Commit message | Author | Age | Files | Lines
* sysdb custom: completely replace old object instead of merging it  [sudohost]
  Author: Pavel Březina | Age: 2017-11-07 | Files: 2 | Lines: -30/+7

  This patch is written primarily for the sudo use case, but it makes sure that we do not merge two records in other parts of the code that use sysdb_store_custom.

  1) If there are two rules with the same cn (possible with multiple search bases or organizational units) we would end up merging those two rules instead of choosing one of them.

  2) Also, smart refresh would merge the diff instead of removing the attributes that are no longer present in LDAP.

  Since 1) is a rare use case and it is a misconfiguration, we completely replace the old rule with the new one. It is simpler to implement and it solves both issues.

  Resolves: https://pagure.io/SSSD/sssd/issue/3558
* sudo ldap: do not store rules without sudoHost attribute
  Author: Pavel Březina | Age: 2017-11-03 | Files: 1 | Lines: -2/+3

  Unless it is cn=defaults.

  Resolves: https://pagure.io/SSSD/sssd/issue/3558
* AD: Remember last site discovered in sysdb
  Author: Pavel Březina | Age: 2017-11-02 | Files: 6 | Lines: -4/+26

  This can speed up sssd startup.

  Resolves: https://pagure.io/SSSD/sssd/issue/3265

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: add functions to get/set client site
  Author: Pavel Březina | Age: 2017-11-02 | Files: 3 | Lines: -0/+146

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Remember last site discovered
  Author: Pavel Březina | Age: 2017-11-02 | Files: 1 | Lines: -1/+43

  To discover the Active Directory site for a client we must first contact any directory controller for an LDAP ping. This is done by searching the domain-wide DNS tree, which may however contain servers that are not reachable from the current site, and then we face long timeouts or failure.

  This patch makes sssd remember the last successfully discovered site and use this for the DNS search to look up the site and forest again, similar to what we do when the ad_site option is set.

  Resolves: https://pagure.io/SSSD/sssd/issue/3265

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sudo: always use srv_opts from id context
  Author: Pavel Březina | Age: 2017-10-31 | Files: 1 | Lines: -6/+1

  Prior to this patch, we remembered id_ctx->srv_opts in the sudo request to switch the latest usn values. This works fine most of the time but it may cause a crash. If we have two concurrent sudo refreshes and one of them fails, it causes failover to try the next server and possibly replaces the old srv_opts with a new one, which causes an access after free in the other refresh.

  Resolves: https://pagure.io/SSSD/sssd/issue/3562

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* CI: Ignore source file generated by systemtap
  Author: Lukas Slebodnik | Age: 2017-10-31 | Files: 1 | Lines: -0/+1

  There are some changes in systemtap 3.2 which generate temporary source files and remove them later. We are not interested in code coverage in this area. Let's ignore them.

      ...
      genhtml: failure 00:00:01 ci-build-coverage/ci-genhtml.log
      FAILURE

      sh$ cat ci-build-coverage/ci-genhtml.log
      Start: Mon Oct 30 13:43:52 UTC 2017
      + eval 'genhtml --output-directory \
            "$coverage_report_dir" \
            --title "sssd" --show-details \
            --legend --prefix "$BASE_DIR" \
            ci.info |& tee ci-genhtml.out'
      ++ genhtml --output-directory ci-report-coverage --title sssd \
            --show-details --legend --prefix /home/build/sssd ci.info
      ++ tee ci-genhtml.out
      Reading data file ci.info
      Found 447 entries.
      Using user-specified filename prefix "/home/build/sssd"
      Writing .css and .png files.
      Generating output.
      genhtml: ERROR: cannot read /home/build/sssd/stap_generated_probes.o.dtrace-temp.c
      Processing file stap_generated_probes.o.dtrace-temp.c
      End: Mon Oct 30 13:43:53 UTC 2017

      sh$ ls -l /home/build/sssd/stap_generated_probes.o.dtrace-temp.c
      ls: cannot access '/home/build/sssd/stap_generated_probes.o.dtrace-temp.c': No such file or directory

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: GPO Security Filtering limitation
  Author: Michal Židek | Age: 2017-10-27 | Files: 1 | Lines: -0/+7

  Note in the man pages that the current version of SSSD does not support host entries in the 'Security filtering' list.

  Resolves: https://pagure.io/SSSD/sssd/issue/3444

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* sudo: document background activity
  Author: Pavel Březina | Age: 2017-10-26 | Files: 1 | Lines: -0/+8

  When we introduced socket activation, we changed the internal behaviour. Previously we disabled sudo if it was not listed in services; with socket activation we removed this feature. Some users were confused, so this change documents the current behaviour.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* CACHE_REQ: Copy the cr_domain list for each request
  Author: Fabiano Fidêncio | Age: 2017-10-26 | Files: 3 | Lines: -2/+55

  Let's copy the cr_domain list for each request as this list may be freed due to a refresh domains request.

  Resolves: https://pagure.io/SSSD/sssd/issue/3551

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Add integration tests for the auto_private_groups option
  Author: Jakub Hrozek | Age: 2017-10-26 | Files: 2 | Lines: -3/+290

  Related: https://pagure.io/SSSD/sssd/issue/1872

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Prevent users and groups ID collision in MPG domains except for id_provider=local
  Author: Jakub Hrozek | Age: 2017-10-26 | Files: 1 | Lines: -3/+38

  This commit makes the check when adding an object in an MPG domain stricter, in the sense that not only are the same names not allowed in an MPG domain, but the same groups are not allowed either.

  This commit is a backwards-incompatible change, but one that is needed, otherwise requesting the duplicate group first and then requesting the user entry would yield two objects when searching by GID.

  In order to keep backwards-compatibility, this uniqueness is NOT enforced with id_provider=local. This constraint can be removed in the future (or the local provider can be dropped altogether).

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* LDAP: Turn group request into user request for MPG domains if needed
  Author: Jakub Hrozek | Age: 2017-10-26 | Files: 1 | Lines: -39/+113

  If the primary group GID or the group name is requested before the user is, we need to also search the user space to save the user in the back end, which then allows the responder to generate the group from the user entry.

  Related: https://pagure.io/SSSD/sssd/issue/1872

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SDAP: Allow the mpg flag for the main domain
  Author: Jakub Hrozek | Age: 2017-10-26 | Files: 1 | Lines: -8/+75

  This commit allows saving the users in the MPG domain in the SDAP layer. The commit contains the following changes:
  - abstracts the change where, if the primary GID exists in the original object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute, which will allow the original primary GID to be exposed as a secondary group
  - if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM is added. This will allow handling LDAP objects that only contain the UID but no GID. Since this is a new use-case, a test is added later
  - a branch that handles the above is added to sdap_save_user() also for joined domains that set the MPG flag. Previously, only subdomains were handled.
  - to allow passing GID=0 to the sysdb layer, the range check is relaxed.

  Related: https://pagure.io/SSSD/sssd/issue/1872

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Remove the obsolete option magic_private_groups
  Author: Jakub Hrozek | Age: 2017-10-26 | Files: 1 | Lines: -1/+0

  Since this confdb definition was completely unused across the codebase, this patch just removes the definition.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* CONFIG: Add a new option auto_private_groups
  Author: Jakub Hrozek | Age: 2017-10-26 | Files: 7 | Lines: -2/+36

  The auto_private_groups option is used to configure the domain->mpg flag, which was already set automatically for subdomains but for some time was not settable by the admin via the configuration file.

  The new option name, instead of the old magic_private_groups, was chosen purely because this name would hopefully be better understood by admins.

  The option doesn't do anything yet; it is just added to all the places a new option should be added to.

  Related: https://pagure.io/SSSD/sssd/issue/1872

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Fix minor spelling mistakes
  Author: René Genz | Age: 2017-10-25 | Files: 31 | Lines: -46/+46

  Merges: https://pagure.io/SSSD/sssd/pull-request/3556

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: Document memcache_timeout=0 meaning
  Author: Michal Židek | Age: 2017-10-24 | Files: 1 | Lines: -1/+8

  Document that by setting memcache_timeout to 0 the in-memory cache will be disabled.

  Related: https://pagure.io/SSSD/sssd/issue/3496

  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Specify memcache_timeout=0 semantics
  Author: Michal Židek | Age: 2017-10-24 | Files: 2 | Lines: -0/+65

  With this patch the memcache files will not be created when memcache_timeout is set to zero.

  Resolves: https://pagure.io/SSSD/sssd/issue/3496

  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Move memcache setup to separate function
  Author: Michal Židek | Age: 2017-10-24 | Files: 1 | Lines: -40/+51

  Related: https://pagure.io/SSSD/sssd/issue/3496

  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KCM: Fix typo in comments
  Author: Lukas Slebodnik | Age: 2017-10-24 | Files: 1 | Lines: -2/+2

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* Update the version number to track 1.16.1 development
  Author: Jakub Hrozek | Age: 2017-10-20 | Files: 1 | Lines: -1/+1
* Updating the version for the 1.16.0 release
  Author: Jakub Hrozek | Age: 2017-10-20 | Files: 1 | Lines: -1/+1
* Updating the translation for the 1.16.0 release
  Author: Jakub Hrozek | Age: 2017-10-20 | Files: 42 | Lines: -35699/+51856
* Revert "IPA: Only generate kdcinfo files on clients"
  Author: Lukas Slebodnik | Age: 2017-10-19 | Files: 2 | Lines: -18/+9

  This reverts commit a309525cc47da726461aec1f238165c17aade2a6.

  Even though the original patch was correct, it is better to revert it because otherwise we hit a bug in MIT krb5 where the fallback to admin_server if kpasswd_server is not set does not work. And it would take some time to propagate the krb5 fix to downstream distributions.

  https://bugzilla.redhat.com/show_bug.cgi?id=1498347

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* LDAP: Add support for rhost access control
  Author: Alexey Kamenskiy | Age: 2017-10-19 | Files: 15 | Lines: -1/+367

  This patch implements verification of pam_rhost against rules stored in the LDAP entry of a user.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Add threshold for sudo searches
  Author: Justin Stephenson | Age: 2017-10-19 | Files: 5 | Lines: -10/+63

  Apply the sudo threshold to IPA provider sudo command and command group searches to prevent SSSD from creating large search filters. The IPA sudo threshold value will utilize the sudo responder sudo_threshold value.

  If the threshold is exceeded, a basic search filter will be used as a fallback to retrieve all IPA sudo commands or command groups.

  Resolves: https://pagure.io/SSSD/sssd/issue/3507

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sss_client: refactor internal timeout handling
  Author: Sumit Bose | Age: 2017-10-19 | Files: 2 | Lines: -38/+74

  This patch adds a timeout option to the internal client calls so that the timeout is not hard-coded anymore in the low level poll() calls but can be set by the caller with sss_nss_make_request_timeout().

  Since the old timeout value is not changed by this patch, there is no functional change expected.

  Related to https://pagure.io/SSSD/sssd/issue/2478

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* DP: Log to syslog whether it's online or offline
  Author: Fabiano Fidêncio | Age: 2017-10-18 | Files: 2 | Lines: -0/+14

  Instead of requiring that admins enable and look at our logs, let's log to syslog what the DP status is.

  Resolves: https://pagure.io/SSSD/sssd/issue/3307

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Fix the output type used in dp_req_recv_ptr()
  Author: Fabiano Fidêncio | Age: 2017-10-18 | Files: 1 | Lines: -5/+5

  Related: https://pagure.io/SSSD/sssd/issue/3307

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: sanitize name in override search filter
  Author: Sumit Bose | Age: 2017-10-18 | Files: 1 | Lines: -5/+13

  Resolves: https://pagure.io/SSSD/sssd/issue/3545

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* intg: Add sanity tests for pysss_nss_idmap
  Author: Lukas Slebodnik | Age: 2017-10-16 | Files: 2 | Lines: -0/+270

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: Create FakeAD class based on openldap
  Author: Lukas Slebodnik | Age: 2017-10-16 | Files: 4 | Lines: -0/+936

  FakeAD is openldap with an ldif schema which allows loading static data from a real AD. An instance of the class will also contain some predefined users/groups which can be used for basic sanity testing of AD features in sssd.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ds_openldap: Extract functionality to protected methods
  Author: Lukas Slebodnik | Age: 2017-10-16 | Files: 1 | Lines: -23/+28

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: Prefer locally built python modules
  Author: Lukas Slebodnik | Age: 2017-10-16 | Files: 2 | Lines: -0/+14

  The patch prepends the path to the sssd python modules, so we will be able to import them without any issue and they will be preferred over system modules.

      sh$[/tmp/sssd-intg.3gb4hzpn/var/log/sssd] python2
      Python 2.7.13 (default, Aug 16 2017, 12:56:26)
      [GCC 7.1.1 20170802 (Red Hat 7.1.1-7)] on linux2
      Type "help", "copyright", "credits" or "license" for more information.
      >>> import SSSDConfig
      >>> print(SSSDConfig.__file__)
      /tmp/sssd-intg.3gb4hzpn/lib/python2.7/site-packages/SSSDConfig/__init__.pyc
      >>> import pyhbac
      >>> print(pyhbac.__file__)
      /tmp/sssd-intg.3gb4hzpn/lib64/python2.7/site-packages/pyhbac.so

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: prevent "TypeError: must be type, not classobj"
  Author: Lukas Slebodnik | Age: 2017-10-16 | Files: 1 | Lines: -1/+1

  http://stackoverflow.com/questions/9698614/super-raises-typeerror-must-be-type-not-classobj-for-new-style-class

      ========================== ERRORS ===========================
      _______ ERROR at setup of test_regression_ticket2163 ________
      Traceback (most recent call last):
        File "src/tests/intg/test_pysss_nss_idmap.py", line 48, in ad_inst
          instance.teardown()
        File "src/tests/intg/ds_openldap.py", line 371, in teardown
          super(FakeAD, self).teardown()
      TypeError: super() argument 1 must be type, not classobj

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: Let python paths be configurable
  Author: Lukas Slebodnik | Age: 2017-10-16 | Files: 2 | Lines: -0/+8

  It will allow preferring locally built python modules in integration tests.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* intg: Fix pep8 warnings in config.py template
  Author: Lukas Slebodnik | Age: 2017-10-16 | Files: 1 | Lines: -14/+14

      intg/bld/src/tests/intg/config.py:5:7: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:6:11: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:7:15: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:8:12: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:9:10: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:10:8: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:11:9: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:12:13: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:13:9: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:14:12: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:15:11: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:16:13: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:17:12: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:18:13: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:20:11: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:21:7: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:22:11: E221 multiple spaces before operator
      intg/bld/src/tests/intg/config.py:23:7: E221 multiple spaces before operator

  pep8 will prevent reformatting in case new options are added, e.g. 53a4219e2f51cd0443931aa931505bf0b4bf5a45

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TOOLS: Hide option --debug in sssctl
  Author: Lukas Slebodnik | Age: 2017-10-13 | Files: 1 | Lines: -6/+2

  Related to old bug https://pagure.io/SSSD/sssd/issue/1224

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* TOOLS: Print Better usage for sssctl debug-level
  Author: Lukas Slebodnik | Age: 2017-10-13 | Files: 1 | Lines: -35/+7

  There is a missing command name in the help:

      sh# sssctl debug-level --help
      Usage: DEBUG_LEVEL_TO_SET
        -c, --config=STRING    Specify a non-default config file

      Help options:
        -?, --help             Show this help message
        --usage                Display brief usage message

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* TOOLS: Log redirection info for sss_debuglevel to stderr
  Author: Lukas Slebodnik | Age: 2017-10-13 | Files: 1 | Lines: -1/+1

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* sysdb: sanitize search filter input
  Author: Sumit Bose | Age: 2017-10-11 | Files: 2 | Lines: -8/+42

  This patch sanitizes the input for sysdb searches by UPN/email, SID and UUID.

  This security issue was assigned CVE-2017-12173

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
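The bug class behind this entry and the earlier "IPA: sanitize name in override search filter" entry is filter injection: a caller-supplied value (a UPN, SID, UUID or name) is spliced into an LDAP search filter string without escaping, so filter metacharacters in the value change the query's structure. The example below is added here and is not SSSD's own code; it shows the RFC 4515 escaping rule such a fix applies, with a deliberately unsafe filter builder beside the escaped one. The function names (ldap_filter_escape, build_filter_unsafe, build_filter_safe, count_filter_items), the attribute names and the sample input are constructed for illustration.

```c
/* Added example, not SSSD code. Escaping untrusted input before it is
 * placed inside an LDAP search filter (RFC 4515): the bytes '*' '(' ')' '\'
 * and NUL must be written as \2a \28 \29 \5c \00; this version also
 * hex-escapes the other control bytes (< 0x20 and 0x7f). UTF-8 multibyte
 * sequences are legal unescaped and are passed through unchanged. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly malloc'd escaped copy of `in`, or NULL on allocation
 * failure. Caller frees the result. */
char *ldap_filter_escape(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes \xx */
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        bool special = (c == '*' || c == '(' || c == ')' || c == '\\'
                        || c < 0x20 || c == 0x7f);
        if (special) {
            p += sprintf(p, "\\%02x", c);   /* e.g. '*' -> "\2a" */
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* The vulnerable pattern: the value is pasted into the filter verbatim.
 * (hypothetical attribute names; the template is the only thing that matters) */
char *build_filter_unsafe(const char *name)
{
    const char *tmpl = "(&(objectClass=user)(uid=%s))";
    size_t n = strlen(tmpl) + strlen(name) + 1;
    char *f = malloc(n);
    if (f != NULL) {
        snprintf(f, n, tmpl, name);
    }
    return f;
}

/* The fixed pattern: escape first, then use the same template. */
char *build_filter_safe(const char *name)
{
    char *esc = ldap_filter_escape(name);
    if (esc == NULL) {
        return NULL;
    }
    char *f = build_filter_unsafe(esc);   /* safe now: esc contains no metacharacters */
    free(esc);
    return f;
}

/* Counts filter items, i.e. literal '(' characters. Escaped input can never
 * add one, so a count above what the template contains means injection. */
int count_filter_items(const char *filter)
{
    int n = 0;
    for (const char *p = filter; *p != '\0'; p++) {
        if (*p == '(') {
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed hostile input: closes the uid item and adds a wildcard item. */
    const char *hostile = "*)(uid=*";
    char *bad = build_filter_unsafe(hostile);
    char *good = build_filter_safe(hostile);
    if (bad == NULL || good == NULL) {
        return 1;
    }
    printf("unsafe: %s  (items: %d)\n", bad, count_filter_items(bad));
    printf("safe:   %s  (items: %d)\n", good, count_filter_items(good));
    free(bad);
    free(good);
    return 0;
}
```

The unsafe builder turns `*)(uid=*` into `(&(objectClass=user)(uid=*)(uid=*))`, a syntactically valid filter that matches every user; the escaped builder yields `(&(objectClass=user)(uid=\2a\29\28uid=\2a))`, which can only match a uid that literally contains those characters. Escaping at the point where the value enters the filter, rather than rejecting "suspicious" input, is the right fix because SIDs, UUIDs and UPNs are attacker-influenced strings that still have to be searchable verbatim.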
* BUILD: Accept krb5 1.16 for building the PAC plugin
  Author: Sumit Bose | Age: 2017-10-09 | Files: 1 | Lines: -1/+2

  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Avoid overwriting pam_status in _lookup_by_cert_done()
  Author: Fabiano Fidêncio | Age: 2017-10-09 | Files: 1 | Lines: -1/+1

  In case add_pam_cert_response() failed, pam_status has to be set to PAM_AUTHINFO_UNAVAIL. Although it's done properly in the code, pam_status was overwritten just after the if block with PAM_SUCCESS.

  The original faulty code was added as part of 32474fa2f0.

  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found
  Author: Jakub Hrozek | Age: 2017-10-05 | Files: 1 | Lines: -2/+5

  If a referral returned during AD GPO processing cannot be assigned to a known domain, at the moment SSSD accesses memory that was freed previously with ldap_free_urldesc().

  This patch moves the ldap_free_urldesc() call to both the error handler and the success branch after we are done working with the LDAPURLDesc instance.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* KCM: Add some forgotten NULL checks
  Author: Jakub Hrozek | Age: 2017-10-04 | Files: 2 | Lines: -2/+28

  Several memory allocations across the KCM codebase did not check their result for NULL. This patch fixes that.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* KCM: Use the right memory context
  Author: Jakub Hrozek | Age: 2017-10-04 | Files: 1 | Lines: -6/+6

  Inside the tevent request, we should use 'state' as the intermediate memory context and steal the result up to 'mem_ctx' on success. 'mem_ctx' itself should only be used to create the tevent_req as the first thing during the request creation.

  However, this bug is not very severe as the mem_ctx was always the KCM operation memory context, so the memory was freed when the operation terminated.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* KCM: Do not leak newly created ccache in case the name is malformed
  Author: Jakub Hrozek | Age: 2017-10-04 | Files: 1 | Lines: -7/+12

  This is not a big deal as the mem_ctx parameter of the operation is typically just a short-lived operation context. Nonetheless, it is best practice not to rely on how the memory context is set up in utility functions.

  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* python: Changing class declaration from old to new-style type
  Author: amitkuma | Age: 2017-10-04 | Files: 2 | Lines: -3/+3

  Resolves: https://pagure.io/SSSD/sssd/issue/3517

  Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* ldap: Change ldap_user_certificate to userCertificate;binary
  Author: amitkuma | Age: 2017-10-04 | Files: 3 | Lines: -10/+4

  IPA and AD providers default to userCertificate;binary for the ldap_user_certificate option. It will be good to default that value also for the generic LDAP provider.

  Resolves: https://pagure.io/SSSD/sssd/issue/3499

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>