sssd.git/src/providers/ipa, branch master Unnamed repository; edit this file 'description' to name the repository. IPA: Improve DEBUG message if a group has no ipaNTSecurityIdentifier 2017-04-24T08:21:24+00:00 Jakub Hrozek jhrozek@redhat.com 2017-04-21T10:39:44+00:00 ef019268d2d112ebff3577e551cd19478d73d93b There was an issue in a production deployment where the admin selected a GID outside the IDM range for a group that contained a user from the trusted domain. This resulted in not adding a SID for the IPA group, which in turn meant the group couldn't be resolved on the client. This patch just improves the DEBUG message so that it's clearer for the admins where the issue is. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
There was an issue in a production deployment where the admin selected a
GID outside the IDM range for a group that contained a user from the
trusted domain. This resulted in not adding a SID for the IPA group,
which in turn meant the group couldn't be resolved on the client.

This patch just improves the DEBUG message so that it's clearer for the
admins where the issue is.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
selinux: Do not fail if SELinux is not managed 2017-04-06T11:41:33+00:00 Michal Židek mzidek@redhat.com 2017-02-08T11:01:37+00:00 78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 Previously we failed if semanage_is_managed returned 0 or -1 (not managed or error). With this patch we only fail in case of error and continue normally if selinux is not managed by libsemanage at all. Resolves: https://fedorahosted.org/sssd/ticket/3297 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.

Resolves:
https://fedorahosted.org/sssd/ticket/3297

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
ipa_s2n_get_acct_info_send: provide correct req_input name 2017-04-03T14:07:45+00:00 Pavel Březina pbrezina@redhat.com 2017-04-03T10:09:44+00:00 b07bcd8b99590bd404733fa7ff1add37c55126bc To avoid crash. Resolves: https://pagure.io/SSSD/sssd/issue/3358 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
To avoid crash.

Resolves:
https://pagure.io/SSSD/sssd/issue/3358

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
IPA: enable AD user lookup by certificate 2017-03-29T13:09:51+00:00 Sumit Bose sbose@redhat.com 2017-03-24T14:41:37+00:00 82843754193b177275ce16f2901edac2060a3998 Without this the lookup by certificate for AD users on an IPA client will just error out. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Without this the lookup by certificate for AD users on an IPA client
will just error out.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: lookup AD users by certificates on IPA clients 2017-03-29T13:09:48+00:00 Sumit Bose sbose@redhat.com 2017-03-24T14:40:41+00:00 2cf7becc05996eb6d8a3352d3d7b97c75652e590 Get a list of users mapped to a certificate back from the IPA server, look them up and store them together with the certificate used for the search as mapped attribute to the cache. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Get a list of users mapped to a certificate back from the IPA server,
look them up and store them together with the certificate used for the
search as mapped attribute to the cache.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: add mapped attributes to user from trusted domains 2017-03-29T13:09:44+00:00 Sumit Bose sbose@redhat.com 2017-03-22T13:13:05+00:00 415d93196533a6fcd90889c67396ef5af5bf791a Allow the usage of the mapped attribute for the lookup of AD users on IPA clients as already used for the normal LDAP lookup. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Allow the usage of the mapped attribute for the lookup of AD users on
IPA clients as already used for the normal LDAP lookup.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: Get ipaDomainsResolutionOrder from IPA ID View 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-24T16:46:04+00:00 fb81f337b68c85471c3f5140850dccf549a2d0ac ipaDomainsResolutionOrder provides a list of domains that have to be looked up firstly during cache_req searches. This commit only fetches this list from the server and stores its value at sysdb so we can make use of it later on this patch series. There are no tests for newly introduced sysdb methods are those are basically only calling sysdb_update_domain_resolution_order(), sysdb_get_domain_resolution_order() and sysdb_get_use_domain_resolution_order() which are have tests written for. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
ipaDomainsResolutionOrder provides a list of domains that have to be
looked up firstly during cache_req searches.

This commit only fetches this list from the server and stores its value
at sysdb so we can make use of it later on this patch series.

There are no tests for newly introduced sysdb methods are those are
basically only calling sysdb_update_domain_resolution_order(),
sysdb_get_domain_resolution_order() and
sysdb_get_use_domain_resolution_order() which are have tests written
for.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA_SUBDOMAINS: Rename _refresh_view() to _refresh_view_name() 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-24T07:08:58+00:00 17ab121a6c69d74acf1d40f2bbcbe90d77bb6b8a This method got renamed in order to match better with what it does currently. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This method got renamed in order to match better with what it does
currently.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Get ipaDomainsResolutionOrder from ipaConfig 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-22T12:40:20+00:00 3cbf0e7b63e8e6888917e9215bbdc5674c2fa852 ipaDomainsResolutionOrder provides a list of domains that have to be looked up firstly during cache_req searches. This commit only fetches this list from the server and stores its value at sysdb so we can make use of it later on this patch series. There are no tests for newly introduced sysdb methods are those are basically only calling sysdb_update_domain_resolution_order(), sysdb_get_domain_resolution_order() and sysdb_get_use_domain_resolution_order() which are have tests written for. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
ipaDomainsResolutionOrder provides a list of domains that have to be
looked up firstly during cache_req searches.

This commit only fetches this list from the server and stores its value
at sysdb so we can make use of it later on this patch series.

There are no tests for newly introduced sysdb methods are those are
basically only calling sysdb_update_domain_resolution_order(),
sysdb_get_domain_resolution_order() and
sysdb_get_use_domain_resolution_order() which are have tests written
for.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SUBDOMAINS: Allow use_fully_qualified_names for subdomains 2017-03-29T12:00:17+00:00 Michal Židek mzidek@redhat.com 2017-03-23T12:14:56+00:00 a63d74f65db2db7389cd373cb37adcdaaa2d56ea Allow option use_fully_qualified_names in subdomain section. This option was recently added to subdomain_inherit. Resolves: https://pagure.io/SSSD/sssd/issue/3337 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.

Resolves:
https://pagure.io/SSSD/sssd/issue/3337

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>