sssd.git/src/providers/ipa, branch subdommem System Security Services Daemon [okos' clone] Fix possible dereference of a NULL pointer. 2013-07-23T16:18:03+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-07-23T14:04:02+00:00 bbb7ba8890908613b1b723746e091aed740af9f9 We check if function ipa_get_ad_id_ctx returns NULL, but function ipa_get_ad_id_ctx could never return NULL. This issue was found by scan-build. 
We check if function ipa_get_ad_id_ctx returns NULL,
but function ipa_get_ad_id_ctx could never return NULL.
This issue was found by scan-build.
KRB5: Do not send PAC in server mode 2013-07-23T12:18:03+00:00 Jakub Hrozek jhrozek@redhat.com 2013-07-19T05:36:28+00:00 48657b5de36a63b0c13ed5d53065871d59d8f10b The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case. 
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
Fix the default FQDN format 2013-07-19T15:49:43+00:00 Jakub Hrozek jhrozek@redhat.com 2013-07-19T15:28:26+00:00 d5e8c3a1290d68d07362a119e63121156ad448df Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN format by accident to the one we only ever user internally. This commit fixes the mistake. 
Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN
format by accident to the one we only ever user internally. This commit
fixes the mistake.
IPA: warn if full_name_format is customized in server mode 2013-07-19T11:47:05+00:00 Jakub Hrozek jhrozek@redhat.com 2013-07-12T13:19:02+00:00 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c https://fedorahosted.org/sssd/ticket/2009 If the IPA server mode is on and the SSSD is running on the IPA server, then the server's extdom plugin calls getpwnam_r to read info about trusted users from the AD server and return them to the clients that called the extended operation. The SSSD returns the subdomain users fully-qualified, ie "user@domain" by default. The format of the fully qualified name is configurable. However, the extdom plugin returns the user name without the domain component. With this patch, when ipa_server_mode is on, warn if the full_name_format is set to a non-default value. That would prompt the admin to change the format if he changed it to something exotic. 
https://fedorahosted.org/sssd/ticket/2009

If the IPA server mode is on and the SSSD is running on the IPA server,
then the server's extdom plugin calls getpwnam_r to read info about trusted
users from the AD server and return them to the clients that called the
extended operation.

The SSSD returns the subdomain users fully-qualified, ie "user@domain"
by default. The format of the fully qualified name is configurable.

However, the extdom plugin returns the user name without the domain
component.

With this patch, when ipa_server_mode is on, warn if the full_name_format
is set to a non-default value. That would prompt the admin to change the
format if he changed it to something exotic.
IPA: Look up AD users directly if IPA server mode is on 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T08:51:19+00:00 3d28e0e560b787b5c57ed7327d184310342a7e38 https://fedorahosted.org/sssd/ticket/1962 If the ipa_server_mode is selected IPA subdomain user and group lookups are not done with the help of the extdom plugin but directly against AD using the AD ID code. 
https://fedorahosted.org/sssd/ticket/1962

If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.
IPA: Create and remove AD id_ctx for subdomains discovered in server mode 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T11:20:50+00:00 418e6ccd116eced7ccc75aca999a4c37c67289ba When IPA server mode is on, then this patch will create an ad_id_ctx for each subdomain discovered in IPA provider. The ID context is needed to perform direct lookups using the AD provider. Subtask of: https://fedorahosted.org/sssd/ticket/1962 
When IPA server mode is on, then this patch will create an ad_id_ctx for
each subdomain discovered in IPA provider. The ID context is needed to
perform direct lookups using the AD provider.

Subtask of:
https://fedorahosted.org/sssd/ticket/1962
IPA: Initialize server mode ctx if server mode is on 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T08:50:44+00:00 f8a4a5f6240156809e1b5ef03816f673281e3fa0 This patch introduces a new structure that holds information about a subdomain and its ad_id_ctx. This structure will be used only in server mode to make it possible to search subdomains with a particular ad_id_ctx. Subtask of: https://fedorahosted.org/sssd/ticket/1962 
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.

Subtask of:
https://fedorahosted.org/sssd/ticket/1962
IPA: Add a server mode option 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-17T07:32:07+00:00 0249e8d37920f59fd70bdafa4f6706a05ae523c1 https://fedorahosted.org/sssd/ticket/1993 SSSD needs to know that it is running on an IPA server and should not look up trusted users and groups with the help of the extdom plugin but do the lookups on its own. For this a new boolean configuration option, is introduced which defaults to false but is set to true during ipa-server-install or during updates of the FreeIPA server if it is not already set. 
https://fedorahosted.org/sssd/ticket/1993

SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option, is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set.
Save mpg state for subdomains 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-27T19:49:26+00:00 09d7c105839bfc7447ea0f766413ed86675ca075 The information of a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache. 
The information of a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache.
IPA: read ranges before subdomains 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-28T16:44:49+00:00 20ccfd63a17dc15dd24e6543424d86913d511c4b Since FreIPA will start to support external mapping for trusted domains as well the range type for the domain must be know before the domain object is created. The reason is that external mapping will not use magic private groups (mpg) while algorithmic mapping will use them. 
Since FreIPA will start to support external mapping for trusted domains
as well the range type for the domain must be know before the domain
object is created. The reason is that external mapping will not use
magic private groups (mpg) while algorithmic mapping will use them.