| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
To avoid issues where a user with no UID but without the posix=false
flag was passed to sysdb, we only allow generating the new ID in the
local domain. This might prevent bugs where non-POSIX users would get a
UID created by sysdb which might allow accessing resources owned by that
UID.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://pagure.io/SSSD/sssd/issue/3310
We already do the same for groups. If the user does not have UID number
set but does have the POSIX: false attribute set, then we save the user
with zero UID and the non-POSIX flag.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipaDomainsResolutionOrder provides a list of domains that have to be
looked up firstly during cache_req searches.
This commit only fetches this list from the server and stores its value
at sysdb so we can make use of it later on this patch series.
There are no tests for newly introduced sysdb methods are those are
basically only calling sysdb_update_domain_resolution_order(),
sysdb_get_domain_resolution_order() and
sysdb_get_use_domain_resolution_order() which are have tests written
for.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipaDomainsResolutionOrder provides a list of domains that have to be
looked up firstly during cache_req searches.
This commit only fetches this list from the server and stores its value
at sysdb so we can make use of it later on this patch series.
There are no tests for newly introduced sysdb methods are those are
basically only calling sysdb_update_domain_resolution_order(),
sysdb_get_domain_resolution_order() and
sysdb_get_use_domain_resolution_order() which are have tests written
for.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the following-up patches those newly introduced methods will be used
to deal with the domainResolutionOrder attribute.
The sysdb_update_domain_resolution_order() method is purposely not
checking whether a value has changed or not before writing to sysdb and
while may not be optimal, the readability of the code has increased a
lot by keeping it as simple as possible.
Tests for these new methods are part of the next commit.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3337
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add sysdb calls to write and read data for the certificate mapping
library to the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Use certificate mapping library if available to lookup a user by
certificate in LDAP.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Store the certificate used to lookup a user as mapped attribute in the
cached user object.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mapped_attrs can be a list of sysdb_attrs which are not available on
the server side but should be store with the cached user entry. This is
needed e.g. when the input to look up the user in LDAP is not an
attribute which is stored in LDAP but some data where LDAP attributes
are extracted from. The current use case is the certificate mapping
library which can create LDAP search filters based on content of the
certificate. To allow upcoming cache lookup to use the input directly it
is stored in the user object in the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a group/users are invalidated from sss_cache, the group/user
information in domain and timestamps cache are inconsistent with
regard to dataExpireTimestamp attribute.
This patch fixes the problem by explicitly invalidating the domain
cache's entry when the timestamp cache entry is invalidated
by sss_cache call. There is one new function:
* sysdb_invalidate_cache_entry()
provided for this purpose and used only in sss_cache utility.
Resolves:
https://fedorahosted.org/sssd/ticket/3164
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We used to store UPN suffixes pointer into the domain structure only if
the domain changed, not when a new domain was created. As an effect, the
enterprise principals flag was not enabled unless a domain changed,
preventing logins with enterprise principals.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current code doesn't handle the situation where lowercasing the
sudoUser attribute would yield the same value again.
For example:
sudoUser: TUSER
sudoUser tuser
would break.
This patch switches to using the utility function
sysdb_attrs_add_lower_case_string() which already checks for duplicates.
Resolves:
https://fedorahosted.org/sssd/ticket/3301
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently in order to match multiple LDAP search results we
use two different functions - we have sysdb_try_to_find_expected_dn()
but also sdap_object_in_domain().
This patch removes sysdb_try_to_find_expected_dn() and add new
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
This function covers necessary logic.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Some kind of comments are recognized by gcc7 but they are ignored with
-Wimplicit-fallthrough=5 and only attributes disable the warning.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
| |
sysdb_search_object_by_name did not work well case insensitive domain.
Resolves:
https://fedorahosted.org/sssd/ticket/3284
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3283
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This request returns either user or group object.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This request returns either user or group object.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
The function sysdb_get_sudo_filter was removed as part of
ticket #2919
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch solved a regression caused by the recent patches
to lowercase sudoUser -- in case sudoUser is missing completely,
we abort the processing of this rule and all others.
With this patch, we return ERR_MALFORMED_ENTRY and gracefully
skip the malformed rule instead.
Resolves:
https://fedorahosted.org/sssd/ticket/3241
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3060
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3060
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If domain is not case sensitive we add lowercase form of usernames
to sudoUser attributes. So we actually able to apply sudoRule on
user Administrator@... with login admnistrator@...
Resolves:
https://fedorahosted.org/sssd/ticket/3203
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In cases where the domain name in sssd.conf does not match the AD
domain, our previous matching process wouldn't match. This patch
augments the matching as follows:
- the search base is known to sysdb_try_to_find_expected_dn and is
expected to be non-NULL
- the existing matching is ran first
- during the search base, matching, all the non-DC components are
stripped from the search base to 'canonicalize' the search base
- if only a single entry that matches with a non-DC DN component
(matching with a DC component would mean the DN comes from a
different domain) then this entry is a match and is returned
Resolves:
https://fedorahosted.org/sssd/ticket/3199
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The function sysdb_try_to_find_expected_dn was performing several matching
algorithms and thus it was getting big and hard to extend. This patch
doesn't contain any functional changes, only shuffles the code around
and splits the monolithic sysdb_try_to_find_expected_dn function into
smaller blocks.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a user from a trusted domain in the same forest is a direct or
indirect member of domain local groups from the local domain those
memberships must be resolved as well. Since those domain local groups
are not valid in the trusted domain a DC from the trusted domain which
is used to lookup the user data is not aware of them. As a consequence
those memberships must be resolved against a local DC in a second step.
Resolves https://fedorahosted.org/sssd/ticket/3206
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Currently sysdb_get_direct_parents() only return direct parents from the
same domain as the child object. In setups with sub-domains this might
not be sufficient. A new option parent_dom is added which allows to
specify a domain the direct parents should be lookup up in. If it is
NULL the whole cache is searched.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
This adds a uniqueID property on User and Group InfoPipe objects. It has a
useful value on AD- and IPA-backed domains. For Active Directory, this is the
GUID.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
scan-build wrongly assumes that output variable
"version" is not initialized if function sysdb_cache_connect
returns ERR_SYSDB_VERSION_TOO_OLD or ERR_SYSDB_VERSION_TOO_NEW
The reality is that output variable "version" is initialized
especially for these two case. Initialisation to NULL suppresses
these false positive reports.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
There were unused parameter struct ldb_message *cached_group
in sysdb_store_group_attrs().
This parameter was introduced by
40de79d69860ec7f04bf7795bd88b641ec42fd23
SYSDB: Check if group attributes differ before saving a group
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
We ignored failures from sysdb_search_entry
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The boolean variable newly_created could be used uninitialized
in done section in case of failure. The variable was firstly initialized
to true after succesfull execution of function sysdb_cache_create_empty.
Uninitialized variable usually means true for boolean variable.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
As many users are used to remove the persistent cache without removing
the timestamp cache, let's throw away the timestamp cache in this case.
Resolves:
https://fedorahosted.org/sssd/ticket/3128
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As sysdb_cache_connect() has two very specific use cases (connect to the
cache and connect to the timestamp cache) and each of those calls have a
predetermined/fixed sets of values for a few parameters, let's try to
make the code a bit simpler to follow by having explicit functions for
connecting to the cache and connecting to the timestamp cache.
Macros could be used as well, but I have a slightly preference for
having two new functions instead of macros accessing internal parameters
of the macro's parameter.
Related:
https://fedorahosted.org/sssd/ticket/3128
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The usage of modifyTimestamp needn't be a reliable way
for detecting of changes in user entry in LDAP.
The authorisation need to rely current data from LDAP
and therefore we will temporary disable optimisation with
modifyTimestamp and we will rather rely on deep comparison
of attributes. In he future, it might be changed and
responders might control the optimization level.
Resolves:
https://fedorahosted.org/sssd/ticket/3110
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
current time
sysdb is already able to retrieve the current timestamp if the caller
doesn't specify it. However, for the timestamp cache this came too late
and the timestamp cache used zero as the 'now' time.
Resolves:
https://fedorahosted.org/sssd/ticket/3064
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was a crash in nss responder when a group contained
a user with special charactes which shoudl be sanitized before
using in filter.
==31651== Conditional jump or move depends on uninitialised value(s)
==31651== at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215)
==31651== by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759)
==31651== by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375)
==31651== by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799)
==31651== by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168)
==31651== by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382)
==31651== by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916)
==31651== by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791)
==31651== by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314)
==31651== by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580)
==31651== by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96)
==31651== by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
Resolves:
https://fedorahosted.org/sssd/ticket/3121
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
The IPA server must send the email address of a user to the clients to
allow login by email.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Email addresses and Kerberos user principals names (UPNs) do not only
look similar they also can be used to identify a user uniquely.
In future this approach should be replace by a more generic one where
the attributes which can uniquely identifies a user can be configured to
support even a wider range of login names.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2948
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
|
|
|
|
|
|
|
| |
do_update should be only set if there is a change, i.e if something was
added to the ldb_message.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|