summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
* Utilize attribute exclusion in LDAP initgroupsJan Zeleny2012-05-311-3/+33
| | | | | | | | | | Previous patch added the possibility to exclude some attributes from a map when building an attribute list to be sent to server. The original reason for this functionality is the code handling LDAP initgroups. In this code, there is no need to fetch members of groups in question. This can save some performance since the list of members can be pretty long in some cases. This case apllies only to RFC2307 and generic RFC2307bis, it doesn't apply for IPA schema.
* Add support for filtering atributesJan Zeleny2012-05-3117-41/+70
| | | | | This patch adds support for filtering attributes when constructing attribute list from a map for LDAP query.
* added DEBUG messages to krb5_child and ldap_childNick Guay2012-05-312-3/+19
|
* Ghost members - various small changesJan Zeleny2012-05-311-1/+1
|
* Ghost members - removed sdap_check_aliases()Jan Zeleny2012-05-314-127/+0
| | | | | | | This function is no longer necessary because we don't have fake user entries any more. The original purpose of this function was to check if there are fake user entries for particular user and, if yes, to update its membership.
* Ghost members - support in proxy providerJan Zeleny2012-05-311-6/+8
|
* Ghost members - support in LDAP providerJan Zeleny2012-05-311-186/+286
| | | | | | | | | | | | | | | | | | | | The original approach was to store name and original DN in an object in sysdb. When later referenced as member of a group, it was retrieved by its original DN and the correct information about its sysdb DN was stored in the group object which referenced it. The new approach doesn't use fake user objects, therefore this information has to be reached differently when constructing group memberships. The approach is to store all users to a hash table where original DN is used as the key and username as value. When constructing group memberships, the name is retrieved from this hash table instead of sysdb. This hash table is constructed when retrieving user objects from LDAP server - if the user is not present in sysdb, it is automatically stored in the hash table. Another situation is for rfc2307. Because there is no nesting there, we can construct the SYSDB_GHOST attribute directly and therefore don't need a hash table of ghost users.
* Fixed issue in SELinux user mapsJan Zeleny2012-05-221-0/+2
| | | | | | There was an issue when IPA provider didn't set PAM_SUCCESS when successfully finished loading SELinux user maps. This lead to the map not being read in the responder.
* LDAP nested groups: Do not process callback with _post deep in the nested ↵Jakub Hrozek2012-05-221-12/+10
| | | | | | structure https://fedorahosted.org/sssd/ticket/1343
* Warn to syslog when dereference requests failAriel Barria2012-05-221-2/+2
|
* Simple implementation of Netscape password warning expiration controlJoshua Roys2012-05-221-22/+74
|
* Use the sysdb attribute name, not LDAP attribute nameJakub Hrozek2012-05-162-2/+2
|
* Fixed two minor memory leaksJan Zeleny2012-05-142-2/+6
|
* Potential NULL dereference in proxy providerAriel Barria2012-05-141-1/+1
|
* Filter out IP addresses inappropriate for DNS forward recordsJakub Hrozek2012-05-101-1/+57
| | | | https://fedorahosted.org/sssd/ticket/949
* subdomains: Fix error handling in Data ProviderJakub Hrozek2012-05-101-19/+37
| | | | | The subdomains back end request was sending replies in a format the responder did not understand in case the request failed.
* LDAP: Handle very large Active Directory groupsStephen Gallagher2012-05-105-45/+271
| | | | | | | | | | | | | Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783
* LDAP: Add attr_count return value to build_attrs_from_map()Stephen Gallagher2012-05-1017-39/+62
| | | | | | | This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
* Try all KDCs when getting TGT for LDAPJakub Hrozek2012-05-091-15/+18
| | | | | | | | When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
* Only reset kpasswd server status when performing a chpass operationJakub Hrozek2012-05-071-2/+3
| | | | https://fedorahosted.org/sssd/ticket/1316
* Special-case LDAP_SIZELIMIT_EXCEEDEDJakub Hrozek2012-05-071-4/+9
| | | | | | | | | | | | Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322
* Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter2012-05-072-0/+36
| | | | | | | | | * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
* Remove erroneous failure message in find_principal_in_keytabStef Walter2012-05-071-1/+3
| | | | | * When it's actually a failure, then the callers will print a message. Fine tune this.
* If canon'ing principals, write ccache with updated default principalStef Walter2012-05-042-3/+8
| | | | | | | | | | | * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
* Modify behavior of pam_pwd_expiration_warningJan Zeleny2012-05-042-16/+57
| | | | | | | | | | | | | | | | | | New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
* LDAP: Add support for enumeration of ID-mapped users and groupsStephen Gallagher2012-05-031-31/+102
|
* LDAP: Treat groups with unmappable SIDs as non-POSIX groupsStephen Gallagher2012-05-031-9/+12
|
* LDAP: Add helper function to map IDsStephen Gallagher2012-05-035-119/+81
| | | | | This function will also auto-create a new ID map if the domain has not been seen previously.
* LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped ↵Stephen Gallagher2012-05-032-0/+16
| | | | entries
* LDAP: Add helper routine to convert LDAP blob to SID stringStephen Gallagher2012-05-035-68/+195
|
* LDAP: Map the user's primaryGroupIDStephen Gallagher2012-05-034-12/+69
|
* LDAP: Enable looking up id-mapped groups by GIDStephen Gallagher2012-05-031-2/+45
|
* LDAP: Allow looking up ID-mapped groups by nameStephen Gallagher2012-05-032-29/+125
|
* LDAP: Enable looking up id-mapped users by UIDStephen Gallagher2012-05-031-6/+43
|
* LDAP: Allow automatically-provisioning a domain and rangeStephen Gallagher2012-05-031-3/+43
| | | | | | | | If we get a user who is a member of a domain we haven't seen before, add a domain entry (auto-assigning its slice). Since we don't know the domain's real name, we'll just save the domain SID string as the name as well.
* LDAP: Add routine to extract domain SID from an object SIDStephen Gallagher2012-05-032-0/+49
| | | | Also makes the domain prefix macros from sss_idmap public.
* LDAP: Allow setting a default domain for id-mapping slice 0Stephen Gallagher2012-05-034-0/+42
|
* LDAP: Add autorid compatibility modeStephen Gallagher2012-05-034-8/+17
|
* LDAP: Enable looking up ID-mapped users by nameStephen Gallagher2012-05-032-9/+55
|
* LDAP: Initialize ID mapping when configuredStephen Gallagher2012-05-032-0/+10
|
* LDAP: Add ID mapping range settingsStephen Gallagher2012-05-033-0/+9
|
* LDAP: Add helper routines for ID-mappingStephen Gallagher2012-05-032-0/+334
|
* LDAP: Add id-mapping optionStephen Gallagher2012-05-033-0/+3
|
* LDAP: Add objectSID config optionStephen Gallagher2012-05-033-0/+10
|
* Read sysdb attribute name, not LDAP attribute map nameJakub Hrozek2012-05-031-2/+2
| | | | https://fedorahosted.org/sssd/ticket/1320
* SSH: Add dp_get_host_send to common responder codeJakub Hrozek2012-05-033-30/+24
| | | | | | | | Instead of using account_info request, creates a new ssh specific request. This improves code readability and will make the code more flexible in the future. https://fedorahosted.org/sssd/ticket/1176
* Rename split_service_name_filterJakub Hrozek2012-05-031-16/+16
| | | | | The function was used outside services code which was confusing due to its name. This patch renames it to sound more netrual.
* IPA: Check return valuesJakub Hrozek2012-05-032-2/+12
|
* PROXY: return correct return codesJakub Hrozek2012-05-031-7/+9
| | | | | We were reporting on the value of "status" instead of "ret'. We also didn't set ret to EOK in cases group contained no members.
* DP: return correct error message when subdomains back end target is not ↵Jakub Hrozek2012-05-021-1/+1
| | | | | | configured The done handler uses the value of status, not ret.
generated by cgit (git 2.34.1) at 2024-09-25 10:42:08 +0000