sssd2.git/src/external, branch master System Security Services Daemon [okos' clone] DNS sites support - add AD SRV plugin 2013-05-02T14:48:12+00:00 Pavel Březina pbrezina@redhat.com 2013-04-16T13:41:33+00:00 a679f0167b646cffdae86546ed77e105576991b0 https://fedorahosted.org/sssd/ticket/1032 
https://fedorahosted.org/sssd/ticket/1032
DB: Switch to new libini_config API 2013-04-25T22:26:26+00:00 Ondrej Kos okos@redhat.com 2013-03-28T14:35:03+00:00 7de6e3534fd61c7619ed34a6b1afe7230b5e6504 https://fedorahosted.org/sssd/ticket/1786 Since we need to support the old interface as well, the configure scritp is modified and correct ini interface is chosen. 
https://fedorahosted.org/sssd/ticket/1786

Since we need to support the old interface as well, the configure scritp
is modified and correct ini interface is chosen.
Allow usage of enterprise principals 2013-04-22T13:33:40+00:00 Sumit Bose sbose@redhat.com 2013-03-25T16:41:19+00:00 edaa983d094c239c3e1ba667bcd20ed3934be3b8 Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842 
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.

If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.

To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.

Fixes https://fedorahosted.org/sssd/ticket/1842
Provide libnl3 support 2013-03-27T19:15:52+00:00 Ondrej Kos okos@redhat.com 2013-02-18T13:43:19+00:00 539b1be3507abdf8ac235b06eeed5011b0b5cde2 https://fedorahosted.org/sssd/ticket/812 Update the monitor code to be using the new libnl3 API. Changed configure option --with-libnl By default, it tries to build with libnl3, if not found, then with libnl1, if this isn't found either, build proceeds without libnl, just with warning. Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given version, if not found, configure ends with error. 
https://fedorahosted.org/sssd/ticket/812

Update the monitor code to be using the new libnl3 API.

Changed configure option
--with-libnl

By default, it tries to build with libnl3, if not found, then with
libnl1, if this isn't found either, build proceeds without libnl, just
with warning.

Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given
version, if not found, configure ends with error.
Move signal.m4 from src/util to external 2013-03-21T16:41:56+00:00 Jakub Hrozek jhrozek@redhat.com 2013-03-18T13:49:27+00:00 6b0a7c72bb841d6885a620c68bd51d55109b66c7 






Making the ldb check configurable
2013-03-20T11:28:55+00:00

Lukas Slebodnik
lslebodn@redhat.com

2013-03-13T10:09:11+00:00

ec26d836b1b2a41ec2692976a539da51f261412b

It is possible to enable/disable checking in LDB memberof plugin
whether it was built against the same version of LDB that is present
on the system. This feature is turned off by default
and enabled in Fedora/RHEL spec file.

https://fedorahosted.org/sssd/ticket/1813





It is possible to enable/disable checking in LDB memberof plugin
whether it was built against the same version of LDB that is present
on the system. This feature is turned off by default
and enabled in Fedora/RHEL spec file.

https://fedorahosted.org/sssd/ticket/1813







Detect the presence of libcmocka during configure
2013-03-08T21:19:26+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-02-12T13:47:35+00:00

a5077712fc8c24e8cad08207b7b5a6603bde6a7c












Add support for krb5 1.11's responder callback.
2013-03-08T20:58:03+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-03-08T17:06:10+00:00

b40583c6d52b72e41bf01106534535e54b4fba4f

krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.

This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).





krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.

This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).







krb5: include backwards compatible declaration of krb5_trace_info
2013-02-11T14:42:17+00:00

Jakub Hrozek
jhrozek@redhat.com

2013-02-04T16:30:48+00:00

4e78fab6a1b2e9653a7959cbdb7d54bb750041d0

krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".

Do the same in the SSSD to allow compiling with both 1.10 and 1.11.





krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".

Do the same in the SSSD to allow compiling with both 1.10 and 1.11.







BUILD: Temporary workaround for Kerberos build
2012-11-20T08:02:50+00:00

Stephen Gallagher
sgallagh@redhat.com

2012-11-19T15:41:06+00:00

ff4e9f4d59368004b3917a86dc82c24deb47d905

This patch extends the Kerberos version check to support Kerberos
version 1.11 alpha and later. It is a temporary measure until we
can redesign the configure checks for better granularity.





This patch extends the Kerberos version check to support Kerberos
version 1.11 alpha and later. It is a temporary measure until we
can redesign the configure checks for better granularity.