| Commit message (Collapse) | Author | Age | Files | Lines |
| |
mapped_attrs can be a list of sysdb_attrs which are not available on
the server side but should be stored with the cached user entry. This is
needed e.g. when the input to look up the user in LDAP is not an
attribute which is stored in LDAP but some data where LDAP attributes
are extracted from. The current use case is the certificate mapping
library which can create LDAP search filters based on content of the
certificate. To allow upcoming cache lookup to use the input directly it
is stored in the user object in the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
If a user from a trusted domain in the same forest is a direct or
indirect member of domain local groups from the local domain those
memberships must be resolved as well. Since those domain local groups
are not valid in the trusted domain a DC from the trusted domain which
is used to look up the user data is not aware of them. As a consequence
those memberships must be resolved against a local DC in a second step.
Resolves https://fedorahosted.org/sssd/ticket/3206
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
sdap_nested_groups_store() and rfc2307bis_nested_groups_send/recv() will
be reused for domain local group lookups.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Just provides a more descriptive name of a function parameter.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2522
Currently the approach is not optimized for performance, because each
external member is resolved in a full transaction to make sure even ID
views and similar information is processed.
In future, we should implement https://fedorahosted.org/sssd/ticket/2943
and we will again be able to process all the data in a single transaction.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Patch removes code duplication.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
During initgroups requests we try to avoid resolving the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup returns the complete list of memberships for
a user hence it is not necessary to look up the other group members and
un-roll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.
This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created as incomplete groups. As a result a request to look up this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.
https://fedorahosted.org/sssd/ticket/2601
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
We need to work with distinguished names when processing
cross-domain membership, because groups and users may
be stored in different sysdb trees.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
| |
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
| |
https://fedorahosted.org/sssd/ticket/1784
| |
Add option to fall back to fetch local users if rfc2307 is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
| |
Also remove unused sysdb_search_domgroup_by_name()
| |
Also remove unused sysdb_search_domuser_by_name()
| |
Move it to a private header so it can be reused by other
initgroups C files.
| |
These were renamed just to make sure they are not mistaken for IPA
netgroup functions.
| |
https://fedorahosted.org/sssd/ticket/836
| |
The file has been split in three:
sdap_async_users.c
sdap_async_groups.c
sdap_async_initgroups.c
https://fedorahosted.org/sssd/ticket/864
| |
This reverts 56d8d19ac9d857580a233d8264e851883b883c67
| |
Every ldap function that could possibly create a new connection is now
wrapped in a tevent_req. If the connection is created, we will call the
function again after the socket is ready for writing.
| |
sdap_handle for future reference.
| |
Under certain circumstances, the openldap libraries will continue
internally trying to reconnect to a lost connection (as during a
cable-pull test). We need to drop the reconnection callbacks when
marking the backend offline in order to guarantee that they are
not called with an invalid sdap_handle.
| |
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
| |
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7.
While this patch applied cleanly, it was uncompilable. Reverting
until it can be properly merged.
| |
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
| |
Depending on the version of the OpenLDAP libraries we use two different
schemes to find the file descriptor of the connection to the LDAP
server. This patch removes the related ifdefs from the main code and
introduces helper functions which can handle the specific cases.
|
Also update BUILD.txt