| Commit message (Collapse) | Author | Age | Files | Lines |
| |
We make sure in responder dp code that we do not contact
data provider if the provider is a local one. We just
return success.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Those checks were redundant, since they are already part of cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Originally sss_cmd_send_empty() called also sss_cmd_done() to send
an empty reply packet to the client whereas sss_cmd_send_error()
did not invoke this call and required the caller to call it manually.
For this reason, a possible error in users_find_by_cert_done() was not
sent to the caller.
This patch unifies the usage of those two functions in a way that both
of them only create the reply packet but do not send it. Another
sss_cmd_done() call is required to send the reply.
Because sss_cmd_done() is now always called, unit tests needed to be
changed to always mock a value for __wrap_sss_cmd_done.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
We will only remember entry in the negative cache if the data provider
requests succeeded because only then we can be sure that the entry
does not exist.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
This patch allows plugins that do not require name qualification
on multi-domain search to perform lookup also in subdomains.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
The original debugging was unnecessarily large. I removed request name
from all debug messages (keeping the request number). The name is now
printed only when a new request is created. I also added an explicit message
to see what object we are currently looking up.
For example:
[cache_req_set_plugin] (0x2000): CR #4: Setting "Group by ID" plugin
[cache_req_send] (0x0400): CR #4: New request 'Group by ID'
[cache_req_select_domains] (0x0400): CR #4: Performing a multi-domain search
[cache_req_set_domain] (0x0400): CR #4: Using domain [LDAP.PB]
[cache_req_search_send] (0x0400): CR #4: Looking up GID:20001@LDAP.PB
[cache_req_search_ncache] (0x0400): CR #4: Checking negative cache for [GID:20001@LDAP.PB]
[cache_req_search_ncache] (0x0400): CR #4: [GID:20001@LDAP.PB] is not present in negative cache
[cache_req_search_cache] (0x0400): CR #4: Looking up [GID:20001@LDAP.PB] in cache
[cache_req_search_send] (0x0400): CR #4: Returning [GID:20001@LDAP.PB] from cache
[cache_req_create_and_add_result] (0x0400): CR #4: Found 1 entries in domain LDAP.PB
[cache_req_done] (0x0400): CR #4: Finished: Success
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
This request returns either user or group object.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
This request returns either user or group object.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Sometimes we want to get extra attributes when looking up user.
For example in object by name search.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Some plug-ins allow to specify what attributes should be returned,
but we always need to make sure that operational attributes such
as expiration time are returned so we can calculate the expiration
status.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
When we are looking name by sid or sid by name we want to be also
able to translate well known sid/name into its pair equivalent.
This adds the ability to mock cache_req_result if a well known object
is found.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
For enumeration purpose, we want to limit the number of returned results.
This is a preparation for changes in NSS responder.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Skip domains without enumeration if a plug-in requires it.
This is preparation for enumeration support inside cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
This is preparation for enumeration support inside cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
In enumeration calls we want to get objects from all domains, not
only from the first matched domain. We move the cache search result
into a structure that contains combination of domain and ldb_result.
This is preparation for enumeration support inside cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
If we always want to contact the data provider to fetch data,
we don't need to search the cache prior to this call.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
If overridden name was provided we stole already freed value.
Name is attached to "user" talloc context which we freed before
stealing the value. This caused crash in SSSD.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Now, we return the original name, assuming it is a shortname,
instead of returning an error.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
So we do not depend on #include order.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Global names context is used to parse AD well known SIDs and names
into its opposite. This patch moves definition of this parameter
from nss responder into common responder context so it can be
used also by other responders.
This change will be used to enable looking up well known SIDs and
names directly in cache_req.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Add basic tests for sssctl user/group-show commands. This includes
regression test for ticket #3235.
Resolves:
https://fedorahosted.org/sssd/ticket/3235
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Lowercase the filter in case insensitive domains.
Resolves:
https://fedorahosted.org/sssd/ticket/3235
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Also search by alias when using sssctl to query the cache.
Resolves:
https://fedorahosted.org/sssd/ticket/3235
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
The domain case sensitivity was wrongly set in the domain
context after initialization if the provider was AD.
Resolves:
https://fedorahosted.org/sssd/ticket/3235
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
When ldap doesn't contain any sudorule during the initial full refresh,
usn is set to 1 instead of remaining unset and we are trying to
search modifyTimestamp>=1 during smart refresh which doesn't return any result
on openldap servers.
Resolves:
https://fedorahosted.org/sssd/ticket/3257
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
If the script measured an 'id' run from the cache, there would be no
transactions and dereferencing the aggregate would throw an error.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
| |
When both TEVENT_FD_WRITE and TEVENT_FD_READ are set, and an error/EOF
occurs when reading from the socket, we will get a use after free
in the second call ares_process_fd. The first call will free the watch
structure via a callback.
Prevent this by calling ares_process_fd only once.
Invalid read of size 4
at fd_input_available (async_resolv.c:147)
by epoll_event_loop (tevent_epoll.c:728)
by epoll_event_loop_once (tevent_epoll.c:926)
by std_event_loop_once (tevent_standard.c:114)
by _tevent_loop_once (tevent.c:533)
by tevent_common_loop_wait (tevent.c:637)
by std_event_loop_wait (tevent_standard.c:140)
by server_loop (server.c:702)
by main (data_provider_be.c:587)
Address ... is 112 bytes inside a block of size 136 free'd
at free (vg_replace_malloc.c:530)
by _talloc_free_internal (talloc.c:1116)
by _talloc_free (talloc.c:1647)
by ares__close_sockets (ares__close_sockets.c:50)
by handle_error (ares_process.c:679)
by read_tcp_data (ares_process.c:391)
by processfds (ares_process.c:138)
by fd_input_available (async_resolv.c:144)
by epoll_event_loop (tevent_epoll.c:728)
by epoll_event_loop_once (tevent_epoll.c:926)
by std_event_loop_once (tevent_standard.c:114)
by _tevent_loop_once (tevent.c:533)
by tevent_common_loop_wait (tevent.c:637)
by std_event_loop_wait (tevent_standard.c:140)
by server_loop (server.c:702)
Resolves:
https://fedorahosted.org/sssd/ticket/3250
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
This method has been only used by OpenLMI, which has been deprecated and
its support dropped from SSSD on commit 99b2352.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
| |
In commit eeecc48d22a28bb69da56f6ffd8824163fc9bf00 we disabled
default_domain_suffix for the SSH responder, but in a wrong way -- we
disabled the functionality completely, also for users, not only for
computers. This might have been correct at the time, since SSH keys in ID
overrides are a relatively new feature, but it's definitely not correct
in general.
Instead, this patch restores the use of default_domain_suffix, but only
for looking up public keys of users, not of computers.
Resolves:
https://fedorahosted.org/sssd/ticket/3259
Reviewed-by: Petr Cech <pcech@redhat.com>
| |
dbus-1.11.8 added attributes for format string check to
a few functions in public header files. And therefore there is a warning.
src/lib/sifp/sss_sifp_utils.c: In function ‘sss_sifp_set_io_error’:
src/lib/sifp/sss_sifp_utils.c:44:5: error: format not a string literal
and no format arguments [-Werror=format-security]
dbus_set_error(ctx->io_error, error->name, error->message);
^~~~~~~~~~~~~~
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
The errno is a macro expanded into '(*__errno_location ())'.
The reason is that errno is private in glibc and the
function __errno_location returns the address of the private errno.
sh$ objdump -T /lib64/libc.so.6 | grep errno
00000010 g D .tbss 00000004 GLIBC_PRIVATE errno
000208a0 g DF .text 00000011 GLIBC_2.2.5 __errno_location
001366b0 g DF .text 0000005f GLIBC_2.2.5 clnt_sperrno
00136710 g DF .text 00000074 GLIBC_2.2.5 clnt_perrno
00000064 g D .tbss 00000004 GLIBC_PRIVATE __h_errno
0011aad0 g DF .text 00000011 GLIBC_2.2.5 __h_errno_location
It looks like clang static analyzer assumes that the value can be
changed due to a function call.
errno = 0;
val = strtol(values[0], NULL, 0);
// Taking true branch => assuming "errno != 0"
if (errno) {
ret = errno;
// errno was stored to ret but clang later assumes
// that ret can be 0
goto failed;
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
The internal header file "util/util.h" was removed from sss_utf8.h
as part of commit de5fa34860886ad68fba5e739987e16c342e8f14.
It was necessary to ensure libipa_hbac can be built with C90
compatible compiler.
This header file includes many system header files and after
this change caused missing declaration of the function free()
src/util/sss_utf8.c: In function ‘sss_utf8_free’:
src/util/sss_utf8.c:40:12: error: implicit declaration of function ‘free’
[-Werror=implicit-function-declaration]
return free(ptr);
^~~~
src/util/sss_utf8.c:40:12: warning: incompatible implicit declaration
of built-in function ‘free’
src/util/sss_utf8.c:40:12: note: include ‘<stdlib.h>’ or provide
a declaration of ‘free’
cc1: some warnings being treated as errors
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
| |
The WEXITSTATUS is defined in stdlib.h on linux.
There is a nice comment in stdlib.h:
/* Define the macros <sys/wait.h> also would define this way. */
It's better to not rely on this and use more platform friendly
way with including "sys/wait.h". For example the libc on FreeBSD
does not provide WEXITSTATUS in stdlib.h.
I found this macro mentioned only in the manual page for wait(2)
and there is mentioned just the "sys/wait.h" and not "stdlib.h"
src/tools/sssctl/sssctl.c: In function 'sssctl_run_command':
src/tools/sssctl/sssctl.c:110: error: implicit declaration of function
'WEXITSTATUS'
gmake[2]: *** [Makefile:22383: src/tools/sssctl/sssctl-sssctl.o] Error 1
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>