sssd.git/src/providers/ad, branch token System Security Services Daemon [okos' clone] krb5: Fetch ccname template from krb5.conf 2013-08-28T09:00:03+00:00 Stephen Gallagher sgallagh@redhat.com 2013-08-27T17:36:41+00:00 dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9a In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036 
In order to use the same defaults in all system daemons that needs to know how
to generate or search for ccaches we introduce ode here to take advantage of
the new option called default_ccache_name provided by libkrb5.

If set this variable we establish the same default for all programs that surce
it out of krb5.conf therefore providing a consistent experience across the
system.

Related:
https://fedorahosted.org/sssd/ticket/2036
AD: Use the correct include guard 2013-08-19T09:13:01+00:00 Jakub Hrozek jhrozek@redhat.com 2013-08-16T23:08:59+00:00 93192ebe1deb221e081b452ee7fadc4fea931f13 






AD: Cast SASL callbacks to propper type
2013-08-09T16:06:29+00:00

Ondrej Kos
okos@redhat.com

2013-08-07T13:18:31+00:00

483728c1f9719e419830cce93b7e411370a5364b

The initialization of ad_sasl_callbacks raised an incompatible pointer
type warning. This was caused because the cyrus-sasl API hasa changed.
The callback function list needs to be cast now.





The initialization of ad_sasl_callbacks raised an incompatible pointer
type warning. This was caused because the cyrus-sasl API hasa changed.
The callback function list needs to be cast now.







sssd_ad: Add hackish workaround for sasl ad_compat
2013-08-06T19:43:47+00:00

Simo Sorce
simo@redhat.com

2013-08-02T13:26:10+00:00

fb945a2cacc5506a2acb50349670f22078f1d4f5

This tries to set the ad_compat option for sasl, by working around
the openldap/sasl initialization as openldap does not allow us to pass
down to sasl our own getopt callback.

Resolves:
https://fedorahosted.org/sssd/ticket/2040





This tries to set the ad_compat option for sasl, by working around
the openldap/sasl initialization as openldap does not allow us to pass
down to sasl our own getopt callback.

Resolves:
https://fedorahosted.org/sssd/ticket/2040







KRB5: Do not send PAC in server mode
2013-07-23T12:18:03+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-07-19T05:36:28+00:00

48657b5de36a63b0c13ed5d53065871d59d8f10b

The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.





The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.







AD: Set the bool value same as default value in opts
2013-07-19T11:51:17+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-07-16T17:07:09+00:00

35872dc24058c5e8028cb4082fd405a27835dcd1

https://fedorahosted.org/sssd/ticket/2023

When the option values are copied using dp_opt_copy_map, the .val member
is used if it's not NULL. At the same time, the bool options are never
NULL, unlike integers or strings that can have special NULL-like values
such as NULL_STRING. This effectively means that when copying a bool
option, the .val member is always used.

But in the AD maps, some .val fields were set differently from the
.def_val fields. The effect was that when the AD subdomain provider was
initialized from IPA subdomain provider using only the defaults, some
options (notably referral chasing) were set to a value that didn't make
sense for the AD provider.

This patch makes sure that for all boolean option, the .val is always
the same as .def_val.





https://fedorahosted.org/sssd/ticket/2023

When the option values are copied using dp_opt_copy_map, the .val member
is used if it's not NULL. At the same time, the bool options are never
NULL, unlike integers or strings that can have special NULL-like values
such as NULL_STRING. This effectively means that when copying a bool
option, the .val member is always used.

But in the AD maps, some .val fields were set differently from the
.def_val fields. The effect was that when the AD subdomain provider was
initialized from IPA subdomain provider using only the defaults, some
options (notably referral chasing) were set to a value that didn't make
sense for the AD provider.

This patch makes sure that for all boolean option, the .val is always
the same as .def_val.







IPA: Look up AD users directly if IPA server mode is on
2013-06-28T20:22:20+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-06-19T08:51:19+00:00

3d28e0e560b787b5c57ed7327d184310342a7e38

https://fedorahosted.org/sssd/ticket/1962

If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.





https://fedorahosted.org/sssd/ticket/1962

If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.







AD: Move storing sdap_domain for subdomain to generic LDAP code
2013-06-28T20:22:20+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-06-19T11:00:41+00:00

4e3ba17a3376b635cb0d9ae60a6d4e712ded01a0

Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.

Subtask of:
    https://fedorahosted.org/sssd/ticket/1962





Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.

Subtask of:
    https://fedorahosted.org/sssd/ticket/1962







AD: initialize failover with custom realm, domain and failover service
2013-06-28T20:22:20+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-06-19T08:49:05+00:00

59415636c92c6e9764ddc65a85ad61002310519d

This is needed so we can initialize failover using IPA realm and
on-the-fly discovered DNS domain. The subdomains discovered on-thefly
will use the subdomain name for realm, domain and failover service to
avoid conflicts.

Subtaks of:
https://fedorahosted.org/sssd/ticket/1962





This is needed so we can initialize failover using IPA realm and
on-the-fly discovered DNS domain. The subdomains discovered on-thefly
will use the subdomain name for realm, domain and failover service to
avoid conflicts.

Subtaks of:
https://fedorahosted.org/sssd/ticket/1962







AD: decouple ad_id_ctx initialization
2013-06-28T20:22:20+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-06-17T16:32:53+00:00

ebc6ab564dc2a0a2b08c42d727fc403dde4a2dc9

The IPA subdomain code will perform lookups on its own in the server
mode. For this, the AD provider must offer a way to initialize the
ad_id_ctx for external consumers.

Subtask of:
https://fedorahosted.org/sssd/ticket/1962





The IPA subdomain code will perform lookups on its own in the server
mode. For this, the AD provider must offer a way to initialize the
ad_id_ctx for external consumers.

Subtask of:
https://fedorahosted.org/sssd/ticket/1962