| Commit message | Author | Age | Files | Lines |
| |
Fix creation of mixed user/group "member" attribute for RFC2307bis
group entries in ldap_ent.py.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit c65de71bc38753320b9fd6f6fe1386244a2ff54a)
| |
Use a function to generate basic sssd.conf in test_ldap.py to reduce
code duplication.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 472800eda2ef4dfa3a738806d7adbc52be3fbe9c)
| |
Split ldap_test.py fixtures into several functions to allow for partial
fixtures and direct use within tests.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 19c2d951059498703c28aea2ce2d9c3db71a8820)
| |
Support passing all user attributes to ldap_ent.py's user-creation
functions, in integration tests.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit c423ad75a56b199083463a2714c8fbfd6e8edcc8)
| |
Don't use the global LDAP_BASE_DN in integration tests and fixtures, but
instead take it from the LDAP connection object (ldap_conn) passed to
them explicitly. This makes the tests and fixtures a bit more modular.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit a190e39ea4f2c084091be1cd37a3c6e3b603540e)
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6c2e507bd1571f9c7e26c5c9d60753b29fb75578)
| |
Since msgs is attached to tmp_ctx then all the strings are freed
with tmp_ctx. Now steal the strings to objs.
Resolves:
https://fedorahosted.org/sssd/ticket/2826
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 3119225929463aecfbb1a7fc953263736955271e)
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 220a4cbb7fcf30d954b2b4fecd62887373aa8764)
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 1bf0ada00f59c153fe00853394508021d0ff9b24)
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 8ded8b2f4a57d1833fd230307218d8b07a571785)
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 374268c5eda35e8bbc2fef30752299199439cffe)
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 391b81f2a78a812a87530e0c50c70d59150f49eb)
| |
Parsed name or UPN is now stored in input->name instead of touching
orig_name and storing the original name in raw_name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 2fce47f2dadd10d2a2c8bf9f03ab7094bc6c6b3a)
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 3688374991afb34bbaf2b7843683fc13dd77879d)
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 28ebfa4373d1e7ce45b5d70a3619df1c074a661e)
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit d8125f0e0d38c6939887a0849a44859d6c498c57)
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit afb21fd06690a0bec288a7970abf74ed2ea7dfdc)
| |
https://fedorahosted.org/sssd/ticket/2810
Provides a new AD common function ad_ldap_conn_list() that creates a
list of AD connections to use along with properties to avoid mistakes
when manually constructing these lists.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 309aa83d16b5919f727af04850bcd0799ba0962f)
| |
Memory context was not freed therefore we got stuck in tevent loop
that mocks D-Bus.
Resolves:
https://fedorahosted.org/sssd/ticket/2759
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit e51143e3e67c70b86dd9a67cb7e802dd96f989e1)
| |
Relax the check on UID or GID just to check if at least one of them is
present but do not require them to be positive numbers.
Add requirement on objectclass attributes to be user or group to make
check more reliable.
Resolves:
https://fedorahosted.org/sssd/ticket/2800
(cherry picked from commit 6735c0451d4e80d7cd4b480a8c1f7dafb2b536ea)
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
The crash described by ticket #2802 is caused by providing NULL options
in popt and yet trying to iterate over them. Instead of simply testing
for NULL this patch creates a new option table that merges several
option tables together, thus improving and simplifying usage string.
Resolves:
https://fedorahosted.org/sssd/ticket/2802
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit bda8039465a0084fb380e878c8f9ea3e900505ea)
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2811
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 2e76b32e74abedb23665808bacc73cafd1097c37)
| |
Only group and user records are cached in memory cache so only timeouts
for those are checked.
Resolves:
https://fedorahosted.org/sssd/ticket/2176
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Reviewed-by: Petr Cech <pcech@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2805
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
sh$ printf "ABC" | base64 -d
base64: invalid input
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
It seems that clang expected that errno can change to 0
in case of error. It might be a bug in static analyzer.
But the workaround does not change the logic and
the errno is read just once.
| |
There were errors in configure script when /bin/sh was not bash
./configure: 15889: test: xfedora: unexpected operator
./configure: 19981: test: xyes: unexpected operator
./configure: 23103: test: x1: unexpected operator
The equality operator "==" works in bash but it's not a standard.
The man page test(1) also does not mention it.
There is only short version "="
STRING1 = STRING2
the strings are equal
| |
Required for:
https://fedorahosted.org/sssd/ticket/2639
Instead of calling ipa_get_ad_acct_send directly, call a new request
ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and
either tries to request a new keytab every time the lookup fails but the
domain is online.
be_mark_dom_offline() is called when the retry fails with the new code.
The retry tries to re-setup the trusted domain. With two-way setups, the
request is a no-op. With one-way trust setups, the request re-fetches
new keytab unconditionally.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
If a server that is expanded from a SRV query was reset, only its
'meta-server' status was set to neutral, but the server->common
structure still retained its not_working status.
This patch also resets the status of the common structure so that both
the SRV query and resolving the server are retried next time.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Required for:
https://fedorahosted.org/sssd/ticket/2639
Previously, we had a function that allowed the caller to reset the
status of all services in the global fail over context. This patch adds
a new function that allows the caller to reset a single service instead.
The main user would be IPA subdomain provider that might need to reset
the status of an AD trusted domain on demand.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Required for:
https://fedorahosted.org/sssd/ticket/2639
Expose a request ipa_server_trusted_dom_setup_send that sets up a
trusted domain. The setup might include actions like retrieving a keytab
for one-way trusts.
Creating the AD ID context for the trusted domain is now done in the
caller of this new request.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Add a way to set pam specific options in
pam_test_setup and use it to set the
p11_child_timeout value to 30.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
| |
Resolves https://fedorahosted.org/sssd/ticket/2803
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
The variable will be zero if getifaddrs succeeds
and therefore wrong error code will be returned
in case of insufficient memory (talloc_zero failed)
Reviewed-by: Pavel Reichl <preichl@redhat.com>
| |
nsupdate fails definitely if any of the update requests fails when GSSAPI is used.
As a tmp solution, nsupdate is executed for each update.
Resolves:
https://fedorahosted.org/sssd/ticket/2783
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Information about usergroup membership is stored in the memberOf
attribute. And information about hostgroup membership is stored
in originalMemberOf.
This patch adds appropriate memberOf attributes
for searching in.
Ticket: https://fedorahosted.org/sssd/ticket/2275
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
In case domains overlap, we might download multiple objects. To avoid
saving them all, we attempt to filter out the objects from foreign
domains.
We can only do this optimization for non-wildcard lookups.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
The function shouldn't be placed in the LDAP tree, but in the SDAP tree
to make it usable from tests without linking to libraries that are
normally linked from LDAP provider (such as confdb)
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
This handy function should be reused by other parts of the code.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
https://fedorahosted.org/sssd/ticket/2723
In case there are overlapping sdap domains, a search for a single user
might match and return multiple entries. For instance, with AD domains
represented by search bases:
DC=win,DC=trust,DC=test
DC=child,DC=win,DC=trust,DC=test
A search for user from win.trust.test would be based at:
DC=win,DC=trust,DC=test
but would match both search bases and return both users.
Instead of performing complex filtering, just save both users. The
responder would select the entry that matches the user's search.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Short version of --debug is not accepted.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
| |
https://fedorahosted.org/sssd/ticket/2637
In server mode, we should not allow the AD lookups to set the backend
offline. Rather just let them report an error and deal with the error
separately.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
https://fedorahosted.org/sssd/ticket/2637
Avoid going offline in cases where SSSD is connected to a child domain
but the root domain is not accessible.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Required for:
https://fedorahosted.org/sssd/ticket/2637
Rather mark the domain as inactive. It will be marked as active later,
in the meantime the main domain can continue to work online and
subdomain requests will be answered from cache.
The lookup request itself just returns a special error code and lets the
caller handle the error code as appropriate (normally by disabling the
subdomain temporarily).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
https://fedorahosted.org/sssd/ticket/2637
If a subdomain is in the disabled state, switch krb5_child operation
into offline mode.
Similarly, instead of marking the whole back end as offline, mark just
the domain as offline -- depending on the domain type, this would mark
the whole back end or just inactivate subdomain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
fallback to
Required for:
https://fedorahosted.org/sssd/ticket/2637
The AD lookup code honors the ignore_mark_offline flag in the sense that
if it's set, the sdap return code is not reported to the upper layer,
but EOK is returned as request status and the sdap return code is
returned separately.
This patch modifies the behaviour further to only apply if there is
another connection to fall back to.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>