sssd.git/src/responder/common, branch master Unnamed repository; edit this file 'description' to name the repository. Move sized_output_name() and sized_domain_name() into responder common code 2017-04-21T09:24:41+00:00 Jakub Hrozek jhrozek@redhat.com 2017-04-19T15:44:40+00:00 7c074ba2f923985ab0d4f9d6a5e01ff3f2f0a7a8 These functions are used to format a name into a format that the user configured for output, including case sensitiveness, replacing whitespace and qualified format. They were used only in the NSS responder, which typically returns strings to the NSS client library and then the user. But it makes sense to just reuse the same code in the IFP responder as well, since it does essentially the same job. The patch also renames sized_member_name to sized_domain_name. Previously, the function was only used to format a group member, the IFP responder would use the same function to format a group the user is a member of. Related to: https://pagure.io/SSSD/sssd/issue/3268 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
These functions are used to format a name into a format that the user
configured for output, including case sensitiveness, replacing
whitespace and qualified format. They were used only in the NSS
responder, which typically returns strings to the NSS client library and
then the user.

But it makes sense to just reuse the same code in the IFP responder as
well, since it does essentially the same job.

The patch also renames sized_member_name to sized_domain_name.
Previously, the function was only used to format a group member, the IFP
responder would use the same function to format a group the user is a
member of.

Related to:
    https://pagure.io/SSSD/sssd/issue/3268

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
responders: do not leak selinux context on clients destruction 2017-04-03T13:37:27+00:00 Pavel Březina pbrezina@redhat.com 2017-04-03T10:56:01+00:00 05c2c3047912fca1c1a35ab1c8d3157b05383495 The SELinux context created in get_client_cred is not talloc bound and we were leaking it if available with each client's destruction. Resolves: https://pagure.io/SSSD/sssd/issue/3360 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The SELinux context created in get_client_cred is not talloc bound and
we were leaking it if available with each client's destruction.

Resolves:
https://pagure.io/SSSD/sssd/issue/3360

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
CACHE_REQ: Domain type selection in cache_req 2017-03-30T12:09:22+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-24T09:39:12+00:00 cee85e8fb9534ec997e5388fce59f392cf029573 Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new enumeration cache_req_dom_type. It is a tri-state that allows the caller to select which domains can be contacted - either only POSIX, only application domains or any type. Not all plugins of cache_req have the new parameter added -- only those that are usable/useful in a non-POSIX environment. For example, it makes no sense to allow the selection for calls by ID because those are inherently POSIX-specific. Also, services or netgroups are supported only coming from POSIX domains. At the moment, the patch should not change any behaviour as all calls default to contacting POSIX domains only. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related to:
    https://pagure.io/SSSD/sssd/issue/3310

Adds a new enumeration cache_req_dom_type. It is a tri-state that
allows the caller to select which domains can be contacted - either only
POSIX, only application domains or any type.

Not all plugins of cache_req have the new parameter added -- only those
that are usable/useful in a non-POSIX environment. For example, it makes
no sense to allow the selection for calls by ID because those are
inherently POSIX-specific. Also, services or netgroups are supported
only coming from POSIX domains.

At the moment, the patch should not change any behaviour as all calls
default to contacting POSIX domains only.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add domain_resolution_order config option 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-26T01:00:14+00:00 16385568547351b5d2c562f3081f35f3341f695b This is the local equivalent of option of ipaDomainResolutionOrder and has precedence over the ones set on IPA side making the precedence order to be like: Local > View > Globally. As done for the IPA side configurations, the domains which were not explicitly set up will be apennded to the final of the domain_resolution_order list in the very same order they're presented in the "domains" option of [sssd] section in the config file. There's no guarantee of order for the subdomains though. It's also important to mention that no expansion magic is performed on our side. It means that if 'example.com' is set it does *not* stand for all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com', etc). Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This is the local equivalent of option of ipaDomainResolutionOrder and
has precedence over the ones set on IPA side making the precedence order
to be like: Local > View > Globally.

As done for the IPA side configurations, the domains which were not
explicitly set up will be apennded to the final of the
domain_resolution_order list in the very same order they're presented in
the "domains" option of [sssd] section in the config file. There's no
guarantee of order for the subdomains though.

It's also important to mention that no expansion magic is performed on
our side. It means that if 'example.com' is set it does *not* stand for
all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com',
etc).

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CACHE_REQ: Make use of domainResolutionOrder 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-25T23:27:50+00:00 66c8e92eb5a4985bb7f64c349a53b08030a000cf domainResolutionOrder has been introduced in the previous commits and allows the admin to set up a specific order which the domains will be resolved during a lookup and with this patch we can take advantage of this. In order to have it working a new structure has been added (struct domain_resolution_order) to the responder context and will be used by the cache_req to perform the lookups based on this list. As the ipaDomainResolutionOrder may be set globally on IPA or per View, SSSD does respect the following precedence order: View > Globally. The way the list is built is quite simple, basically having the domains present on ipaDomainResolutionOrder as the first domains (in that specific order) and then appending the remaining domains to this list. The final result is a completely flat list with all the domains respecting the specified order (it's important to remember that the domains not specified won't follow any specific order, they're just "random" based on the domains list present in the responder context. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
domainResolutionOrder has been introduced in the previous commits and
allows the admin to set up a specific order which the domains will be
resolved during a lookup and with this patch we can take advantage of
this.

In order to have it working a new structure has been added
(struct domain_resolution_order) to the responder context and will be
used by the cache_req to perform the lookups based on this list.

As the ipaDomainResolutionOrder may be set globally on IPA or per View,
SSSD does respect the following precedence order: View > Globally.

The way the list is built is quite simple, basically having the domains
present on ipaDomainResolutionOrder as the first domains (in that
specific order) and then appending the remaining domains to this list.
The final result is a completely flat list with all the domains
respecting the specified order (it's important to remember that the
domains not specified won't follow any specific order, they're just
"random" based on the domains list present in the responder context.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CACHE_REQ: Descend into subdomains on lookups 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-01T08:34:57+00:00 dcc52d9c6411528bab815351d1e6145d211a4765 Let's make all plugins, but the "host_by_name", to descend into the subdomains on lookups. This patch basically prepares the field for the coming up patches that will allow group/user resolution in all domains (or a subset of the domains) to be possible by only using the short names without the domain component. The "host_by_name" plugin was not changed as it's a specific IPA plugin and won't find anything on its subdomains. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> 
Let's make all plugins, but the "host_by_name", to descend into the
subdomains on lookups.

This patch basically prepares the field for the coming up patches that
will allow group/user resolution in all domains (or a subset of the
domains) to be possible by only using the short names without the domain
component.

The "host_by_name" plugin was not changed as it's a specific IPA plugin
and won't find anything on its subdomains.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
SUBDOMAINS: Allow use_fully_qualified_names for subdomains 2017-03-29T12:00:17+00:00 Michal Židek mzidek@redhat.com 2017-03-23T12:14:56+00:00 a63d74f65db2db7389cd373cb37adcdaaa2d56ea Allow option use_fully_qualified_names in subdomain section. This option was recently added to subdomain_inherit. Resolves: https://pagure.io/SSSD/sssd/issue/3337 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.

Resolves:
https://pagure.io/SSSD/sssd/issue/3337

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
nss: allow larger buffer for certificate based requests 2017-03-23T16:23:42+00:00 Sumit Bose sbose@redhat.com 2017-02-28T13:19:53+00:00 a0b1bfa76073d3ce3208e67e6d72bb92088edac5 To make sure larger certificates can be processed as well the maximal buffer size is increased for requests by certificate. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
To make sure larger certificates can be processed as well the maximal
buffer size is increased for requests by certificate.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
CACHE_REQ: shortcut if object is found 2017-03-14T11:35:14+00:00 Pavel Březina pbrezina@redhat.com 2017-03-09T12:27:31+00:00 606015a4f71d8ee809347188667d268f73110483 If we get a cache-hit but the object is expired or needs a midpoint refresh we assume that this domain is the one the result should come from and go to data provider directly. Related: https://pagure.io/SSSD/sssd/issue/3001 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
If we get a cache-hit but the object is expired or needs a midpoint
refresh we assume that this domain is the one the result should come
from and go to data provider directly.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
CACHE_REQ: Check the caches first 2017-03-14T11:35:01+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-02-22T07:07:45+00:00 8bb6680637ead03e24a38d15ec5265d11a920a1d This patch introduces a new configurable option to define whether the responder should query all domains' caches before querying the Data Providers. This new option is called cache_first and, by default, it's disabled, meaning that, for each provider, the responder may contact the cache and the data provider in the same iteration. Co-Author: Pavel Březina <pbrezina@redhat.com> Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This patch introduces a new configurable option to define whether the
responder should query all domains' caches before querying the Data
Providers.

This new option is called cache_first and, by default, it's disabled,
meaning that, for each provider, the responder may contact the cache and
the data provider in the same iteration.

Co-Author: Pavel Březina <pbrezina@redhat.com>

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>