sssd.git/src/providers/simple, branch ad_domain_local_groups Unnamed repository; edit this file to name it for gitweb. SIMPLE: Make the DP handlers testable 2016-08-10T14:55:53+00:00 Jakub Hrozek jhrozek@redhat.com 2016-07-26T10:13:43+00:00 c777f575b0ec0c48ce3b85ea2c5cc298db02450e To make it possible to call the whole DP handler in the unit test, not just the evaluator part. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
To make it possible to call the whole DP handler in the unit test, not
just the evaluator part.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SIMPLE: Fail on any error parsing the access control list 2016-08-10T14:55:53+00:00 Jakub Hrozek jhrozek@redhat.com 2016-07-21T11:33:18+00:00 79ac0e8a4840202c3615d6ce6584df3c08efb594 Luckily this error was hidden by the fact that SSSD didn't start at all when an unparseable name was encountered after startup. Otherwise, this would have been a security issue. Nonetheless, we should just fail and deny access if we can't parse a name in a simple access list. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Luckily this error was hidden by the fact that SSSD didn't start at all
when an unparseable name was encountered after startup. Otherwise, this
would have been a security issue.

Nonetheless, we should just fail and deny access if we can't parse a
name in a simple access list.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SIMPLE: Do not parse names on startup 2016-08-10T14:55:53+00:00 Jakub Hrozek jhrozek@redhat.com 2016-07-21T10:18:01+00:00 d2902de03738a3018445698650d8b974ae3cf230 It's not required to parse names on SSSD startup in the simple access provider. We can instead just parse the name when the access request is processed. Resolves: https://fedorahosted.org/sssd/ticket/3101 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
It's not required to parse names on SSSD startup in the simple access
provider. We can instead just parse the name when the access request is
processed.

Resolves:
https://fedorahosted.org/sssd/ticket/3101

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
DP: rename be_acct_req to dp_id_data 2016-07-15T11:14:12+00:00 Pavel Březina pbrezina@redhat.com 2016-07-14T09:56:26+00:00 3d29430867cf92b2d71afa95abb679711231117c Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SIMPLE: Make the simple access provider work with qualified names 2016-07-07T08:25:21+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-15T09:41:44+00:00 eef359b508b898ae99d2bf292a43f0f295a2ba5e This patch adds a behaviour change to the simple access provider - the simple access list is parsed on the access check itself, which is when the name contexts of all domains have already been established and we are already able to parse the names in the config files with sss_parse_names. We need to support "input names" in the simple access provider because it needs to support flat names which rely on knowing the details about a domain. The simple_access_obtain_filter_lists is intentionally made non-static in order to be called from tests which initialize the name contexts on their own. Reviewed-by: Sumit Bose <sbose@redhat.com> 
This patch adds a behaviour change to the simple access provider - the
simple access list is parsed on the access check itself, which is when
the name contexts of all domains have already been established and we
are already able to parse the names in the config files with
sss_parse_names. We need to support "input names" in the simple access
provider because it needs to support flat names which rely on knowing
the details about a domain.

The simple_access_obtain_filter_lists is intentionally made non-static
in order to be called from tests which initialize the name contexts on
their own.

Reviewed-by: Sumit Bose <sbose@redhat.com>
DP: Switch to new interface 2016-06-20T12:48:47+00:00 Pavel Březina pbrezina@redhat.com 2016-03-29T10:38:25+00:00 dea636af4d1902a081ee891f1b19ee2f8729d759 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Rename dp_backend.h to backend.h 2016-06-20T12:48:46+00:00 Pavel Březina pbrezina@redhat.com 2016-01-20T12:07:23+00:00 cc2d77d5218c188119fa954c856e858cbde76947 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
simple-access-provider: make user grp res more robust 2015-04-28T09:58:53+00:00 Pavel Reichl preichl@redhat.com 2015-04-20T15:33:29+00:00 82a958e6592c4a4078e45b7197bbe4751b70f511 Not all user groups need to be resolved if group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
simple-access-provider: break matching allowed users 2014-12-08T09:55:47+00:00 Pavel Reichl preichl@redhat.com 2014-06-04T17:24:08+00:00 958037cf32ea156dfdde426a45ac1d972fe46618 Stop matching username with names in simple_allow_users after positive match. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Stop matching username with names in simple_allow_users after positive
match.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
simple access provider: non-existing object 2014-12-08T09:55:40+00:00 Pavel Reichl preichl@redhat.com 2014-06-04T16:41:31+00:00 79f128801d598ca57a6acebade01136525a47e00 Resolves: https://fedorahosted.org/sssd/ticket/2519 Not existing user/group in simple_allow_users/simple_allow_groups should not imply access denied. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/2519

Not existing user/group in simple_allow_users/simple_allow_groups should not
imply access denied.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>