summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Display the last grace warning, toosssd-1-9Jakub Hrozek2013-05-022-3/+3
| | | | | | | Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890
* Only try to relink ghost users if we're not enumeratingJakub Hrozek2013-04-292-4/+17
| | | | | | | | https://fedorahosted.org/sssd/ticket/1893 When SSSD is not enumerating (which is the default), we are trying to link any "ghost" entries with a newly created user entry. However, when enumeration is on, this means a spurious search on adding any user.
* Bump the version for the 1.9.6 releaseJakub Hrozek2013-04-291-1/+1
|
* Updating the translations for the 1.9.5 releasesssd-1_9_5Jakub Hrozek2013-04-2337-7844/+8842
|
* tests: Link the simple access tests with -ldlJakub Hrozek2013-04-221-0/+1
| | | | | | | | | | | | | | | | | | | | In SSSD, we use dlopen() and dlsym() in two files src/providers/data_provider_be.c and src/providers/proxy/proxy_init.c. Hence we should explicitly link with -ldl also in simple_access-tests. SSSD can be compiled with two crypto libraries nss or libcrypto. NSS has dependency nspr which depends on "libdl and libpthread" This is a reason why compilation of test did not fail even if -ldl was not explicitly added to simple_access_tests_LDADD. But libcrypto doesn't depend on libdl, so in this case compilation of tests will not be successful. Upstream nspr 4.9 has two ways have to obtain metainformation about libraries pkg-config and own script nspr-config. First one doesn't list "-ldl" "-lpthread" but second one lists both "-ldl" "-lpthread" That's also why the Ubuntu maintainer found this bug -- Fedora has got patched version of nspr, but Debian (Ubuntu) doesn't
* LDAP: do not invalidate pointer with realloc while processing ghost usersJakub Hrozek2013-04-191-3/+13
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1799 One peculiarity of the sysdb_attrs_get_el interface is that if the attribute does not exist, then the attrs array is reallocated and the element is created. But in case other pointers are already pointing into the array, the realloc might invalidate them. Such case was in the sdap_process_ghost_members function where if the group had no members, the "gh" pointer requested earlier might have been invalidated by the realloc in order to create the member element.
* Fix simple access group control in case-insensitive domainsJakub Hrozek2013-04-152-18/+11
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1880 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.
* Fix krbcc dir creation issue with MIT krb5 1.11Lukas Slebodnik2013-04-152-35/+85
| | | | | | | | | | | | | | | | In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir exists. If it doesn't exist, than it will be created with process permissions and not user permissions. Function cc_residual_is_used has already checked for non existing directory, but it wasn't considered to be a failure and therefore next call of krb5_init_context will create directory with wrong permissions. Now if directory doesn't exist, it will be handled like there was not ccache attribute in sysdb cache. We also check if "primary" file in ccache directory has right permissions. But we ignore missing "primary" file. https://fedorahosted.org/sssd/ticket/1822
* krb5: include backwards compatible declaration of krb5_trace_infoJakub Hrozek2013-04-152-2/+8
| | | | | | | krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11 includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info". Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
* sssd fails with readonly SELinux login filesMichal Zidek2013-04-121-1/+4
| | | | | | | Do not try to remove SELinux login file if SELinux support is not available. https://fedorahosted.org/sssd/ticket/1868
* Allocate PAM DP request data on responder contextJakub Hrozek2013-04-083-5/+54
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.
* sssd-1.8.0: work around a bug in cov-build from CoverityKamil Dudka2013-03-261-0/+3
|
* Document what does access_provider=ad doJakub Hrozek2013-03-211-0/+14
| | | | https://fedorahosted.org/sssd/ticket/1841
* ldap: Fallback option for rfc2307 schemaSimo Sorce2013-03-2114-11/+228
| | | | | | | | | | | Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
* Resolve GIDs in the simple access providerJakub Hrozek2013-03-195-307/+1033
| | | | | | | | | | | | | | Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
* Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek2013-03-191-0/+2
| | | | | | | | | | | The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
* Add unit tests for simple access test by groupsJakub Hrozek2013-03-191-32/+253
| | | | | | | I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.
* Provide a be_get_account_info_send functionJakub Hrozek2013-03-192-19/+149
| | | | | | | | | | | | | | In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
* krb5-utils-tests: remove invalid conditionPavel Březina2013-03-131-2/+0
| | | | | This condition is invalid because different_realm is not set, when EINVAL is returned. It can make the test fail sometimes.
* Debug message in sss_mc_create_file.Michal Zidek2013-03-071-0/+5
| | | | | | This patch adds debug message for the case if sssd fails to open old mc file for some other reason than the file does not exist.
* File descriptor leak in nss responder.Michal Zidek2013-03-071-18/+43
| | | | | | | | | File descriptors leaked every time sss_mmap_cache_reinit was called and also the old memory cache was still maped in memory (munmap was not called). This patch adds destructor for memory cache context to call close() and munmap() automaticly. https://fedorahosted.org/sssd/ticket/1826
* Don't treat 0 as default for pam_pwd_expiration warningJakub Hrozek2013-03-011-1/+2
|
* if selinux is disabled, ignore that selogin dir is missingPavel Březina2013-03-011-3/+15
| | | | https://fedorahosted.org/sssd/ticket/1817
* autofs: fix invalid header 'number of entries' in packetPavel Březina2013-03-011-1/+5
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1739 Pointer to packet body may change while filling packet with autofs mount points. As a consequence, we sometimes wrote the number of entries into invalid body and we recieved an arbitrary number on the client side. If the number was 0, there were some skipped entries. If the number was greater than 0, everything worked correctly, because we iterate through the cached entries until we reach packet length - we don't compare to the number.
* sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina2013-02-271-3/+7
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
* Remove enumerate=true from man sssd-ldapJakub Hrozek2013-02-261-1/+0
| | | | https://fedorahosted.org/sssd/ticket/1737
* sysdb: try dealing with binary-content attributesJan Engelhardt2013-02-264-7/+17
| | | | | | | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
* Fix the krb5 password expiration warningJakub Hrozek2013-02-211-1/+7
| | | | https://fedorahosted.org/sssd/ticket/1808
* subdomains: replace invalid characters with underscore in krb5 mapping file namePavel Březina2013-02-141-1/+25
| | | | | | | https://fedorahosted.org/sssd/ticket/1795 Only alpha-numeric chars, dashes and underscores are allowed in krb5 include directory.
* NSS: Add original homedir to home directory template optionsStephen Gallagher2013-02-106-8/+29
| | | | https://fedorahosted.org/sssd/ticket/1805
* Unchecked return value in files.cMichal Zidek2013-02-061-1/+9
| | | | | Found by coverity. https://fedorahosted.org/sssd/ticket/1791
* Don't use srcdir with testsJakub Hrozek2013-02-041-3/+3
| | | | Fixes build with automake 1.13 or newer.
* Fix minor grammar error in logStephen Gallagher2013-01-301-1/+1
|
* krb: recreate ccache if it was deletedPavel Březina2013-01-301-1/+8
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1512 If directory where a ccache file was stored was missing and user was still logged in, we erroneously considered the ccache file still active. Thus the ccache file was not recreated and user was unable to login.
* Bump the version to 1.9.5, reset release in RPMs to 0Jakub Hrozek2013-01-282-2/+2
| | | | https://fedorahosted.org/sssd/ticket/1787
* Updating the translations for the 1.9.4 releasesssd-1_9_4Jakub Hrozek2013-01-2838-4111/+16374
|
* nested groups: fix group lookup hangs if member dn is incorrectPavel Březina2013-01-281-0/+24
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* TOOLS: Compile on old platforms such as RHEL5Jakub Hrozek2013-01-282-37/+144
| | | | | Provides compatible declarations for modern file management functions such as futimens or opening with the O_CLOEXEC flag
* MAN: Clarify that saving users after enumerating large domain might be CPU ↵Jakub Hrozek2013-01-281-1/+9
| | | | | | intensive https://fedorahosted.org/sssd/ticket/1732
* SYSDB: Expire group if adding ghost users fails with EEXISTJakub Hrozek2013-01-231-2/+36
|
* SYSDB: make the sss_ldb_modify_permissive function publicJakub Hrozek2013-01-232-2/+11
|
* TOOLS: Use file descriptor to avoid races when creating a home directoryJakub Hrozek2013-01-234-354/+364
| | | | | | | | | | | When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
* TOOLS: Use openat/unlinkat when removing the homedirJakub Hrozek2013-01-231-42/+41
| | | | | | | | | | The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree. This security issue was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
* Check that strings do not go beyond the end of the packet body in autofs and ↵Jan Cholasta2013-01-232-7/+7
| | | | | | | | SSH requests. This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
* sudo responder: change num_rules type from size_t to uint32_tPavel Březina2013-01-227-25/+25
| | | | | | | | https://fedorahosted.org/sssd/ticket/1779 2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus.
* Convert the value of pwd_exp_warning to secondsJakub Hrozek2013-01-221-5/+6
| | | | | | | | When read from the domain section, the pwd_expiration_warning was properly converted to seconds from days, but not the pam_pwd_expiration_warning set in the [pam] section. https://fedorahosted.org/sssd/ticket/1773
* fix backend callbacks: remove callback properly from dlistPavel Březina2013-01-221-6/+18
| | | | | | | | https://fedorahosted.org/sssd/ticket/1776 Although cb->list got updated when the callback is removed, this change did not propagate to be_ctx->*_cb_list which caused dlist having invalid records.
* TOOLS: invalidate parent groups in memory cache, tooJakub Hrozek2013-01-214-8/+71
| | | | https://fedorahosted.org/sssd/ticket/1775
* LDAP: Compare lists of DNs when saving autofs entriesJakub Hrozek2013-01-213-137/+173
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
* Invalidate user entry even if there are no groupsJakub Hrozek2013-01-162-11/+8
| | | | | | | | | Related to https://fedorahosted.org/sssd/ticket/1757 Previously we would optimize the mc invalidate code for cases where the user was a member of some groups. But if the user was removed from the server while being in memory cache, we would only invalidate the mc record if he was a member of at least one supplementary group.
generated by cgit (git 2.34.1) at 2024-05-06 12:27:45 +0000