summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap/sdap_async_connection.c
Commit message (Collapse)AuthorAgeFilesLines
* Downcast to errno_t after tevent_req_is_errorLukas Slebodnik2016-06-291-5/+15
| | | | | | | | | | | | | Functions tevent_req_is_error and _tevent_req_error use type uint64_t for error code. SSSD uses errno_t which is an alias for int. Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR can return 0 due to implicit down casting from uint64_t -> int. This patch makes down casting explicit and returns EINVAL if result of downcasting is 0. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Inform about (un)successful connectionPavel Březina2016-05-111-0/+5
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Add return code ERR_ACCOUNT_LOCKEDPavel Reichl2016-02-171-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add code to distinquish state when account is locked in Active Directory server. Tested against Windows Server 2012 This patch is best effort only as decision whether account is actually locked is based on parsing error message returned by AD. The format and content of this error message might be subject of change in future releases and also can be modified by AD administrators. If account is locked bind operation is expected to return following error message: ----------------------------------------------------------------------- Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 ----------------------------------------------------------------------- Where sub string 'data 775' implies that account is locked (ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code 0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of error string [2]. Error message is described in further detail as [3]: ----------------------------------------------------------------------- When the server fails an LDAP operation with an error, and the server has sufficient resources to compute a string value for the errorMessage field of the LDAPResult, it includes a string in the errorMessage field of the LDAPResult (see [RFC2251] section 4.1.10). The string contains further information about the error. The first eight characters of the errorMessage string are a 32-bit integer, expressed in hexadecimal. Where protocol specifies the extended error code "<unrestricted>" there is no restriction on the value of the 32-bit integer. It is recommended that implementations use a Windows error code for the 32-bit integer in this case in order to improve usability of the directory for clients. Where protocol specifies an extended error code which is a Windows error code, the 32-bit integer is the specified Windows error code. Any data after the eighth character is strictly informational and used only for debugging. Conformant implementations need not put any value beyond the eighth character of the errorMessage field. ----------------------------------------------------------------------- [1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx [2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols [3] MS-ADTS 3.1.1.3.1.9 https://msdn.microsoft.com/en-us/library/cc223253.aspx Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sdap_connect_send: fail if uri or sockaddr is NULLPavel Březina2016-01-191-0/+6
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2904 Reviewed-by: Michal Židek <mzidek@redhat.com>
* FO: Use refcount to keep track of servers returned to callersJakub Hrozek2015-10-231-2/+2
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2829 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Improve messages about failuresPavel Reichl2015-08-071-2/+6
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviourJakub Hrozek2015-06-141-7/+1
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Do not set keytab through environment variableJakub Hrozek2015-06-141-10/+0
| | | | | | | | | | Otherwise each connection would clobber the environment variable with its own. This is a temporary workaround until SSSD's ldap_child is able to store ccaches in a collection. Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: return after tevent_req_errorJakub Hrozek2015-05-111-0/+1
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SDAP: Make StartTLS bind configurable with ldap_opt_timeoutJakub Hrozek2015-03-231-2/+3
| | | | | | | Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: Make simple bind timeout configurableJakub Hrozek2015-03-231-5/+8
| | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/1501 Reuse the value of sdap_opt_timeout to set a longer bind timeout for user authentication, ID connection authentication and authentication during IPA migration mode. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Add missing new lines to debug messagesLukas Slebodnik2015-03-171-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: check that connection is open before bindPavel Reichl2014-10-121-10/+103
| | | | | | | | | | | | | | | | Tivoli server does not return an empty response when being asked for the rootDSE data but an error. In this case the rootDSE lookup in SSSD will terminate the connection to the server and return a error. But since errors except timeouts are ignored SSSD will try to continue with the bind, but since the connection is already terminated this will fail as well. And this will terminate the whole operation. Make sure the connection is open before performing bind operation. Resolves: https://fedorahosted.org/sssd/ticket/2435 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: move deciding of tls usage into new functionPavel Reichl2014-10-121-20/+37
| | | | | | | Separate code for deciding tls usage from sdap_cli_connect_send() to new function decide_tls_usage(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Do not clobber return value when multiple controls are returnedJakub Hrozek2014-09-161-3/+4
| | | | | | | | We loop over the array of returned controls and set 'ret' based on the control value. In case multiple controls were returned, the 'ret' variable might be clobbered with result of a string-to-int conversion. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Check the LDAP handle before using itJakub Hrozek2014-05-121-0/+13
| | | | | | | | | | As the connection code is async-driven, the LDAP handle might be invalidated before SSSD attempts to use it. Similar to commit 5fe6ca5e339fd345119752e996c14edf8db57660, this patch adds a NULL check for the LDAP handle and aborts the request instead of crashing. Resolves: https://fedorahosted.org/sssd/ticket/2305
* sdap: move non async functions from sdap_async_connection.c to sdap_utils.cPavel Březina2014-02-181-18/+0
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Update DEBUG* invocations to use new levelsNikolai Kondrashov2014-02-121-58/+74
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make DEBUG macro invocations variadicNikolai Kondrashov2014-02-121-132/+132
| | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix formating of variables with ber_ typeLukas Slebodnik2013-09-111-2/+3
|
* Fix formating of variables with type: time_tLukas Slebodnik2013-09-111-1/+1
|
* Fix formating of variables with type: intLukas Slebodnik2013-09-111-1/+1
|
* LDAP: new SDAP domain structureJakub Hrozek2013-06-071-1/+2
| | | | | | | | | | | Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
* Fixing critical format string issues.Lukas Slebodnik2013-05-201-2/+2
| | | | | | --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
* sdap: add sdap_connect_host requestPavel Březina2013-05-021-0/+186
| | | | | Create connection to specified LDAP server without using any failover stuff.
* Display the last grace warning, tooJakub Hrozek2013-05-021-1/+1
| | | | | | | Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890
* LDAP: Fix value initialization warningsLukas Slebodnik2013-04-041-1/+1
|
* Making the authtok structure really opaque.Lukas Slebodnik2013-04-021-3/+9
| | | | | | | | | | | | | | | | | | | | Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
* LDAP: Fix value initializationOndrej Kos2013-03-271-1/+1
|
* Use common error facility instead of sdap_resultSimo Sorce2013-03-191-90/+62
| | | | | | | | | Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
* LDAP: Check for authtok validityJakub Hrozek2013-02-111-7/+9
| | | | | | | | | | The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
* Fix LDAP authentication - invalid password lengthPavel Březina2013-01-141-1/+1
| | | | | | sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.
* Change pam data auth tokens.Simo Sorce2013-01-101-37/+51
| | | | Use the new authtok abstraction and interfaces throught the code.
* LDAP: Expire even non authenticated connectionsJakub Hrozek2012-11-181-8/+11
| | | | | | | The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649
* FO: Check server validity before setting statusJakub Hrozek2012-09-131-7/+14
| | | | | | | | | | | | | | | | | The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
* Unbreak SASLPavel Březina2012-07-311-9/+12
| | | | | | | Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data type of sasl_minssf from int to ber_len_t. Unfortunately, default value of ldap_sasl_minssf is -1 but ber_len_t is defined as unsigned long. This made SASL mechanism inoperative.
* Fix uninitialized valuesNick Guay2012-07-181-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1379
* LDAP: Properly cast type for MINSSF valueJan Vcelak2012-07-181-11/+9
|
* LDAP: Print extended failure message for SASL bindStephen Gallagher2012-07-021-2/+14
|
* Simple implementation of Netscape password warning expiration controlJoshua Roys2012-05-221-22/+74
|
* Try all KDCs when getting TGT for LDAPJakub Hrozek2012-05-091-15/+18
| | | | | | | | When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
* Get the RootDSE after binding if not successfull beforeJakub Hrozek2012-04-201-26/+104
| | | | https://fedorahosted.org/sssd/ticket/1258
* Free controls in sdap_rebind_procJakub Hrozek2012-04-201-4/+6
|
* Do not call sdap_auth if not neededJakub Hrozek2012-04-181-7/+11
|
* LDAP: Fix memory leaks in synchronous_tls_setupStephen Gallagher2012-03-261-8/+10
| | | | | | | | | | We were never freeing "result" if it was allocated by ldap_result(). We were also not freeing "errmsg" if it was allocated but ldap_parse_result() returned an error. Also disambiguate error messages from ldap_parse_result() and error messages from sss_ldap_get_diagnostic_msg() since they use differing memory-management functions.
* LDAP: Errors retrieving the RootDSE should not be fatalStephen Gallagher2012-03-161-15/+8
| | | | | | | | If we can't reach the RootDSE, let's just proceed as if it's unavailable with reasonable defaults. If we fail later on, that's fine. Fixes https://fedorahosted.org/sssd/ticket/1257
* Detect cycle in the fail over on subsequent resolve requests onlyJakub Hrozek2012-03-081-2/+4
|
* Only do one cycle when resolving a serverJakub Hrozek2012-03-061-7/+6
| | | | https://fedorahosted.org/sssd/ticket/1214
* LDAP: Copy URI instead of pointing at failover service recordStephen Gallagher2012-01-141-2/+8
| | | | | | | | In a heavy load environment, sometimes the failover service record would be updated and free the URI value. We need to guarantee that this URI string remains valid throughout the entire request. https://fedorahosted.org/sssd/ticket/1139
* Add sdap_connection_expire_timeout optionStephen Gallagher2011-12-121-0/+12
| | | | https://fedorahosted.org/sssd/ticket/1036
generated by cgit (git 2.34.1) at 2025-08-31 21:56:04 +0000