sssd.git/src/db, branch prompting Unnamed repository; edit this file to name it for gitweb. SYSDB: Add new funtions into sysdb_sudo 2016-04-20T18:26:40+00:00 Petr Cech pcech@redhat.com 2016-02-24T14:12:41+00:00 e2d26e97d62f06f65e8228b28746471cc5f73fe5 This patch adds two new functions into public API of sysdb_sudo: * sysdb_search_sudo_rules * sysdb_set_sudo_rule_attr Resolves: https://fedorahosted.org/sssd/ticket/2081 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This patch adds two new functions into public
API of sysdb_sudo:
* sysdb_search_sudo_rules
* sysdb_set_sudo_rule_attr

Resolves:
https://fedorahosted.org/sssd/ticket/2081

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SYSDB_SUDO: Remove useless test 2016-04-18T16:15:38+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-04-13T19:44:37+00:00 aeb3cef10158a1c621d58c6d982e53569e40c6c0 The function sysdb_search_custom cannot return EOK and together set output argument count to zero. This case is already handled in function sysdb_search_entry which is used inside sysdb_search_custom. Such useless test can just cause read of unitialized variable in case of other errors returned from sysdb_search_custom. Error: UNINIT (CWE-457): [#def1] sssd-1.13.4/src/db/sysdb_sudo.c:678: var_decl: Declaring variable "count" without initializer. sssd-1.13.4/src/db/sysdb_sudo.c:698: uninit_use: Using uninitialized value "count". # 696| SUDORULE_SUBDIR, attrs, # 697| &count, &msgs); # 698|-> if (ret == ENOENT || count == 0) { # 699| DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n"); # 700| ret = EOK; Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The function sysdb_search_custom cannot return EOK
and together set output argument count to zero.
This case is already handled in function sysdb_search_entry
which is used inside sysdb_search_custom.

Such useless test can just cause read of unitialized variable
in case of other errors returned from sysdb_search_custom.

Error: UNINIT (CWE-457): [#def1]
sssd-1.13.4/src/db/sysdb_sudo.c:678:
    var_decl: Declaring variable "count" without initializer.
sssd-1.13.4/src/db/sysdb_sudo.c:698:
    uninit_use: Using uninitialized value "count".
 #  696|                                 SUDORULE_SUBDIR, attrs,
 #  697|                                 &count, &msgs);
 #  698|->     if (ret == ENOENT || count == 0) {
 #  699|           DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
 #  700|           ret = EOK;

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
PAC: only save PAC blob into the cache 2016-04-13T08:43:19+00:00 Sumit Bose sbose@redhat.com 2016-02-08T14:01:19+00:00 d0d7de66c9494621c1bc12384e41e5e38a77fbeb Resolves https://fedorahosted.org/sssd/ticket/2158 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Resolves https://fedorahosted.org/sssd/ticket/2158

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA SUDO: download externalUser attribute 2016-03-09T14:24:43+00:00 Pavel Březina pbrezina@redhat.com 2016-03-01T13:00:26+00:00 991c9f47fcb24704b880f60ab8ee77cfda056e2c This allows configuration with id_provider = proxy and sudo_provider = ipa when someone needs to fetch rules for local users. https://fedorahosted.org/sssd/ticket/2972 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This allows configuration with id_provider = proxy
and sudo_provider = ipa when someone needs to fetch
rules for local users.

https://fedorahosted.org/sssd/ticket/2972

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sdap: improve filtering of multiple results in GC lookups 2016-03-01T16:01:39+00:00 Sumit Bose sbose@redhat.com 2016-01-22T17:14:45+00:00 5ff7a765434ed0b4d37564ade26d7761d06f81c3 The Global Catalog of AD contains some information about all users and groups in an AD forest. Users from different domain in the forest can have the same name. The most obvious example is the Administrator user which is present in all domains. Although SSSD uses a domain specific search base for looking up users in the GC the search might still return multiple results if there is a user with the same name in one of the child (or grand-child ...) domains because of the hierarchic nature of the LDAP tree. Limiting the search depth would not help because users can be created in deeply nested OUs. Currently SSSD expects in this case that the user object is store in CN=Users or below. This works for all default users like Administrator but in general users can be created anywhere in the directory tree. If a user is created outside of CN=Users and there is a user with the same name in a child domain the initgroups command to look up the group-memberships of the user fails because it is not clear which of the two results should be used (initgroups for the child domain user works fine). This patch adds an additional scheme to select the right result based on the domain component attribute name 'dc'. This attribute indicates an additional component in the domain name and hence a child domain. So as long as the result contains a dc component following out search base it cannot be the object we are looking for. This scheme includes the old CN=Users based one but since it is more expensive I kept the old scheme which so far worked all the time and only use the new one if the old one fails. Resolves https://fedorahosted.org/sssd/ticket/2961 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
The Global Catalog of AD contains some information about all users and
groups in an AD forest. Users from different domain in the forest can
have the same name. The most obvious example is the Administrator user
which is present in all domains. Although SSSD uses a domain specific
search base for looking up users in the GC the search might still return
multiple results if there is a user with the same name in one of the
child (or grand-child ...) domains because of the hierarchic nature of
the LDAP tree. Limiting the search depth would not help because users
can be created in deeply nested OUs.

Currently SSSD expects in this case that the user object is store in
CN=Users or below. This works for all default users like Administrator
but in general users can be created anywhere in the directory tree. If a
user is created outside of CN=Users and there is a user with the same
name in a child domain the initgroups command to look up the
group-memberships of the user fails because it is not clear which of the
two results should be used (initgroups for the child domain user works
fine).

This patch adds an additional scheme to select the right result based on
the domain component attribute name 'dc'. This attribute indicates an
additional component in the domain name and hence a child domain. So as
long as the result contains a dc component following out search base it
cannot be the object we are looking for. This scheme includes the old
CN=Users based one but since it is more expensive I kept the old scheme
which so far worked all the time and only use the new one if the old one
fails.

Resolves https://fedorahosted.org/sssd/ticket/2961

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
remove user certificate if not found on the server 2016-03-01T15:38:52+00:00 Pavel Březina pbrezina@redhat.com 2016-02-23T10:02:42+00:00 659232f194f83ec7c450ce89c3fd41e4e74409f2 If the user is not found by cert lookup when the user is already cached, two things may happen: 1) cert was removed from the user object 2) user was removed Instead of issuing another cert lookup we will just remove cert attribute from the cache not touching the expiration timestamp so the user may be updated later when needed. Resolves: https://fedorahosted.org/sssd/ticket/2934 Reviewed-by: Sumit Bose <sbose@redhat.com> 
If the user is not found by cert lookup when the user is already
cached, two things may happen:
1) cert was removed from the user object
2) user was removed

Instead of issuing another cert lookup we will just remove cert
attribute from the cache not touching the expiration timestamp so
the user may be updated later when needed.

Resolves:
https://fedorahosted.org/sssd/ticket/2934

Reviewed-by: Sumit Bose <sbose@redhat.com>
Add a new option ldap_group_external_member 2016-02-24T13:05:16+00:00 Jakub Hrozek jhrozek@redhat.com 2016-01-25T15:03:23+00:00 3cf7fdfcaedb986f42a6640e26aa057007b64045 Required for: https://fedorahosted.org/sssd/ticket/2522 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Required for:
    https://fedorahosted.org/sssd/ticket/2522

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA SUDO: Add support for ipaSudoRunAsExt* attributes 2016-01-19T13:34:02+00:00 Pavel Březina pbrezina@redhat.com 2016-01-18T11:15:47+00:00 a7d2b4f157194c14bc4a40c74f6416b82befa460 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA SUDO: Add ipasudocmd mapping 2016-01-19T13:33:30+00:00 Pavel Březina pbrezina@redhat.com 2015-12-02T14:02:39+00:00 cc7766c8456653ab5d7dedbf432cb1711a905804 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA SUDO: Add ipasudocmdgrp mapping 2016-01-19T13:33:28+00:00 Pavel Březina pbrezina@redhat.com 2015-12-02T13:48:18+00:00 ed8650be18af26b7bf389e1246f7e8cdb363f829 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>