sssd.git/src/responder/pac, branch token2

PAC: Skip SIDs that cannot be resolved to domain

2013-08-26T09:49:17+00:00

PAC: use SID instead of GID to search for groups

2013-08-26T09:44:42+00:00

With the support of POSIX IDs managed on the AD side we may find
non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in
the PAC. Since in this case all cached groups have a SDI attribute it is
more reliable to search the groups by SID instead of GID.

PAC: do not fail if a single group cannot be added/removed

2013-08-26T09:44:42+00:00

When processing a list of groups we try to process as much as possible
only not stop on the first error.

PAC: read user DN instead of constructing it

2013-08-26T09:44:42+00:00

To avoid issues with case-sensitivity it is more reliable to search the
user entry in the cache and use the returned DN instead of constructing
it.

PAC: handle non-POSIX groups in cache

2013-08-26T09:44:42+00:00

Since the DN of the group is used to remove a membership it is not
necessary to check if the GID is valid.

PAC: do not create users with missing GID

2013-08-26T09:44:42+00:00

If the user entry does not exist in the cache and a primary GID cannot
be found it does not make sense to create a user entry.

PAC: if user entry already exists keep it

2013-08-26T09:44:42+00:00

Currently the PAC responder deletes a user entry and recreates it if
some attributes seems to be different.

Two of the attributes where the home directory and the shell of the
user. Those two attributes are not available from the PAC but where
generates by the PAC responder. The corresponding ID provider might have
better means to determine those attributes, e.g. read them from LDAP, so
we shouldn't change them here.

The third attribute is the user name. Since the PAC responder does
lookups only based on the UID we can wait until the ID provider updates
the entry.

Fixes https://fedorahosted.org/sssd/ticket/1996

PAC: do not delete originalDN or cached password if present

2013-06-24T13:17:20+00:00

If the PAC responder recognizes some attribute changes between the
cached user entry and the PAC data it quite crudely just removes the
cached entry and recreates it. While in most cases all needed data can
be recovered from the PAC data there is a case where it is not possible.

E.g the IPA HBAC code use the OriginalDN attribute to improve
performance when evaluating access rules. This patch makes sure this
attribute is not lost when the PAC responder updates the object.

PAC: do not expect that sysdb_search_object_by_sid() return ENOENT

2013-06-19T18:16:48+00:00

sysdb_search_object_by_sid() does not return ENOENT if no related object
was found in the cache but EOK and an empty result list.

Fixes https://fedorahosted.org/sssd/ticket/1989

New utility function sss_get_domain_name

2013-06-06T22:14:13+00:00

Instead of copying a block of code that checks whether domain is a subdomain
and uses only name of FQDN as appropriate, wrap the logic into a function.