sssd.git/src/responder/sudo, branch certificate_mapping Unnamed repository; edit this file to name it for gitweb. SUDO: Make Sudo responder socket-activatable 2017-01-23T17:46:37+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-17T00:03:13+00:00 f37e795cd16310759dc9741c1ab1323b287a9101 As part of the effort of making all responder socket-activatable, let's make Sudo responder ready for this by providing its systemd's units. In case the administrators want to use Sudo responder taking advantage of socket-activation they will need to enable sssd-sudo.socket and after a restart of the sssd service, the Sudo socket will be ready waiting for any activity in order to start the Sudo responder. Also, the Sudo responder must be removed from the services line on sssd.conf. The Sudo responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
As part of the effort of making all responder socket-activatable, let's
make Sudo responder ready for this by providing its systemd's units.

In case the administrators want to use Sudo responder taking advantage
of socket-activation they will need to enable sssd-sudo.socket and
after a restart of the sssd service, the Sudo socket will be ready
waiting for any activity in order to start the Sudo responder. Also,
the Sudo responder must be removed from the services line on sssd.conf.

The Sudo responder service is binded to the SSSD service, which means
that the responder will be restarted in case SSSD is restarted and
shutdown in case SSSD is shutdown/crashes.

Related:
https://fedorahosted.org/sssd/ticket/2243

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
cache_req: encapsulate output data into structure 2016-12-19T22:22:54+00:00 Pavel Březina pbrezina@redhat.com 2016-10-14T10:15:50+00:00 b206e1abb7f6ea373d12537b3338552aed6b656d In enumeration calls we want to get objects from all domains, not only from the first matched domain. We move the cache search result into a structure that contains combination of domain and ldb_result. This is preparation for enumeration support inside cache_req. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
In enumeration calls we want to get objects from all domains, not
only from the first matched domain. We move the cache search result
into a structure that contains combination of domain and ldb_result.

This is preparation for enumeration support inside cache_req.

Resolves:
https://fedorahosted.org/sssd/ticket/3151

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
MONITOR: Remove unused shutDown sbus method 2016-11-09T12:32:32+00:00 Jakub Hrozek jhrozek@redhat.com 2016-11-07T11:39:08+00:00 fd25e68446ae86135489edb0823607b394f4ec40 The shutDown method has not been used or set for a long time. Trim the internal interface by removing all references to this internal method. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The shutDown method has not been used or set for a long time. Trim the
internal interface by removing all references to this internal method.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
MONITOR: Remove deprecated pong sbus method 2016-11-09T12:32:27+00:00 Jakub Hrozek jhrozek@redhat.com 2016-11-07T11:37:22+00:00 ab792150c97bd6eba1f8cd46653f41a0c64fd765 The pong method is deprecated since we started using the watchdog. Since this is dead code, it makes sense to just remove it. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The pong method is deprecated since we started using the watchdog. Since
this is dead code, it makes sense to just remove it.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
cache_req: switch to new code 2016-10-20T07:56:38+00:00 Pavel Březina pbrezina@redhat.com 2016-10-03T11:05:54+00:00 4169fb26ea2ff93c19ecdad6e09382732ea5deeb This patch switch the old switch-based cache req code to the new plugin-based. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This patch switch the old switch-based cache req code to
the new plugin-based.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
DP: Remove old data provider interface 2016-08-16T12:54:50+00:00 Pavel Březina pbrezina@redhat.com 2016-07-19T12:24:16+00:00 04e870d99e72aa3160bdb6ab05d986fb4005c3ed Reverse data provider interface is moved to a better location in NSS responder. All responders now can have an sbus interface defined per data provider connection. The unused old data provider interface is removed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reverse data provider interface is moved to a better location in
NSS responder. All responders now can have an sbus interface
defined per data provider connection. The unused old data provider
interface is removed.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
fix some 'might be used uninitialized' warnings 2016-07-07T08:30:32+00:00 Sumit Bose sbose@redhat.com 2016-07-05T11:22:05+00:00 c88b63b2dd82f7111abc00d93fa8db2707487572 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SUDO: Add more low-level tracing messages 2016-07-07T08:30:29+00:00 Jakub Hrozek jhrozek@redhat.com 2016-07-02T13:41:28+00:00 573e86dc3156e481ce53d39ac901da2e99cfa0ca Just adds more debugging messages that are handy in seeing what gets passed between sudo responder and client. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Just adds more debugging messages that are handy in seeing what gets
passed between sudo responder and client.

Reviewed-by: Sumit Bose <sbose@redhat.com>
sudo: solve problems with fully qualified names 2016-07-07T08:30:26+00:00 Pavel Březina pbrezina@redhat.com 2016-05-26T09:37:30+00:00 61913b8f0d1ba54d82640500d7486fac5f72b030 sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with contect of sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps: 1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid. 2. We fetch complementry rules that contain netgroups since it is expected we don't have infromation about existing netgroups in cache, sudo still needs to evaluate it for us if needed. This patch also remove test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't thing it is a good thing to have filter tests that depends on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.

This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
   expected we don't have infromation about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.

This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.

Resolves:
https://fedorahosted.org/sssd/ticket/2919

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Responders: Make the client context more generic 2016-06-29T19:46:03+00:00 Simo Sorce simo@redhat.com 2016-01-08T22:51:06+00:00 4f3a9d837a55b49448eca3c713c85a406207e523 This is useufl to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use tallog_get_type to check they are of the right type. This also allows to store per responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.

This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.

Resolves:
https://fedorahosted.org/sssd/ticket/2918

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>