| Commit message | Author | Age | Files | Lines |
| |
https://fedorahosted.org/sssd/ticket/1869
Currently the private data passed to the PAM request is a structure
allocated on the client context. But in the odd case where the back end
would be stopped or stuck until the idle timeout hits, the DP callback
would access data that were freed when the client timed out.
This patch introduces a new structure allocated on responder context,
whose only purpose is to live as long as the request is active.
| |
The paging control can cause issues on servers that put limits on how
many paging controls can be active at one time (on some servers, it is
limited to one per connection). We need to reduce our usage so that we
only activate the paging control when making a request that may return an
arbitrary number of results.
| |
Fixes https://fedorahosted.org/sssd/ticket/967
Conflicts:
src/config/SSSDConfig.py
src/config/etc/sssd.api.d/sssd-ipa.conf
src/config/etc/sssd.api.d/sssd-ldap.conf
src/man/sssd-ldap.5.xml
src/providers/ipa/ipa_common.c
src/providers/ipa/ipa_common.h
src/providers/ldap/ldap_common.c
src/providers/ldap/sdap.h
| |
In case a service is restarted while the DP is not ready yet, it gets
restarted again immediately, which means the DP might still not be
ready. The allowed number of restarts is then depleted quickly.
This patch changes the restart mechanism such that the first restart
happens immediately, the second is scheduled after 2 seconds, then 4
etc.
https://fedorahosted.org/sssd/ticket/1528
| |
Provides compatible declarations for modern file management functions
such as futimens or opening with the O_CLOEXEC flag
| |
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard
links.
This security problem was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
| |
The removal of a home directory is sensitive to concurrent modification
of the directory tree being removed and can unlink files outside the
directory tree.
This security issue was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
| |
backport of
https://fedorahosted.org/sssd/changeset/20e53344fbdfa215ff7633630feb10458a0274b9
| |
backport of
https://fedorahosted.org/sssd/changeset/4134936f56911686e908dbd6bc9634767f399e3d
| |
backport of
https://fedorahosted.org/sssd/changeset/6a9bdb6289bb374d203861cef16f312185725cbc
| |
don't fetch all host groups if this option is false
https://fedorahosted.org/sssd/ticket/1078
| |
Also rename it to sysdb_attrs_get_el_ext()
| |
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectively marking the whole nesting
level as done.
| |
These two functions were almost identical. Better to maintain them
as a single function.
Conflicts:
src/responder/common/responder_common.c
| |
This code will now attempt first to see if it has privilege to set
the value as specified, and if not it will fall back to the
previous behavior. So on systems with the CAP_SYS_RESOURCE
capability granted to SSSD, it will be able to ignore the
limits.conf hard limit.
https://fedorahosted.org/sssd/ticket/1197
Conflicts:
src/config/SSSDConfig.py
src/config/SSSDConfigTest.py
src/config/etc/sssd.api.conf
| |
This patch will increase the file descriptor limit to 8k or the
limits.conf maximum, whichever is lesser.
https://fedorahosted.org/sssd/ticket/1197
| |
https://fedorahosted.org/sssd/ticket/1130
| |
https://fedorahosted.org/sssd/ticket/1227
Conflicts:
src/providers/ipa/ipa_access.h
src/providers/ipa/ipa_init.c
| |
We want to consume this in the IPA provider.
| |
Note we set MSG_NOSIGNAL to avoid
having to fiddle with signal masks
but also do not want to die in case
SIGPIPE gets raised and the application
does not handle it.
| |
This function alters the memory hierarchy of the be_req
to ensure memory safety during shutdown. It creates a
spy on the be_cli object so that it will free the be_req
if the client is freed.
It is generally allocated atop the private data context
for the appropriate back-end against which it is being
filed.
https://fedorahosted.org/sssd/ticket/1226
| |
When the ldap child process is killed after a timeout, try the next KDC.
When none of the ldap child processes succeed, just abort the connection
because we wouldn't be able to authenticate to the LDAP server anyway.
https://fedorahosted.org/sssd/ticket/1324
| |
https://fedorahosted.org/sssd/ticket/1214
| |
Allows to be more concise in tests and more defensive in resolve
callbacks
| |
For older platforms, do not add the 'realm' line in
the update message
| |
In a heavy load environment, sometimes the failover service record
would be updated and free the URI value. We need to guarantee that
this URI string remains valid throughout the entire request.
https://fedorahosted.org/sssd/ticket/1139
| |
The original return code when SSSD was not running was system_err, now
it is authinfo_unavail.
https://fedorahosted.org/sssd/ticket/1011
| |
Glib fails if the NULL-terminator is included when a length is specified.
| |
https://fedorahosted.org/sssd/ticket/1100
| |
Glib fails if the NULL-terminator is included when a length is
specified.