summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* intg: Allow to test netgroupsLukas Slebodnik2016-08-102-0/+156
| | | | | | | | | | | | | | | | | | | | | | | | | sh-4.2# getent netgroup -s sss QAUsers QAUsers ( ,qa1,example.com) ( ,qa2,example.com) ( ,qa3,example.com) sh-4.2# getent netgroup -s sss QASystems QASystems (qahost1.example.com,,) (qahost2.lab.eng.pnq.redhat.com,,) sh-4.2# getent netgroup -s sss test sh-4.2# echo $? 2 sh-4.2# python Python 2.7.5 (default, Aug 2 2016, 04:20:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import sssd_netgroup >>> sssd_netgroup.get_sssd_netgroups('QAUsers') (1, 0, [(None, 'qa1', 'example.com'), (None, 'qa2', 'example.com'), (None, 'qa3', 'example.com')]) >>> sssd_netgroup.get_sssd_netgroups('QASystems') (1, 0, [('qahost1.example.com', None, None), ('qahost2.lab.eng.pnq.redhat.com', None, None)]) >>> sssd_netgroup.get_sssd_netgroups('test') (0, 0, []) >>> Reviewed-by: Petr Čech <pcech@redhat.com>
* intg: Make location of sssd nss module configurableLukas Slebodnik2016-08-102-1/+2
| | | | | | | | | | | | | | | | | | | | | | The path to sssd nss module (libsss_nss.so) was relative to prefix and expected subdirectory "lib". 32bit and 64bit platforms and different distributions use different paths. This patch allows to use python module sssd_id even with real module and not just integration tests. It is just required to prepare "config.py" with right path. e.g. cd ~/sssd/src/tests/intg [~/sssd/src/tests/intg]$ echo "NSS_MODULE_DIR = '/usr/lib64'" > config.py [~/sssd/src/tests/intg]$ python Python 2.7.12 (default, Jul 18 2016, 09:57:01) [GCC 6.1.1 20160621 (Red Hat 6.1.1-3)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import sssd_id >>> sssd_id.get_user_gids('user') (1, 0, [5977, 1070, 5845, 1076, 1074, 10327, 5975, 5766]) Reviewed-by: Petr Čech <pcech@redhat.com>
* config_schema: Add ldap_user_email to schemaLukas Slebodnik2016-08-101-0/+1
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* sssctl: use internal API to remove filesPavel Březina2016-08-092-5/+4
| | | | Reviewed-by: Petr Cech <pcech@redhat.com>
* utils: add remove_subtreePavel Březina2016-08-093-7/+82
| | | | | | | Remove all entries in a directory but will not remove the directory itself. Reviewed-by: Petr Cech <pcech@redhat.com>
* UTILS: Fixing duplication of pid file declarationPetr Cech2016-08-094-8/+5
| | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2978 Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Do not check local users with disabled local_negative_timeoutLukas Slebodnik2016-08-091-18/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | sssd_nss can set different negative timeout for local users and groups. However, checking whether user/group is local is quite expensive operation. We can avoid such operations if local_negative_timeout is not set. This fix improve performance(40%) of lookup non-existing entries in offline mode and with disabled local_negative_timeout. sh$ cat pok.sh for i in {1..10000}; do getent passwd -s sss temp$i getent group -s sss temp$i done #without patch sh $time /bin/bash pok.sh real 0m41.534s user 0m3.580s sys 0m14.202s #with patch sh $time /bin/bash pok.sh real 0m26.686s user 0m3.292s sys 0m13.165s Resolves: https://fedorahosted.org/sssd/ticket/3122 Reviewed-by: Petr Cech <pcech@redhat.com>
* sssctl: Generic help for cache-upgrade and config-checkMichal Židek2016-08-092-0/+12
| | | | | | | | | | | sssctl COMMAND --help should print at least generic help, even if the command does not accept any command specific options. Resolves: https://fedorahosted.org/sssd/ticket/3086 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Initialize D-Bus as soon as possiblePavel Březina2016-08-092-11/+23
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/3111 Reviewed-by: Petr Cech <pcech@redhat.com>
* IPA: Check the return value of sss_parse_internal_fqnameJakub Hrozek2016-08-081-0/+8
| | | | | | We should fail the request if sss_parse_internal_fqname() fails. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAM: Do not act on ldb_message in case of a failureJakub Hrozek2016-08-081-15/+18
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Fixing wrong pam error code for passwdPetr Cech2016-08-081-0/+5
| | | | | | | This patch adds right pam error code for sssd offline state. Resolves: https://fedorahosted.org/sssd/ticket/3109
* LDAP: Fix Dereference after NULL checkLukas Slebodnik2016-08-081-1/+1
| | | | | | | | | | | The commit dc30c60f166ad9adc63a47a1013508a71624ac87 changed the logic in NULL check - if (protocol) { + if (protocol == NULL) { Found by Coverity: Reviewed-by: Petr Čech <pcech@redhat.com>
* SDAP: Don't log an op failure when no users are foundFabiano Fidêncio2016-08-051-3/+6
| | | | | | | | | | | | | | | When no users are found during the search users process, just log (at TRACEL_ALL level) that zero users were retrieve and avoid logging (at OP_FAILURE level) that a failure has occurred, which may end up misleading admins, giving them the impression that something wrong has happened. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Resolves: https://fedorahosted.org/sssd/ticket/3089 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* tools: Add missing gettext macroMichal Židek2016-08-051-1/+1
| | | | | | The message in SSS_TOOL_DELIMITER should be translated. Reviewed-by: Petr Čech <pcech@redhat.com>
* PROVIDER: Conversion empty string from D-Bus to NULLPetr Cech2016-08-052-4/+4
| | | | | | | | | | This patch fixes the issue with empty string recieving from D-Bus. Data providers obtains NULL. So this is simple conversin. Resolves: https://fedorahosted.org/sssd/ticket/3084 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Revert "LDAP: Lookup services by all protocols unless a protocol is specified"Petr Cech2016-08-051-5/+2
| | | | | | This reverts commit aa58e216c1f794bd335151f19e79adbb3ddf4c73. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Changing of confusing debug messagePetr Cech2016-08-052-3/+6
| | | | | | | | | | | This debug message used to confuse our users. So this patch changes it. Old version: "Trust direction of %s is %s\n" New version: "Trust type of [%s]: %s\n" Resolves: https://fedorahosted.org/sssd/ticket/3090 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Fix setting dataExpireTimestamp if sysdb is supposed to set the ↵Jakub Hrozek2016-08-052-10/+93
| | | | | | | | | | | | | current time sysdb is already able to retrieve the current timestamp if the caller doesn't specify it. However, for the timestamp cache this came too late and the timestamp cache used zero as the 'now' time. Resolves: https://fedorahosted.org/sssd/ticket/3064 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Sanitize dn in sysdb_get_user_members_recursivelyLukas Slebodnik2016-08-051-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | | There was a crash in nss responder when a group contained a user with special charactes which shoudl be sanitized before using in filter. ==31651== Conditional jump or move depends on uninitialised value(s) ==31651== at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215) ==31651== by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759) ==31651== by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375) ==31651== by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799) ==31651== by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168) ==31651== by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382) ==31651== by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916) ==31651== by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791) ==31651== by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314) ==31651== by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580) ==31651== by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96) ==31651== by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341) Resolves: https://fedorahosted.org/sssd/ticket/3121 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: sysdb_search_users does not set users_count for failuresLukas Slebodnik2016-08-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | ==32577== Conditional jump or move depends on uninitialised value(s) ==32577== at 0x140DCE10: sdap_process_missing_member_2307 (sdap_async_groups.c:1556) ==32577== by 0x140DCE10: sdap_process_group_members_2307 (sdap_async_groups.c:1625) ==32577== by 0x140DCE10: sdap_process_group_send (sdap_async_groups.c:1298) ==32577== by 0x140DCE10: sdap_get_groups_process (sdap_async_groups.c:2130) ==32577== by 0x140CFDA8: generic_ext_search_handler.isra.3 (sdap_async.c:1688) ==32577== by 0x140D2416: sdap_get_generic_op_finished (sdap_async.c:1578) ==32577== by 0x140D0DFC: sdap_process_message (sdap_async.c:353) ==32577== by 0x140D0DFC: sdap_process_result (sdap_async.c:197) ==32577== by 0x8BF1B4E: tevent_common_loop_timer_delay (tevent_timed.c:341) ==32577== by 0x8BF2B59: epoll_event_loop_once (tevent_epoll.c:911) ==32577== by 0x8BF1256: std_event_loop_once (tevent_standard.c:114) ==32577== by 0x8BED40C: _tevent_loop_once (tevent.c:533) ==32577== by 0x8BED5AA: tevent_common_loop_wait (tevent.c:637) ==32577== by 0x8BF11F6: std_event_loop_wait (tevent_standard.c:140) ==32577== by 0x529DD02: server_loop (server.c:702) ==32577== by 0x110951: main (data_provider_be.c:587) Resolves: https://fedorahosted.org/sssd/ticket/3121 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: sanitize member name before using in filterLukas Slebodnik2016-08-051-1/+10
| | | | | | | | | | | | | | | It caused an errors. (Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x2000): Search users with filter: (&(objectclass=user)(nameAlias=t(u)ser@ldap)) (Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x0080): Error: 5 (Input/output error) Resolves: https://fedorahosted.org/sssd/ticket/3121 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssctl: Consistent commands namingMichal Židek2016-08-058-68/+69
| | | | | | | | | | | Use TOPIC-ACTION pattern for sssctl command names. Resolves: https://fedorahosted.org/sssd/ticket/3087 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_ini: Change debug level of config error msgsMichal Židek2016-08-041-2/+2
| | | | | | | | | Syntax errors in configuration files prevent SSSD or sssctl to start completely. It would be good to display these errors by default with the highest level. Reviewed-by: Petr Čech <pcech@redhat.com>
* RESPONDERS: Pass errno to strerror() when SELINUX_getpeercon() failsFabiano Fidêncio2016-08-041-0/+1
| | | | | | | | | | | Currently ret, which is -1, is passed to strerror() instead of errno. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Related: https://fedorahosted.org/sssd/ticket/3094 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDERS: Show a bit more info in case of SELINUX_getpeercon() failureFabiano Fidêncio2016-08-041-0/+2
| | | | | | | | | | | | Be explicit that it may happen when SELinux is disabled and also suggest to enable SELinux. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Related: https://fedorahosted.org/sssd/ticket/3094 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDERS: Decrease debug level for failures in SELINUX_getpeercon()Fabiano Fidêncio2016-08-041-2/+2
| | | | | | | | | | | | As this is not FATAL and may happen when SELinux is disabled, let's just decrease the debug level to MINOR_FAILURE Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Related: https://fedorahosted.org/sssd/ticket/3094 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Fixed some typos in man pagesThorsten Scherf2016-08-042-2/+2
| | | | Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
* LDAP: Use FQDN when linking parent LDAP groupsJakub Hrozek2016-08-041-1/+1
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/3093 Because we compare the list of LDAP names with the list of sysdb names, we need to qualify the list of LDAP names before running the diff. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Changing of confusing debug messagePetr Cech2016-08-021-1/+1
| | | | | | | | | This debug message used to confuse our customer. So this patch changes it. Resolves: https://fedorahosted.org/sssd/ticket/3091 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* LDAP: Fix storing initgroups for users with no supplementary groupsJakub Hrozek2016-08-021-14/+18
| | | | | | | If there are no supplementary groups, we tried to qualify a NULL pointer to an array which resulted in an error. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SDAP: add enterprise principal strings for user searchesSumit Bose2016-07-295-4/+82
| | | | | | | | | | Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To be able to lookup the alternative principal in LDAP properly the UPN search filter is extended to search for this type of name as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: add special handling for IPA Kerberos enterprise principal stringsSumit Bose2016-07-291-0/+17
| | | | | | | | | | Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To allow searches with the plain alias 'name@alt.realm' the returned value is converted before it is saved to the cache. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: Fix domain for UPN based lookupsSumit Bose2016-07-291-0/+17
| | | | | | | Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: use different neg cache name for UPN searchesSumit Bose2016-07-291-2/+10
| | | | | | | | | | If Kerberos principals or email address have the same domain suffix as the domain itself the first user lookup by name might have already added the name to the negative cache and the second lookup by UPN/email will skip the domain because of the neg cache entry. To avoid this a special name with a '@' prefix is used here. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: continue with UPN/email search if name was not foundSumit Bose2016-07-291-0/+39
| | | | | | | | Currently we only search for UPNs if the domain part of the name was not know, with Kerberos aliases and email addresses we have to do this even if the domain name is a know domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: continue with UPN/email search if name was not foundSumit Bose2016-07-291-6/+6
| | | | | | | | Currently we only search for UPNs if the domain part of the name was not know, with Kerberos aliases and email addresses we have to do this even if the domain name is a know domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP/IPA: add local email address to aliasesSumit Bose2016-07-292-0/+71
| | | | | | | | Adding email-addresses from the local domain to the alias names is strictly not needed by might help to speed up lookups in the NSS responder. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* utils: add is_email_from_domain()Sumit Bose2016-07-293-0/+49
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: add user email to fill_orig()Sumit Bose2016-07-292-0/+3
| | | | | | | The IPA server must send the email address of a user to the clients to allow login by email. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: include email in UPN searchesSumit Bose2016-07-292-10/+40
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: include email in UPN searchesSumit Bose2016-07-292-3/+3
| | | | | | | | | | | Email addresses and Kerberos user principals names (UPNs) do not only look similar they also can be used to identify a user uniquely. In future this approach should be replace by a more generic one where the attributes which can uniquely identifies a user can be configured to support even a wider range of login names. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: new attribute option ldap_user_emailSumit Bose2016-07-2910-0/+24
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: allow multiple user principalsSumit Bose2016-07-291-14/+18
| | | | | | | | | | In general a user can have multiple principals and recent IPA version added support to defined multiple principals. With this patch SSSD does not only store the first but all principals read by LDAP from a server. Resolves https://fedorahosted.org/sssd/ticket/2958 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: fix lookup by UPN for subdomainsSumit Bose2016-07-291-4/+12
| | | | | | | | | | Currently the user name used in the extdom exop request is unconditionally set to the short name. While this is correct for the general name based lookups it breaks UPN/email based lookups where the name part after the @-sign might not match to domain name. I guess this was introduce during the sysdb refactoring. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: properly override group member namesSumit Bose2016-07-295-129/+134
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2948 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: add sysdb_get_user_members_recursively()Sumit Bose2016-07-292-0/+66
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: expand ghost members of AD groups in server-modeSumit Bose2016-07-291-1/+78
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make ipa_resolve_user_list_{send|recv} public and allow AD usersSumit Bose2016-07-292-4/+24
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* test_utils: Fixing assignment discards 'const' qualifierPetr Cech2016-07-261-2/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2025-10-02 11:19:41 +0000