<feed xmlns='http://www.w3.org/2005/Atom'>
<title>sssd.git/src/confdb, branch sudo</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/'/>
<entry>
<title>Print a warning when enumeration is requested but disabled</title>
<updated>2017-09-25T12:33:06+00:00</updated>
<author>
<name>AmitKumar</name>
<email>amitkuma@redhat.com</email>
</author>
<published>2017-07-24T14:45:13+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=c33fa33065b1211dba5ea2909bac62843a72e8b5'/>
<id>c33fa33065b1211dba5ea2909bac62843a72e8b5</id>
<content type='text'>
Add an explanatory message to be logged once, at the start-up,
mentioning that in case enumeration is not enabled, getent passwd won't
return all users by design.
The debug level chosen to show the message is SSS_LOG_NOTICE.

Resolves:
https://pagure.io/SSSD/sssd/issue/2301

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add an explanatory message to be logged once, at the start-up,
mentioning that in case enumeration is not enabled, getent passwd won't
return all users by design.
The debug level chosen to show the message is SSS_LOG_NOTICE.

Resolves:
https://pagure.io/SSSD/sssd/issue/2301

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SECRETS: Add a new option to control per-UID limits</title>
<updated>2017-09-01T18:26:45+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2017-06-05T14:10:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=6b3bab516355fdf4cc81e6da9d87ec3818ab190f'/>
<id>6b3bab516355fdf4cc81e6da9d87ec3818ab190f</id>
<content type='text'>
Adds a new option max_uid_secrets that allows setting a limit of secrets
for this particular client so that the user cannot starve other users.

Resolves:
https://pagure.io/SSSD/sssd/issue/3363

Reviewed-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Adds a new option max_uid_secrets that allows setting a limit of secrets
for this particular client so that the user cannot starve other users.

Resolves:
https://pagure.io/SSSD/sssd/issue/3363

Reviewed-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CONFDB: Do not crash with an invalid domain_type or case_sensitive value</title>
<updated>2017-08-31T10:07:06+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2017-08-29T08:52:45+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=9787bc5890865be73a6caedaa22b3fae1e3aa671'/>
<id>9787bc5890865be73a6caedaa22b3fae1e3aa671</id>
<content type='text'>
If the domain_type parameter contained an invalid value, the error
branch wouldn't have set the 'ret' parameter to an error condition,
which might crash sssd.

The same problem occurred with CONFDB_DOMAIN_CASE_SENSITIVE

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the domain_type parameter contained an invalid value, the error
branch wouldn't have set the 'ret' parameter to an error condition,
which might crash sssd.

The same problem occurred with CONFDB_DOMAIN_CASE_SENSITIVE

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CONFDB: Set a default value for subdomain_refresh_interval in case an invalid value is set</title>
<updated>2017-08-30T19:07:15+00:00</updated>
<author>
<name>Fabiano Fidêncio</name>
<email>fidencio@redhat.com</email>
</author>
<published>2017-08-29T17:08:53+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=b4195db089bc481161b37cd129d0876571f633b4'/>
<id>b4195db089bc481161b37cd129d0876571f633b4</id>
<content type='text'>
The code as it was seemed wrong as when an invalid value was set we
neither error out nor set a default valid value there.

Signed-off-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The code as it was seemed wrong as when an invalid value was set we
neither error out nor set a default valid value there.

Signed-off-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>DESKPROFILE: Introduce the new IPA session provider</title>
<updated>2017-08-28T18:41:04+00:00</updated>
<author>
<name>Fabiano Fidêncio</name>
<email>fidencio@redhat.com</email>
</author>
<published>2016-11-01T23:15:16+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=f982039c75ec064894deb676ae53ee57de868590'/>
<id>f982039c75ec064894deb676ae53ee57de868590</id>
<content type='text'>
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.

As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.

It is also worth mentioning that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match with the freeIPA plugin. It
means that, for consistency, all source files, directories created,
options added, function prefixes and so on are following the choice
accordingly.

[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html

Resolves:
https://pagure.io/SSSD/sssd/issue/2995

Signed-off-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;

Reviewed-by: Pavel Březina &lt;pbrezina@redhat.com&gt;
Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.

As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.

It is also worth mentioning that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match with the freeIPA plugin. It
means that, for consistency, all source files, directories created,
options added, function prefixes and so on are following the choice
accordingly.

[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html

Resolves:
https://pagure.io/SSSD/sssd/issue/2995

Signed-off-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;

Reviewed-by: Pavel Březina &lt;pbrezina@redhat.com&gt;
Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sudo: add a threshold option to reduce size of rules refresh filter</title>
<updated>2017-08-18T06:52:25+00:00</updated>
<author>
<name>Pavel Březina</name>
<email>pbrezina@redhat.com</email>
</author>
<published>2017-07-11T10:41:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=a5f300adf19ec9c3087c62bd93a5175db799687a'/>
<id>a5f300adf19ec9c3087c62bd93a5175db799687a</id>
<content type='text'>
If a large number of rules is expired at one time the ldap filter may
become too large to be processed by server. This commit adds a new
option "sudo_threshold" to sudo responder. If the threshold is
exceeded a full refresh is done instead of rules refresh.

Resolves:
https://pagure.io/SSSD/sssd/issue/3478

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If a large number of rules is expired at one time the ldap filter may
become too large to be processed by server. This commit adds a new
option "sudo_threshold" to sudo responder. If the threshold is
exceeded a full refresh is done instead of rules refresh.

Resolves:
https://pagure.io/SSSD/sssd/issue/3478

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CONFIG: Add session_recording section</title>
<updated>2017-07-27T08:32:21+00:00</updated>
<author>
<name>Nikolai Kondrashov</name>
<email>Nikolai.Kondrashov@redhat.com</email>
</author>
<published>2016-12-20T08:16:47+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=555f43b491f40e0237b8677565a748b929092bee'/>
<id>555f43b491f40e0237b8677565a748b929092bee</id>
<content type='text'>
Add information on "session_recording" config section, having three
options: "scope", "users", and "groups".

The section is intended for disabling session recording ("scope = none",
default), enabling session recording for all users ("scope = all"), and
enabling it for some specific users and/or groups ("scope = some",
"users = &lt;users&gt;", "groups = &lt;groups&gt;").

Reviewed-by: Pavel Březina &lt;pbrezina@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add information on "session_recording" config section, having three
options: "scope", "users", and "groups".

The section is intended for disabling session recording ("scope = none",
default), enabling session recording for all users ("scope = all"), and
enabling it for some specific users and/or groups ("scope = some",
"users = &lt;users&gt;", "groups = &lt;groups&gt;").

Reviewed-by: Pavel Březina &lt;pbrezina@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>DOMAIN: Add sss_domain_info_{get,set}_output_fqnames()</title>
<updated>2017-06-21T09:28:15+00:00</updated>
<author>
<name>Fabiano Fidêncio</name>
<email>fidencio@redhat.com</email>
</author>
<published>2017-06-20T12:22:48+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=fa2fc8a2908619031292eaf375eb1a510b8b2eba'/>
<id>fa2fc8a2908619031292eaf375eb1a510b8b2eba</id>
<content type='text'>
Let's avoid setting a domain's property directly from cr_domain code.

In order to do so, let's introduce a setter, which may help us in the
future whenever we decide to make sss_domain_info an opaque structure.

For completeness, a getter has also been introduced and used in the
usertools code.

Related:
https://pagure.io/SSSD/sssd/issue/3403

Signed-off-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Let's avoid setting a domain's property directly from cr_domain code.

In order to do so, let's introduce a setter, which may help us in the
future whenever we decide to make sss_domain_info an opaque structure.

For completeness, a getter has also been introduced and used in the
usertools code.

Related:
https://pagure.io/SSSD/sssd/issue/3403

Signed-off-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>RESPONDER: Use fqnames as output when needed</title>
<updated>2017-06-21T09:28:08+00:00</updated>
<author>
<name>Fabiano Fidêncio</name>
<email>fidencio@redhat.com</email>
</author>
<published>2017-06-19T07:05:00+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=86526891366c4bc3e1ee861143b736d2670a6ba8'/>
<id>86526891366c4bc3e1ee861143b736d2670a6ba8</id>
<content type='text'>
As some regressions have been caused by not handling properly naming
conflicts when using shortnames, let's explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`

In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.

As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now
expect as return a fully qualified name for trusted domains.

Resolves:
https://pagure.io/SSSD/sssd/issue/3403

Signed-off-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
As some regressions have been caused by not handling properly naming
conflicts when using shortnames, let's explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`

In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.

As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now
expect as return a fully qualified name for trusted domains.

Resolves:
https://pagure.io/SSSD/sssd/issue/3403

Signed-off-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>RESPONDER_COMMON: update certmaps in responders</title>
<updated>2017-06-01T14:17:28+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2017-05-02T13:25:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=749963195393efa3a4f9b168dd02fbcc68976ba3'/>
<id>749963195393efa3a4f9b168dd02fbcc68976ba3</id>
<content type='text'>
Make certificate mapping data available to the responders.

Related to https://pagure.io/SSSD/sssd/issue/3395

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Make certificate mapping data available to the responders.

Related to https://pagure.io/SSSD/sssd/issue/3395

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
