| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new option that allows to distinguish domains that do contain
POSIX users and groups and those that don't. The POSIX domains are the
default. The non-POSIX domains are selected by selecting an
"application" type domain.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the local equivalent of option of ipaDomainResolutionOrder and
has precedence over the ones set on IPA side making the precedence order
to be like: Local > View > Globally.
As done for the IPA side configurations, the domains which were not
explicitly set up will be apennded to the final of the
domain_resolution_order list in the very same order they're presented in
the "domains" option of [sssd] section in the config file. There's no
guarantee of order for the subdomains though.
It's also important to mention that no expansion magic is performed on
our side. It means that if 'example.com' is set it does *not* stand for
all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com',
etc).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces a new configurable option to define whether the
responder should query all domains' caches before querying the Data
Providers.
This new option is called cache_first and, by default, it's disabled,
meaning that, for each provider, the responder may contact the cache and
the data provider in the same iteration.
Co-Author: Pavel Březina <pbrezina@redhat.com>
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If SSSD is compiled with --enable-files-domain, the loading of the
domains changes such that:
* if no domain with id_provider=files exists in the config file, an
implicit SSSD files domain is added
* this domain is always first in the list
The administrator is free to create a files domain in the config file
himself and either place it at the end of the list or not enable it at
all.
Resolves:
https://pagure.io/SSSD/sssd/issue/3112
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit introduces a new option for the responders called
responder_idle_timeout, which specifies the number of seconds that the
responder process can be up without being used. The default value is
300 seconds (5 minutes) and can be configured per responder, being 60
seconds the minimum acceptable value.
Is important to note that setting "responder_idle_timeout = 0" disables
the responder timeout, which makes sense for the responders that always
will be running.
The shutdown timeout is activated per responder in case the responder
has been {dbus,socket}-activated. In case of any commnunication with the
responder the timeout is reset thereby ensuring we won't shutdown a
responder that is not idle.
Setting the responder's last request time is done slightly differently
for socket-activated and dbus-activated responders. In both cases it's
updated in any internal communication in sbus_message_handler(), but
for the socket-activated responders it's also updated when the
responder's socket is used.
Currently it works properly with all responders but the secrets one,
which has a different logic and must be treated separately in case some
change is required there.
Is worth to mention that this commit does not affect the responders
explicitly configured in the "services" line of sssd.conf.
Related:
https://fedorahosted.org/sssd/ticket/3245
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/3207
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
dict.keys() returns iterator in python3 and not list
Chaging data in dictionary while using iterator
fails with "RuntimeError: dictionary changed size during iteration"
https://fedorahosted.org/sssd/ticket/3107
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.
Resolves:
https://fedorahosted.org/sssd/ticket/3142
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Seems that wen I sent the v2 of ac35fe74 I attached the wrong pacth that
ended up being pushed.
The patch was incomplete as there are still some leftovers.
The .po and sssd-docs.pot were not touched as I do believe they are
autogenerated from Zanata.
Related:
https://fedorahosted.org/sssd/ticket/3052
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Seems that when I sent the v2 of 7579cf99 I attached the wrong patch
that ended up being pushed.
That patch was incomplete as there are still some leftovers.
Related:
https://fedorahosted.org/sssd/ticket/3051
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The session_provider used to exist a long time ago when we used to set
the SELinux context from it, but the provider had been removed for a
long time. We just forgot to remove the value from the config API and
the validator.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
We should not warn about it in the validator and should allow
selinux_provider from the config API.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
We read override_space from [sssd] not
[nss] section.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Our users constantly make the mistake of typing `debug = 9` in the
sssd.conf instead of `debug_level = 9` as would be correct. This
happens frequently-enough that we should just alias it rather than
continue to have people make mistakes.
Resolves:
https://fedorahosted.org/sssd/ticket/2999
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This option is an optional one that is run when a sbus ping times out
and before a SIGKILL signal is sent.
It is undocumented by default.
diag_cmd (string):
A command that should be run for diagnostic purpose when an sbus timeout
fails. The option value may contain %p which would be expanded for the
process ID of the process that timed out
Example:
pstack %p
This setting would print the stackstrace of the service whose ping timed out.
Default: not set.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
src/config/testconfigs/sssd-valid.conf explicitly contains
config_file_version. Recently we changed the default value to 2
and therefore it needn't be listed in configuration file.
This patch test real sssd.conf without config_file_version.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Python module SSSDConfig should be able to save configuration file
and later load the same configuration file without problem.
Unit test for:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Default to config file version 2 if the version
is not specified explicitly.
Ticket:
https://fedorahosted.org/sssd/ticket/2688
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.
This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
In Python 3, dict.keys() returns a view rather than a list. Since dict keys
aren't in any particular order, indexing them doesn't make sense.
Resolves:
https://fedorahosted.org/sssd/ticket/2699
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test SSSDConfigTest is executed twice with make check
if python2 and python3 are available.
Tests are executed in parallel with new automake
and therefore it caused sometimes failures e.g.
ERROR: testModifyExistingConfig (__main__.SSSDConfigTestValid)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/sssd/src/config/SSSDConfigTest.py", line 215, in testModifyExistingConfig
mode = os.stat(of)[ST_MODE]
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/testModifyExistingConfig.conf'
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
* fix hashbangs
* remove strict requirements of python2 in build system
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* fix incompatible imports
* fix translation.[u]?gettext
* fix dict method has_key
* fix octal literals PEP 3127
* long is not defined in python3
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com>
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/2017
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds a option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2358
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2356
The python scripts are not tested with python3 and /usr/bin/python can be
symbolic link to python3 on some distributions.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853
|
| |
|
|
|
|
|
|
| |
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are
allowed to communicate with the IFP responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of appending the search patch in the source directory should be
prepended. Otherwise the test might find files installed in the default
paths of the system first.
As a result the compiled python files in the build directory must be
remove in the clean target to make 'make distcheck' pass.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different setting.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Added and documented option offline_timeout.
Resolves:
https://fedorahosted.org/sssd/ticket/1718
|
| |
|
|
|
|
|
|
|
|
| |
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval.
|
| |
|
|
|
| |
realmd needs to be able to tag various domains with basic info
when it configures a domain.
|
| |
|
|
| |
It was mentioned in the manpages, but not accepted by the API
|
| |
|
|
|
|
| |
This options is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none.
|
