sssd.git/src/providers/ipa, branch ad_domain_local_groups Unnamed repository; edit this file to name it for gitweb. dyndns: fix typo and unify ipa with ad debug message when off 2016-08-30T12:30:53+00:00 Pavel Březina pbrezina@redhat.com 2016-08-04T12:10:09+00:00 b3851e86af91dc1aa6e265d5b2e4279b2611ff43 Reviewed-by: Petr Čech <pcech@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
IPA: Parse qualified names when guessing AD user principal 2016-08-26T19:17:16+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-09T20:08:27+00:00 0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9 Most AD users store their UPN in an attribute. If they don't, or the sssd was configured (typically in earlier versions to work around a bug) to not look at the principal attribute, then sssd is supposed to guess the attribute. That currently doesn't work in 1.14, because the username is already qualified and then we also append the realm name to it. We need to parse the simple username from the qualified name first. The issue can be reproduced simply by authenticating as the Administrator account in IPA-AD trust setups. Resolves: https://fedorahosted.org/sssd/ticket/3127 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Most AD users store their UPN in an attribute. If they don't, or the sssd
was configured (typically in earlier versions to work around a bug) to not
look at the principal attribute, then sssd is supposed to guess
the attribute.

That currently doesn't work in 1.14, because the username is already
qualified and then we also append the realm name to it. We need to parse
the simple username from the qualified name first.

The issue can be reproduced simply by authenticating as the Administrator
account in IPA-AD trust setups.

Resolves:
https://fedorahosted.org/sssd/ticket/3127

Reviewed-by: Sumit Bose <sbose@redhat.com>
Warn if IP address is used as option for ipa_server/ad_server 2016-08-16T18:21:29+00:00 Justin Stephenson jstephen@redhat.com 2016-08-10T15:27:01+00:00 e915f42093add45a11208e871c9abdf7ab2bfbdc GSSAPI is dependent on DNS with hostnames and we should warn about this. Resolves: https://fedorahosted.org/sssd/ticket/2789 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
GSSAPI is dependent on DNS with hostnames and we should warn about this.

Resolves:
https://fedorahosted.org/sssd/ticket/2789

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
failover: mark subdomain service with sd_ prefix 2016-08-16T12:39:15+00:00 Pavel Březina pbrezina@redhat.com 2016-06-29T12:58:37+00:00 778f241e78241b0d6b8734148175f8dee804f494 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: Check the return value of sss_parse_internal_fqname 2016-08-08T14:35:15+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-03T16:03:59+00:00 858c7b713bc4cb33e3339949ca43c9fba9f85a65 We should fail the request if sss_parse_internal_fqname() fails. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
We should fail the request if sss_parse_internal_fqname() fails.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
IPA: Changing of confusing debug message 2016-08-05T11:14:38+00:00 Petr Cech pcech@redhat.com 2016-07-12T08:03:56+00:00 2427b40566cf63880f3650b26a2fee91cb28de24 This debug message used to confuse our users. So this patch changes it. Old version: "Trust direction of %s is %s\n" New version: "Trust type of [%s]: %s\n" Resolves: https://fedorahosted.org/sssd/ticket/3090 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This debug message used to confuse our users. So this patch changes it.
Old version: "Trust direction of %s is %s\n"
New version: "Trust type of [%s]: %s\n"

Resolves:
https://fedorahosted.org/sssd/ticket/3090

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP/IPA: add local email address to aliases 2016-07-29T12:45:00+00:00 Sumit Bose sbose@redhat.com 2016-06-20T14:30:03+00:00 9a310913d696d190db14c625080678db853a33fd Adding email-addresses from the local domain to the alias names is strictly not needed by might help to speed up lookups in the NSS responder. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Adding email-addresses from the local domain to the alias names is
strictly not needed by might help to speed up lookups in the NSS
responder.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
LDAP: new attribute option ldap_user_email 2016-07-29T12:44:44+00:00 Sumit Bose sbose@redhat.com 2016-06-18T16:24:50+00:00 83a796ec8de4bde65b11cc8032675406950641fa Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: fix lookup by UPN for subdomains 2016-07-29T12:44:38+00:00 Sumit Bose sbose@redhat.com 2016-07-22T15:35:43+00:00 530458a4ef7cd8429d1db2f3dfae92d9c44e38ef Currently the user name used in the extdom exop request is unconditionally set to the short name. While this is correct for the general name based lookups it breaks UPN/email based lookups where the name part after the @-sign might not match to domain name. I guess this was introduce during the sysdb refactoring. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Currently the user name used in the extdom exop request is
unconditionally set to the short name. While this is correct for the
general name based lookups it breaks UPN/email based lookups where the
name part after the @-sign might not match to domain name. I guess this
was introduce during the sysdb refactoring.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: expand ghost members of AD groups in server-mode 2016-07-29T12:44:22+00:00 Sumit Bose sbose@redhat.com 2016-07-12T15:09:40+00:00 160ba891ec483c5b7d2a3fcca5bd992fc790efe0 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>