Commit message | Author | Age | Files | Lines
* wipmemberof_default_view | Sumit Bose | 2016-07-13 | 3 | -4/+94
|
* tests: add test_sss_idmap_calculate_range() | Sumit Bose | 2016-07-13 | 1 | -0/+38
|
* ipa_resolve_user_list_get_user_step fix | Sumit Bose | 2016-07-13 | 1 | -2/+14
|
* IPA: expand ghost members of AD groups in server-mode | Sumit Bose | 2016-07-13 | 1 | -1/+80
|
* IPA: make ipa_resolve_user_list_{send|recv} public | Sumit Bose | 2016-07-13 | 2 | -2/+10
|
* memberOf: use defaultOverrideName if available | Sumit Bose | 2016-07-13 | 1 | -11/+22
|
* sssctl: improve readability of a condition | Pavel Březina | 2016-07-13 | 1 | -4/+4
|   Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
* sssctl: move filter creation to separate function | Pavel Březina | 2016-07-13 | 1 | -35/+46
|   Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
* dyndns: Add checks for NULL | Michal Židek | 2016-07-13 | 1 | -0/+20
|   Fixes: https://fedorahosted.org/sssd/ticket/3076
|   We segfaulted in this area once. This patch makes the code more defensive and adds some DEBUG messages. Normally the structures are filled in online and/or resolve callbacks.
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* config: Add config_file_version to schema | Michal Židek | 2016-07-12 | 3 | -0/+3
|   Resolves: https://fedorahosted.org/sssd/ticket/3068
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* config: Allow timeout for all services | Michal Židek | 2016-07-12 | 3 | -2/+8
|   Allow option "timeout" for all services. Also remove unused macro CONFDB_SERVICE_TIMEOUT.
|   Resolves: https://fedorahosted.org/sssd/ticket/3068
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PROVIDERS: Setting right {u,g}id if unprivileged | Petr Cech | 2016-07-12 | 1 | -0/+2
|   be_ctx had talloc_zero() initialized uid and gid which was used in function dp_init(). Therefore back-end was every time started as root and therefore non-root responders could not communicate with back-end due to wrong permission of unix sockets.
|   This patch sets right uid and gid to data-providers if sssd runs as non-root user.
|   Resolves: https://fedorahosted.org/sssd/ticket/3077
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sysdb-tests: Fix cast from pointer to integer | Lukas Slebodnik | 2016-07-12 | 1 | -1/+1
|   src/tests/sysdb-tests.c: In function 'test_sysdb_memberof_close_loop':
|   src/tests/sysdb-tests.c:2740:5: warning: passing argument 1 of '_ck_assert_msg' makes integer from pointer without a cast [enabled by default]
|   fail_unless(data->attrlist[0], "talloc_array failed.");
|   ^
|   In file included from src/tests/sysdb-tests.c:23:0:
|   /usr/include/check.h:237:16: note: expected 'int' but argument is of type 'const char *'
|   void CK_EXPORT _ck_assert_msg (int result, const char *file,
|   ^
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* config: Fix user_attributes | Michal Židek | 2016-07-12 | 3 | -2/+3
|   Fixes: https://fedorahosted.org/sssd/ticket/3068
|   Option user_attributes is also available in NSS responder, but not in PAC responder.
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* config: override_space is monitor's option | Michal Židek | 2016-07-12 | 4 | -4/+5
|   We read override_space from [sssd] not [nss] section.
|   Resolves: https://fedorahosted.org/sssd/ticket/3068
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TOOLS: Prevent dereference of null pointer | Lukas Slebodnik | 2016-07-12 | 1 | -35/+28
|   VAR_CHECK is called with (var, EOK, ...) EOK would be returned in case of "var != EOK" and output argument _attrs would not be initialized. Therefore there could be dereference of null pointer after calling function usermod_build_attrs.
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* nss-srv-tests: Fix prototype of wrapped ncache functions | Lukas Slebodnik | 2016-07-12 | 1 | -16/+12
|   The argument ttl was recently removed from negative cache functions (sss_ncache_check_user, sss_ncache_check_uid, sss_ncache_check_sid, sss_ncache_check_cert) but it was not removed from wrapped versions in nss-srv-tests. It caused a crash on machine with big endian and when configure with --coverage.
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* views: allow override added for non-default views at runtime | Sumit Bose | 2016-07-12 | 1 | -8/+18
|   Currently a new override for a non-default view cannot be displayed at run-time. It even does not only require a restart but the view must be un-applied and applied again to make the changes visible. This patch fixes this and makes non-default view behave like the default view where the data from a newly added override are displayed after the cached entry of the related object is expired.
|   Resolves https://fedorahosted.org/sssd/ticket/3092
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MAN: Update description of sssctl | Dan Lavu | 2016-07-12 | 1 | -7/+6
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssctl: Fix warning maybe-uninitialized | Lukas Slebodnik | 2016-07-12 | 1 | -5/+9
|   It looks like some special gcc optimization and special case may cause to have uninitialized output argument _dom when return code is EOK
|   src/tools/sssctl/sssctl_cache.c: In function ‘sssctl_print_object’:
|   src/tools/sssctl/sssctl_cache.c:491:8: error: ‘dom’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
|   if (dom == NULL) {
|   ^
|   src/tools/sssctl/sssctl_cache.c:447:15: error: ‘entry’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
|   *_entry = talloc_steal(mem_ctx, entry);
|   ^~~~~~~~~~~~
|   src/tools/sssctl/sssctl_cache.c:412:25: note: ‘entry’ was declared here
|   struct sysdb_attrs *entry;
|   ^~~~~
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa_hbac: Fix documentation for hbac_enable_debug | Lukas Slebodnik | 2016-07-12 | 1 | -2/+2
|   src/lib/ipa_hbac/ipa_hbac.h:68: warning: expected whitespace after [ command
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* doxygen: Fix path to header file ipa_hbac.h | Lukas Slebodnik | 2016-07-12 | 1 | -1/+1
|   Warning: tag INPUT: input source `src/providers/ipa/ipa_hbac.h' does not exist
|   warning: source src/providers/ipa/ipa_hbac.h is not a readable file or directory... skipping.
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sssctl: Fix format string for size_t | Lukas Slebodnik | 2016-07-12 | 1 | -1/+1
|   src/tools/sssctl/sssctl_config.c: In function 'sssctl_config_check':
|   src/tools/sssctl/sssctl_config.c:93:14: warning: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'size_t {aka unsigned int}' [-Wformat=]
|   printf(_("Issues identified by validators: %lu\n"), num_errors);
|   ^
|   src/tools/sssctl/sssctl_config.c:93:12: note: in expansion of macro '_'
|   printf(_("Issues identified by validators: %lu\n"), num_errors);
|   ^
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* FO: Set port to NOT_WORKING when trying a next server | Jakub Hrozek | 2016-07-12 | 1 | -1/+1
|   Resolves: https://fedorahosted.org/sssd/ticket/3009
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssctl: config-check access check report | Michal Židek | 2016-07-11 | 1 | -1/+2
|   Improve output when access check error is detected by sssctl config-check command.
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssctl: Fix error handling after memory allocation failure | Lukas Slebodnik | 2016-07-11 | 1 | -1/+2
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Fixing DB update | Petr Cech | 2016-07-11 | 1 | -3/+19
|   Functions sysdb_user_base_dn() and sysdb_group_base_dn() expect that struct sss_domain_info contains pointer to struct sysdb_ctx. This is not true in case of sysdb_upgrade functions. This patch fixes the situation and reverts code to the state before 12a000c8c7c07259e438fb1e992134bdd07d9a30 commit.
|   Resolves: https://fedorahosted.org/sssd/ticket/3023
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* Updating the version for the 1.14.1 release | Jakub Hrozek | 2016-07-07 | 1 | -1/+1
|
* Updating the version for the 1.14.0 release | Jakub Hrozek | 2016-07-07 | 1 | -1/+1
|
* Updating the translations for the 1.14.0 release | Jakub Hrozek | 2016-07-07 | 40 | -9786/+11335
|
* sssctl: manual page | Pavel Březina | 2016-07-07 | 4 | -1/+72
|   Resolves: https://fedorahosted.org/sssd/ticket/3055
|   Reviewed-by: Michal Židek <mzidek@redhat.com>
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* cert_to_ssh_key: properly add leading 0 to bignums | Sumit Bose | 2016-07-07 | 1 | -8/+24
|   In the ssh keys a leading 0 is added to the bignums of the RSA modulus and exponent if the leading bit is set to avoid the interpretation as a negative number.
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SSH-CERT: always initialize cert_verify_opts | Sumit Bose | 2016-07-07 | 1 | -8/+6
|   Currently cert_verify_opts is only initialized when there is an option in the config file. This might cause issues later when the struct is accessed. Since parse_cert_verify_opts() can already handle an empty option the additional check is not needed at all.
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* CONFIGURE: Inform about optional build dependencies | Lukas Slebodnik | 2016-07-07 | 2 | -4/+8
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Lookup services by all protocols unless a protocol is specified | Jakub Hrozek | 2016-07-07 | 1 | -2/+5
|   The DP refactoring changed the way we handle strings from sbus. We no longer receive NULL strings, but empty strings instead.
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* MAN: Config file merging | Michal Židek | 2016-07-07 | 1 | -0/+39
|   Related to: https://fedorahosted.org/sssd/ticket/2247
|   Explain configuration merging in sssd.conf man page.
|   Signed-off-by: Dan Lavu <dlavu@redhat.com>
|   Reviewed-by: Dan Lavu <dlavu@redhat.com>
* sssctl: Add config-check command | Michal Židek | 2016-07-07 | 5 | -2/+145
|   Fixes: https://fedorahosted.org/sssd/ticket/2269
|   sssctl config-check command allows to call SSSD config file validators on demand.
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_ini: Small refactoring of sss_ini_call_validators | Michal Židek | 2016-07-07 | 2 | -11/+146
|   Separate logic to fill errobj so that the errors can be printed by the caller.
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix packet size calculation in sss_packet_new | Nikolai Kondrashov | 2016-07-07 | 1 | -1/+1
|   Use division instead of modulo while rounding the created packet size up to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes potential packet buffer overflows with certain body sizes.
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* PAM/KRB5: optional otp and password prompting | Sumit Bose | 2016-07-07 | 4 | -5/+101
|   Depending on the available Kerberos pre-authentication methods pam_sss will prompt the user for a password, 2 authentication factors or both.
|   Resolves https://fedorahosted.org/sssd/ticket/2988
|   Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* fix some 'might be used uninitialized' warnings | Sumit Bose | 2016-07-07 | 2 | -0/+7
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SUDO: Add more low-level tracing messages | Jakub Hrozek | 2016-07-07 | 1 | -3/+10
|   Just adds more debugging messages that are handy in seeing what gets passed between sudo responder and client.
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* sudo: solve problems with fully qualified names | Pavel Březina | 2016-07-07 | 4 | -169/+378
|   sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with content of sudoUser attribute since it is not qualified.
|   This patch changes the rules on the fly to avoid using names at all. We do this in two steps:
|   1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid.
|   2. We fetch complementary rules that contain netgroups since it is expected we don't have information about existing netgroups in cache, sudo still needs to evaluate it for us if needed.
|   This patch also removes test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't think it is a good thing to have filter tests that depend on exact filter order.
|   Resolves: https://fedorahosted.org/sssd/ticket/2919
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TOOLS: Add the upgrade-cache command | Jakub Hrozek | 2016-07-07 | 3 | -0/+35
|   Allows to upgrade the cache using the sssctl tool, which might be useful e.g. in RPM %post scripts.
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* TOOLS: Some tools command might not need initialization to succeed | Jakub Hrozek | 2016-07-07 | 4 | -38/+66
|   Since we want to use the sssctl tool during upgrade, we need to amend the tools initialization code to not error out if sysdb can't be instantiated, but rather return errno and let the tool handle the error.
|   Each tool command now has an 'allowed errno' the command is able to handle. In this patch iteration, only a single errno can be handled and only the upgrade command is able to do so.
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: qualify_attr: create new attribute only once | Sumit Bose | 2016-07-07 | 1 | -3/+8
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects | Jakub Hrozek | 2016-07-07 | 5 | -3/+604
|   Runs a sysdb upgrade that changes objects that represent users, groups, sudo rules and overrides to the new schema, which uses the fully qualified names.
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* MEMBEROF: Allow bypassing memberof during upgrade | Jakub Hrozek | 2016-07-07 | 1 | -0/+5
|   The next sysdb upgrade will be changing memberUid and memberOf attributes as well. To avoid changing the memberof module just because of an upgrade, add an environment variable that disables the memberof plugin altogether when set.
|   The variable will be set at the beginning of the upgrade and unset later.
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Remove the timestamps cache on update | Jakub Hrozek | 2016-07-07 | 1 | -3/+30
|   When the cache is upgraded, we want to avoid upgrading the timestamps cache, because it was only introduced recently in Beta, so it doesn't make sense to write complex code to change the format.
|   This patch rather removes the cache during upgrade, it will be recreated with later lookups anyway.
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Fix small issues during db upgrade | Jakub Hrozek | 2016-07-07 | 1 | -1/+3
|   This patch fixes several issues introduced during the recent sysdb upgrade:
|   1) The upgrade code often accesses sysdb->ldb, but at this point, the ldb pointer might not be initialized yet. As a kind of an ugly, yet functional workaround, we pass in the ldb pointer that we received from the caller as part of the sysdb structure.
|   2) the version that sysdb_domain_cache_upgrade() returns is not a talloc pointer, so the upgrade was crashing when we tried to steal it.
|   3) the ldb pointer sysdb_cache_connect() returns was kept allocated on the tmp_ctx. We need to steal it instead.
|   Reviewed-by: Sumit Bose <sbose@redhat.com>