| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Prevent segfault if vetoed_shells are specified without allowed_shells
https://fedorahosted.org/sssd/ticket/954
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/951
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/916
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/928
|
|
|
|
|
|
|
|
|
|
| |
If a pam or nss module is dlcolse()d and unloaded we were leaking
the file descriptor used to communicate to sssd in the process.
Make sure the fucntion used to close the socket file descriptor is
called on dlclose()
Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes for python HBAC bindings
These changes were proposed during a review:
* Change the signature of str_concat_sequence() to const char *
* use a getsetter for HbacRule.enabled to allow string true/false and
integer 1/0 in addition to bool
* fix a minor memory leak (HbacRequest.rule_name)
* remove overzealous discard consts
Fix python HBAC bindings for python <= 2.4
Several parts of the HBAC python bindings did not work with old Python
versions, such as the one shipped in RHEL5.
The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char
arguments where they have "const char *" in recent versions.
This caused compilation warnings this patch mitigates by using
the discard_const hack on python 2.4
Remove dead code from python HBAC bindings
https://fedorahosted.org/sssd/ticket/935
Handle allocation error in python HBAC bindings
https://fedorahosted.org/sssd/ticket/934
HBAC rule validation Python bindings
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add helper function msgs2attrs_array
This function converts a list of ldb_messages into a list of
sysdb_attrs.
Conflicts:
src/providers/ldap/ldap_common.c
src/providers/ldap/ldap_common.h
Add HBAC evaluator and tests
Add helper functions for looking up HBAC rule components
Remove old HBAC implementation
Add new HBAC lookup and evaluation routines
Conflicts:
Makefile.am
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server.
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
libipa_hbac: Support case-insensitive comparisons with UTF8
UTF8 HBAC test
Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933
Fix incorrect NULL check in ipa_hbac_common.c
https://fedorahosted.org/sssd/ticket/936
Require matched version and release for libipa_hbac
Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/940
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/911
|
|
|
|
|
|
|
| |
ares_query does not take search or domain directives from
/etc/resolv.conf into account
https://fedorahosted.org/sssd/ticket/922
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/915
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add sockaddr_storage to sdap_service
Add sdap_call_conn_cb() to call add connection callback directly
Use name based URI instead of IP address based URIs
Use ldap_init_fd() instead of ldap_initialize() if available
Do not access state after tevent_req_done() is called.
Call ldap_install_tls() on ldaps connections
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new resolv_hostent data structure and utility functions
Resolve hosts by name from files into resolv_hostent
Resolve hosts by name from DNS into resolv_hostent
Switch resolver to using resolv_hostent and honor TTL
Conflicts:
src/providers/fail_over.c
Provide TTL structure names for c-ares < 1.7
https://fedorahosted.org/sssd/ticket/898
In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
ares_addrttl/ares_addr6ttl so they are in the ares_ namespace.
Because they are committed to stable ABI, the contents are the same, just
the name changed -- so it is safe to just #define the new name for older
c-ares version in case the new one is not detected in configure time.
|
| |
|
| |
|
|
|
|
|
|
|
| |
It is not safe to check pwdAttribute to see if server side password
policies are active. Only if a LDAP_CONTROL_PASSWORDPOLICYRESPONSE is
present the bind response we can assume that there is a server side
password policy.
|
|
|
|
|
|
|
|
| |
Added sysdb_attrs_get_bool() function
Non-posix group processing - sysdb changes
Non-posix group processing - ldap provider and nss responder
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new option to override primary GID number
https://fedorahosted.org/sssd/ticket/742
Add a new option to override home directory value
https://fedorahosted.org/sssd/ticket/551
Add new options to override shell value
https://fedorahosted.org/sssd/ticket/742
Conflicts:
src/conf_macros.m4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add utility function to return IP address as string
Add a utility function to escape IPv6 address for use in URIs
Use escaped IP addresses in LDAP provider
Escape IPv6 IP addresses in the IPA provider
https://fedorahosted.org/sssd/ticket/880
Fix bad merge
We merged in a patch, but missed that it missed a dependency added
by another earlier patch.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Previously, we only generated it when performing a password change,
but this didn't play nicely with kpasswd.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/867
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
select is limited to fd numbers up to 1024, we need to use poll() here
to avoid causing memory corruption in the calling process.
Fixes: https://fedorahosted.org/sssd/ticket/861
|
|
|
|
|
|
|
|
|
| |
A previous patch changed a talloc_steal() into a talloc_move(). Now it
is not enough to change the parent memory context with talloc_steal to
give back the data, but it has to be assigned back too.
Additionally this patch uses the missing pam data as an indication that
a renewal request for this data is currently running.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Do not throw a DP error when failing to delete a nonexistent entity
Add debug logging to the negative cache
Fix a regression with the negative cache in multi-domain configurations
Fix regression where nonexistent entries were never added to the negative cache
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
memberof: fix calculation of replaced members
We were skipping the check on the next value in the added list when a match
was found for the currentr value being checked.
memberof: free delete operation apyload once done
Large memberof delete operations can cause quite a number of searches
and the results are attached to a delop operation structure.
Make sure we free this payload once the operation is done and these
results are not used anymore so that we get a smaller total memory footprint.
|
|
|
|
|
| |
Now that gecos can come from either the 'gecos' or 'cn' attributes,
we need to ensure that we never remove it from the cache.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The failover code is not strictly in charge of resolving. Its main
function is to provide a server to connect to for a service.
It is legal, although not currently used, to have a server that has no
name (server->common == NULL). In this case, no resolving should be done
and it is assumed that the failover user, which are the SSSD back ends
in our case, would perform any resolving out of band, perhaps using the
user_data attribute of fo_server structure.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were not fully compliant with section 5.3 of RFC 2307 which
states:
An account's GECOS field is preferably determined by a value of the
gecos attribute. If no gecos attribute exists, the value of the cn
attribute MUST be used. (The existence of the gecos attribute allows
information embedded in the GECOS field, such as a user's telephone
number, to be returned to the client without overloading the cn
attribute. It also accommodates directories where the common name
does not contain the user's full name.)
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the loop ran through at least one
sdap_process_missing_member_2307() call and errored out later, we
were not canceling the transaction.
RFC2307: Ignore zero-length member names in group lookups
Mark transaction as done when cancelled
Fix typo in sdap_nested_group_process_step
|
| |
|
|
|
|
|
|
|
|
|
| |
sss_obfuscate: abort on ctrl+c
There is a python bug (http://bugs.python.org/issue11236) where
getpass.getpass() does not throw KeyboardInterrupt on ctrl+c. This
workaround is the closest we can get: if we detect the control
character in the string that we read, we'll cancel.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't crash if we get a multivalued name without an origDN
Coverity 10740 and 10739
Don't crash on error if _name parameter unspecified
Coverity 10738
Check result of talloc_strdup() properly
Coverity 10737
|