sssd.git/src, branch jhrozek_sysdb_fqdn Unnamed repository; edit this file to name it for gitweb. expand name in ipa_add_ad_memberships_get_next() 2016-07-06T18:45:39+00:00 Sumit Bose sbose@redhat.com 2016-07-05T13:16:42+00:00 31e86e284383594be9eb34a37c9d07296a50675d 






PAM/KRB5: optional otp and password prompting
2016-07-06T18:28:11+00:00

Sumit Bose
sbose@redhat.com

2016-05-26T11:20:59+00:00

f36b15d2b55e28a8aa5da501a34815d2ad52295b

Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.

Resolves https://fedorahosted.org/sssd/ticket/2988





Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.

Resolves https://fedorahosted.org/sssd/ticket/2988







LDAP: fix typo
2016-07-06T15:40:23+00:00

Sumit Bose
sbose@redhat.com

2016-07-05T12:35:26+00:00

f92bc7441184b7a75cd01abc49d4fb42cd08de11












fix some 'might be used uninitialized' warnings
2016-07-06T15:40:23+00:00

Sumit Bose
sbose@redhat.com

2016-07-05T11:22:05+00:00

93ecd802eb27a55d45fdffb4118ecb86355426e8

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>







SUDO: Add more low-level tracing messages
2016-07-06T15:40:23+00:00

Jakub Hrozek
jhrozek@redhat.com

2016-07-02T13:41:28+00:00

b79f28075ada8e0e5d4ba3446f77394968716002

Just adds more debugging messages that are handy in seeing what gets
passed between sudo responder and client.





Just adds more debugging messages that are handy in seeing what gets
passed between sudo responder and client.







sudo: solve problems with fully qualified names
2016-07-06T15:40:23+00:00

Pavel Březina
pbrezina@redhat.com

2016-05-26T09:37:30+00:00

98a85bf0b2334c45a60c5bc10042e5abdeff3f98

sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.

This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
   expected we don't have infromation about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.

This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.

Resolves:
https://fedorahosted.org/sssd/ticket/2919

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.

This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
   expected we don't have infromation about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.

This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.

Resolves:
https://fedorahosted.org/sssd/ticket/2919

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>







TOOLS: Add the upgrade-cache command
2016-07-06T15:40:22+00:00

Jakub Hrozek
jhrozek@redhat.com

2016-07-01T11:27:17+00:00

f3c5bf50bb0a95c5bf4b6386a898944f68183afb

Allows to upgrade the cache using the sssctl tool, which might be useful
e.g. in RPM %post scripts.





Allows to upgrade the cache using the sssctl tool, which might be useful
e.g. in RPM %post scripts.







TOOLS: Some tools command might not need initialization to succeed
2016-07-06T15:40:22+00:00

Jakub Hrozek
jhrozek@redhat.com

2016-07-01T11:26:38+00:00

7ebcdb9f4e755eab412a96a79df4357b4b8e54e0

Since we want to use the sssctl tool during upgrade, we need to amend
the tools initialization code to not error out if sysdb can't be
instantiated, but rather return errno and let the tool handle the error.

Each tool command now has a 'allowed errno' the command is able to
handle. In this patch iteration, only a single errno can be handled and
only the upgrade command is able to do so.





Since we want to use the sssctl tool during upgrade, we need to amend
the tools initialization code to not error out if sysdb can't be
instantiated, but rather return errno and let the tool handle the error.

Each tool command now has a 'allowed errno' the command is able to
handle. In this patch iteration, only a single errno can be handled and
only the upgrade command is able to do so.







SYSDB: qualify_attr: create new attribute only once
2016-07-06T15:40:22+00:00

Sumit Bose
sbose@redhat.com

2016-07-05T13:53:39+00:00

85bb0c2ace68edbf148df6670a86e33f83696f16

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>







SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects
2016-07-06T15:40:22+00:00

Jakub Hrozek
jhrozek@redhat.com

2016-07-05T10:44:09+00:00

3612c827757821622daa51ebb9841699b9b07272

Runs a sysdb upgrade that changes objects that represent users, groups,
sudo rules and overrides to the new schema, which uses the fully
qualified names.





Runs a sysdb upgrade that changes objects that represent users, groups,
sudo rules and overrides to the new schema, which uses the fully
qualified names.