Commit message | Author | Age | Files | Lines
...
* SYSDB: Allow passing a context to sysdb upgrade functions (Jakub Hrozek, 2016-07-07, 4 files, -21/+50)
  We decide on whether to upgrade or not based on a pointer value, not a boolean. This pointer points to a structure that the upgrade invoker (typically the monitor) can use to fill auxiliary data the sysdb upgrade has no means of instantiating.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Remove useless parameter from sysdb_init() (Jakub Hrozek, 2016-07-07, 5 files, -8/+6)
  The function sysdb_init() is never used to allow upgrade, so the allow_upgrade parameter was pointless.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* TESTS: Convert the tests to use qualified names for ldb lookups (Jakub Hrozek, 2016-07-07, 3 files, -46/+65)
  The timestamp cache tests look into ldb to check the timestamps. This patch converts the lookups to qualified names to make sure the lookups actually match.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Remove unused functions (Jakub Hrozek, 2016-07-07, 5 files, -239/+0)
  The conversion to sysdb made several functions obsolete. Remove them.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Parse internal fqnames in find_domain_by_object_name (Jakub Hrozek, 2016-07-07, 1 file, -2/+2)
  Previously, the sss_parse_name function was used. That function is meant to parse SSSD input, mainly in responders, not internal object names.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* TOOLS: sssctl: Work with trusted users (Jakub Hrozek, 2016-07-07, 1 file, -22/+115)
  For users and groups, convert the input name to the qualified format.
  Resolves: https://fedorahosted.org/sssd/ticket/3059
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IFP: Amend the InfoPipe responder for fqdns (Jakub Hrozek, 2016-07-07, 5 files, -22/+204)
  Parses the internal sysdb names and puts them on the bus using the sss_output_name() helper. Previously, the raw sysdb names were used.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Qualify user and group names when saving the sudo users (Jakub Hrozek, 2016-07-07, 3 files, -0/+96)
  If the sudoUser values we fetch from LDAP correspond to a user or a group name per: http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html then we parse the usernames into (name,domain) tuples and store them qualified.
  This patch not only makes the sudo provider work with qualified names, but also makes it possible to use qualified names on the LDAP side, allowing for example AD users from different domains to access sudo rules.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Save sudoUser qualified in the cache (Jakub Hrozek, 2016-07-07, 3 files, -20/+35)
  When converting from the native IPA schema to the sysdb sudo schema, qualify sudoUser attributes that contain user and group names.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* RESPONDERS: Return the sysdb name from cache_req (Jakub Hrozek, 2016-07-07, 2 files, -3/+3)
  name.name is the input name. Since cache_req is an internal interface, we need to return the sysdb name instead.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SELINUX: Parse the internal fqname before using it (Jakub Hrozek, 2016-07-07, 1 file, -26/+5)
  libselinux uses getpwnam() to retrieve the user data, therefore we qualify the data with sss_output_name() before calling libselinux.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: HBAC evaluator consumes shortnames (Jakub Hrozek, 2016-07-07, 1 file, -10/+28)
  SSSD uses an internal format to store user and group names, but the libhbac_ipa library uses only short names. Un-qualify the names before passing them on to the HBAC evaluator.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: make get_object_from_cache() aware of UPN searches (Sumit Bose, 2016-07-07, 3 files, -7/+38)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add missing user name to homedir_ctx (Sumit Bose, 2016-07-07, 1 file, -0/+1)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: expand name in ipa_add_ad_memberships_get_next() (Sumit Bose, 2016-07-07, 1 file, -1/+13)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Use internal fqname format instead of parsing NSS names (Jakub Hrozek, 2016-07-07, 3 files, -67/+147)
  Parsing the extdom plugin output is an "input" operation from the point of the IPA provider, so we need to parse the name and conversely, internally use only the qualified name.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Construct internal fqnames, not NSS names in sysdb_add_group_member_overrides (Jakub Hrozek, 2016-07-07, 1 file, -7/+7)
  Because all users and groups are stored the same way in sysdb, we can avoid parsing and unparsing the name with NSS functions and instead just grab the name from the FQDN in the cache.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: No need to separately qualify subdomain users anymore (Jakub Hrozek, 2016-07-07, 1 file, -11/+2)
  All usernames across SSSD are stored in the same manner, so there's no need to create per-domain names anymore.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Use shortname when expanding the user template in Kerberos ccache (Jakub Hrozek, 2016-07-07, 2 files, -6/+10)
  Creating the username part of the ccache file is an output operation, it makes sense to use sss_output_name() there which parses the name out of the internal qualified name.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Rely on sysdb names for the renewal task (Jakub Hrozek, 2016-07-07, 1 file, -18/+6)
  The domain name is part of the domain name, so we can parse it from there instead of relying on DN components.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Rely on internal fqname when constructing UPNs (Jakub Hrozek, 2016-07-07, 1 file, -10/+9)
  Because internally, we use the same name for all users and groups regardless of the domain they belong to, we can parse the username from the qualified name in a simpler manner.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SSS_OVERRIDE: Fixes for fully qualified names (Jakub Hrozek, 2016-07-07, 2 files, -62/+87)
  Use sss_create_internal_fqname for internal cache lookups. Because the object's existence is verified using getpw* and getgr*, we keep using sss_tc_fqname there, just to feed the NSS interface the expected qualified or unqualified name format.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SSS_SEED: Use FQDN for accessing sysdb (Jakub Hrozek, 2016-07-07, 1 file, -15/+9)
  Same as all other tools.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SSS_CACHE: Don't use sss_get_domain_name, but create the internal fqname instead for users and groups (Jakub Hrozek, 2016-07-07, 1 file, -12/+23)
  All users and groups are now stored in the cache using the same format, so we can use that one instead of creating a domain-specific name.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SSS_CACHE: Make internal functions static (Jakub Hrozek, 2016-07-07, 1 file, -4/+8)
  No need to export functions that are only used internally.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* TOOLS: Make the local domain operate on FQDNs (Jakub Hrozek, 2016-07-07, 2 files, -14/+75)
  Normally we convert the names from short to internal format on input. For the local domain tools, we can consider the sss_sync_ops an input interface, to avoid having to convert the name in each tool and interface separately.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* PROXY: Use fully qualified names internally (Jakub Hrozek, 2016-07-07, 2 files, -43/+137)
  Only use shortnames to interact with the system.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: fix typo (Sumit Bose, 2016-07-07, 1 file, -1/+1)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: The access control filter just needs the plain username (Jakub Hrozek, 2016-07-07, 1 file, -3/+2)
  The LDAP access control code uses shortnames to construct an LDAP filter.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Delete cache entry if not found by UPN (Jakub Hrozek, 2016-07-07, 1 file, -0/+19)
  Previously, the user account was only looked up by name when the LDAP provider didn't match any entry on the server side. This patch removes the entry from the cache with the matching function, either by name or by UPN.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use FQDNs when saving incomplete groups (Jakub Hrozek, 2016-07-07, 1 file, -4/+4)
  Even incomplete groups must be stored using the internal name format instead of whatever we receive from LDAP.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use fqdns during nested RFC2307 initgroups (Jakub Hrozek, 2016-07-07, 1 file, -19/+3)
  All user and group names are already qualified at this point, so let's remove the special case that stored users from trusted domains qualified.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: make it clear that sdap_add_incomplete_groups operates on sysdb names (Jakub Hrozek, 2016-07-07, 2 files, -6/+6)
  Just provides a more descriptive name of a function parameter.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Add a utility function to return a list of qualified names (Jakub Hrozek, 2016-07-07, 4 files, -14/+49)
  Adds a utility function the LDAP provider can use. This is different from sss_create_internal_fqname_list in the sense that the LDAP provider passes in the attribute name that contains the name attribute value.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Convert RFC2307 member attribute values to FQDN-style ghostnames before acting on them (Jakub Hrozek, 2016-07-07, 1 file, -2/+12)
  Ghostnames must be qualified as well, same as all other name attributes across SSSD. The ghost names are used by the NSS responder during getgr* output and the domain name parsed from the name is used in the output.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: save users with FQDN (Jakub Hrozek, 2016-07-07, 1 file, -4/+38)
  The username we receive from LDAP is a short name. Convert it to a qualified name before saving the user.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use shortname for LDAP queries (Jakub Hrozek, 2016-07-07, 2 files, -29/+103)
  When looking up users or groups by name, we need to use the plain username in the filter. The domain is typically signified by the search base. When looking up by UPN, we can keep using the raw value from the DP.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Rename DP filter value from name to filter_value (Jakub Hrozek, 2016-07-07, 3 files, -63/+66)
  filter_value is a better name, because we don't look just by name, the same variable is used to look up certificates etc.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SSH: Use a qualified name for user searches in the SSH responder (Jakub Hrozek, 2016-07-07, 2 files, -2/+10)
  The name is converted from whatever we receive on input to the internal format before processing the data further.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Use qualified names internally in the PAM responder (Jakub Hrozek, 2016-07-07, 4 files, -48/+114)
  The name is converted from whatever we receive on input to the internal format before processing the data further.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* TESTS: Start fixing the PAM responder tests for fully qualified names in sysdb (Michal Zidek, 2016-07-07, 1 file, -11/+21)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: orig_name does not need to be expanded to sysdb format (Sumit Bose, 2016-07-07, 1 file, -21/+3)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Fix domain for UPN based lookups (Sumit Bose, 2016-07-07, 1 file, -0/+29)
  Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Fix NSS responder to cope with fully-qualified usernames (Jakub Hrozek, 2016-07-07, 3 files, -922/+1093)
  Adds a utility function sized_output_name() which wraps the output_name() function and returns the sized_struct structure. This function is used when formatting the output name for the client, but also when saving/deleting the memory cache entries.
  Its sister function sized_member_name() is very similar, but infers the domain name from memberuid or ghost attribute.
  Because all names internally are used in the same format, the logic to append domain or format the username for output in the fill_XXX() family of functions is much simpler. In general, adding a domain suffix no longer relies on the domain being a subdomain, but only the dom->fqnames
  The parse_member() function was removed because it is no longer required.
  The nss test was amended to store names in the internal fqdn format on input and checks for either shortnames or qualified names with the right format created using sss_tc_fqname() on output.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* NCACHE: Store FQDNs internally, check for shortnames in files (Jakub Hrozek, 2016-07-07, 4 files, -59/+216)
  When storing users and groups by their name in the negative cache, store them fully qualified so that the responder only has to track the name in the internal format once the input is converted.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* TESTS: Start fixing the NSS test for fully qualified names in sysdb (Michal Zidek, 2016-07-07, 1 file, -61/+130)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: Fix the nested group tests to cope with FQDNs (Jakub Hrozek, 2016-07-07, 2 files, -67/+156)
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: expand_homedir_template manages usernames internally (Jakub Hrozek, 2016-07-07, 6 files, -27/+41)
  expand_homedir_template() can be considered an outward-facing interface, therefore the function and its input structure will accept the internal name format and parse it internally into a username and domain component.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* RESPONDER: Add a helper function sss_resp_create_fqname (Jakub Hrozek, 2016-07-07, 2 files, -0/+50)
  When looking up entries in the responders that have not yet been converted to the cache_req API, we need to perform some common operations all the time. These include converting the name to the right case, reverse-replacing whitespace and converting the name to the qualified format for that domain.
  This patch adds a function that performs these steps to avoid code duplication.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* RESPONDER: Use fqnames for cache_req lookups of users and groups (Jakub Hrozek, 2016-07-07, 2 files, -77/+200)
  When looking up users or groups by name, qualify the name into the internal format before the lookup.
  Reviewed-by: Sumit Bose <sbose@redhat.com>