lesser.
https://fedorahosted.org/sssd/ticket/1197
|
