sssd.git/src, branch sid2 System Security Services Daemon [okos' clone] sudo: do not strdup usn on ENOENT 2013-08-26T09:53:49+00:00 Pavel Březina pbrezina@redhat.com 2013-08-22T11:58:27+00:00 2211abf772cb8b28356e57b8c64a4328c9b2c3dc If USN attribute is not present, we call strdup on uninitialized variable. This may cause segfault, or if we are lucky and usn is NULL it will return ENOMEM. 
If USN attribute is not present, we call strdup on uninitialized
variable. This may cause segfault, or if we are lucky and
usn is NULL it will return ENOMEM.
sudo: do not fail to store the rule if we can't read usn 2013-08-26T09:50:23+00:00 Pavel Březina pbrezina@redhat.com 2013-08-22T12:04:38+00:00 9b43a2a6462b07075d403dbd5de487cbe7ada92c Resolves: https://fedorahosted.org/sssd/ticket/2052 
Resolves:
https://fedorahosted.org/sssd/ticket/2052
PAC: Skip SIDs that cannot be resolved to domain 2013-08-26T09:49:17+00:00 Jakub Hrozek jhrozek@redhat.com 2013-08-25T13:22:36+00:00 59a95122d6bf4e271e79443cfc8caab5831c2ae3 






PAC: use SID instead of GID to search for groups
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-08T16:29:48+00:00

05cf2b70adde257df3657f449635c917b0e96a52

With the support of POSIX IDs managed on the AD side we may find
non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in
the PAC. Since in this case all cached groups have a SDI attribute it is
more reliable to search the groups by SID instead of GID.





With the support of POSIX IDs managed on the AD side we may find
non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in
the PAC. Since in this case all cached groups have a SDI attribute it is
more reliable to search the groups by SID instead of GID.







PAC: do not fail if a single group cannot be added/removed
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-08T14:56:06+00:00

76916fe11832bcd84e033c0cc2329def278d642d

When processing a list of groups we try to process as much as possible
only not stop on the first error.





When processing a list of groups we try to process as much as possible
only not stop on the first error.







PAC: read user DN instead of constructing it
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-08T12:09:42+00:00

5aab4d1092681508cdf32777efdb2a7e5e6e3f0a

To avoid issues with case-sensitivity it is more reliable to search the
user entry in the cache and use the returned DN instead of constructing
it.





To avoid issues with case-sensitivity it is more reliable to search the
user entry in the cache and use the returned DN instead of constructing
it.







PAC: handle non-POSIX groups in cache
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-08T10:35:12+00:00

e5aa9ba0df9f30e32a86453727beabed8a9e4e27

Since the DN of the group is used to remove a membership it is not
necessary to check if the GID is valid.





Since the DN of the group is used to remove a membership it is not
necessary to check if the GID is valid.







PAC: do not create users with missing GID
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-06T09:10:10+00:00

5c28b1bdb9f180590bdfec947bd2df52351912a8

If the user entry does not exist in the cache and a primary GID cannot
be found it does not make sense to create a user entry.





If the user entry does not exist in the cache and a primary GID cannot
be found it does not make sense to create a user entry.







PAC: if user entry already exists keep it
2013-08-26T09:44:42+00:00

Sumit Bose
sbose@redhat.com

2013-08-01T10:40:24+00:00

1e9930690691360d8963eecea4918b36b6d51013

Currently the PAC responder deletes a user entry and recreates it if
some attributes seems to be different.

Two of the attributes where the home directory and the shell of the
user. Those two attributes are not available from the PAC but where
generates by the PAC responder. The corresponding ID provider might have
better means to determine those attributes, e.g. read them from LDAP, so
we shouldn't change them here.

The third attribute is the user name. Since the PAC responder does
lookups only based on the UID we can wait until the ID provider updates
the entry.

Fixes https://fedorahosted.org/sssd/ticket/1996





Currently the PAC responder deletes a user entry and recreates it if
some attributes seems to be different.

Two of the attributes where the home directory and the shell of the
user. Those two attributes are not available from the PAC but where
generates by the PAC responder. The corresponding ID provider might have
better means to determine those attributes, e.g. read them from LDAP, so
we shouldn't change them here.

The third attribute is the user name. Since the PAC responder does
lookups only based on the UID we can wait until the ID provider updates
the entry.

Fixes https://fedorahosted.org/sssd/ticket/1996







DP: Notify propperly when removing PAC responder
2013-08-24T16:19:20+00:00

Ondrej Kos
okos@redhat.com

2013-08-05T14:34:33+00:00

f88f09876e2018bd08e19d84ad1ab66f72cac8fd

Adds pac_cli be_client structure pointer, to indetify and log the PAC
responder termination correctly.





Adds pac_cli be_client structure pointer, to indetify and log the PAC
responder termination correctly.