| Commit message | Author | Age | Files | Lines |
|
To avoid collisions when we want to work with them elsewhere in the code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 676bf6dda60776d9db79dad1c2506c0e57bb5503)
|
To avoid collisions when we want to work with them elsewhere in the code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9e6f8d1c66b4b3543bab67d807bd26f1d6256c75)
|
To avoid collisions when we want to work with them elsewhere in the code.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f7ea0b1d46197275c87bdc73a6e38a6fd7f855ee)
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 50310d617e25abf118fbd867cbdc0fbc866277b5)
|
Reviewed-by: Petr Cech <pcech@redhat.com>
|
Resolves:
https://fedorahosted.org/sssd/ticket/2796
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Striker Leggette <striker@redhat.com>
(cherry picked from commit 773153893431bb9344259ba161d57e97f359678c)
|
Function get_object_from_cache() does not handle services.
This patch adds quick shortcut to avoid sending an LDAP query
to cache.
Resolves:
https://fedorahosted.org/sssd/ticket/2747
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 565e6d91814884054ec0dc4d770804d7bf472d3f)
|
Fixes:
https://fedorahosted.org/sssd/ticket/2787
We already mention SSS_NSS_USE_MEMCACHE in sssd(8)
but it makes sense to note it in sssd.conf(5)
together with the memcache_timeout.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a3d9b7eea4a92a57b274e1c9df6108e916f823c8)
|
Resolves https://fedorahosted.org/sssd/ticket/2830
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1e6ad2b73851049197c7756787d14c78f64e1128)
|
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 03b859510dc13a13a456ca4aa94c0561a0e9684c)
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f20c082881ba287c5de415b983c1e54fee987b4b)
|
Related:
https://fedorahosted.org/sssd/ticket/2866
If the LDAP connection is still established when the client moves
offline, we rely on the search timeout to find out the client is
offline. The override search used the enum timeout, which defaults to 60 seconds.
That caused too long delays in going offline.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit a687f4473bf305bc2ccb075cd93154c9d661b638)
|
Related to https://fedorahosted.org/sssd/ticket/2868
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit e182d98a391b5f6d3562e442748254cdbcef0b81)
|
Related to https://fedorahosted.org/sssd/ticket/2868
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit d432482627dc6dd67d44df4f1debcc21448fd6e5)
|
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 544a20de7667f05c1a406c4dea0706b0ab507430)
|
Currently the first certificate was selected and if it was not valid
p11_child just returned an error. With this patch the validity is
checked first and the first valid certificate is selected.
Resolves https://fedorahosted.org/sssd/ticket/2801
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d0de7701d44c7a75210a9cb04634913ce3a94bfb)
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 5484044ea7bb632b915f706685fce509f6eacc48)
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 1352cf0d037c21eb6245fed17f1e6596ea3a3ccd)
|
The only operation of p11_child which requires special privileges is the
communication to pcscd which handles the Smartcard access. pcscd uses
policy-kit for access control so access can easily be configured by
dropping config snippets into the right directory.
If SSSD is configured to run as un-privileged user this patch creates
the needed config snippet for policy-kit and installs it in a suitable
directory. As a result p11_child does not have to be installed with
SETUID or SETGID bits set.
Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3be9e26dcd169d44ae105f1b8a0674464c700b77)
|
If the user name of an AD user is overridden with the name itself in an
IPA override object SSSD adds this name twice to the alias list causing
an ldb error when trying to write the user object to the cache. As a
result the user is not available.
This patch makes sure that there are no duplicated alias names.
Resolves https://fedorahosted.org/sssd/ticket/2874
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
There were warnings on 32 bit architecture related to 64bit integer constants.
/home/build/sssd/src/tests/sbus_codegen_tests.c:257:
warning: integer constant is too large for ‘long’ type
/home/build/sssd/src/tests/sbus_codegen_tests.c:259:
warning: integer constant is too large for ‘long’ type
INT${N}_C(value) are defined in the standard c99
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 8dc21698c4ed699801d2b6f9135b3d6cb8512917)
|
Introduce a new integration test for local view overrides.
Regression tests for: #2790, #2757 and #2802.
Resolves:
https://fedorahosted.org/sssd/ticket/2732
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
(based on commit 8d1dcb6af723f2968410c4b088d06d63d02b4fea)
(based on commit fed2fdded1060d24bd721fe3fe16034567a7e284)
(based on commit 3569ade3eaf9bf13c522d228019da228de55398a)
|
Add a bunch of LDAP tests.
* Adding/removing a user/group/membership with rfc2307(bis) schema.
* The effect of override_homedir option.
* The effect of fallback_homedir option.
* The effect of override_shell option.
* The effect of shell_fallback option.
* The effect of default_shell option.
* The effect of vetoed_shells option.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit c20811708e584b49ef12ffe1950d71356604bd3b)
|
libdbus abort()s when a string argument is not valid UTF-8. Since the
arguments sometimes come from untrusted sources, it's better to check
the string validity explicitly.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 6b01dae732eedee808f32a9cdd4b5656a9f839c4)
|
https://fedorahosted.org/sssd/ticket/2861
Messages passed from Data Provider to responder must be valid UTF-8
strings. Because providers might not be completely under our control,
we need to check if the messages we receive are valid UTF-8 and if they
are not, use a fallback.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit e8ae3af6724164048a85c374ea8045a368a2d34e)
|
Resolves:
https://fedorahosted.org/sssd/ticket/2861
All back end requests were using pam_strerror() to print additional info
about why request failed. Since pam_strerror() returns localized message
and we don't know the locale beforehand, this message failed to be
transferred through D-Bus, resulting in a crash.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 8bc6bc6d87127d615f7a81d7151cb46007feff63)
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 06d4c022874d4f12d70e79c3c749d52fe020dad6)
|
Test groups_by_filter_valid() was removed in the past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been written or updated after
filter was created (or another given time).
groups_by_filter_valid() --> group_by_recent_filter_valid()
                             groups_by_recent_filter_valid()
The first of new tests, group_by_recent_filter_valid(), counts with two
groups. One is stored before filter request creation and the second
group is stored after filter request creation. So filter returns only
one group.
The second of new tests, groups_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
groups are stored after filter request creation. So filter returns two
groups.
This patch adds groups_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 16212bbb2aaa55d0587515e72c0018479ae51be9)
|
We need a little more in the background of responder_cache_req tests. There
will be tests which will use three test groups. This patch adds support
for it.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5928fcbb57b92bfd18ad15aaaf4a5e1ab8dabe61)
|
Test groups_by_filter_valid() was removed in the past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been written or updated after
filter was created (or another given time).
groups_by_filter_valid() --> group_by_recent_filter_valid()
                             groups_by_recent_filter_valid()
The first of new tests, group_by_recent_filter_valid(), counts with two
groups. One is stored before filter request creation and the second
group is stored after filter request creation. So filter returns only
one group.
The second of new tests, groups_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
groups are stored after filter request creation. So filter returns two
groups.
This patch adds group_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit fe6dd669d1e8606862879127f92c177bb7fdc1bd)
|
Test users_by_filter_valid() was removed in the past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been written or updated
after filter was created (or another given time).
users_by_filter_valid() --> user_by_recent_filter_valid()
                            users_by_recent_filter_valid()
The first of new tests, user_by_recent_filter_valid(), counts with
two users. One is stored before filter request creation and the second
user is stored after filter request creation. So filter returns only one
user.
The second of new tests, users_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
users are stored after filter request creation. So filter returns two
users.
This patch adds users_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a6a5a08a357d2adbb653b81bacc602ca3543c4c4)
|
This patch adds function are_values_in_array() to common test code. And
there is tc_are_values_in_array macro defined which is useful for
talloc allocated values and arrays.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 6ae53d7b54ec2ece9fb51ed92c097f5ba8f9d849)
|
We need a little more in the background of responder_cache_req tests. There
will be tests which will use three test users. This patch adds support
for it.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit c4d4fe1603420fe8f3d256a3a446974699563ff3)
|
This patch only defines constant TEST_USER_PREFIX. So code will be more
readable.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b0e8c1802557645e2ff6a88c54c520b0f0ff9ebb)
|
Test users_by_filter_valid() was removed in the past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been written or updated after
filter was created (or another given time).
users_by_filter_valid() --> user_by_recent_filter_valid()
                            users_by_recent_filter_valid()
The first of new tests, user_by_recent_filter_valid(), counts with two
users. One is stored before filter request creation and the second user
is stored after filter request creation. So filter returns only one
user.
The second of new tests, users_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two users
are stored after filter request creation. So filter returns two users.
This patch adds user_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit da79bee1472a06b89be2df903fb0bd8ce600c610)
|
This debug message is mostly a leftover from development and doesn't
give us any useful information. It is just annoying in the logs.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 499b60f44ecf7124e1906157bd4fca141f48e8d9)
|
Extend PAM responder unit test to check 'online' cached authentication.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 4b12be504e20173e0629835818e4db6a9617a9a4)
|
Split pam_test_setup() so domain and pam parameters can be easily set
distinctly for each test.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6411cd6074688762f793de8f1dddeffcb3a71d02)
|
It is not necessary to invalidate memory cache before removing
them. The sssd_client can handle it without any problem.
This reverts commit eabc1732ef91548616a699b7e9f8d30e5e7b8dd3.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 782d39e3916d16b8dbba6ae97aca1db2f3c35d76)
|
Long living clients should be able to reinitialize
memory cache which was removed but it not initialized.
This patch also removes the workaround in test_local_domain.py
Test for:
https://fedorahosted.org/sssd/ticket/2726
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit b28f5fb097e06a97a45e0ae348e506d9d1432cc8)
|
Resolves:
https://fedorahosted.org/sssd/ticket/2726
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit c269ca2669706bddb25c5938b50277b0c0a94ea4)
|
If the memory cache was not initialized and there was a failure in
initialisation of memory cache context (e.g. memory cache file
does not exist) then mc_context had to be destroyed to release
resources.
However the count of active threads in sss_cli_mc_ctx is already higher
than zero because current thread is working with the mc_context.
But this counter was zero-ed with memset in sss_nss_mc_destroy_ctx
due to issue with initialisation of memory cache.
Then we have to decrease counter of active thread in function
sss_nss_mc_get_ctx because initialisation of mc failed.
And the result of this decrement is underflow of counter.
Related to:
https://fedorahosted.org/sssd/ticket/2726
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit d4ff84434265dc959098ccfd4e8cd5d61d9052c9)
|
Like lookup by ID or by UPN the match for lookups by certificate can be
found in any domain and all sub-domains must be included in the search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 04aed439cc058413e2331e9bfbe598cc563c2c7b)
|
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit 356eef72675cde4dc5627c1e2f1a01846ec6eb1d)
|
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit f4bcfcb1b91bfa6a568c4c99c2b3d16cd86090c6)
|
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit 20a2be57d764f58c4a6532310331e26a3273ada8)
|
If leak_check_setup is not called then global_talloc_context
was not initialized and check_leaks_pop(global_talloc_context) will fail.
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit 9c62d6619b87f1255ef6515280a20552fca9d925)
|
If we are already the requested user then we needn't call
setresuid(), setresgid(). But we forgot to release the local
struct sss_creds *ssc, which is used for returning saved credentials.
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit 5455da4f944145239295a2d8344f1a7602b4454d)
|