summaryrefslogtreecommitdiffstats
path: root/src/providers/ad/ad_common.h
Commit message (Collapse)AuthorAgeFilesLines
* UTIL: Introduce subdomain_create_conf_path()Michal Židek2017-03-291-4/+0
| | | | | | | | | | This is a utility function that replaces the create_subdom_conf_path(). Differently than the latter, it only takes one parameter and is going to be used in a few different places (thus adding it to util.h). Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com>
* SUBDOMAINS: Configurable search basesMichal Židek2017-03-151-3/+19
| | | | | | | | | | | Added new trusted domain section in the sssd.conf were the search bases for the trusted domain can be specified. Resolves: https://pagure.io/SSSD/sssd/issue/2599 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD_PROVIDER: Add ad_enabled_domains optionPetr Cech2016-08-171-0/+1
| | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD: netlogon_get_domain_info() allow missing arguments and empty resultsSumit Bose2016-07-251-0/+1
| | | | | | | | | | | netlogon_get_domain_info() should not fail if not all parameters can be retrieved. It should be the responsibility of the caller to see if the needed data is available and act accordingly. Resolves: https://fedorahosted.org/sssd/ticket/3104 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: avoid memory leak in netlogon_get_domain_info() and make it publicSumit Bose2016-07-251-0/+6
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DP: Switch to new interfacePavel Březina2016-06-201-9/+9
| | | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD: use krb5_keytab for subdomain initializationSumit Bose2016-06-091-1/+2
| | | | | | | | | | During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: add task to renew the machine account password if neededSumit Bose2016-01-191-0/+5
| | | | | | | | | | | | | | | | | | AD expects its clients to renew the machine account password on a regular basis, be default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0. Resolves https://fedorahosted.org/sssd/ticket/1041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Add autofs providerJakub Hrozek2015-11-261-0/+9
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1632 Adds the possibility to configure: autofs_provider = ad The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is different (at the moment) from using autofs_provider=ldap with ldap_schema=ad. Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: Remove unused memory context from ad_user_conn_listLukas Slebodnik2015-11-111-2/+1
| | | | Reviewed-by: Petr Cech <pcech@redhat.com>
* AD: Consolidate connection list construction on ad_common.cJakub Hrozek2015-10-071-0/+5
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Provide common connection list construction functionsJakub Hrozek2015-10-071-0/+5
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2810 Provides a new AD common function ad_ldap_conn_list() that creates a list of AD connection to use along with properties to avoid mistakes when manually constructing these lists. Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Add ad_create_1way_trust_optionsJakub Hrozek2015-06-141-0/+6
| | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2638 For one-way trusts we can assume that AD domain is the same as the Kerberis realm. On the other hand, SASL realm and keytab path are specified, unlike two-way trusts that use the system keytab. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA/AD: Set up AD domain in ad_create_2way_trust_optionsJakub Hrozek2015-06-141-0/+1
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2638 Removed code duplication. Amends unit test to make sure we don't regress. Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Split off ad_create_default_optionsJakub Hrozek2015-06-141-0/+2
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2638 Make the function reusable and add a simple unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Rename ad_create_default_options to ad_create_2way_trust_optionsJakub Hrozek2015-06-141-3/+3
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2638 Better reflects what's going on in the function. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: add new option ad_sitePavel Reichl2015-01-261-0/+1
| | | | | | | | | This option overrides a result of the automatic site discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD/IPA: add krb5_confd_path configuration optionSumit Bose2014-11-251-0/+1
| | | | | | | | | With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD-GPO: config changes for gpo_map_* optionsYassir Elley2014-09-081-0/+9
| | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD-GPO: add ad_gpo_cache_timeout optionYassir Elley2014-07-311-0/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: cleanup redundant #define statementsPavel Reichl2014-06-181-0/+7
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2185 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Implemented LDAP component of GPO-based access controlYassir Elley2014-05-131-0/+1
| | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SUDO: AD providerSumit Bose2014-03-021-0/+4
| | | | | | | | | | | | | | This patch adds the sudo target to the AD provider. The main reason is to cover different default settings in the LDAP and AD provider. E.g. the default for ldap_id_mapping is True in the AD provider and False in the LDAP provider. If ldap_id_mapping was not set explicitly in the config file both components worked with different setting. Fixes https://fedorahosted.org/sssd/ticket/2256 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: Add a new option to turn off GC lookupsJakub Hrozek2013-12-191-0/+1
| | | | | | | | | | SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.
* AD: Add a utility function to create list of connectionsJakub Hrozek2013-12-191-0/+7
| | | | | | | | | | ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.
* AD: Add a new option ad_access_filterJakub Hrozek2013-10-251-0/+1
| | | | | | | This patch just adds the option, it doesn't do anything useful yet. Related: https://fedorahosted.org/sssd/ticket/2082
* AD: initialize failover with custom realm, domain and failover serviceJakub Hrozek2013-06-281-1/+4
| | | | | | | | | | This is needed so we can initialize failover using IPA realm and on-the-fly discovered DNS domain. The subdomains discovered on-thefly will use the subdomain name for realm, domain and failover service to avoid conflicts. Subtaks of: https://fedorahosted.org/sssd/ticket/1962
* AD: decouple ad_id_ctx initializationJakub Hrozek2013-06-281-0/+7
| | | | | | | | | The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers. Subtask of: https://fedorahosted.org/sssd/ticket/1962
* AD: kinit with the local DC even when talking to a GCJakub Hrozek2013-06-261-1/+2
| | | | | | | | We tried to use the GC address even for kinit which gave us errors like: "Realm not local to KDC while getting initial credentials". This patch adds a new AD_GC service that is only used for ID lookups, any sort of Kerberos operations are done against the local servers.
* AD: Remove ad_options->auth options referenceJakub Hrozek2013-06-141-1/+0
| | | | | The options are stored in ad_options->auth_ctx->opts, this member was completely unused and confusing.
* AD: Add additional service to support Global Catalog lookupsJakub Hrozek2013-06-071-0/+5
| | | | | | | | | | | | When fixed host names of AD servers are configured in the config file, we can't know (unlike when service discovery is at play) if the servers are Global Catalogs or not. This patch adds a private data to servers read from the config file that denote whether the server can be tried for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs are generated based on contents of this private data structure. Because SSSD sticks to a working server, we don't have to disable or remove the faulty GC servers from the list.
* Active Directory dynamic DNS updatesJakub Hrozek2013-05-031-0/+13
| | | | | | | | https://fedorahosted.org/sssd/ticket/1504 Implements dynamic DNS updates for the AD provider. By default, the updates also update the reverse zone and run periodically every 24 hours.
* DNS sites support - add AD SRV pluginPavel Březina2013-05-021-0/+1
| | | | https://fedorahosted.org/sssd/ticket/1032
* Primary server support: new option in AD providerJan Zeleny2012-08-011-0/+1
| | | | | | This patch adds support for new config option ad_backup_server. The description of this option's functionality is included in man page in one of previous patches.
* Primary server support: AD adaptationJan Zeleny2012-08-011-1/+2
| | | | | | This patch adds support for the primary server functionality into AD provider. No backup servers are added at the moment, just the basic support is in place.
* AD: use krb5_keytab for validation and GSSAPIStephen Gallagher2012-07-061-0/+1
| | | | | | This simplifies configuration by eliminating the need to specifiy both krb5_keytab and ldap_krb5_keytab if the keytab is not located at /etc/krb5.keytab
* AD: Add AD auth and chpass providersStephen Gallagher2012-07-061-1/+6
| | | | | | These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
* AD: Add AD identity providerStephen Gallagher2012-07-061-0/+85
This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.
generated by cgit (git 2.34.1) at 2025-09-03 22:13:14 +0000