sssd.git/src/providers/ad, branch saveldapsid System Security Services Daemon [okos' clone] AD: Set the bool value same as default value in opts 2013-07-19T11:51:17+00:00 Jakub Hrozek jhrozek@redhat.com 2013-07-16T17:07:09+00:00 35872dc24058c5e8028cb4082fd405a27835dcd1 https://fedorahosted.org/sssd/ticket/2023 When the option values are copied using dp_opt_copy_map, the .val member is used if it's not NULL. At the same time, the bool options are never NULL, unlike integers or strings that can have special NULL-like values such as NULL_STRING. This effectively means that when copying a bool option, the .val member is always used. But in the AD maps, some .val fields were set differently from the .def_val fields. The effect was that when the AD subdomain provider was initialized from IPA subdomain provider using only the defaults, some options (notably referral chasing) were set to a value that didn't make sense for the AD provider. This patch makes sure that for all boolean option, the .val is always the same as .def_val. 
https://fedorahosted.org/sssd/ticket/2023

When the option values are copied using dp_opt_copy_map, the .val member
is used if it's not NULL. At the same time, the bool options are never
NULL, unlike integers or strings that can have special NULL-like values
such as NULL_STRING. This effectively means that when copying a bool
option, the .val member is always used.

But in the AD maps, some .val fields were set differently from the
.def_val fields. The effect was that when the AD subdomain provider was
initialized from IPA subdomain provider using only the defaults, some
options (notably referral chasing) were set to a value that didn't make
sense for the AD provider.

This patch makes sure that for all boolean option, the .val is always
the same as .def_val.
IPA: Look up AD users directly if IPA server mode is on 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T08:51:19+00:00 3d28e0e560b787b5c57ed7327d184310342a7e38 https://fedorahosted.org/sssd/ticket/1962 If the ipa_server_mode is selected IPA subdomain user and group lookups are not done with the help of the extdom plugin but directly against AD using the AD ID code. 
https://fedorahosted.org/sssd/ticket/1962

If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.
AD: Move storing sdap_domain for subdomain to generic LDAP code 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T11:00:41+00:00 4e3ba17a3376b635cb0d9ae60a6d4e712ded01a0 Makes creating the sdap_domain structure for a subdomain reusable outside AD subdomain code where it was created initially. Subtask of: https://fedorahosted.org/sssd/ticket/1962 
Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.

Subtask of:
    https://fedorahosted.org/sssd/ticket/1962
AD: initialize failover with custom realm, domain and failover service 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T08:49:05+00:00 59415636c92c6e9764ddc65a85ad61002310519d This is needed so we can initialize failover using IPA realm and on-the-fly discovered DNS domain. The subdomains discovered on-thefly will use the subdomain name for realm, domain and failover service to avoid conflicts. Subtaks of: https://fedorahosted.org/sssd/ticket/1962 
This is needed so we can initialize failover using IPA realm and
on-the-fly discovered DNS domain. The subdomains discovered on-thefly
will use the subdomain name for realm, domain and failover service to
avoid conflicts.

Subtaks of:
https://fedorahosted.org/sssd/ticket/1962
AD: decouple ad_id_ctx initialization 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-17T16:32:53+00:00 ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9 The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers. Subtask of: https://fedorahosted.org/sssd/ticket/1962 
The IPA subdomain code will perform lookups on its own in the server
mode. For this, the AD provider must offer a way to initialize the
ad_id_ctx for external consumers.

Subtask of:
https://fedorahosted.org/sssd/ticket/1962
Save mpg state for subdomains 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-27T19:49:26+00:00 09d7c105839bfc7447ea0f766413ed86675ca075 The information of a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache. 
The information of a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache.
Replace new_subdomain() with find_subdomain_by_name() 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-27T15:07:36+00:00 b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7 new_subdomain() will create a new domain object and should not be used anymore in the priovder code directly. Instead a reference to the domain from the common domain object should be used. 
new_subdomain() will create a new domain object and should not be used
anymore in the priovder code directly. Instead a reference to the domain
from the common domain object should be used.
Add now options ldap_min_id and ldap_max_id 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-12T10:17:08+00:00 eceefd520802efe356d413a13247c5f68d8e27c8 Currently the range for Posix IDs stored in an LDAP server is unbound. This might lead to conflicts in a setup with AD and trusts when the configured domain uses IDs from LDAP. With the two noe options this conflict can be avoided. 
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
AD: Write out domain-realm mappings 2013-06-27T16:43:57+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-26T20:39:41+00:00 58dd26b1c5b60ee992dd5d1214bb168aebb42d54 This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains. 
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains.
AD: kinit with the local DC even when talking to a GC 2013-06-26T21:37:33+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-26T14:23:32+00:00 ba95f1c434b430f0db7fddbd865af10488ecab17 We tried to use the GC address even for kinit which gave us errors like: "Realm not local to KDC while getting initial credentials". This patch adds a new AD_GC service that is only used for ID lookups, any sort of Kerberos operations are done against the local servers. 
We tried to use the GC address even for kinit which gave us errors like:
"Realm not local to KDC while getting initial credentials".

This patch adds a new AD_GC service that is only used for ID lookups,
any sort of Kerberos operations are done against the local servers.