When parsing the secrets key, the code tried to protect against malformed keys
or keys that are too short, but it made an error - the UUID stringified
form is 36 bytes long, so the UUID_STR_SIZE is 37 because UUID_STR_SIZE
accounts for the null terminator.
But the code, that was trying to assert that there are two characters after
the UUID string (separator and at least a single character for the name),
didn't take the NULL terminator (which strlen() doesn't return) into
account and ended up rejecting all ccaches whose name is only a single
character.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new PAM responder option 'pam_app_services'. This option can hold
a list of PAM services that are allowed to contact the application
non-POSIX domains. These services are NOT allowed to contact any of the
POSIX domains.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new enumeration cache_req_dom_type. It is a tri-state that
allows the caller to select which domains can be contacted - either only
POSIX, only application domains or any type.
Not all plugins of cache_req have the new parameter added -- only those
that are usable/useful in a non-POSIX environment. For example, it makes
no sense to allow the selection for calls by ID because those are
inherently POSIX-specific. Also, services or netgroups are supported
only coming from POSIX domains.
At the moment, the patch should not change any behaviour as all calls
default to contacting POSIX domains only.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
domainResolutionOrder has been introduced in the previous commits and
allows the admin to set up a specific order in which the domains will be
resolved during a lookup, and with this patch we can take advantage of
this.
In order to have it working, a new structure has been added
(struct domain_resolution_order) to the responder context and will be
used by the cache_req to perform the lookups based on this list.
As the ipaDomainResolutionOrder may be set globally on IPA or per View,
SSSD does respect the following precedence order: View > Globally.
The way the list is built is quite simple, basically having the domains
present on ipaDomainResolutionOrder as the first domains (in that
specific order) and then appending the remaining domains to this list.
The final result is a completely flat list with all the domains
respecting the specified order (it's important to remember that the
domains not specified won't follow any specific order, they're just
"random" based on the domains list present in the responder context).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Introduce a new and small set of tests for these new helper methods that
are going to be used in different parts of the code in the follow-up
patches.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Let's extend the NSS tests in order to also test looking up users, from
a subdomain, by their short names (non-fully-qualified names).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch basically makes the getgrnam_members_subdom(),
getgrnam_mix_dom(), getgrnam_mix_dom_fqdn() and getgrnam_mix_subdom()
more independent of each other.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Related:
https://pagure.io/SSSD/sssd/issue/3001
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3337
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
In order to avoid race conditions, we queue requests towards the KCM
responder coming from the same client UID.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Adds a new KCM responder ccache back end that forwards all requests to
sssd-secrets.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
This patch adds a getlistbycert() call to libsss_nss_idmap to make it on
par with InfoPipe.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Add sysdb calls to write and read data for the certificate mapping
library to the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Use the certificate mapping library if available to look up a user by
certificate in LDAP.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Store the certificate used to look up a user as a mapped attribute in the
cached user object.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
With this library it would be possible to map certificates and users not
only by adding the full certificate to the user's LDAP object but by
adding e.g. only parts like the issuer and subject name. Additionally,
the library is also able to flexibly select/match certificates based on
values in the certificate.
Details about mapping and matching rules can be found in the included
man page.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Added a new trusted domain section in the
sssd.conf where the search bases for the
trusted domain can be specified.
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
The KCM responder reads bytes and writes bytes from a buffer of bytes.
Instead of letting the caller deal with low-level handling using the
SAFEALIGN macros, this patch adds a new iobuf.c module with more
high-level functions.
The core is an iobuf struct that keeps track of the buffer, its total
capacity and a current read or write position.
There are helper functions to read or write a generic buffer with a set
length. Later, we will also add convenience functions to read C data
types using the SAFEALIGN macros.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Related-to:
https://pagure.io/SSSD/sssd/issue/2668
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Similar to what happened for nss-srv-tests, there were a few kinds of
changes required to fix the test breakage caused by the last commit.
1) For tests including no user, no changes were required.
2) As we call an equivalent to the "get by name" command, a name is parsed
with sss_parse_inp and the returned value is now mocked.
3) For the "cache_auth_success*" tests we set pam_test_ctx->tctx->done
to false after adding the password to the cache, since the code now
contains tevent calls and without it only the first request proceeds
into tevent_loop in test_ev_loop(), as the first finished request sets
done to true.
4) As the user certificate is added as a result of calling
sss_dp_account_recv and the certificate value is read by the certificate
lookup, we have to, in case a certificate lookup callback is set, call
mock_account_recv() for the certificate before going through the
mock_account_recv() for the initgroup.
5) If no logon name is given, then the user is looked up by certificate
first. Since there's a matching user, the upcoming lookup by name will
find the user entry. However, since the looked-up data is up to date, the
dp response has to be mocked and the second argument of
mock_input_pam_cert() cannot be NULL but must match the user name.
6) Add a new attribute to mock_input_pam_cert() that represents whether
the backend is contacted only once. It's needed because in
test_pam_cert_auth() the backend is contacted first to check whether it
can handle smartcard authentication, but before that there's a lookup.
Since the first mocked reply already adds the certificate to the user
entry, the lookup by certificate will already find the user in the cache
and no second lookup is needed.
Co-Author: Pavel Březina <pbrezina@redhat.com>
Co-Author: Sumit Bose <sbose@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/1126
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
We used to store the UPN suffixes pointer into the domain structure only if
the domain changed, not when a new domain was created. As an effect, the
enterprise principals flag was not enabled unless a domain changed,
preventing logins with enterprise principals.
Reviewed-by: Sumit Bose <sbose@redhat.com>
If the UPN uses the same domain name as the configured domain, an
unsuccessful lookup by name will already create an entry in the negative
cache. If the lookup by UPN used the same namespace, the lookup would
immediately be finished because there would already be an entry in the
negative cache.
Resolves:
https://pagure.io/SSSD/sssd/issue/3313
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Related to https://pagure.io/SSSD/sssd/issue/3270
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
The blob contains, besides the PIN, the name of the PKCS#11 module and the
token name where the certificate of the user was found and the key id.
Those data will be used e.g. by the pkinit module to make sure the
right certificate is used.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Adds a reusable module for watching files using the Linux-specific
inotify(7) interface. Adds the possibility to watch the file's parent
directory as well to make it possible to watch moves into the directory
and allow watching a file that doesn't exist at the time the watch is
created.
This interface is needed to implement the files provider, so this commit
is related to:
https://fedorahosted.org/sssd/ticket/2228
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Adds a negative cache API to reset negatively cached users and groups.
This will be used when the files back end finishes enumeration to make
sure all results are available.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
The current code doesn't handle the situation where lowercasing the
sudoUser attribute would yield the same value again.
For example:
sudoUser: TUSER
sudoUser: tuser
would break.
This patch switches to using the utility function
sysdb_attrs_add_lower_case_string() which already checks for duplicates.
Resolves:
https://fedorahosted.org/sssd/ticket/3301
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This will allow using cache req even for objects that do not use
account requests, such as hosts.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
It is not always desirable to consider default_domain from the configuration
but to expect none instead, for example when we search host certificates.
This is currently not used in this patch since host lookups parse the
name directly with sss_parse_name, but it will be used in the next
patch.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This patch provides tests for the core logic of the
sdap_search_initgr_user_in_batch() function. This function replaces the
old approach with the sysdb_try_to_find_expected_dn() function.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
The function create_multidom_test_ctx() prepares the test environment for
multiple domains. This patch enables setting different params for
each domain.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Currently, in order to match multiple LDAP search results, we
use two different functions - we have sysdb_try_to_find_expected_dn()
but also sdap_object_in_domain().
This patch removes sysdb_try_to_find_expected_dn() and adds a new
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
This function covers the necessary logic.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Add test to ensure conflict entries return ENOENT
Resolves:
https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Some callers might not be interested in some of the values wbcLookupSid()
returns and just pass NULL. Currently 'net ads user info' does this
because it is not interested in the domain. wbcLookupSid() should handle
this gracefully.
Resolves:
https://fedorahosted.org/sssd/ticket/3273
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
There were a few types of changes that were required for the tests to work:
1) When calling "get by name" commands, a name is parsed with
sss_parse_inp. The returned value is now mocked.
2) When calling "get by upn" commands, a name is parsed with
sss_parse_inp and the negative cache is not hit in the first run
since cache_req knows it may be a UPN since it is not equal
to any known domain. The returned value of sss_parse_inp is now
mocked to return ERR_DOMAIN_NOT_FOUND and negative cache hits
are checked to be 0.
3) Lookups by certificate or SID do not require name parsing, so
those have separate mock functions.
4) Sometimes the tests fail since a different number of mocked functions
is called due to changes in the code. Where possible, will_return_always()
is used; otherwise the number of mocked values was fixed.
5) In SID by name lookups, we set nss_test_ctx->tctx->done to false at
the beginning of the for cycle, since the code now contains tevent calls
and without it only the first request proceeds into tevent_loop in
test_ev_loop(), because the first finished request sets it to true.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Originally sss_cmd_send_empty() also called sss_cmd_done() to send
an empty reply packet to the client, whereas sss_cmd_send_error()
did not invoke this call and required the caller to call it manually.
For this reason, a possible error in users_find_by_cert_done() was not
sent to the caller.
This patch unifies the usage of those two functions in a way that both
of them only create the reply packet but do not send it. Another
sss_cmd_done() call is required to send the reply.
Because sss_cmd_done() is now always called, unit tests needed to be
changed to always mock a value for __wrap_sss_cmd_done.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
In enumeration calls we want to get objects from all domains, not
only from the first matched domain. We move the cache search result
into a structure that contains a combination of domain and ldb_result.
This is preparation for enumeration support inside cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
The global names context is used to parse AD well-known SIDs and names
into their opposite. This patch moves the definition of this parameter
from the nss responder into the common responder context so it can be
used also by other responders.
This change will be used to enable looking up well-known SIDs and
names directly in cache_req.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
We covered the difference between case sensitive and case insensitive
domains. If the domain is case insensitive we add the lowercase form of
sudoUser to the local sysdb cache.
Resolves:
https://fedorahosted.org/sssd/ticket/3203
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
In cases where the domain name in sssd.conf does not match the AD
domain, our previous matching process wouldn't match. This patch
augments the matching as follows:
- the search base is known to sysdb_try_to_find_expected_dn and is
expected to be non-NULL
- the existing matching is run first
- during the search base matching, all the non-DC components are
stripped from the search base to 'canonicalize' the search base
- if only a single entry matches with a non-DC DN component
(matching with a DC component would mean the DN comes from a
different domain), then this entry is a match and is returned
Resolves:
https://fedorahosted.org/sssd/ticket/3199
Reviewed-by: Sumit Bose <sbose@redhat.com>
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment variable for services like 'sudo-i'.
Resolves https://fedorahosted.org/sssd/ticket/2296
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This patch switches the old switch-based cache req code to
the new plugin-based one.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>