summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove unused member of be_reqJan Zeleny2012-07-271-3/+0
|
* Move SELinux processing from session to account PAM stackJan Zeleny2012-07-272-0/+33
| | | | | | | | | | | | | | The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
* Renamed session provider to selinux providerJan Zeleny2012-07-276-56/+54
|
* Always free request in data provider PAM callbackJan Zeleny2012-07-271-2/+3
| | | | In case of error the request wasn't freed and the callback just ended.
* Provide counter of possible matches in SELinux IPA providerJan Zeleny2012-07-251-6/+6
| | | | | | The counter is important so the for cycle doesn't depend on the first NULL pointer. That would cause potential errors if more records are following after this first NULL pointer.
* Fix linking of HBAC rules and SELinux user mapsJan Zeleny2012-07-251-0/+13
| | | | | | | Translate manually memberHost and memberUser to originalMemberUser and originalMemberHost. Without this, the HBAC rule won't be matched against current user and/or host, meaning that no SELinux user map connected to it will be matched againts any user on the system.
* Remove ipa_selinux_map_merge()Jan Zeleny2012-07-253-55/+0
| | | | | This function is no longer necessary since sysdb interface for copying elements has been implemented.
* Added some DEBUG statements into SELinux related codeJan Zeleny2012-07-231-4/+14
|
* sdap_sudo.c: add missing end of line in few debug messagesPavel Březina2012-07-231-3/+3
|
* AD: Fix defaults for krb5_canonicalizeStephen Gallagher2012-07-181-2/+2
| | | | | | The AD provider cannot function with canonicalization because of a bug in Active Directory rendering it unable to complete a password-change while canonicalization is enabled.
* Fix uninitialized valuesNick Guay2012-07-186-14/+14
| | | | https://fedorahosted.org/sssd/ticket/1379
* IPA: Return and save all SELinux rules in the providerJakub Hrozek2012-07-181-47/+27
| | | | https://fedorahosted.org/sssd/ticket/1421
* IPA: Download defaults even if there are no SELinux mappingsJakub Hrozek2012-07-181-60/+59
| | | | | We should always download the defaults because even if there are no rules, we might want to use (or update) the defaults.
* Modify priority evaluation in SELinux user mapsJan Zeleny2012-07-181-2/+34
| | | | | | | | | | | | | | | | | | | The functionality now is following: When rule is being matched, its priority is determined as a combination of user and host specificity (host taking preference). After the rule is matched in provider, only its host priority is stored in sysdb for later usage. When rules are matched in the responder, their user priority is determined. After that their host priority is retrieved directly from sysdb and sum of both priorities is user to determine whether to use that rule or not. If more rules have the same priority, the order given in IPA config is used. https://fedorahosted.org/sssd/ticket/1360 https://fedorahosted.org/sssd/ticket/1395
* LDAP: Properly cast type for MINSSF valueJan Vcelak2012-07-181-11/+9
|
* Fixed wrong number in shadowLastChangeJan Zeleny2012-07-161-1/+2
| | | | | The attribute is supposed to contain number of days since the epoch, not the number of seconds.
* AD: Add missing DP option terminatorStephen Gallagher2012-07-161-1/+2
|
* Cast uid_t to unsigned long long in DEBUG messagesJakub Hrozek2012-07-101-3/+3
|
* Print based on pointer contents not addressJakub Hrozek2012-07-101-1/+3
|
* Remove dead code in ipa_subdomains_handler_done()Sumit Bose2012-07-101-1/+1
| | | | Fixes https://fedorahosted.org/sssd/ticket/1410
* Fix incorrect error-checkStephen Gallagher2012-07-091-1/+1
| | | | Coverity #12770
* Fix uninitialized memcpy errorStephen Gallagher2012-07-091-0/+2
| | | | Coverity #12784
* Fix potential NULL-dereferenceStephen Gallagher2012-07-091-1/+3
| | | | Coverity #12797
* Fix uninitialized variableStephen Gallagher2012-07-091-0/+1
| | | | Coverity #12802
* heimdal: use sss_krb5_princ_realm to access realmRambaldi2012-07-091-4/+11
|
* Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8Stef Walter2012-07-062-36/+0
| | | | | | | | * This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
* AD: Force case-insensitive operation in AD providerStephen Gallagher2012-07-061-0/+18
|
* AD: use krb5_keytab for validation and GSSAPIStephen Gallagher2012-07-063-3/+12
| | | | | | This simplifies configuration by eliminating the need to specifiy both krb5_keytab and ldap_krb5_keytab if the keytab is not located at /etc/krb5.keytab
* AD: Add AD access-control providerStephen Gallagher2012-07-064-1/+188
| | | | | This patch adds support for checking whether a user is expired or disabled in AD.
* AD: Add AD auth and chpass providersStephen Gallagher2012-07-064-1/+159
| | | | | | These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
* AD: Add AD identity providerStephen Gallagher2012-07-066-0/+1165
| | | | | | This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.
* LDAP: Rename user and group maps for ADStephen Gallagher2012-07-062-4/+4
| | | | This will eliminate ambiguity for the AD provider
* KRB5: Create a common init routine for krb5_child optionsStephen Gallagher2012-07-064-98/+135
| | | | | This will reduce code duplication between the krb5, ipa and ad providers
* KRB5: Drop memctx parameter of krb5_try_kdcipStephen Gallagher2012-07-064-15/+17
| | | | | | | | | | | | | | | | This function is not supposed to return any newly-allocated memory directly. It was actually leaking the memory for krb5_servers if krb5_kdcip was being used, though it was undetectable because it was allocated on the provided memctx. This patch removes the memctx parameter and allocates krb5_servers temporarily on NULL and ensures that it is freed on all exit conditions. It is not necessary to retain this memory, as dp_opt_set_string() performs a talloc_strdup onto the appropriate context internally. It also updates the DEBUG messages for this function to the appropriate new macro levels.
* KRB5: Some logging enhancements for krb5_childStephen Gallagher2012-07-061-6/+13
|
* Fix crash when interface doesn't have an addressStef Walter2012-07-061-0/+3
| | | | * This is similar to the code in ipa_dyndns_update_send()
* LDAP: Print extended failure message for SASL bindStephen Gallagher2012-07-021-2/+14
|
* IPA: Don't hang onto memory longer than necessaryStephen Gallagher2012-07-021-0/+1
| | | | | This request and attached memory would be freed at the end of access-check processing, but it's a waste to keep it around.
* Fix segfault when sudo is not configured.Simo Sorce2012-06-301-1/+2
| | | | | Sudo support is optional, when it is not configured sudorules_map is not initialized and dereferencing it will cause a segmentation fault.
* KRB5: Initialize the credential cache type properlyStephen Gallagher2012-06-291-0/+11
| | | | | | | | | We weren't guaranteeing that the cctype-specific callbacks were initialized before using them. This bug only presented itself for users who were logging in without a ccacheFile attribute in the LDB (for example, first-time logins).
* sudo ldap provider: support autoconfiguration of IP addressesPavel Březina2012-06-291-1/+179
| | | | | sudoHost attribute may contain IPv4 or IPv6 host/network address. This patch adds support for autoconfiguration of these information.
* sudo ldap provider: do per-host updatesPavel Březina2012-06-291-3/+160
| | | | Add host information to LDAP filters.
* sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as staticPavel Březina2012-06-291-2/+2
|
* sudo ldap provider: load host filter configuration on initPavel Březina2012-06-295-5/+185
| | | | | | | We need to load host information during provider initialization. Currently it loads only values from configuration files, but it is implemented as an asynchrounous request as it will later try to autodetect these settings (which will need to contact DNS).
* sudo: add host info optionsPavel Březina2012-06-293-0/+15
| | | | | | | | | | Adds some option that allows to manually configure a host filter. ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost
* sudo ldap provider: pass sudo_ctx instead of id_ctxPavel Březina2012-06-293-45/+73
| | | | | I had to create a new context structure to store additional information such as ip addresses and hostnames.
* sdap_sudo.c: move _recv after _donePavel Březina2012-06-291-45/+45
|
* sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done()Pavel Březina2012-06-291-3/+14
|
* sudo: clean upPavel Březina2012-06-292-9/+2
|
* sudo ldap provider: notify responder when an expired rule has been deletedPavel Březina2012-06-291-11/+76
| | | | | | | | | | | | | | | | When an expired rule is not present on the server server during specific rule refresh, the provider will notify the sudo responder that it has been deleted. Because there is a high probability that some other rules were deleted from the server as well, we want to remove them from sysdb as soon as possible. Once the responder is notified, it will schedule an out of band full refresh. This is issued by responder, because we already have a mechanism that prohibits creation of similar request (i.e. once the OOB full refresh is scheduled, there won't be another). The notification is done by returning: DP error = DP_ERR_OK, error = ENOENT
generated by cgit (git 2.34.1) at 2024-05-05 03:47:30 +0000