path: root/src/providers
Commit message | Author | Age | Files | Lines
...
* LDAP: Fixing of removing netgroup from cache | Petr Cech | 2016-08-24 | 1 | -0/+16
    There was a problem with the local key which wasn't properly removed. This patch fixes it.
    Resolves: https://fedorahosted.org/sssd/ticket/2841
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PROXY: Use the fqname when converting to lowercase | Fabiano Fidêncio | 2016-08-24 | 1 | -1/+1
    When saving the user there is a comparison between the "cased alias" and the "lowercase password name". However, the first doesn't use the fully qualified name while the second does, resulting in an unexpected override of the "nameAlias" attribute of a stored user when trying to authenticate more than once using an alias.
    Resolves: https://fedorahosted.org/sssd/ticket/3134
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sdap: Skip exact duplicates when extending maps | Michal Židek | 2016-08-19 | 1 | -10/+32
    When extending a map with an entry that already exists in the map in the exact same form, then there is no need to fail. We should only fail if we try to change the purpose of an already used sysdb attribute.
    Resolves: https://fedorahosted.org/sssd/ticket/3120
    Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DP: Add log message for get account info | Lukas Slebodnik | 2016-08-17 | 1 | -0/+5
    Reviewed-by: Petr Čech <pcech@redhat.com>
* LDAP: Log autofs rfc2307 config changes only with enabled responder | Lukas Slebodnik | 2016-08-17 | 1 | -1/+22
    grep -nE "0x0040" /var/log/sssd/sssd_example.com.log
    361:(Tue Aug 16 13:04:04 2016) [sssd[be[example.com]]] [ldap_get_autofs_options] (0x0040): Your configuration uses the autofs provider with schema set to rfc2307 and default attribute mappings. The default map has changed in this release, please make sure the configuration matches the server attributes.
    Reviewed-by: Petr Čech <pcech@redhat.com>
* LDAP: Adding SIGCHLD callback | Petr Cech | 2016-08-17 | 1 | -6/+26
    This patch adds a SIGCHLD callback for ldap_child. So if the timeout is reached and ldap_child is terminated by the handler, we have a debug message about it.
    Resolves: https://fedorahosted.org/sssd/ticket/3106
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Adding SIGTERM signal before SIGKILL | Petr Cech | 2016-08-17 | 1 | -4/+36
    We add better termination of ldap_child. If ldap_child reaches the timeout for termination, the parent sends a SIGTERM signal. The child has 2 seconds for removing the temporary file and exiting. If that is not sufficient, SIGKILL is sent to the child.
    Resolves: https://fedorahosted.org/sssd/ticket/3106
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Adding support for SIGTERM signal | Petr Cech | 2016-08-17 | 1 | -0/+29
    We add support for handling the SIGTERM signal. If ldap_child receives a SIGTERM signal it removes the temporary file.
    Resolves: https://fedorahosted.org/sssd/ticket/3106
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD_PROVIDER: ad_enabled_domains - other than master | Petr Cech | 2016-08-17 | 1 | -3/+37
    We can skip looking up other domains if the option ad_enabled_domains doesn't contain them.
    Resolves: https://fedorahosted.org/sssd/ticket/2828
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD_PROVIDER: ad_enabled_domains - only master | Petr Cech | 2016-08-17 | 1 | -0/+16
    We can skip looking up other domains if the option ad_enabled_domains contains only the master domain.
    Resolves: https://fedorahosted.org/sssd/ticket/2828
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD_PROVIDER: Initializing of ad_enabled_domains | Petr Cech | 2016-08-17 | 1 | -0/+82
    We add ad_enabled_domains into ad_subdomains_ctx.
    Resolves: https://fedorahosted.org/sssd/ticket/2828
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD_PROVIDER: Add ad_enabled_domains option | Petr Cech | 2016-08-17 | 2 | -0/+2
    Resolves: https://fedorahosted.org/sssd/ticket/2828
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Warn if IP address is used as option for ipa_server/ad_server | Justin Stephenson | 2016-08-16 | 2 | -0/+18
    GSSAPI is dependent on DNS with hostnames and we should warn about this.
    Resolves: https://fedorahosted.org/sssd/ticket/2789
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DP: Remove old data provider interface | Pavel Březina | 2016-08-16 | 5 | -237/+4
    The reverse data provider interface is moved to a better location in the NSS responder. All responders can now have an sbus interface defined per data provider connection. The unused old data provider interface is removed.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PROXY: Do not abuse data provider interface | Pavel Březina | 2016-08-16 | 8 | -185/+284
    We want to use a custom interface for the proxy provider so we do not abuse the data provider one. This way we gain more control over it and we can remove the old interface entirely.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sssctl: print active server and server list | Pavel Březina | 2016-08-16 | 8 | -10/+415
    Resolves: https://fedorahosted.org/sssd/ticket/3069
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* failover: mark subdomain service with sd_ prefix | Pavel Březina | 2016-08-16 | 2 | -4/+18
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sbus: add sbus_request_reply_error() | Pavel Březina | 2016-08-16 | 1 | -8/+3
    This simplifies error handling in sbus requests since we avoid creating DBusError and checking for NULL manually. It removes a few lines of code. This patch does not replace all calls to sbus_request_fail_and_finish since sometimes it is desirable to create the error manually. But it replaces it in most recent places.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* gpo: gPCMachineExtensionNames with just whitespaces | Michal Židek | 2016-08-11 | 1 | -1/+20
    Resolves: https://fedorahosted.org/sssd/ticket/3114
    We failed GPO processing if the gPCMachineExtensionNames attribute contained just whitespaces. This caused failures in some server settings.
    Comment from Alexander Bokovoy, quoting:
    You should use the MS-GPOL spec. Section 2.2.4 'GPO Search' says that when processing gPCMachineExtensionNames, "Group Policy processing terminates at the first <CSE GUIDn> out of sequence." Since ' ' (space only) does not fall into the defined syntax for gPCMachineExtensionNames, this Group Policy processing is stopped and its CSE GUIDs are set to 'empty list'. Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
    ------------------------------------------------------------------------
    The Group Policy client MUST evaluate the subset of the abstract element Filtered GPO list separately for each Group Policy extension by including in the subset only those GPOs whose gPCUserExtensionNames (for user policy mode) or gPCMachineExtensionNames (for computer policy mode) attributes contain CSE GUID that correspond to the Group Policy extension. If the CSE GUID corresponding to the Group Policy extension is present in Extension List, it is invoked using the Implementation Identifier field. Applicability is determined as specified in section 3.2.1.5. The Group Policy Registry Extension MUST always execute first. All other applicable Group Policy extensions in the Extension List MUST be loaded and executed in Extension List order. A failure in any Group Policy extension sequence MUST NOT affect the execution of other Group Policy extensions.
    -------------------------------------------------------------------------
    I think we can practically treat wrong content of gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the GPO to pass through the Filtered GPO list. Thus, the GPO would be ignored.
    Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SIMPLE: Make the DP handlers testable | Jakub Hrozek | 2016-08-10 | 2 | -2/+46
    To make it possible to call the whole DP handler in the unit test, not just the evaluator part.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SIMPLE: Fail on any error parsing the access control list | Jakub Hrozek | 2016-08-10 | 1 | -1/+4
    Luckily this error was hidden by the fact that SSSD didn't start at all when an unparseable name was encountered after startup. Otherwise, this would have been a security issue. Nonetheless, we should just fail and deny access if we can't parse a name in a simple access list.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SIMPLE: Do not parse names on startup | Jakub Hrozek | 2016-08-10 | 1 | -7/+0
    It's not required to parse names on SSSD startup in the simple access provider. We can instead just parse the name when the access request is processed.
    Resolves: https://fedorahosted.org/sssd/ticket/3101
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DP: Initialize D-Bus as soon as possible | Pavel Březina | 2016-08-09 | 2 | -11/+23
    Resolves: https://fedorahosted.org/sssd/ticket/3111
    Reviewed-by: Petr Cech <pcech@redhat.com>
* IPA: Check the return value of sss_parse_internal_fqname | Jakub Hrozek | 2016-08-08 | 1 | -0/+8
    We should fail the request if sss_parse_internal_fqname() fails.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Fixing wrong pam error code for passwd | Petr Cech | 2016-08-08 | 1 | -0/+5
    This patch adds the right pam error code for the sssd offline state.
    Resolves: https://fedorahosted.org/sssd/ticket/3109
* LDAP: Fix Dereference after NULL check | Lukas Slebodnik | 2016-08-08 | 1 | -1/+1
    The commit dc30c60f166ad9adc63a47a1013508a71624ac87 changed the logic in the NULL check:
    - if (protocol) {
    + if (protocol == NULL) {
    Found by Coverity:
    Reviewed-by: Petr Čech <pcech@redhat.com>
* SDAP: Don't log an op failure when no users are found | Fabiano Fidêncio | 2016-08-05 | 1 | -3/+6
    When no users are found during the search users process, just log (at TRACE_ALL level) that zero users were retrieved and avoid logging (at OP_FAILURE level) that a failure has occurred, which may end up misleading admins, giving them the impression that something wrong has happened.
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Resolves: https://fedorahosted.org/sssd/ticket/3089
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* PROVIDER: Conversion of empty string from D-Bus to NULL | Petr Cech | 2016-08-05 | 2 | -4/+4
    This patch fixes the issue with an empty string received from D-Bus. Data providers obtain NULL. So this is a simple conversion.
    Resolves: https://fedorahosted.org/sssd/ticket/3084
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Revert "LDAP: Lookup services by all protocols unless a protocol is specified" | Petr Cech | 2016-08-05 | 1 | -5/+2
    This reverts commit aa58e216c1f794bd335151f19e79adbb3ddf4c73.
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Changing of confusing debug message | Petr Cech | 2016-08-05 | 2 | -3/+6
    This debug message used to confuse our users. So this patch changes it.
    Old version: "Trust direction of %s is %s\n"
    New version: "Trust type of [%s]: %s\n"
    Resolves: https://fedorahosted.org/sssd/ticket/3090
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: sysdb_search_users does not set users_count for failures | Lukas Slebodnik | 2016-08-05 | 1 | -1/+1
    ==32577== Conditional jump or move depends on uninitialised value(s)
    ==32577==    at 0x140DCE10: sdap_process_missing_member_2307 (sdap_async_groups.c:1556)
    ==32577==    by 0x140DCE10: sdap_process_group_members_2307 (sdap_async_groups.c:1625)
    ==32577==    by 0x140DCE10: sdap_process_group_send (sdap_async_groups.c:1298)
    ==32577==    by 0x140DCE10: sdap_get_groups_process (sdap_async_groups.c:2130)
    ==32577==    by 0x140CFDA8: generic_ext_search_handler.isra.3 (sdap_async.c:1688)
    ==32577==    by 0x140D2416: sdap_get_generic_op_finished (sdap_async.c:1578)
    ==32577==    by 0x140D0DFC: sdap_process_message (sdap_async.c:353)
    ==32577==    by 0x140D0DFC: sdap_process_result (sdap_async.c:197)
    ==32577==    by 0x8BF1B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
    ==32577==    by 0x8BF2B59: epoll_event_loop_once (tevent_epoll.c:911)
    ==32577==    by 0x8BF1256: std_event_loop_once (tevent_standard.c:114)
    ==32577==    by 0x8BED40C: _tevent_loop_once (tevent.c:533)
    ==32577==    by 0x8BED5AA: tevent_common_loop_wait (tevent.c:637)
    ==32577==    by 0x8BF11F6: std_event_loop_wait (tevent_standard.c:140)
    ==32577==    by 0x529DD02: server_loop (server.c:702)
    ==32577==    by 0x110951: main (data_provider_be.c:587)
    Resolves: https://fedorahosted.org/sssd/ticket/3121
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: sanitize member name before using in filter | Lukas Slebodnik | 2016-08-05 | 1 | -1/+10
    It caused errors.
    (Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x2000): Search users with filter: (&(objectclass=user)(nameAlias=t(u)ser@ldap))
    (Tue Aug 2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users] (0x0080): Error: 5 (Input/output error)
    Resolves: https://fedorahosted.org/sssd/ticket/3121
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Use FQDN when linking parent LDAP groups | Jakub Hrozek | 2016-08-04 | 1 | -1/+1
    Resolves: https://fedorahosted.org/sssd/ticket/3093
    Because we compare the list of LDAP names with the list of sysdb names, we need to qualify the list of LDAP names before running the diff.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* LDAP: Changing of confusing debug message | Petr Cech | 2016-08-02 | 1 | -1/+1
    This debug message used to confuse our customer. So this patch changes it.
    Resolves: https://fedorahosted.org/sssd/ticket/3091
    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* LDAP: Fix storing initgroups for users with no supplementary groups | Jakub Hrozek | 2016-08-02 | 1 | -14/+18
    If there are no supplementary groups, we tried to qualify a NULL pointer to an array, which resulted in an error.
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SDAP: add enterprise principal strings for user searches | Sumit Bose | 2016-07-29 | 4 | -4/+48
    Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To be able to look up the alternative principal in LDAP properly, the UPN search filter is extended to search for this type of name as well.
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: add special handling for IPA Kerberos enterprise principal strings | Sumit Bose | 2016-07-29 | 1 | -0/+17
    Unfortunately principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To allow searches with the plain alias 'name@alt.realm', the returned value is converted before it is saved to the cache.
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP/IPA: add local email address to aliases | Sumit Bose | 2016-07-29 | 2 | -0/+71
    Adding email addresses from the local domain to the alias names is strictly not needed but might help to speed up lookups in the NSS responder.
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: include email in UPN searches | Sumit Bose | 2016-07-29 | 2 | -10/+40
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: new attribute option ldap_user_email | Sumit Bose | 2016-07-29 | 4 | -0/+6
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: allow multiple user principals | Sumit Bose | 2016-07-29 | 1 | -14/+18
    In general a user can have multiple principals, and recent IPA versions added support for defining multiple principals. With this patch SSSD does not only store the first but all principals read by LDAP from a server.
    Resolves https://fedorahosted.org/sssd/ticket/2958
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: fix lookup by UPN for subdomains | Sumit Bose | 2016-07-29 | 1 | -4/+12
    Currently the user name used in the extdom exop request is unconditionally set to the short name. While this is correct for the general name-based lookups, it breaks UPN/email-based lookups where the name part after the @-sign might not match the domain name. I guess this was introduced during the sysdb refactoring.
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: expand ghost members of AD groups in server-mode | Sumit Bose | 2016-07-29 | 1 | -1/+78
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make ipa_resolve_user_list_{send|recv} public and allow AD users | Sumit Bose | 2016-07-29 | 2 | -4/+24
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: replace ad_get_client_site_parse_ndr() with netlogon_get_domain_info() | Sumit Bose | 2016-07-25 | 1 | -120/+33
    netlogon_get_domain_info() does not fail if only the site is missing in the CLDAP ping response. If the site is not available, a Global Catalog can still be looked up with the forest name. Only if the forest name is missing as well do we fall back to the configured domain name.
    Resolves: https://fedorahosted.org/sssd/ticket/3104
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: netlogon_get_domain_info() allow missing arguments and empty results | Sumit Bose | 2016-07-25 | 4 | -51/+65
    netlogon_get_domain_info() should not fail if not all parameters can be retrieved. It should be the responsibility of the caller to see if the needed data is available and act accordingly.
    Resolves: https://fedorahosted.org/sssd/ticket/3104
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: avoid memory leak in netlogon_get_domain_info() and make it public | Sumit Bose | 2016-07-25 | 2 | -9/+26
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Amend debug messages after failure of unlink | Lukas Slebodnik | 2016-07-25 | 1 | -2/+3
    Some messages did not have errno or the name of the problematic file. There was also improper use of a negative value: the function strerror was called with -1 instead of errno.
    Reviewed-by: Petr Čech <pcech@redhat.com>
* IPA: enable enterprise principals if server supports them | Sumit Bose | 2016-07-18 | 1 | -0/+86
    If there are alternative UPN suffixes found on the server, we can safely assume that the IPA server supports enterprise principals.
    Resolves https://fedorahosted.org/sssd/ticket/3018
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add ipa_init_get_krb5_auth_ctx() | Sumit Bose | 2016-07-18 | 2 | -0/+18
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>