summaryrefslogtreecommitdiffstats
path: root/src/responder
Commit message (Collapse)AuthorAgeFilesLines
* PAC: Skip SIDs that cannot be resolved to domainJakub Hrozek2013-08-261-2/+4
|
* PAC: use SID instead of GID to search for groupsSumit Bose2013-08-261-48/+41
| | | | | | | With the support of POSIX IDs managed on the AD side we may find non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in the PAC. Since in this case all cached groups have a SDI attribute it is more reliable to search the groups by SID instead of GID.
* PAC: do not fail if a single group cannot be added/removedSumit Bose2013-08-261-18/+31
| | | | | When processing a list of groups we try to process as much as possible only not stop on the first error.
* PAC: read user DN instead of constructing itSumit Bose2013-08-261-5/+17
| | | | | | To avoid issues with case-sensitivity it is more reliable to search the user entry in the cache and use the returned DN instead of constructing it.
* PAC: handle non-POSIX groups in cacheSumit Bose2013-08-262-11/+9
| | | | | Since the DN of the group is used to remove a membership it is not necessary to check if the GID is valid.
* PAC: do not create users with missing GIDSumit Bose2013-08-261-0/+14
| | | | | If the user entry does not exist in the cache and a primary GID cannot be found it does not make sense to create a user entry.
* PAC: if user entry already exists keep itSumit Bose2013-08-263-86/+10
| | | | | | | | | | | | | | | | | Currently the PAC responder deletes a user entry and recreates it if some attributes seems to be different. Two of the attributes where the home directory and the shell of the user. Those two attributes are not available from the PAC but where generates by the PAC responder. The corresponding ID provider might have better means to determine those attributes, e.g. read them from LDAP, so we shouldn't change them here. The third attribute is the user name. Since the PAC responder does lookups only based on the UID we can wait until the ID provider updates the entry. Fixes https://fedorahosted.org/sssd/ticket/1996
* pam: Bad debug message format and parameter.Michal Zidek2013-08-221-1/+2
|
* mmap_cache: Use sss_atomic_write_s instead of write.Michal Zidek2013-08-221-2/+11
| | | | | | | | Use sss_atomic_write_s() instead of write() in sss_mc_save_corrupted(). Also unlink() the file if no data were written. It is better to use sss_atomic_write_s instead of write
* mmap_cache: Store corrupted mmap cache before resetMichal Zidek2013-08-191-0/+66
| | | | | This patch adds function to store corrupted mmap cache file to disk for further analysis.
* mmap_cache: Use better checks for corrupted mc in responderMichal Zidek2013-08-191-3/+53
| | | | | We introduced new way to check integrity of memcache in the client code. We should use similiar checks in the responder.
* mmap_cache: Off by one error.Michal Zidek2013-08-191-6/+6
| | | | | Removes off by one error when using macro MC_SIZE_TO_SLOTS and adds new macro MC_SLOT_WITHIN_BOUNDS.
* fill_initgr: add original primary GID if availableSumit Bose2013-08-191-0/+27
| | | | | | | | | | | | | In some cases when MPG domains are used the information about the original primary group of a user cannot be determined by looking at the explicit group memberships. In those cases the GID related to the original primary group is stored in a special attribute of the user object. This patch adds the GID of the original primary group when available and needed. Fixes https://fedorahosted.org/sssd/ticket/2027
* mmap_cache: Check if slot and name_ptr are not invalid.Michal Zidek2013-08-112-2/+54
| | | | | | | This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not proper solution, just hotfix until we find out what is the root cause of ticket https://fedorahosted.org/sssd/ticket/2018
* PAM: Set negcache if user is not found after provider checkJakub Hrozek2013-08-081-0/+10
|
* PAM: Check negcache when searching for fully qualified users, tooJakub Hrozek2013-08-081-0/+8
|
* NSS: Clear cached netgroups if a request comes in from the sss_cacheLukas Slebodnik2013-08-083-0/+54
| | | | | | | In order for sss_cache to work correctly, we must also signal the nss responder to invalidate the hash table requests. https://fedorahosted.org/sssd/ticket/1759
* NSS: allow removing entries from netgroup hash tableLukas Slebodnik2013-08-083-1/+32
| | | | | | | | | There is a timed desctructor in the nss responder that, when the entry timeout passes, removes the netgroup from the hash table while the netgroup is freed. This patch adds a hash delete callback so that if the netgroup is removed from the hash table with hash_delete, its hash table pointer will be invalidated. Later, when the entry is being freed, the destructor won't attempt to remove it from the hash table.
* SSH: Ensure that cmd_ctx->name will not be NULL.Lukas Slebodnik2013-08-051-4/+6
| | | | | | | | If cmd_ctx->name was not initialized by sss_parse_name then copy of name will be used. https://fedorahosted.org/sssd/ticket/1970 Coverity ID: 11647
* Fix netgroup lookup when using fully qualified namePavel Březina2013-07-311-2/+2
|
* Netgroups should ignore the 'use_fully_qualified_names' settingStephen Gallagher2013-07-291-8/+6
| | | | | | | | | | | Netgroups often have memberNisNetgroup entries included in them that will never process correctly if we require fully-qualified names on the nested lookup. This patch alters the behavior of netgroup lookups to check *all* domains for an unqualified netgroup name, instead of only the ones not requiring fully- qualified names. https://fedorahosted.org/sssd/ticket/2013
* Remove unused memory contextLukas Slebodnik2013-07-291-6/+6
|
* SUDO: realloc with sizeof(uint32_t) when adding uint32_tJakub Hrozek2013-07-221-1/+1
|
* Do not try to set password when authtok_length is zeroOndrej Kos2013-07-181-2/+6
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1814 When the authtok_length is zero, it shouldn't call sss_authtok_set_password, because it tries to determine lenght of passed string by itself and would read parts of DBus message behind boundaries of authtok.
* remove unused variablePavel Březina2013-07-161-4/+0
|
* Remove unused function parameterLukas Slebodnik2013-07-161-3/+1
|
* Missing space in debug messageMichal Zidek2013-07-151-2/+2
|
* Do not call sss_cmd_done in function check_cache.Lukas Slebodnik2013-06-271-6/+0
| | | | | | | | Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done was called. Inside of function sss_cmd_done memory was freed, but this freed memory was used in caller functions, therefore sssd crashed. https://fedorahosted.org/sssd/ticket/1980
* Handle too many results from getnetgr.Lukas Slebodnik2013-06-271-1/+13
|
* SSH: Update known_hosts file after unsuccessful requests as well.Jan Cholasta2013-06-271-20/+36
| | | | https://fedorahosted.org/sssd/ticket/1949
* sudo responder: use different callback for oob refreshPavel Březina2013-06-271-6/+8
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1693 Since we don't care about returned values from out of band refresh, we do not need to set callback data. However, this caused talloc to abort as it considers it as type mismatch when called from tevent_req_callback_data().
* PAC: do not delete originalDN or cached password if presentSumit Bose2013-06-241-1/+26
| | | | | | | | | | | If the PAC responder recognizes some attribute changes between the cached user entry and the PAC data it quite crudely just removes the cached entry and recreates it. While in most cases all needed data can be recovered from the PAC data there is a case where it is not possible. E.g the IPA HBAC code use the OriginalDN attribute to improve performance when evaluating access rules. This patch makes sure this attribute is not lost when the PAC responder updates the object.
* PAC: do not expect that sysdb_search_object_by_sid() return ENOENTSumit Bose2013-06-191-8/+8
| | | | | | | sysdb_search_object_by_sid() does not return ENOENT if no related object was found in the cache but EOK and an empty result list. Fixes https://fedorahosted.org/sssd/ticket/1989
* New utility function sss_get_domain_nameJakub Hrozek2013-06-072-19/+10
| | | | | Instead of copying a block of code that checks whether domain is a subdomain and uses only name of FQDN as appropriate, wrap the logic into a function.
* Enhance PAC responder for AD usersSumit Bose2013-06-063-927/+659
| | | | | | | | | | | This patch modifies the PAC responder so that it can be used with the AD provider as well. The main difference is that the POSIX UIDs and GIDs are now lookup up with the help of the SID instead of being calculated algorithmically. This was necessary because the AD provider allows either algorithmic mapping or reading the value from attributes stored in AD. Fixes https://fedorahosted.org/sssd/ticket/1558
* Lookup domains at startupSumit Bose2013-06-048-0/+89
| | | | | | | | | | | | To make sure that e.g. the short/NetBIOS domain name is available this patch make sure that the responders send a get_domains request to their backends at startup the collect the domain information or read it from the cache if the backend is offline. For completeness I added this to all responders even if they do not need the information at the moment. Fixes https://fedorahosted.org/sssd/ticket/1951
* Remove branching to improve readabilityJakub Hrozek2013-05-301-23/+11
|
* Allow flat name in the FQname formatJakub Hrozek2013-05-301-3/+3
| | | | | | | https://fedorahosted.org/sssd/ticket/1648 Adds another expansion in the printf format that allows the user to use the domain flat name in the format.
* Add utility functions for formatting fully-qualified namesJakub Hrozek2013-05-303-34/+22
| | | | | | Instead of using printf-like functions directly, provide two wrappers that would encapsulate formatting the fully-qualified names. No functional change is present in this patch.
* Fixing critical format string issues.Lukas Slebodnik2013-05-207-14/+25
| | | | | | --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
* sudo responder: search rules for subdomains in parent domain subtreePavel Březina2013-05-101-0/+5
| | | | | | | | https://fedorahosted.org/sssd/ticket/1912 SUDO rules are stored under cn=ipa.domain,cn=sysdb tree but sobdomains users are in cn=sub.domain,cn=sysdb. When we search for rules for subdomain users we have to switch domain context to parent.
* Add missing \n to debug stringSumit Bose2013-05-101-1/+1
|
* SSH: Do not skip domains with use_fully_qualified_names in host key requestsJan Cholasta2013-05-071-6/+0
|
* SSH: Use separate field for domain name in client requestsJan Cholasta2013-05-071-27/+64
| | | | | Instead of appending @domain to names when the --domain option of sss_ssh_* is used, put domain name in a separate field in client requests.
* SSH: Fix parsing of names from client requestsJan Cholasta2013-05-073-3/+30
| | | | | | Try to parse names in the form user@domain first, as that's what sss_ssh_* send in requests when the --domain option is used. Do not parse host names using domain-specific regular expression.
* Add SID related calls to the NSS responderSumit Bose2013-05-032-3/+795
| | | | | | | | | | The patch adds 4 new calls to the NSS responder: - SSS_NSS_GETSIDBYNAME - SSS_NSS_GETSIDBYID - SSS_NSS_GETNAMEBYSID - SSS_NSS_GETIDBYSID to either return the SIDs of the requested object or map the SID to the name or the POSIX ID of the related object.
* Add sss_ncache_set_sid() and sss_ncache_check_sid()Sumit Bose2013-05-022-0/+31
| | | | | Two new calls are added to allow to add SID based lookups to the negative cache.
* Add responder_get_domain_by_id()Sumit Bose2013-05-022-0/+52
| | | | | | | | | | | This new call is similar to responder_get_domain() but uses the domain SID as search parameter. Since the length of the stored domain SID is used in the comparison, SIDs of users and groups and be used directly without stripping the RID component. The functionality is not merged into responder_get_domain() to allow to calculate the timeout correctly and return a specific error code if the entry is expired.
* Add idmap context to nss contextSumit Bose2013-05-022-0/+22
| | | | | This allows the nss responder to use libsss_idmap to convert between different SID representations.
* Add two new request types to the data-provider interfaceSumit Bose2013-05-022-1/+9
| | | | | | | The patch adds two new request types for SID related requests. The first one is used if a SID is given and the corresponding object should be found. The second one can be used if the SID for an object is requested but it is not clear if the object is a user or a group.
generated by cgit (git 2.34.1) at 2026-04-05 00:10:41 +0000