| Commit message (Collapse) | Author | Age | Files | Lines |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
The responder and child_common modules each had their own
implementation. Unify it instead and add a unit test.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
Many areas of the responders perform an expiration check and refresh
of cached objects during single or multiple domain searches. This code
is duplicated in many areas of the code with small or no
modifications.
This interface aims to reduce code duplication between responders
by providing one universal API for requesting cached objects.
This API will take care of cache lookup, expiration check, cache
refresh, out-of-band cache requests and negative cache in both single
and multi-domain searches.
Reviewed-by: Michal Židek <mzidek@redhat.com>
sysdb_search_object_by_sid returns ENOENT if no results are found.
Part of solution for:
https://fedorahosted.org/sssd/ticket/1991
Fixes:
https://fedorahosted.org/sssd/ticket/2520
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
This patch makes it more discoverable for the admin to find typos in the
various user lists. Typically, the user lists are used to add access to
some feature and printing a syslog message would make sure the admin
sees the mistake.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
The pam_public_domains option and matching the domain requested by a
trusted process were handled in a case-sensitive manner, which is different
from how we normally match domain names in SSSD.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
The IFP code wasn't honoring the case settings of the domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/2506
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Keeping a per-request flag in a global structure is really dangerous.
Reviewed-by: Sumit Bose <sbose@redhat.com>
https://fedorahosted.org/sssd/ticket/2501
Moving the checks to one place has the advantage of not duplicating
security decisions. Previously, the checks were scattered all over the
responder code, making testing hard.
The disadvantage is that we actually check for the presence of the user,
which might trigger some back end lookups. But I think the benefits
outweigh the disadvantage.
Also only check the requested domains from a trusted client. An untrusted
client should simply have no say in what domains it wants to talk to; the
'domains' option should be ignored.
Reviewed-by: Sumit Bose <sbose@redhat.com>
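The two commit messages above state a rule (domain names are matched case-insensitively, and only a trusted client's requested domain list is honoured) without showing it as code. The block below is an added illustration written for this page; it is not SSSD's implementation, and the function names, the comma-separated list format and the "public domains" parameter are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added example, not SSSD code.  Is 'dom' one of the entries of the
 * comma-separated list 'list'?  Entries are compared case-insensitively
 * and surrounding whitespace is ignored, so "AD.Example.COM" matches
 * "ad.example.com, ipa.example.com".  A NULL or empty list matches nothing. */
bool domain_in_list_example(const char *list, const char *dom)
{
    const char *p = list;
    size_t dom_len;

    if (list == NULL || dom == NULL || *dom == '\0') {
        return false;
    }
    dom_len = strlen(dom);

    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t n = end != NULL ? (size_t)(end - p) : strlen(p);

        /* Trim whitespace around the entry. */
        while (n > 0 && isspace((unsigned char)*p)) { p++; n--; }
        while (n > 0 && isspace((unsigned char)p[n - 1])) { n--; }

        if (n == dom_len && strncasecmp(p, dom, n) == 0) {
            return true;
        }
        if (end == NULL) {
            break;
        }
        p = end + 1;
    }
    return false;
}

/* One place for the access decision (hypothetical API).  An untrusted
 * client's requested 'domains' option is ignored entirely and the client
 * is limited to the public domains; a trusted client is limited to the
 * domains it asked for, or to all domains when it asked for none. */
bool domain_access_allowed_example(bool client_trusted,
                                   const char *requested_domains,
                                   const char *public_domains,
                                   const char *dom)
{
    if (!client_trusted) {
        /* The client-supplied list never influences the decision. */
        return domain_in_list_example(public_domains, dom);
    }
    if (requested_domains == NULL || *requested_domains == '\0') {
        return true;
    }
    return domain_in_list_example(requested_domains, dom);
}
```

The point of routing every caller through one function is the one the commit message makes: the trusted/untrusted distinction is decided once, so a new responder command cannot forget it, and the case-insensitive comparison cannot drift between call sites.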
Reviewed-by: Pavel Reichl <preichl@redhat.com>
src/responder/nss/nsssrv_cmd.c:688: mixed_enum_type: enumerated type mixed with
another type
"enum sss_dp_acct_type" was mixed with type "int". ANSI C is not very
strict about this.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Since the IPA clients expect that the extdom plugin delivers the
default view data for a given user, this patch adds the public SSH key to
the list of returned attributes of the getorigbyname request so that it
can be sent back to the clients.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
With this patch the SSH public key override attribute is read from the
FreeIPA server and saved in the cache with the other override data.
Since it is possible to have multiple public SSH keys, this override
value does not replace any other data but will be added to the existing
values.
Fixes https://fedorahosted.org/sssd/ticket/2454
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
With the new parameter an attribute list other than the default one can
be used.
Override attributes with multiple values (e.g. SSH public keys) are now
supported as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
To allow IPA clients to offer special attributes of AD users from a
trusted domain, the extdom plugin on the IPA server must send them to the
clients. The extdom plugin already uses sss_nss_getorigbyname() to get
attributes like the SID and the user principal name. This patch adds the
attributes given by the NSS/IFP user_attributes option to the list of
attributes returned by sss_nss_getorigbyname().
Fixes https://fedorahosted.org/sssd/ticket/2464
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Disable midpoint refresh for netgroups if periodic refresh of expired
netgroups is enabled (refresh_expired_interval).
Resolves:
https://fedorahosted.org/sssd/ticket/2102
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
About case_sensitive=preserving and services.
The name of the service can be preserved in the result of 'getent
service'. However, we should still lowercase the protocol and service
aliases because they serve as keys in some queries to sysdb. The
lowercasing is done by the provider already. If we did not do that, we
would lose case insensitivity.
With this patch the responder preserves the case of the service name and
protocol, to match the case that is stored in the sysdb (however, the
protocol is already lowercased by the provider, so this was done only
for consistent use of the case_sensitive=preserve option in the
responders, and only the case of the name is the same as in LDAP).
Fixes:
https://fedorahosted.org/sssd/ticket/2460
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Resolves: https://fedorahosted.org/sssd/ticket/2468
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/2468
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/2470
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
The view/override patches introduced an issue with group enumeration
where all groups are returned with the same name. This patch should fix
it.
Fixes: https://fedorahosted.org/sssd/ticket/2475
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/2219
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Allow skipping initialization of the pipe file descriptor
if the responder context already has one.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Move creation of the file descriptor for pipes into a
helper function and make this function public.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Adds the NSS responder to the list of services known to work as a
non-root user and becomes the specified user after starting the NSS
responder.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
We need a custom function that would convert a numeric or string input
into uid_t. The function will be used to drop privileges in servers and
also in the PAC and IFP responders.
Includes a unit test to test all code that changed as well as a fix for
a misnamed attribute in the csv_to_uid_list function synopsis.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
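The commit message above describes a helper that turns either a numeric string or a user name into a uid_t for dropping privileges, but the log page carries no code. The block below is an added example written for this page, not SSSD's function; the name sss_uid_from_string_example() and the error-code convention are assumptions, and the strictness choices (no sign, no surrounding whitespace, no "123abc") are the author's, not necessarily the project's.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not SSSD code: convert "1000" or "sssd" into a uid_t.
 * Returns 0 and stores the uid in *out on success.  Returns EINVAL for
 * empty or ambiguous input, ERANGE for numbers that do not fit uid_t,
 * and ENOENT (or the errno getpwnam() reported) for an unknown name.
 * A privilege-drop helper must never fall back to uid 0 on bad input,
 * so every failure path leaves *out untouched and returns an error. */
int sss_uid_from_string_example(const char *input, uid_t *out)
{
    char *end = NULL;
    unsigned long long val;
    struct passwd *pw;

    if (input == NULL || *input == '\0' || out == NULL) {
        return EINVAL;
    }

    /* Input starting with a digit is taken as a numeric uid.  strtoull()
     * would silently accept a leading sign or whitespace, so only a bare
     * digit string reaches it; "123abc" is rejected as ambiguous rather
     * than being tried as a user name. */
    if (input[0] >= '0' && input[0] <= '9') {
        errno = 0;
        val = strtoull(input, &end, 10);
        if (errno == ERANGE) {
            return ERANGE;
        }
        if (*end != '\0') {
            return EINVAL;
        }
        if (val > (unsigned long long)(uid_t)-1) {
            return ERANGE;
        }
        *out = (uid_t)val;
        return 0;
    }

    /* Anything else is resolved as a user name through the passwd
     * database (NSS), which is exactly what the server will use later. */
    errno = 0;
    pw = getpwnam(input);
    if (pw == NULL) {
        return errno != 0 ? errno : ENOENT;
    }
    *out = pw->pw_uid;
    return 0;
}

/* Convenience wrapper for the usage below: the uid on success, or the
 * negated error code (for example -EINVAL) on failure. */
long long sss_uid_example_value(const char *input)
{
    uid_t uid;
    int ret = sss_uid_from_string_example(input, &uid);
    return ret == 0 ? (long long)uid : -(long long)ret;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        long long v = sss_uid_example_value(argv[i]);
        if (v >= 0) {
            printf("%s -> uid %lld\n", argv[i], v);
        } else {
            printf("%s -> error: %s\n", argv[i], strerror((int)-v));
        }
    }
    return 0;
}
```

Run it as `./a.out 1000 root nobody 4294967296 12ab` to see the three outcomes: a numeric uid, a resolved name, and the rejected inputs. Note that "4294967295" is accepted because it fits uid_t even though it is the conventional "no uid" sentinel; a caller that treats (uid_t)-1 specially should add that check itself.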
Adds new command line options --uid and --gid to all SSSD servers,
making it possible to switch to another user ID if needed.
So far all code still runs as root.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Make sure that the original name of an object without any overrides
applied is returned by sid2name requests.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Make group lookups view and override aware.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Make sysdb request view and override aware.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
For user lookups, view and override aware calls to search the cache and
read attribute values are used.
Relates to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch adds a new request to the nss responder which follows the
same flow as a SSS_NSSGETSIDBYNAME request but returns more data than
just the SID. The data is returned as pairs of \0-terminated strings
where the first string is the sysdb attribute name and the second the
corresponding value.
The main use case is on the FreeIPA server to make additional user and
group data available to the extdom plugin, which then sends this data to
SSSD running on FreeIPA clients.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
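The commit message above describes the reply format as pairs of \0-terminated strings (sysdb attribute name, then value) but shows no consumer. The block below is an added example written for this page, not SSSD's or the extdom plugin's parser: it walks such a buffer and refuses anything truncated mid-string or ending in a name without a value. It assumes the buffer handed in contains only the pairs (any header the real protocol may carry before them is not modelled), and the sample reply, the struct and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAIRS 16

/* Added example, not SSSD code. */
struct attr_pair {
    const char *name;
    const char *value;
};

/* Parse up to max_pairs (name, value) pairs of \0-terminated strings from
 * buf[0..len).  Returns the number of pairs, or -1 when the input is
 * malformed: a string with no terminating \0 inside the buffer, an empty
 * attribute name, a name with no value, or more pairs than out[] holds.
 * The returned pointers alias buf, so buf must outlive the result. */
int parse_attr_pairs_example(const char *buf, size_t len,
                             struct attr_pair *out, int max_pairs)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        const char *name, *value, *nul;

        nul = memchr(buf + pos, '\0', len - pos);
        if (nul == NULL || nul == buf + pos) {
            return -1;                  /* unterminated or empty name */
        }
        name = buf + pos;
        pos = (size_t)(nul - buf) + 1;

        if (pos >= len) {
            return -1;                  /* name without a value */
        }
        nul = memchr(buf + pos, '\0', len - pos);
        if (nul == NULL) {
            return -1;                  /* unterminated value */
        }
        value = buf + pos;
        pos = (size_t)(nul - buf) + 1;

        if (count >= max_pairs) {
            return -1;                  /* caller's array is too small */
        }
        out[count].name = name;
        out[count].value = value;
        count++;
    }
    return count;
}

/* Look up a value by attribute name; NULL when absent. */
const char *attr_pairs_get_example(const struct attr_pair *pairs, int count,
                                   const char *name)
{
    for (int i = 0; i < count; i++) {
        if (strcmp(pairs[i].name, name) == 0) {
            return pairs[i].value;
        }
    }
    return NULL;
}

/* Constructed sample reply body (not captured from a real server).  Each
 * string literal ends its value with an explicit \0; sizeof() would also
 * count the literal's implicit trailing \0, which the parser would see as
 * an empty name, hence the "- 1". */
static const char sample_resp[] =
    "objectSIDString\0S-1-5-21-1-2-3-1104\0"
    "originalADuserPrincipalName\0tuser@ad.example.com\0";
#define SAMPLE_RESP_LEN (sizeof(sample_resp) - 1)

/* Parse only the first len bytes of the sample, to show how truncation
 * (for example a short read from the socket) is reported. */
int parse_prefix_example(size_t len)
{
    struct attr_pair pairs[MAX_PAIRS];
    return parse_attr_pairs_example(sample_resp, len, pairs, MAX_PAIRS);
}

const char *sample_lookup_example(const char *name)
{
    static struct attr_pair pairs[MAX_PAIRS];
    int n = parse_attr_pairs_example(sample_resp, SAMPLE_RESP_LEN,
                                     pairs, MAX_PAIRS);
    return n < 0 ? NULL : attr_pairs_get_example(pairs, n, name);
}

int main(void)
{
    struct attr_pair pairs[MAX_PAIRS];
    int n = parse_attr_pairs_example(sample_resp, SAMPLE_RESP_LEN,
                                     pairs, MAX_PAIRS);
    for (int i = 0; i < n; i++) {
        printf("%s = %s\n", pairs[i].name, pairs[i].value);
    }
    return n < 0;
}
```

The length-bounded memchr() calls are the whole point: a consumer that walks the reply with strlen() or strchr() trusts the peer to have terminated every string, and a truncated or hostile reply would read past the buffer.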