| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this library it would be possible to map certificates and users not
only by adding the full certificate to the user's LDAP object but by
adding e.g. only parts like the issuer and subject name. Additionally
the library is also able to flexible select/match certificates based on
values in the certificate.
Details about mapping and matching rules can be found in the included
man page.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dbus-1.11.8 added attributes for format string check to
few functions in public header files. And therefore there is a warning.
src/lib/sifp/sss_sifp_utils.c: In function ‘sss_sifp_set_io_error’:
src/lib/sifp/sss_sifp_utils.c:44:5: error: format not a string literal
and no format arguments [-Werror=format-security]
dbus_set_error(ctx->io_error, error->name, error->message);
^~~~~~~~~~~~~~
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
sssd-1.14.1/src/lib/sifp/sss_sifp_dbus.c:51: check_return:
Calling "dbus_message_append_args_valist" without checking return value
(as is done elsewhere 4 out of 5 times).
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
src/lib/ipa_hbac/ipa_hbac.h:68: warning: expected whitespace after [ command
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Warning: tag INPUT: input source `src/providers/ipa/ipa_hbac.h' does not exist
warning: source src/providers/ipa/ipa_hbac.h is not
a readable file or directory... skipping.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
src/confdb/confdb.h:572: warning: argument 'memctx' of command @param
is not found in the argument list of
confdb_get_sub_sections(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
const char *section, char ***sections, int *num_sections)
src/confdb/confdb.h:592: warning: The following parameters of
confdb_get_sub_sections(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
const char *section, char ***sections, int *num_sections)
are not documented:
src/lib/idmap/sss_idmap.h:315: warning: argument 's_cv' of command @param
is not found in the argument list of
sss_idmap_add_auto_domain_ex(struct sss_idmap_ctx *ctx,
const char *domain_name, const char *domain_sid,
struct sss_idmap_range *range, const char *range_id, uint32_t rid,
bool external_mapping, idmap_store_cb cb, void *pvt)
src/lib/idmap/sss_idmap.h:94: warning: The following parameters of
sss_idmap_add_auto_domain_ex(struct sss_idmap_ctx *ctx,
const char *domain_name, const char *domain_sid,
struct sss_idmap_range *range, const char *range_id, uint32_t rid,
bool external_mapping, idmap_store_cb cb, void *pvt)
are not documented:
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
So the caller is able to get error description.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Current version of infopipe leverage different interfaces and
object paths which were not accessible through the simple ifp
library. This patch changes the API, which is ok since it was
never declared as a public library and beside deprecated
openlmi there are no known users. We will use this in sssctl tool.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
With this plugin winbind can use the same id-mapping as SSSD which makes
it possible to run both together in a consistent way.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Moving the library to the lib directory will force maintainers to think
twice about changes, because it would be obvious this is a library.
Also don't use includes from sssd source tree paths, but add the util
path to Makefile's CFLAGS so that other projects can copy the
hbac_evaluator.c file verbatim.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Domain SID (not name) is part of identification string for helper range
in generate_sec_slice_name().
Use more generic name for range identifier when calculating range for
new slice in sss_idmap_calculate_range().
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
Some ID ranges are precalculated when ID mapping is being initialized.
This patch utilizes these (helper) ranges when new domains are generated
if appropriate.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Create new internal structure idmap_range_params by merging ID mapping
range relevant fields from idmap_domain_info and remove corrsponding
fields.
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Max value of id mapping range was 1 unit too high.
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two cases that may happen when a user calls Get or GetAll:
1) the attribute is missing
2) the attribute is empty
sss_sifp has two error code to distinguish between those two cases:
1) SSS_SIFP_ATTR_MISSING
2) SSS_SIFP_ATTR_NULL
Usually the caller is not interested on situations when the attribute
is empty and it can be considered as error. Having it as a separate
error code instead of setting the output value to NULL is necesarry
since attribute does not have to be a pointer.
This patch however sets pointer type attributes to NULL since it may
simplify the code path when the caller is actually interested in
this information (e. g. empty server list on domain objects).
It is not possible to send a NULL string over a D-Bus nor it is
possible to have hash table NULL with current code so these two
scenarios are not tested. However, it is handled in sss_sifp_attr
code for completeness.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Version symbol files will help package systems to catch backward compatible
changes (newly added functions) into library.
The difference between libraries libsss_nss_idmap_test.so and
libsss_nss_idmap.so is that the 1st library will not be installed and has more
exported functions, which are necessary for mocking with cmocka for test
sss_nss_idmap-test.
Resolves:
https://fedorahosted.org/sssd/ticket/2194
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2254
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2254
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2254
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2254
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2254
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If POSIX IDs are managed externally e.g. by AD it might be possible that
the IDs are centrally manages for the whole forest. Hence there might
not be a single ID range for each member domain in the forest but only a
single ID range for the whole forest. This means that we have to allow
collisions if ID ranges in this case.
Unit tests are added to make sure that the collisions are only allowed
for external mappings.
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1534
|
| |
|
|
|
|
|
|
| |
Some platform have header file endian.h and anothers have sys/endian.h.
We nedd to use conditional build to handle it correctly, therefore new header
file sss_endian.h was created.
|
|
|
|
|
|
|
|
|
|
| |
With this call it can be checked if for a given domain algorithmic
mapping is available or if the ID must be read from an external source.
The default if an error occurs or no matching range was found is false,
i.e external mapping, to meet the requirements for simple LDAP based
domains where only external mapping is available.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
|
|
|
|
|
| |
When ID are mapped externally it must be checked if the extern ID falls
into the right configured range to avoid ID conflicts.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
|
|
|
|
|
|
|
|
| |
Since it is planned that the LDAP based ID providers (LDAP, AD, IPA)
will always use libsss_idmap to map ID or get information about how to
map it, it must be possible to add domains to libsss_idmap which do not
have a SID or where is SID is not known when external mapping is used.
Algorithmic mapping always requires a domain SID.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
|
|
|
|
|
|
|
|
| |
The idea is that ranges for IDs from AD can be used in libsss_idmap as
well, but whenever a mapping is requested for this range a specific
error code IDMAP_EXTERNAL is returned to tell SSSD to do
an AD lookup. This way SSSD does not need to inspect the ranges itself
but all is done inside if libsss_idmap.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
|
|
|
|
|
|
| |
To be able to detect configuration changes in idranges managed by
FreeIPA an identifier should be stored on the client together with the
other idrange related data.
Fixes https://fedorahosted.org/sssd/ticket/1979
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently libss_idmap implicitly assumes that the RID 0 is always mapped
to the first ID of the given range. This is not the case anymore when
multiple ranges are used e.g. for trusted domains in FreeIPA.
A new call sss_idmap_add_domain_ex() was added which can take the first
RID as an argument. This new call will get more options with other
patches hence I didn't change the library version with this patch.
Fixes https://fedorahosted.org/sssd/ticket/1938
|
| |
|
|
|
|
|
| |
Before the recent changes, the variable was set to 0 too because it used
to be part of a structure allocated with talloc_zero.
|
|
|
|
|
|
|
|
| |
Calculation of range for domains is moved from
sdap_idmap code to sss_idmap code. Some refactoring
have been done to allow this move.
https://fedorahosted.org/sssd/ticket/1844
|