| Commit message (Collapse) | Author | Age | Files | Lines |
|
It is read only from "[sssd]" section.
Resolves:
https://pagure.io/SSSD/sssd/issue/3511
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 895584001760e8188db486bc39f9938624822d35)
(cherry picked from commit 69e61a52493a8c143f83763c2dd783cabea5c9f4)
|
SSSDConfig internally handles debug_level as an integer.
But in case of bitmask version of debug_level (>=16)
it stored value as a decimal which is confusing
e.g.
debug_level = 8176
vs.
debug_level = 0x1ff0
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit fca26b76f23ee4457d6796b19892ed97362b6c8d)
(cherry picked from commit 712f1cc9acb8b71e6906d7a168a045920d491d96)
|
debug_level is usually defined as decimal value <= 10
or as a hexadecimal value which is used as a bitmask
Parsing of hexadecimal value was partially fixed by commit
7fac271ccebb84743c39f553eb5ec013cf1d10aa but only for
sssd domains. It was not fixed for sssd services.
File "/usr/share/authconfig/authinfo.py", line 3142, in writeSSSDPAM
pam = self.sssdConfig.get_service('pam')
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 1620, in get_service
service.set_option(opt['name'], opt['value'])
File "/usr/lib/python3.6/site-packages/SSSDConfig/__init__.py", line 932, in set_option
(option_schema[0], optionname, type(value)))
TypeError: Expected <class 'int'> for debug_level, received <class 'str'>
Resolves:
https://pagure.io/SSSD/sssd/issue/3410
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 6df5b36008fef9c1f6dcf8f31af033a467e744c7)
(cherry picked from commit facc24ec969087bd20e58636d263553ccc97ab4e)
|
Option subdomain_homedir was missing from Python config API and
cfg_rules leading to config file validation failures. Add this option
into the necessary locations similar to other provider-generic domain
options.
Resolves:
https://pagure.io/SSSD/sssd/issue/3389
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit beab60d88fc07d463f6fb3756c8f3d29bdd78827)
|
The session_provider used to exist a long time ago when we used to set
the SELinux context from it, but the provider had been removed for a
long time. We just forgot to remove the value from the config API and
the validator.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit d940593e647731c0caec1fd04cf16a1b23578f32)
|
We should not warn about it in the validator and should allow
selinux_provider from the config API.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit dec00197181ee8f7efbfbdadd73629f66f80f1ff)
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6d19051c50c10fc4de056ebb385c63ec0ed221cb)
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit cc4d1af16820b15595b60c3df15220fb852eb897)
|
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit aeab20358006d728a284f969f92f3890498cd651)
|
Allow option "timeout" for all services.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1b9b5477027d86a2afb2e72981253d108c5398da)
|
Fixes:
https://fedorahosted.org/sssd/ticket/3068
Option user_attributes is also available in
NSS responder, but not in PAC responder.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 0a172552ec16f3b84d127399551cad786da8fd9d)
|
We read override_space from [sssd] not
[nss] section.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit fc04d11c2fdde0bfe280c6030df2b1d6bf15ce63)
|
https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 00172861b6908a72c41046e1b2b48d2b009127dd)
(cherry picked from commit 80e4d575c297358b40e2c8416bd6f22f5044a239)
|
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit d6342c92c226becbdd254f90a0005b8c00c300dc)
|
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment variable for services like 'sudo-i'.
Resolves https://fedorahosted.org/sssd/ticket/2296
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
dict.keys() returns iterator in python3 and not list
Changing data in dictionary while using iterator
fails with "RuntimeError: dictionary changed size during iteration"
https://fedorahosted.org/sssd/ticket/3107
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1773fdad2730f3f910782781fa286f402ce36cca)
|
The pam_cert_auth and pam_cert_db_path options were missing in the
config API and had no man page entries.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 875c90d531e6869a92da4b515db729ffce7c4244)
|
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.
Resolves:
https://fedorahosted.org/sssd/ticket/3153
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit aef0171e0bdc9a683958d69c7ee984fb10cd5de7)
|
This allows configuration with id_provider = proxy
and sudo_provider = ipa when someone needs to fetch
rules for local users.
https://fedorahosted.org/sssd/ticket/2972
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 991c9f47fcb24704b880f60ab8ee77cfda056e2c)
|
Required for:
https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 3cf7fdfcaedb986f42a6640e26aa057007b64045)
|
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4180d485829969d4626cc7d49d2b5f7146512f21)
|
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 8babbeee01e67893af4828ddfc922ecac0be4197)
|
AD expects its clients to renew the machine account password on a
regular basis, by default every 30 days. Even if a client does not renew
the password it might not cause issues because AD does not enforce the
renewal. But the password age might be used to identify unused machine
accounts in large environments which might get disabled or deleted
automatically.
With this patch SSSD calls an external program to check the age of the
machine account password and renew it if needed. Currently 'adcli' is
used as external program which is able to renew the password since
version 0.8.0.
Resolves https://fedorahosted.org/sssd/ticket/1041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5f7cd30c865046a7ea69944f7e07c85b4c43465a)
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit a7d2b4f157194c14bc4a40c74f6416b82befa460)
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cc7766c8456653ab5d7dedbf432cb1711a905804)
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ed8650be18af26b7bf389e1246f7e8cdb363f829)
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit a2057618f30a3c64bdffb35a2ef3c2ba148c8a03)
|
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 03b859510dc13a13a456ca4aa94c0561a0e9684c)
|
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 544a20de7667f05c1a406c4dea0706b0ab507430)
|
src/config/testconfigs/sssd-valid.conf explicitly contains
config_file_version. Recently we changed the default value to 2
and therefore it needn't be listed in configuration file.
This patch tests real sssd.conf without config_file_version.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 7388fc91bd6c22705e60632346ec815f4a4963f1)
|
Python module SSSDConfig should be able to save configuration file
and later load the same configuration file without problem.
Unit test for:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 87ef67286b64af98d32a3a5abcd28a9c2886f751)
|
Ticket:
https://fedorahosted.org/sssd/ticket/2837
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6a044fa43d53638c1d0b874d43f58c0428820362)
|
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
Default to config file version 2 if the version
is not specified explicitly.
Ticket:
https://fedorahosted.org/sssd/ticket/2688
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.
This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
This commit changes the default ordering logic (lower value wins) to
a correct one that is used by native ldap support. It also adds a new
option sudo_inverse_order to switch to the original SSSD (incorrect)
behaviour if needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2682
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
In Python 3, dict.keys() returns a view rather than a list. Since dict keys
aren't in any particular order, indexing them doesn't make sense.
Resolves:
https://fedorahosted.org/sssd/ticket/2699
Reviewed-by: Christian Heimes <cheimes@redhat.com>
|
Resolves: https://fedorahosted.org/sssd/ticket/2711
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
Test SSSDConfigTest is executed twice with make check
if python2 and python3 are available.
Tests are executed in parallel with new automake
and therefore it sometimes caused failures, e.g.
ERROR: testModifyExistingConfig (__main__.SSSDConfigTestValid)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/sssd/src/config/SSSDConfigTest.py", line 215, in testModifyExistingConfig
mode = os.stat(of)[ST_MODE]
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/testModifyExistingConfig.conf'
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
This patch adds simple bash wrappers for python tests.
They are executed either with python2 or python3.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
* fix hashbangs
* remove strict requirements of python2 in build system
Resolves:
https://fedorahosted.org/sssd/ticket/2017
Reviewed-by: Petr Viktorin <pviktori@redhat.com>
|