sssd.git/src/confdb, branch sssctl Unnamed repository; edit this file 'description' to name the repository. CONFDB: Remove the obsolete option magic_private_groups 2017-10-26T08:10:58+00:00 Jakub Hrozek jhrozek@redhat.com 2017-10-03T10:36:02+00:00 8fab9d6fa88824b20d3febe697147c407d31c160 Since this confdb definition was completely unused across the codebase, this patch just removes the definition. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Since this confdb definition was completely unused across the codebase,
this patch just removes the definition.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
CONFIG: Add a new option auto_private_groups 2017-10-26T08:10:49+00:00 Jakub Hrozek jhrozek@redhat.com 2017-10-03T10:34:33+00:00 d72ac2c58360cd272277b5ddde67bbff53106a74 The auto_private_groups option is used to configure the domain->mpg flag which was already set automatically for subdomains, but for some time was not settable by the admin via the configuration file. The new option name, instead of the old magic_private_groups, was chosen purely because this name would hopefully be better understood by admins. The option doesn't do anything yet, it is just added to all the places a new option should be added to. Related: https://pagure.io/SSSD/sssd/issue/1872 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The auto_private_groups option is used to configure the domain->mpg flag
which was already set automatically for subdomains, but for some time was
not settable by the admin via the configuration file.

The new option name, instead of the old magic_private_groups, was chosen
purely because this name would hopefully be better understood by admins.

The option doesn't do anything yet, it is just added to all the places a
new option should be added to.

Related:
    https://pagure.io/SSSD/sssd/issue/1872

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Print a warning when enumeration is requested but disabled 2017-09-25T12:33:06+00:00 AmitKumar amitkuma@redhat.com 2017-07-24T14:45:13+00:00 c33fa33065b1211dba5ea2909bac62843a72e8b5 Add an explanatory message to be logged once, at the start-up, mentioning that in case enumeration is not enabled, getent passwd won't return all users by design. The debug level chosen to show the message is SSS_LOG_NOTICE. Resolves: https://pagure.io/SSSD/sssd/issue/2301 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Add an explanatory message to be logged once, at the start-up,
mentioning that in case enumeration is not enabled, getent passwd won't
return all users by design.
The debug level chosen to show the message is SSS_LOG_NOTICE.

Resolves:
https://pagure.io/SSSD/sssd/issue/2301

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SECRETS: Add a new option to control per-UID limits 2017-09-01T18:26:45+00:00 Jakub Hrozek jhrozek@redhat.com 2017-06-05T14:10:55+00:00 6b3bab516355fdf4cc81e6da9d87ec3818ab190f Adds a new option max_uid_secrets that allows to set a limit of secrets for this particular client so that the user cannot starve other users. Resolves: https://pagure.io/SSSD/sssd/issue/3363 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Adds a new option max_uid_secrets that allows to set a limit of secrets
for this particular client so that the user cannot starve other users.

Resolves:
https://pagure.io/SSSD/sssd/issue/3363

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
CONFDB: Do not crash with an invalid domain_type or case_sensitive value 2017-08-31T10:07:06+00:00 Jakub Hrozek jhrozek@redhat.com 2017-08-29T08:52:45+00:00 9787bc5890865be73a6caedaa22b3fae1e3aa671 If the domain_type parameter contained an invalid value, the error branch wouldn't have set the 'ret' parameter to an error condition, which might crash sssd. The same problem occured with CONFDB_DOMAIN_CASE_SENSITIVE Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
If the domain_type parameter contained an invalid value, the error
branch wouldn't have set the 'ret' parameter to an error condition,
which might crash sssd.

The same problem occured with CONFDB_DOMAIN_CASE_SENSITIVE

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
CONFDB: Set a default value for subdomain_refresh_interval in case an invalid value is set 2017-08-30T19:07:15+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-08-29T17:08:53+00:00 b4195db089bc481161b37cd129d0876571f633b4 The code as it was seemed wrong as when an invalid value as set we neither error out nor set a default valid value there. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
The code as it was seemed wrong as when an invalid value as set we
neither error out nor set a default valid value there.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
DESKPROFILE: Introduce the new IPA session provider 2017-08-28T18:41:04+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-01T23:15:16+00:00 f982039c75ec064894deb676ae53ee57de868590 In order to provide FleetCommander[0] integration, a session provider has been introduced for IPA. The design of this feature and more technical details can be found at [1] and [2], which are the design pages of both freeIPA and SSSD parts. As there's no way to test freeIPA integration with our upstream tests, no test has been provided yet. Is also worth to mention that the name "deskprofile" has been chosen instead of "fleetcmd" in order to match with the freeIPA plugin. It means that, for consistence, all source files, directories created, options added, functions prefixes and so on are following the choice accordingly. [0]: https://wiki.gnome.org/Projects/FleetCommander [1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki [2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html Resolves: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.

As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.

Is also worth to mention that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match with the freeIPA plugin. It
means that, for consistence, all source files, directories created,
options added, functions prefixes and so on are following the choice
accordingly.

[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html

Resolves:
https://pagure.io/SSSD/sssd/issue/2995

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sudo: add a threshold option to reduce size of rules refresh filter 2017-08-18T06:52:25+00:00 Pavel Březina pbrezina@redhat.com 2017-07-11T10:41:57+00:00 a5f300adf19ec9c3087c62bd93a5175db799687a If a large number of rules is expired at one time the ldap filter may become too large to be processed by server. This commits adds a new option "sudo_threshold" to sudo responder. If the threshold is exceeded a full refreshed is done instead of rules refresh. Resolves: https://pagure.io/SSSD/sssd/issue/3478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
If a large number of rules is expired at one time the ldap filter may
become too large to be processed by server. This commits adds a new
option "sudo_threshold" to sudo responder. If the threshold is
exceeded a full refreshed is done instead of rules refresh.

Resolves:
https://pagure.io/SSSD/sssd/issue/3478

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
CONFIG: Add session_recording section 2017-07-27T08:32:21+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2016-12-20T08:16:47+00:00 555f43b491f40e0237b8677565a748b929092bee Add information on "session_recording" config section, having three options: "scope", "users", and "groups". The section is intended for disabling session recording ("scope = none", default), enabling session recording for all users ("scope = all"), and enabling it for some specific users and/or groups ("scope = some", "users = <users>", "groups = <groups>"). Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Add information on "session_recording" config section, having three
options: "scope", "users", and "groups".

The section is intended for disabling session recording ("scope = none",
default), enabling session recording for all users ("scope = all"), and
enabling it for some specific users and/or groups ("scope = some",
"users = <users>", "groups = <groups>").

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
DOMAIN: Add sss_domain_info_{get,set}_output_fqnames() 2017-06-21T09:28:15+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-06-20T12:22:48+00:00 fa2fc8a2908619031292eaf375eb1a510b8b2eba Let's avoid setting a domain's property directly from cr_domain code. In order to do so, let's introduce a setter, which may help us in the future whenever we decide to make sss_domain_info an opaque structure. For completeness, a getter has also been introduced and used in the usertools code. Related: https://pagure.io/SSSD/sssd/issue/3403 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Let's avoid setting a domain's property directly from cr_domain code.

In order to do so, let's introduce a setter, which may help us in the
future whenever we decide to make sss_domain_info an opaque structure.

For completeness, a getter has also been introduced and used in the
usertools code.

Related:
https://pagure.io/SSSD/sssd/issue/3403

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>