| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
It is read only from "[sssd]" section.
Resolves:
https://pagure.io/SSSD/sssd/issue/3511
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 895584001760e8188db486bc39f9938624822d35)
(cherry picked from commit 69e61a52493a8c143f83763c2dd783cabea5c9f4)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSSDConfig internally handle debug_level as an integer.
But in case of bitmask version of debug_level (>=16)
it stored value as a decimal which is confusing
e.g.
debug_level = 8176
vs.
debug_level = 0x1ff0
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit fca26b76f23ee4457d6796b19892ed97362b6c8d)
(cherry picked from commit 712f1cc9acb8b71e6906d7a168a045920d491d96)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
debug_level is usually defined as decimal value <= 10
or as a hexadecimal value which is used as a bitmask
Parsing of hexadecimal value was partially fixed by commit
7fac271ccebb84743c39f553eb5ec013cf1d10aa but only for
sssd domains. It was not fixed for sssd services.
File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM
pam = self.sssdConfig.get_service('pam')
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service
service.set_option(opt['name'], opt['value'])
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option
(option_schema[0], optionname, type(value)))
TypeError: Expected <class 'int'> for debug_level, received <class 'str'>
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 6df5b36008fef9c1f6dcf8f31af033a467e744c7)
(cherry picked from commit facc24ec969087bd20e58636d263553ccc97ab4e)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Option subdomain_homedir was missing from Python config API an
cfg_rules leading to config file validation failures. Add this option
into the necessary locations similar to other provider-generic domain
options.
Resolves:
https://pagure.io/SSSD/sssd/issue/3389
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit beab60d88fc07d463f6fb3756c8f3d29bdd78827)
|
| |
|
|
|
|
|
|
|
|
| |
The session_provider used to exist a long time ago when we used to set
the SELinux context from it, but the provider had been removed for a
long time. We just forgot to remove the value from the config API and
the validator.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit d940593e647731c0caec1fd04cf16a1b23578f32)
|
| |
|
|
|
|
|
|
| |
We should not warn about it in the validator and should allow
selinux_provider from the config API.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit dec00197181ee8f7efbfbdadd73629f66f80f1ff)
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6d19051c50c10fc4de056ebb385c63ec0ed221cb)
|
| |
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit cc4d1af16820b15595b60c3df15220fb852eb897)
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit aeab20358006d728a284f969f92f3890498cd651)
|
| |
|
|
|
|
|
|
|
|
|
| |
We read override_space from [sssd] not
[nss] section.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit fc04d11c2fdde0bfe280c6030df2b1d6bf15ce63)
|
| |
|
|
|
|
|
|
|
|
|
| |
dict.keys() returns iterator in python3 and not list
Chaging data in dictionary while using iterator
fails with "RuntimeError: dictionary changed size during iteration"
https://fedorahosted.org/sssd/ticket/3107
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1773fdad2730f3f910782781fa286f402ce36cca)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 03b859510dc13a13a456ca4aa94c0561a0e9684c)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 544a20de7667f05c1a406c4dea0706b0ab507430)
|
| |
|
|
|
|
|
|
|
|
| |
src/config/testconfigs/sssd-valid.conf explicitly contains
config_file_version. Recently we changed the default value to 2
and therefore it needn't be listed in configuration file.
This patch test real sssd.conf without config_file_version.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 7388fc91bd6c22705e60632346ec815f4a4963f1)
|
| |
|
|
|
|
|
|
|
|
|
| |
Python module SSSDConfig should be able to save configuration file
and later load the same configuration file without problem.
Unit test for:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 87ef67286b64af98d32a3a5abcd28a9c2886f751)
|
| |
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6a044fa43d53638c1d0b874d43f58c0428820362)
|
| |
|
|
|
|
|
|
|
|
| |
Default to config file version 2 if the version
is not specified explicitly.
Ticket:
https://fedorahosted.org/sssd/ticket/2688
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.
This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
In Python 3, dict.keys() returns a view rather than a list. Since dict keys
aren't in any particular order, indexing them doesn't make sense.
Resolves:
https://fedorahosted.org/sssd/ticket/2699
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test SSSDConfigTest is executed twice with make check
if python2 and python3 are available.
Tests are executed in parallel with new automake
and therefore it caused sometimes failures e.g.
ERROR: testModifyExistingConfig (__main__.SSSDConfigTestValid)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/sssd/src/config/SSSDConfigTest.py", line 215, in testModifyExistingConfig
mode = os.stat(of)[ST_MODE]
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/testModifyExistingConfig.conf'
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
* fix hashbangs
* remove strict requirements of python2 in build system
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* fix incompatible imports
* fix translation.[u]?gettext
* fix dict method has_key
* fix octal literals PEP 3127
* long is not defined in python3
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/2017
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds a option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2358
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2356
The python scripts are not tested with python3 and /usr/bin/python can be
symbolic link to python3 on some distributions.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
|
| |
|
|
|
|
|
|
| |
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are
allowed to communicate with the IFP responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of appending the search patch in the source directory should be
prepended. Otherwise the test might find files installed in the default
paths of the system first.
As a result the compiled python files in the build directory must be
remove in the clean target to make 'make distcheck' pass.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different setting.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Added and documented option offline_timeout.
Resolves:
https://fedorahosted.org/sssd/ticket/1718
|
| |
|
|
|
|
|
|
|
|
| |
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
|
| |
|
|
|
| |
realmd needs to be able to tag various domains with basic info
when it configures a domain.
|
| |
|
|
| |
It was mentioned in the manpages, but not accepted by the API
|
| |
|
|
|
|
| |
This options is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none.
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1832
While some servers, such as FreeIPA allow the PTR record to be
synchronized when the forward record is updated, other servers,
including Active Directory, require that the PTR record is synchronized
manually.
This patch adds a new option, dyndns_update_ptr that automatically
generates appropriate DNS update message for updating the reverse zone.
This option is off by default in the IPA provider.
Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg
|
| |
|
|
|
|
|
| |
This new options adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records.
|
| |
|
|
|
|
| |
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning.
|
| |
|
|
|
|
| |
This patch added auto configuration SUDO with ipa provider and compat tree.
https://fedorahosted.org/sssd/ticket/1733
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1376
|
