| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3055
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
In the ssh keys a leading 0 is added to the bignums of the RSA modulus
and exponent if the leading bit is set to avoid the interpretation as a
negative number.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Currently cert_verify_opts is only initialized when there is an option
in the config file. This might cause issues later when the struct is
accessed. Since parse_cert_verify_opts() can already handle an empty
option the additional check is not needed at all.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
The DP refactoring changed the way we handle strings from sbus. We no
longer receive NULL strings, but empty strings instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2247
Explain configuration merging in sssd.conf
man page.
Signed-off-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
https://fedorahosted.org/sssd/ticket/2269
sssctl sconfig-check command allows to
call SSSD config file validators on
demand.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Separate logic to fill errobj so that
the errors can be printed by the caller.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
Use division instead of modulo while rounding the created packet size up
to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes
potentially packet buffer overflows with certain body sizes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.
Resolves https://fedorahosted.org/sssd/ticket/2988
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Just adds more debugging messages that are handy in seeing what gets
passed between sudo responder and client.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
expected we don't have infromation about existing netgroups in
cache, sudo still needs to evaluate it for us if needed.
This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Allows to upgrade the cache using the sssctl tool, which might be useful
e.g. in RPM %post scripts.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we want to use the sssctl tool during upgrade, we need to amend
the tools initialization code to not error out if sysdb can't be
instantiated, but rather return errno and let the tool handle the error.
Each tool command now has a 'allowed errno' the command is able to
handle. In this patch iteration, only a single errno can be handled and
only the upgrade command is able to do so.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
and override objects
Runs a sysdb upgrade that changes objects that represent users, groups,
sudo rules and overrides to the new schema, which uses the fully
qualified names.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The next sysdb upgrade will be changing memberUid and memberOf
attributes as well. To avoid chanding the memberof module just because
of an upgrade, add a environment variable that disabled the memberof
plugin altogether when set.
The variable will be set at the beginning of the upgrade and unset
later.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When the cache is upgraded, we want to avoid upgrading the timestamps
cache, because it was only introduced recently in Beta, so it doesn't
make senes to write complex code to change the format.
This patch rather removes the cache during upgrade, it will be recreated
with later lookups anyway.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes several issues introduced during the recent sysdb
upgrade:
1) The upgrade code often accesses sysdb->ldb, but at this point,
the ldb pointer might not be initialized yet. As a kind of an ugly,
yet functional workaround, we pass in the ldb pointer that we
received from the caller as part of the sysdb structure.
2) the version that sysdb_domain_cache_upgrade() returns is not a
talloc pointer, so the upgrade was crashing when we tried to steal
it.
3) the ldb pointer sysdb_cache_connect() returns was kept allocated
on the tmp_ctx. We need to steal it instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We decide on whether to upgrade or not based on a pointer value, not a
boolean. This pointer points to a structure that the upgrade invoker
(typically the monitor) can use to fill auxilary data the sysdb upgrade
has no means of instantiating.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
The function sysdb_init() is never used to allow upgrade, so the
allow_upgrade parameter was pointless.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
The timestamp cache tests look into ldb to check the timestamps. This
patch converts the lookups to qualified names to make sure the lookups
actually match.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
The conversion to sysdb made several functions obsolete. Remove them.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Previously, the sss_parse_name function was used. That function is meant
to parse SSSD input, mainly in responders, not internal object names.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
For users and groups, convert the input name to the qualified format.
Resolves:
https://fedorahosted.org/sssd/ticket/3059
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Parses the internal sysdb names and puts them on the bus using the
sss_output_name() helper. Previously, the raw sysdb names were used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the sudoUser values we fetch from LDAP correspond to a user or a
group name per:
http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html
then we parse the usernames into (name,domain) tuples and store them
qualified.
This patch not only makes the sudo provider work with qualified names,
but also makes it possible to use qualified names on the LDAP side,
allowing for example AD users from different domains to access sudo
rules.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
When converting from the native IPA schema to the sysdb sudo schema,
qualify sudoUser attributes that contain user and group names.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
name.name is the input name. Since cache_req is an internal interface,
we need to return the sysdb name instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
libselinux uses getpwnam() to retrieve the user data, therefore we
qualify the data with sss_output_name() before calling libselinux.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
SSSD uses an internal format to store user and group names, but the
libhbac_ipa library uses only short names. Un-qualify the names before
passing them on to the HBAC evaluator.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Parsing the extdom plugin output is an "input" operation from the point
of the IPA provider, so we need to parse the name and conversely,
internally use only the qualified name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
sysdb_add_group_member_overrides
Because all users and groups are stored the same way in sysdb, we can
avoid parsing and unparsing the name with NSS functions and instead just
grab the name from the FQDN in the cache.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
All usernames across SSSD are stored in the same manner, so there's no
need to create per-domain names anymore.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
Creating the username part of the ccache file is an output operation, it
makes sense to use sss_output_name() there which parses the name out of
the internal qualified name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
The domain name is part of the domain name, so we can parse it from
there instead of relying on DN components.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
Because internally, we use the same name for all users and groups
regardless of the domain they belong to, we can parse the username from
the qualified name in a simpler manner.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Use sss_create_internal_fqname for internal cache lookups. Because the
object's existence is verified using getpw* and getgr*, we keep using
sss_tc_fqname there, just to feed the NSS interface the expected
qualified or unqualified name format.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
Same as all other tools.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
instead for users and groups
All users and groups are now stored in the cache using the same format,
so we can use that one instead of creating a domain-specific name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
No need to export functions that are only used internally.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Normally we convert the names from short to internal format on input.
For the local domain tools, we can consider the sss_sync_ops an input
interface, to avoid having to convert the name in each tool and
interface separately.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
Only user shortnames to interact with the system.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|