sssd.git/src/responder/common/cache_req/plugins, branch master Unnamed repository; edit this file 'description' to name the repository. CACHE_REQ: Domain type selection in cache_req 2017-03-30T12:09:22+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-24T09:39:12+00:00 cee85e8fb9534ec997e5388fce59f392cf029573 Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new enumeration cache_req_dom_type. It is a tri-state that allows the caller to select which domains can be contacted - either only POSIX, only application domains or any type. Not all plugins of cache_req have the new parameter added -- only those that are usable/useful in a non-POSIX environment. For example, it makes no sense to allow the selection for calls by ID because those are inherently POSIX-specific. Also, services or netgroups are supported only coming from POSIX domains. At the moment, the patch should not change any behaviour as all calls default to contacting POSIX domains only. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related to:
    https://pagure.io/SSSD/sssd/issue/3310

Adds a new enumeration cache_req_dom_type. It is a tri-state that
allows the caller to select which domains can be contacted - either only
POSIX, only application domains or any type.

Not all plugins of cache_req have the new parameter added -- only those
that are usable/useful in a non-POSIX environment. For example, it makes
no sense to allow the selection for calls by ID because those are
inherently POSIX-specific. Also, services or netgroups are supported
only coming from POSIX domains.

At the moment, the patch should not change any behaviour as all calls
default to contacting POSIX domains only.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CACHE_REQ: Descend into subdomains on lookups 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-01T08:34:57+00:00 dcc52d9c6411528bab815351d1e6145d211a4765 Let's make all plugins, but the "host_by_name", to descend into the subdomains on lookups. This patch basically prepares the field for the coming up patches that will allow group/user resolution in all domains (or a subset of the domains) to be possible by only using the short names without the domain component. The "host_by_name" plugin was not changed as it's a specific IPA plugin and won't find anything on its subdomains. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> 
Let's make all plugins, but the "host_by_name", to descend into the
subdomains on lookups.

This patch basically prepares the field for the coming up patches that
will allow group/user resolution in all domains (or a subset of the
domains) to be possible by only using the short names without the domain
component.

The "host_by_name" plugin was not changed as it's a specific IPA plugin
and won't find anything on its subdomains.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
cache_req: allow multiple matches for searches by certificate 2017-03-10T21:19:58+00:00 Sumit Bose sbose@redhat.com 2017-02-16T12:30:18+00:00 2b80496ceedc498f7e13ebaf3e1eaa9d894b8cb9 Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
CACHE_REQ: Only search the given domain when looking up entries by UPN 2017-03-03T16:36:09+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-03T12:47:52+00:00 538321890c4d5f08c8702cfc2c00e57cbd13d334 We were searching UPNs in the whole sysdb, which made cache_req think the result came in from the domain it was searching. The bug manifested when a user from a trusted domain was looked by UPN, then cache_req searched the main domain, the result from subdomain was considered as coming from the main domain and as a result, the getpwnam() output was not qualified. That is a problem, because PAM applications often sanitize the user with getpwnam, so effectively a login with UPN was shortened to just a shortname and failed. Reviewed-by: Sumit Bose <sbose@redhat.com> 
We were searching UPNs in the whole sysdb, which made cache_req think the
result came in from the domain it was searching.

The bug manifested when a user from a trusted domain was looked by UPN,
then cache_req searched the main domain, the result from subdomain was
considered as coming from the main domain and as a result, the getpwnam()
output was not qualified. That is a problem, because PAM applications
often sanitize the user with getpwnam, so effectively a login with UPN
was shortened to just a shortname and failed.

Reviewed-by: Sumit Bose <sbose@redhat.com>
SYSDB: When searching for UPNs, search either the whole DB or only the given domain 2017-03-03T16:36:03+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-02T16:54:46+00:00 afadeb1a530ff010a2f9a7552562576b843c874b The search-by-UPN functions always searched for the whole domain. In some cases, the caller depends on the result coming from the domain specified by the 'domain' parameter. This is the case in the cache_req code at least. Even though it should be safe to just switch to always searching the whole domain, in order to allow us to examine the code carefully and test each codepath, let's introduce a boolean option to the search functions. Currently it defaults to false in all codepaths and as we test the individual ones, we can flip the option to true until we finally remove the option altogether. Reviewed-by: Sumit Bose <sbose@redhat.com> 
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.

Reviewed-by: Sumit Bose <sbose@redhat.com>
cache_req: use own namespace for UPNs 2017-03-02T11:48:37+00:00 Sumit Bose sbose@redhat.com 2017-02-22T13:34:06+00:00 54039570d26e29444c398aa4ad6ba638f1713566 If the UPN use the same domain name as the configured domain an unsuccessful lookup by name will already create an entry in the negative cache. If the lookup by UPN would use the same namespace the lookup will immediately be finished because there would already be an entry in the negative cache. Resolves: https://pagure.io/SSSD/sssd/issue/3313 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
If the UPN use the same domain name as the configured domain an
unsuccessful lookup by name will already create an entry in the negative
cache. If the lookup by UPN would use the same namespace the lookup will
immediately be finished because there would already be an entry in the
negative cache.

Resolves:
https://pagure.io/SSSD/sssd/issue/3313

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
cache_req: always go to dp first when looking up host 2017-02-08T20:25:48+00:00 Pavel Březina pbrezina@redhat.com 2017-02-08T12:22:42+00:00 d9780d2860b2f2c9d707bfd8f2fc72099b9545d7 We need to always lookup host in DP first to update host certificates so we are consinstent during ssh authentication. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
We need to always lookup host in DP first to update host certificates so
we are consinstent during ssh authentication.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
cache_req: add host by name search 2017-02-08T10:05:46+00:00 Pavel Březina pbrezina@redhat.com 2017-01-18T11:12:01+00:00 53c31b83e4d06ea4c2813eec2f1e647a613b4a2b Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
cache_req: move dp request to plugin 2017-02-08T10:05:42+00:00 Pavel Březina pbrezina@redhat.com 2017-01-17T13:11:58+00:00 4df7aec645f87342f3a5146062abcb15f71f4fd9 This will allow to use cache req even for object that do not use account request such as hosts. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This will allow to use cache req even for object that do not use
account request such as hosts.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
cache_req: search user by name with attrs 2017-02-08T10:05:33+00:00 Pavel Březina pbrezina@redhat.com 2017-01-11T10:36:50+00:00 7723e79f5a1fad4201360199037aea33f655bab6 Sometime is is desirable to aquire more attribute from user object than SYSDB_PW_ATTRS set. such as user's public key. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Sometime is is desirable to aquire more attribute from user object
than SYSDB_PW_ATTRS set. such as user's public key.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>