sssd2.git/src/db, branch master System Security Services Daemon [okos' clone] sysdb: add sysdb_search_object_by_sid() 2013-05-02T17:33:56+00:00 Sumit Bose sbose@redhat.com 2013-04-19T15:44:06+00:00 1e72a17f6527d47968032fc928f489dad10705ea The patch add a new sysdb to find objects based on their SID. Currently only the basic attributes needed to map SIDs to POSIX IDs and names are requested, but this list can be extended for future use cases. 
The patch add a new sysdb to find objects based on their SID. Currently
only the basic attributes needed to map SIDs to POSIX IDs and names are
requested, but this list can be extended for future use cases.
Only try to relink ghost users if we're not enumerating 2013-04-29T18:34:19+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-29T12:37:27+00:00 36c50faf2674a3ebd8a6458f3c53fb72a68d1f28 https://fedorahosted.org/sssd/ticket/1893 When SSSD is not enumerating (which is the default), we are trying to link any "ghost" entries with a newly created user entry. However, when enumeration is on, this means a spurious search on adding any user. 
https://fedorahosted.org/sssd/ticket/1893

When SSSD is not enumerating (which is the default), we are trying to
link any "ghost" entries with a newly created user entry. However, when
enumeration is on, this means a spurious search on adding any user.
Move SELinux processing to provider. 2013-03-19T16:50:53+00:00 Michal Zidek mzidek@redhat.com 2013-02-07T18:35:37+00:00 b42bb7d9dbf9a4c44a03e7bf1bab471a8a85e858 The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743 
The SELinux processing was distributed between provider and
pam responder which resulted in hard to maintain code. This
patch moves the logic to provider.

IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because
the provider also writes the content of selinux login
file to disk (which was done by responder before).

https://fedorahosted.org/sssd/ticket/1743
Fix initialization of multiple variables 2013-03-13T18:44:20+00:00 Ondrej Kos okos@redhat.com 2013-03-12T12:05:09+00:00 9f37bb2012faa136ef7c1f9fe93689ce2be85637 






Remove the alt_db_path parameter of sysdb_init
2013-03-05T16:41:56+00:00

Michal Zidek
mzidek@redhat.com

2013-03-05T15:23:14+00:00

2ba16c5a5c4b6d3cd2a44179186ec60eda828bcd

This parameter was never used.

https://fedorahosted.org/sssd/ticket/1765





This parameter was never used.

https://fedorahosted.org/sssd/ticket/1765







Use SSSD specific errors for offline auth
2013-03-04T22:40:25+00:00

Simo Sorce
simo@redhat.com

2012-11-21T21:52:33+00:00

ab967283b710dfa05d11ee5b30c7ac916486ceec

This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.





This prevents reportin false errors when internal functions return
a generic EINVAL or EACCES that should just be treated as internal
errors.







sysdb: try dealing with binary-content attributes
2013-02-26T16:16:58+00:00

Jan Engelhardt
jengelh@inai.de

2013-02-21T12:12:25+00:00

956309e24c32cd0886736bf065a27d5bdd200a77

https://fedorahosted.org/sssd/ticket/1818

I have here a LDAP user entry which has this attribute

	loginAllowedTimeMap::
	 AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA

In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)

Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.

The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.





https://fedorahosted.org/sssd/ticket/1818

I have here a LDAP user entry which has this attribute

	loginAllowedTimeMap::
	 AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA

In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)

Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.

The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.







Introduce IS_SUBDOMAIN() macro
2013-02-10T21:08:47+00:00

Simo Sorce
simo@redhat.com

2013-01-16T03:19:36+00:00

4f118e3e6a25762f40a43e6dbefb09f44adbef32

Fixes https://fedorahosted.org/sssd/ticket/1766





Fixes https://fedorahosted.org/sssd/ticket/1766







Change the way domains are linked.
2013-02-10T21:08:47+00:00

Simo Sorce
simo@redhat.com

2013-01-15T01:30:04+00:00

bba1a5fd62cffcae076d1351df5a83fbc4a6ec17

- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
  unused.
- Rework the way subdomains are refreshed.
  Now sysdb_update_subdomains() actually updates the current subdomains
  and marks as disabled the ones not found in the sysdb or add new ones
  found. It never removes them.
  Removal of missing domains from sysdb is deferred to the providers,
  which will perform it at refresh time, for the ipa provider that is
  done by ipa_subdomains_write_mappings() now.
  sysdb_update_subdomains() is then used to update the memory hierarchy
  of the subdomains.

- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()





- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
  unused.
- Rework the way subdomains are refreshed.
  Now sysdb_update_subdomains() actually updates the current subdomains
  and marks as disabled the ones not found in the sysdb or add new ones
  found. It never removes them.
  Removal of missing domains from sysdb is deferred to the providers,
  which will perform it at refresh time, for the ipa provider that is
  done by ipa_subdomains_write_mappings() now.
  sysdb_update_subdomains() is then used to update the memory hierarchy
  of the subdomains.

- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()







Remove sysdb_subdom completely
2013-02-10T21:08:47+00:00

Simo Sorce
simo@redhat.com

2013-01-14T21:47:51+00:00

95e94691178297f2b8225a83d43ae388cab04b45

struct sss_domain_info is always used to represent domains now.
Adjust tests accordingly.





struct sss_domain_info is always used to represent domains now.
Adjust tests accordingly.