sssd.git/src/providers/ldap, branch subdommem System Security Services Daemon [okos' clone] LDAP: Use domain-specific name where appropriate 2013-07-24T11:52:33+00:00 Jakub Hrozek jhrozek@redhat.com 2013-07-23T10:55:25+00:00 bfd59d1a2d0d45125e5164ef12c425690d519f61 The subdomain users user FQDN in their name attribute. However, handling of whether to use FQDN in the LDAP code was not really good. This patch introduces a utility function and converts code that was relying on user/group names matching to this utility function. This is a temporary fix until we can refactor the sysdb API in #2011. 
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.

This is a temporary fix until we can refactor the sysdb API in #2011.
SIGCHLD handler: do not call callback when pvt data where freed 2013-07-17T13:01:51+00:00 Pavel Březina pbrezina@redhat.com 2013-06-24T12:53:27+00:00 711bba7e2f72a816774effa389ad13bcc46e7843 https://fedorahosted.org/sssd/ticket/1992 
https://fedorahosted.org/sssd/ticket/1992
print hint about password complexity when new password is rejected 2013-07-17T11:13:28+00:00 Pavel Březina pbrezina@redhat.com 2013-07-15T11:44:31+00:00 6f6e4408cedaebbfcef61e5adb78ba75abe5839d https://fedorahosted.org/sssd/ticket/1827 
https://fedorahosted.org/sssd/ticket/1827
LDAP: When resolving a SID, search for groups first, then users 2013-07-17T11:13:10+00:00 Jakub Hrozek jhrozek@redhat.com 2013-07-12T15:57:01+00:00 1bb04648878b7b3e3897484e7cfc2d11725c8014 https://fedorahosted.org/sssd/ticket/1997 Most of the time, the SIDs are resolved as a call coming from the PAC responder during initgroups. In that case at least, it makes sense to search for group matching that SID first, then users. We may consider making this behaviour configurable ie for the server mode where typically the users should be queried first. 
https://fedorahosted.org/sssd/ticket/1997

Most of the time, the SIDs are resolved as a call coming from the PAC
responder during initgroups. In that case at least, it makes sense to
search for group matching that SID first, then users.

We may consider making this behaviour configurable ie for the server
mode where typically the users should be queried first.
ldap: only update shadowLastChange when password change is successful 2013-07-01T13:14:36+00:00 Jim Collins github@collins-fam.com 2013-06-27T20:10:44+00:00 1e7275d3f075973f868c480dbfbe1219c1885585 https://fedorahosted.org/sssd/ticket/1999 ldap_auth.c code which was added to SSSD for updating the shadowLastChange when "ldap_chpass_update_last_change" option is enabled updates shadowLastChange even when the PAM password change status reports failure. We should only update shadowLastChange on PAM password change success or we open up a work around for users to avoid changing their passwords periodically as required by policy. The user simply attempts to change password, fails by trying to set new password which invalid (denied due to password history check) yet shadowLastChange is updated, avoiding their need to actually change the password they are using. 
https://fedorahosted.org/sssd/ticket/1999

ldap_auth.c code which was added to SSSD for updating the
shadowLastChange when "ldap_chpass_update_last_change" option is
enabled updates shadowLastChange even when the PAM password change
status reports failure.

We should only update shadowLastChange on PAM password change success or
we open up a work around for users to avoid changing their passwords
periodically as required by policy. The user simply attempts to change
password, fails by trying to set new password which invalid (denied due
to password history check) yet shadowLastChange is updated, avoiding
their need to actually change the password they are using.
AD: Move storing sdap_domain for subdomain to generic LDAP code 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T11:00:41+00:00 4e3ba17a3376b635cb0d9ae60a6d4e712ded01a0 Makes creating the sdap_domain structure for a subdomain reusable outside AD subdomain code where it was created initially. Subtask of: https://fedorahosted.org/sssd/ticket/1962 
Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.

Subtask of:
    https://fedorahosted.org/sssd/ticket/1962
LDAP: Add utility function sdap_copy_map 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-19T16:06:14+00:00 7ed4988618decf0a8efa0dedd722a84d748bf868 The AD subdomains will only use default options values. This patch introduces a new utility function sdap_copy_map() that copies the default options map. Subtask of: https://fedorahosted.org/sssd/ticket/1962 
The AD subdomains will only use default options values. This patch
introduces a new utility function sdap_copy_map() that copies the
default options map.

Subtask of:
https://fedorahosted.org/sssd/ticket/1962
Replace new_subdomain() with find_subdomain_by_name() 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-27T15:07:36+00:00 b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7 new_subdomain() will create a new domain object and should not be used anymore in the priovder code directly. Instead a reference to the domain from the common domain object should be used. 
new_subdomain() will create a new domain object and should not be used
anymore in the priovder code directly. Instead a reference to the domain
from the common domain object should be used.
Replace SDAP_ID_MAPPING checks with sdap_idmap_domain_has_algorithmic_mapping 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-12T13:47:26+00:00 b56b06e199f15a8a840b36bc7cb8010e39ae761d Currently the decision if external or algorithmic mapping should be used in the LDAP or AD provider was based on the value of the ldap_id_mapping config option. Since now all information about ID mapping is handled by libsss_idmap the check for this options can be replace with a call which checks the state via libss_idmap. https://fedorahosted.org/sssd/ticket/1961 
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this options can be replace with a call which
checks the state via libss_idmap.

https://fedorahosted.org/sssd/ticket/1961
Add sdap_idmap_domain_has_algorithmic_mapping() 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-27T10:48:49+00:00 b2c7b6fe7a6b9ef3af8d4d3037fe83d6e9bfd6a5 This patch implements a wrapper for sss_idmap_domain_has_algorithmic_mapping() for the sdap ID mapping. Fixes https://fedorahosted.org/sssd/ticket/1960 
This patch implements a wrapper for
sss_idmap_domain_has_algorithmic_mapping() for the sdap ID mapping.

Fixes https://fedorahosted.org/sssd/ticket/1960