sssd.git/src/config/SSSDConfig, branch sssctl Unnamed repository; edit this file 'description' to name the repository. CONFIG: Add a new option auto_private_groups 2017-10-26T08:10:49+00:00 Jakub Hrozek jhrozek@redhat.com 2017-10-03T10:34:33+00:00 d72ac2c58360cd272277b5ddde67bbff53106a74 The auto_private_groups option is used to configure the domain->mpg flag which was already set automatically for subdomains, but for some time was not settable by the admin via the configuration file. The new option name, instead of the old magic_private_groups, was chosen purely because this name would hopefully be better understood by admins. The option doesn't do anything yet, it is just added to all the places a new option should be added to. Related: https://pagure.io/SSSD/sssd/issue/1872 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The auto_private_groups option is used to configure the domain->mpg flag
which was already set automatically for subdomains, but for some time was
not settable by the admin via the configuration file.

The new option name, instead of the old magic_private_groups, was chosen
purely because this name would hopefully be better understood by admins.

The option doesn't do anything yet, it is just added to all the places a
new option should be added to.

Related:
    https://pagure.io/SSSD/sssd/issue/1872

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: Add support for rhost access control 2017-10-19T14:05:06+00:00 Alexey Kamenskiy alexey.kamenskiy@chinanetcloud.com 2017-10-18T10:28:07+00:00 f34a8330c1615511795847b0a1454249d782db2a This patch implements verification of pam_rhost against rules stored in LDAP entry of a user. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This patch implements verification of pam_rhost against
rules stored in LDAP entry of a user.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
python: Changing class declaration from old to new-style type 2017-10-04T06:59:14+00:00 amitkuma amitkuma@redhat.com 2017-09-18T16:51:06+00:00 b07852825eeb63a78e1b3863e42b3f328430da18 Resolves: https://pagure.io/SSSD/sssd/issue/3517 Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Resolves:
https://pagure.io/SSSD/sssd/issue/3517

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SECRETS: Add a new option to control per-UID limits 2017-09-01T18:26:45+00:00 Jakub Hrozek jhrozek@redhat.com 2017-06-05T14:10:55+00:00 6b3bab516355fdf4cc81e6da9d87ec3818ab190f Adds a new option max_uid_secrets that allows to set a limit of secrets for this particular client so that the user cannot starve other users. Resolves: https://pagure.io/SSSD/sssd/issue/3363 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Adds a new option max_uid_secrets that allows to set a limit of secrets
for this particular client so that the user cannot starve other users.

Resolves:
https://pagure.io/SSSD/sssd/issue/3363

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
DESKPROFILE: Add ipa_deskprofile_request_interval 2017-08-28T18:42:27+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-08-17T17:49:22+00:00 4a311702045b065a97a0c0fc0ccc7a1fc84b38cf This option has been added to avoid contacting the Data Provider when no rules were found in the previous request. By adding this configurable option we avoid contacting the Data Provider too often in the case described above and also when the server doesn't support Desktop Profile's integration. Resolves: https://pagure.io/SSSD/sssd/issue/3482 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This option has been added to avoid contacting the Data Provider when no
rules were found in the previous request.

By adding this configurable option we avoid contacting the Data Provider
too often in the case described above and also when the server doesn't
support Desktop Profile's integration.

Resolves: https://pagure.io/SSSD/sssd/issue/3482

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
DESKPROFILE: Introduce the new IPA session provider 2017-08-28T18:41:04+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-01T23:15:16+00:00 f982039c75ec064894deb676ae53ee57de868590 In order to provide FleetCommander[0] integration, a session provider has been introduced for IPA. The design of this feature and more technical details can be found at [1] and [2], which are the design pages of both freeIPA and SSSD parts. As there's no way to test freeIPA integration with our upstream tests, no test has been provided yet. Is also worth to mention that the name "deskprofile" has been chosen instead of "fleetcmd" in order to match with the freeIPA plugin. It means that, for consistence, all source files, directories created, options added, functions prefixes and so on are following the choice accordingly. [0]: https://wiki.gnome.org/Projects/FleetCommander [1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki [2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html Resolves: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.

As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.

Is also worth to mention that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match with the freeIPA plugin. It
means that, for consistence, all source files, directories created,
options added, functions prefixes and so on are following the choice
accordingly.

[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html

Resolves:
https://pagure.io/SSSD/sssd/issue/2995

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sudo: add a threshold option to reduce size of rules refresh filter 2017-08-18T06:52:25+00:00 Pavel Březina pbrezina@redhat.com 2017-07-11T10:41:57+00:00 a5f300adf19ec9c3087c62bd93a5175db799687a If a large number of rules is expired at one time the ldap filter may become too large to be processed by server. This commits adds a new option "sudo_threshold" to sudo responder. If the threshold is exceeded a full refreshed is done instead of rules refresh. Resolves: https://pagure.io/SSSD/sssd/issue/3478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
If a large number of rules is expired at one time the ldap filter may
become too large to be processed by server. This commits adds a new
option "sudo_threshold" to sudo responder. If the threshold is
exceeded a full refreshed is done instead of rules refresh.

Resolves:
https://pagure.io/SSSD/sssd/issue/3478

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Fix minor typos 2017-08-16T12:39:31+00:00 Yuri Chornoivan yurchor@ukr.net 2017-07-31T12:52:51+00:00 1afc796952755f9cc96ea0b93989cd93214103a2 Merges: https://pagure.io/SSSD/sssd/pull-request/3456 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Merges: https://pagure.io/SSSD/sssd/pull-request/3456

Reviewed-by: Michal Židek <mzidek@redhat.com>
Fix minor typos 2017-07-26T15:46:11+00:00 Yuri Chornoivan yurchor@ukr.net 2017-07-26T13:45:35+00:00 77e5c3fc26085f18277a70ffbd6351a8130963e7 Merges: https://pagure.io/SSSD/sssd/pull-request/3456 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Merges: https://pagure.io/SSSD/sssd/pull-request/3456

Reviewed-by: Michal Židek <mzidek@redhat.com>
SSSDConfig: Fix saving of debug_level 2017-05-29T10:09:33+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-05-25T08:33:08+00:00 fca26b76f23ee4457d6796b19892ed97362b6c8d SSSDConfig internally handle debug_level as an integer. But in case of bitmask version of debug_level (>=16) it stored value as a decimal which is confusing e.g. debug_level = 8176 vs. debug_level = 0x1ff0 Resolves: https://pagure.io/SSSD/sssd/issue/3410 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
SSSDConfig internally handle debug_level as an integer.
But in case of bitmask version of debug_level (>=16)
it stored value as a decimal which is confusing
e.g.
    debug_level = 8176
vs.
    debug_level = 0x1ff0

Resolves:
https://pagure.io/SSSD/sssd/issue/3410

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>