| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
| |
Merges: https://pagure.io/SSSD/sssd/pull-request/3456
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
Merges: https://pagure.io/SSSD/sssd/pull-request/3374
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
ldap_user_name and ldap_group_name have
different defalts then what the man page
states.
Resolves:
https://fedorahosted.org/sssd/ticket/3022
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2858
The default attribute mappings we used to have:
ldap_autofs_map_object_class automountMap
ldap_autofs_map_name ou
ldap_autofs_entry_object_class automount
ldap_autofs_entry_key cn
ldap_autofs_entry_value automountInformation
Was wrong. Instead, this patch switches to:
ldap_autofs_map_object_class nisMap
ldap_autofs_map_name nisMapName
ldap_autofs_entry_object_class nisObject
ldap_autofs_entry_key cn
ldap_autofs_entry_value nisMapEntry
Which are attributes that are available with servers running the default
rfc2307 schema. In addition, this patch adds a syslog and DEBUG message
that warns administrators to double-check their configuration.
We don't warn when the autofs provider is set to AD, because that one
is already correct.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2796
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Striker Leggette <striker@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This is safe from ldb point of view, because ldb gurantees the data is
NULL-terminated. We must be careful before we save the data, though.
Resolves:
https://fedorahosted.org/sssd/ticket/2742
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ldap_autofs_map_name and ldap_autofs_entry_key have their rfc2307bis defaults
listed alongside the rfc2307 defaults.
ldap_autofs_entry_object_class has a fixed description and default
This patch replaces the other one I posted, implementing the alternative schema
defaults Jakub suggested.
Regards,
Robin McCorkell
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2627
The cleanup task was designed to keep the cache size within certain
limits. This is how it roughly works now:
- find users who have never logged in by default. If
account_cache_expiration is set, find users who loggged in later
than account_cache_expiration
- delete the matching set of users
- find groups that have no members
- delete the matching set of groups
So unless account_cache_expiration is set to something sensible, only empty
groups and expired users who never logged in are removed and that's quite
a corner case. The above effectivelly walks the whole database, especially
the groups step is quite slow with a huge database. The whole cleanup task
also runs in a single sysdb transaction, which means all other transactions
are blocked while the cleanup task crunches the database.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2612
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/1501
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/1501
Reuse the value of sdap_opt_timeout to set a longer bind timeout for
user authentication, ID connection authentication and authentication
during IPA migration mode.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2534
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement new option which does checking password expiration policy
in accounting phase.
This allows SSSD to issue shadow expiration warning even if alternate
authentication method is used.
Resolves:
https://fedorahosted.org/sssd/ticket/2167
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
The indentation is automatically in resulting man page. It isn't necessary to
add spaces and moreover it can cause unreadable page asi in case of ad_gpo_map
examples.
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
|
|
|
| |
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2448
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
isn't in any standard objectclass on OpenLDAP server. This is a reason why
objectSID cannot be set by default in rfc2307 map and rfc2307bis map.
It is the same problem as using non standard attribute "nsUniqueId"
in ticket https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recently the uuid attributes for user and groups were removed because
it was found that there are not used at all and that some of them where
causing issues (https://fedorahosted.org/sssd/ticket/2383).
The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
to relate overrides with the original IPA objects. The previous two
patches revert the removal of the uuid attributes from users and groups
with this patch set the default value of these attributes to
ipaUniqueID from the IPA provider, to objectGUID for the AD provider and
leaves them unset for the general LDAP case to avoid issues like the one
from ticket #2383.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2451
Added a configuration example at the bottom for
'ldap_access_order = lockout'. Also added a line
to note that 'ldap_access_provider = ldap' must
be specified for this feature to work.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2361
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2423
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1560
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2364
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is problem with OpenLDAP server and dereferencing of attributes
that is not in the schema of the server?
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was a default value of option ldap_user_uuid,
but it was not use anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
sssd-ldap hints to use the simple access provider if a nested group membership
is needed. Add explicit notice in sssd-simple about support of nested group
membership.
Resolves:
https://fedorahosted.org/sssd/ticket/2308
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2073
This commit adds a new option ldap_user_extra_attrs that is unset by
default. When set, the option contains a list of LDAP attributes the LDAP
provider would download and store in addition to the usual set.
The list can either contain LDAP attribute names only, or colon-separated
tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP
attribute name is specified, the attribute is saved to the cache verbatim.
Using a custom SSSD attribute name might be required by environments that
configure several SSSD domains with different LDAP schemas.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2235
The memberof example was misleading and was making aministrators think
that the ldap_access_filter can resolve nested group memberships.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
| |
|
|
|
|
|
|
| |
The refsect id was copied from sssd.conf(5) and was wrong. Fixing the
refsect might help us if we ever generate other formats from XML and
certainly wouldn't hurt.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2091
|
| |
|
| |
|
|
|
|
|
|
|
| |
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
|