| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
We require newer libcurl version than is available on rhel6. We don't
ship secrets responder in rhel6 so we just disable its build.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Just to make the tool a little bit nicer and more flexible.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At first, this patch separates curl_easy handle from the multi-handle
processing and makes it encapsulated in custom tcurl_request structure.
This allows us to separate protocol initialization from its asynchonous
logic which gives us the ability to set different options for each
request without over-extending the parameter list.
In this patch we implement options for peer verification for TLS-enabled
protocols and to return response with body and headers together.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing the secrets key, the code tried to protect against malformed keys
or keys that are too short, but it did an error - the UUID stringified
form is 36 bytes long, so the UUID_STR_SIZE is 37 because UUID_STR_SIZE
accounts for the null terminator.
But the code, that was trying to assert that there are two characters after
the UUID string (separator and at least a single character for the name)
didn't take the NULL terminator (which strlen() doesn't return) into
account and ended up rejecting all ccaches whose name is only a single
character.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://pagure.io/SSSD/sssd/issue/3310
We already do the same for groups. If the user does not have UID number
set but does have the POSIX: false attribute set, then we save the user
with zero UID and the non-POSIX flag.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new PAM responder option 'pam_app_services'. This option can hold
a list of PAM services that are allowed to contact the application
non-POSIX domains. These services are NOT allowed to contact any of the
POSIX domains.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new enumeration cache_req_dom_type. It is a tri-state that
allows the caller to select which domains can be contacted - either only
POSIX, only application domains or any type.
Not all plugins of cache_req have the new parameter added -- only those
that are usable/useful in a non-POSIX environment. For example, it makes
no sense to allow the selection for calls by ID because those are
inherently POSIX-specific. Also, services or netgroups are supported
only coming from POSIX domains.
At the moment, the patch should not change any behaviour as all calls
default to contacting POSIX domains only.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
domainResolutionOrder has been introduced in the previous commits and
allows the admin to set up a specific order which the domains will be
resolved during a lookup and with this patch we can take advantage of
this.
In order to have it working a new structure has been added
(struct domain_resolution_order) to the responder context and will be
used by the cache_req to perform the lookups based on this list.
As the ipaDomainResolutionOrder may be set globally on IPA or per View,
SSSD does respect the following precedence order: View > Globally.
The way the list is built is quite simple, basically having the domains
present on ipaDomainResolutionOrder as the first domains (in that
specific order) and then appending the remaining domains to this list.
The final result is a completely flat list with all the domains
respecting the specified order (it's important to remember that the
domains not specified won't follow any specific order, they're just
"random" based on the domains list present in the responder context.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce a new and small set of tests for these new helper methods that
are going to be used in different parts of the code in the follow-up
patches.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's extend the NSS tests in order to also test looking up users, from
a subdomain, by their short names (non fully qualified names).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch basically makes the getgrnam_members_subdom(),
getgrnam_mix_dom(), getgrnam_mix_dom_fqdn() and getgrnam_mix_subdom()
more independent of each other.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://pagure.io/SSSD/sssd/issue/3001
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3337
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
env variable UID is not defined in all shells (eg. dash)
We also need to move invocation of "id -u" before nss_wraper
is enabled otherwise we would get root instead of real user.
=================================== FAILURES ===================================
________________________ test_kcm_mem_init_list_destroy ________________________
Traceback (most recent call last):
File "/home/build/sssd/src/tests/intg/test_kcm.py", line 198, in test_kcm_mem_init_list_destroy
kcm_init_list_destroy(testenv)
File "/home/build/sssd/src/tests/intg/test_kcm.py", line 183, in kcm_init_list_destroy
exp_ccname = testenv.ccname()
File "/home/build/sssd/src/tests/intg/test_kcm.py", line 45, in ccname
my_uid = self.my_uid()
File "/home/build/sssd/src/tests/intg/test_kcm.py", line 41, in my_uid
return int(s_myuid)
ValueError: invalid literal for int() with base 10: ''
And we already use different approach in top level Makefile.am
3488) $(INTGCHECK_CONFIGURE_FLAGS) \
3489) CFLAGS="$$CFLAGS $(AM_CFLAGS) -DKCM_PEER_UID=$$(id -u)"; \
3490) $(MAKE) $(AM_MAKEFLAGS) ; \
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
In order to avoid race conditions, we queue requests towards the KCM
responder coming from the same client UID.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Adds a new KCM responder ccache back end that forwards all requests to
sssd-secrets.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
The curl integration must allow us to create containers, therefore we
also add support of the POST HTTP request type.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This patch adds a getlistbycert() call to libsss_nss_idmap to make it on
par with InfoPipe.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add sysdb calls to write and read data for the certificate mapping
library to the cache.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Use certificate mapping library if available to lookup a user by
certificate in LDAP.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Store the certificate used to lookup a user as mapped attribute in the
cached user object.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this library it would be possible to map certificates and users not
only by adding the full certificate to the user's LDAP object but by
adding e.g. only parts like the issuer and subject name. Additionally
the library is also able to flexible select/match certificates based on
values in the certificate.
Details about mapping and matching rules can be found in the included
man page.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Added new trusted domain section in the
sssd.conf were the search bases for the
trusted domain can be specified.
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
In order to test the curl integration code, this patch adds a
command-line tool and tests that it's possible to drive a conversation
with the secrets responder using the tool.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The KCM responder reads bytes and writes bytes from a buffer of bytes.
Instead of letting the caller deal with low-level handling using the
SAFEALIGN macros, this patch adds a new iobuf.c module with more
high-level functions.
The core is a iobuf struct that keeps track of the buffer, its total
capacity and a current read or write position.
There are helper function to read or write a generic buffer with a set
length. Later, we will also add convenience functions to read C data
types using the SAFEALIGN macros.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is preparing the field for coming up patches where new lookup
logic will be added.
Taking this into consideration let's move the result manipulation code
into a separate module and focus purely in the lookups logic in the main
module.
Related:
https://pagure.io/sssd/sssd/issue/3001
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Related-to:
https://pagure.io/SSSD/sssd/issue/3317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
Related-to:
https://pagure.io/SSSD/sssd/issue/2668
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a group/users are invalidated from sss_cache, the group/user
information in domain and timestamps cache are inconsistent with
regard to dataExpireTimestamp attribute.
This patch fixes the problem by explicitly invalidating the domain
cache's entry when the timestamp cache entry is invalidated
by sss_cache call. There is one new function:
* sysdb_invalidate_cache_entry()
provided for this purpose and used only in sss_cache utility.
Resolves:
https://fedorahosted.org/sssd/ticket/3164
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If there is a problem to execute sssd_secrets then exception
is raised. Test will not continue in parent process because it is
waiting for socket for a second. The child process will continue
in execution of tests because parent process will kill child
in teardown after test execution.
This patch makes starting of secret service more robust
and immediately fail child process when there was a problem to start
sssd_secrets. It also adds few assertions for ensuring that setup passed
as it should.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
domain
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similar to what happened for nss-srv-tests, there were a few kind of
changes required to fix the tests breakage caused by the last commit.
1) For tests including no user, no changes was required.
2) As we call an equivalent to "get by name" command, a name is parsed
with sss_parse_inp and the returned value is now mocked.
3) For the "cache_auth_success*" tests we set pam_test_ctx->tctx->done
to false after adding the password to the cache, since the code now
contains tevent calls and without it only the first request proceeds
into tevent_loop in test_ev_loop(), as the first finished request sets
done to true.
4) As the user certificate is added as a result of calling
sss_dp_account_recv and the certificate value is read by the certificate
lookup, we have to, in case a certificate lookup callback is set, call
mock_account_recv() for the certificate before going through the
mock_account_recv() for the initgroup.
5) If no logon name is given, then the user is looked by certificates
first. Since there's a matching user, the upcoming lookup by name will
find the user entry. However, since the looked ip data is up to date the
dp response has to be mocked and the second argument of
mock_input_pam_cert() cannot be NULL but must match the user name.
6) Add a new attribute to mock_input_pam_cert() that represents whether
the backend is contacted only once. It's needed because in
test_pam_cert_auth() the backend is contacted first to check whether it
can handle smartcard authenticatiom, but before that there's a lookup.
Since the first mocked reply already adds the certificate to the user
entry, the lookup by certificate will already find the user in the cache
and no second lookup is needed.
Co-Author: Pavel Březina <pbrezina@redhat.com>
Co-Author: Sumit Bose <sbose@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/1126
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We used to store UPN suffixes pointer into the domain structure only if
the domain changed, not when a new domain was created. As an effect, the
enterprise principals flag was not enabled unless a domain changed,
preventing logins with enterprise principals.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the UPN use the same domain name as the configured domain an
unsuccessful lookup by name will already create an entry in the negative
cache. If the lookup by UPN would use the same namespace the lookup will
immediately be finished because there would already be an entry in the
negative cache.
Resolves:
https://pagure.io/SSSD/sssd/issue/3313
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/3270
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This functionality is only enabled in case SSSD is configured with with
--enable-files-domain. If not, the behaviour is as it used to -- SSSD
returns an error, instructing the admin to create a configuration file.
If the option is enabled, a very minimal confdb that only enables the
NSS responder is created. The confdb later adds the implicit files
domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/2229
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Adds tests that exercise the implicit files domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
This is done to make sure that enabling the files domain doesn't break
existing functionality as well as making it possible to even that the
implicit domain, since all integration tests use the same configuration.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|