sssd.git - Unnamed repository; edit this file to name it for gitweb.

	Commit message (Collapse)	Author	Age	Files	Lines
...
*	Add backchannel NSS provider query on initgr calls	Simo Sorce	2012-12-05	1	-0/+165
\| \| \| \| \| \| \| \| \|	This is needed in order to assure the memcache is properly and promptly cleaned up if a user memberships change on login. The list of the current groups for the user is sourced before it is updated and sent to the NSS provider to verify if it has changed after the update call has been made.
*	Hook for mmap cache update on initgroup calls	Simo Sorce	2012-12-05	4	-0/+148
\| \| \| \| \|	This set of functions enumerate the user's groups and invalidate them all if the list does not matches what we get from the caller.
*	Hook to perform a mmap cache update from sssd_nss	Simo Sorce	2012-12-05	4	-0/+124
\| \| \| \| \|	This set of functions enumerate each user/group from all domains and invalidate any mmap cache record that matches.
*	mmap cache: public functions to invalidate records	Simo Sorce	2012-12-05	2	-0/+135
\| \| \| \| \| \|	These functions can be called from the nss responder to invalidate records that have ceased to exist or that need to be refreshed the first time an application needs them.
*	link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread	Timo Aaltonen	2012-12-04	1	-0/+2
\| \| \| \| \| \| \| \|	There used to be an overlinked dependency that's gone now, so to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS. v2: Fix sss_ssh_authorizedkeys linking as well.
*	Use an entry type mask macro to filter entry types	Simo Sorce	2012-12-04	5	-5/+6
\| \| \| \| \|	Avoids hardcoding magic numbers everywhere and self documents why a mask is being applied.
*	Streamline ipa_account_info handler	Simo Sorce	2012-12-04	1	-74/+55
\| \| \| \| \| \| \| \| \| \|	In particular note that we merge ipa_account_info_netgroups_done() and ipa_account_info_users_done() into a single fucntion called ipa_account_info_done() that handles both cases We also remove the auxiliary function ipa_account_info_complete() that unnecessarily violates the tevent_req style and instead use a new function named ipa_account_info_error_text() to generate error text.
*	Fix tevent_req style for get_netgroup in ipa_id	Simo Sorce	2012-12-04	1	-80/+71
\| \| \| \|	Also do not intermix two tevent_req sequences
*	Fix ipa_subdomain_id names and tevent_req style	Simo Sorce	2012-12-04	3	-52/+36
\|
*	Fix tevent_req style for krb5_auth	Simo Sorce	2012-12-04	4	-371/+334
\| \| \| \| \| \|	No functionality changes, just make the code respect the tevent_req style and naming conventions and enhance readability by adding some helper functions.
*	do not crash when id_provider is not set	Pavel Březina	2012-12-04	1	-0/+6
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1686
*	Missing parameter in DEBUG message.	Michal Zidek	2012-12-04	1	-1/+2
\|
*	Indentation fix	Jakub Hrozek	2012-12-04	1	-5/+2
\|
*	Dereference after null check in sss_idmap_sid_to_unix	Michal Zidek	2012-12-04	1	-1/+5
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1684
*	NSS: Fix netgroup midpoint cache refresh	Jakub Hrozek	2012-12-04	3	-3/+3
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1683 The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
*	warn user if password is about to expire	Pavel Březina	2012-12-02	1	-3/+4
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
*	IPA: Handle bad results from c-ares lookup	Stephen Gallagher	2012-12-02	1	-1/+11
\| \| \| \| \| \| \| \| \|	In some situations, the c-ares lookup can return NULL instead of a list of addresses. In this situation, we need to avoid dereferencing NULL. This patch adds a log message and sets the count to zero so it is handled appropriately below.
*	sudo: print message if old protocol is used	Pavel Březina	2012-12-02	1	-3/+15
\|
*	avoid versioning libsss_sudo	Pavel Březina	2012-12-02	1	-3/+4
\|
*	Monitor quit when not exists no process no stops	Ariel O. Barria	2012-11-28	1	-1/+3
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1669
*	Null pointer dereferenced.	Michal Zidek	2012-11-28	1	-96/+100
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1674
*	Avoid const warnings when deallocating memory	Simo Sorce	2012-11-28	1	-1/+1
\| \| \| \| \| \| \|	In some case we allocate and assign data to a const pointer. When we then try to free it we would get a const warning because talloc_free accepts a void, not a const void pointer. Use discard_const to avoid the warning, it is safe in this case.
*	Avoid duplicating macros	Simo Sorce	2012-11-28	1	-4/+0
\| \| \| \| \|	This macro is already available in util/util.h which is expicitly included in this file.
*	Revert "Avoid accessing half-deallocated memory when using talloc_zfree macro."	Simo Sorce	2012-11-28	1	-5/+1
\| \| \| \| \| \| \| \| \|	This reverts commit ff57c6aeb80a52b1f52bd1dac9308a69dc7a4774. This commit doesn't really make sense, we are never accessing freed memory as all we are dealing with is a pointer which is never itsef part of the memory we are freeing (if it were, it would be an error in the caller and we shouldn't mask it in this macro).
*	idmap: Silence DEBUG messages when dealing with built-in SIDs.	Michal Zidek	2012-11-28	6	-80/+125
\| \| \| \| \| \| \| \|	When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
*	Uninitialized pointer read	Michal Zidek	2012-11-28	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1673
*	sss_cache: Small refactor.	Michal Zidek	2012-11-28	3	-58/+72
\| \| \| \| \| \| \|	The logic that checks if sssd_nss is running and then sends SIGHUP to monitor or removes the caches was moved to a function sss_memcache_clear_all() and made public in tools_util.h.
*	TESTS: Test ghosts users in the RFC2307 schema	Jakub Hrozek	2012-11-26	1	-0/+248
\|
*	MEMBEROF: Do not add the ghost attribute to self	Jakub Hrozek	2012-11-26	2	-13/+87
\| \| \| \| \| \| \| \| \| \| \| \|	When a nested group with ghost users is added, its ghost attribute should propagate within the nested group structure much like the memberuid attribute. Unlike the memberuid attribute, the ghost attribute is only semi-managed by the memberof plugin and added manually to the original entry. This bug caused LDB errors saying that attribute or value already exists when a group with a ghost user was added to the hierarchy as groups were updated with an attribute they already had.
*	debug: print fatal and critical errors if debug level is unresolved	Michal Zidek	2012-11-26	2	-7/+4
\| \| \| \| \| \| \|	If global variable debug_level has value SSSDBG_UNRESOLVED, we should print at least fatal and critical errors. https://fedorahosted.org/sssd/ticket/1345
*	Save errno before it might be modified.	Simo Sorce	2012-11-26	1	-8/+16
\| \| \| \| \|	The DEBUG() macro may, at any time, change and start calling functions that touch errno. Save errno before logging and then return the saved error.
*	SYSDB: Don't operate with aliases same as name	Ondrej Kos	2012-11-23	1	-0/+6
\| \| \| \| \| \| \|	fixes https://fedorahosted.org/sssd/ticket/1628 When user's alias is same as it's name, don't use it for searching in sysdb, and for deleting.
*	LDAP: fix uninitialized variable	Ondrej Kos	2012-11-23	1	-1/+1
\| \| \| \|	initialized variable, was causing build warning
*	Handle compiling FQDN regular expression with old pcre gracefully	Jakub Hrozek	2012-11-22	1	-0/+9
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1661
*	Fix errors reported by rpmlint	Jan Cholasta	2012-11-22	10	-29/+19
\|
*	Use systemd by default on Fedora 16+	Jan Cholasta	2012-11-22	1	-2/+60
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1437
*	MONITOR: Fix off-by-one error in add_string_to_list	Jakub Hrozek	2012-11-21	1	-1/+4
\| \| \| \| \|	We need to allocate num_services+2 - one extra space for the new service and one for NULL.
*	fix SIGSEGV in IPA provider when ldap_sasl_authid is not set	Pavel Březina	2012-11-20	1	-1/+1
\| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1657 IPA_HOSTNAME is not stored in ipa_opts->id options so it the option was always NULL here. This caused SIGSEGV when accessed by strchr() in subsequent function.
*	LDAP: Only convert direct parents' ghost attribute to member	Jakub Hrozek	2012-11-20	11	-27/+91
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
*	SYSDB: Use the add_string convenience functions for managing ghost user ↵	Jakub Hrozek	2012-11-20	1	-24/+9
\| \| \| \| \| \| \|	attribute Using the convenience function instead of low-level ldb calls makes the code more compact and more readable.
*	BUILD: Temporary workaround for Kerberos build	Stephen Gallagher	2012-11-20	1	-2/+3
\| \| \| \| \| \|	This patch extends the Kerberos version check to support Kerberos version 1.11 alpha and later. It is a temporary measure until we can redesign the configure checks for better granularity.
*	Disable canonicalization during password changes	Sumit Bose	2012-11-19	1	-2/+43
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615
*	Fix compare_principal_realm() check	Sumit Bose	2012-11-19	2	-9/+9
\| \| \| \| \|	In case of a short UPN compare_principal_realm() erroneously returns an error.
*	Just use the service name with krb5_get_init_creds_password()	Sumit Bose	2012-11-19	1	-24/+2
\| \| \| \| \| \| \| \| \|	Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
*	LDAP: Make it possible to use full principal in ldap_sasl_authid again	Jakub Hrozek	2012-11-19	2	-4/+21
\|
*	LDAP: Checking the principal should not be considered fatal	Jakub Hrozek	2012-11-19	1	-6/+10
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	The check is too restrictive as the select_principal_from_keytab can return something else than user requested right now. Consider that user query for host/myserver@EXAMPLE.COM, then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
*	LDAP: Provide a common sdap_set_sasl_options init function	Jakub Hrozek	2012-11-19	4	-91/+95
\| \| \| \| \|	The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
*	MAN: document the ldap_sasl_realm option	Jakub Hrozek	2012-11-19	1	-0/+13
\| \| \| \|	The option was completely undocumented.
*	Restart services with a delay in case they are restarted too often	Jakub Hrozek	2012-11-19	1	-14/+59
\| \| \| \| \| \| \| \| \| \| \| \|	In case a service is restarted while the DP is not ready yet, it gets restarted again immediatelly, which means the DP might still not be ready. The allowed number of restarts is then depleted quickly. This patch changes the restart mechanism such that the first restart happens immediatelly, the second is scheduled after 2 second, then 4 etc.. https://fedorahosted.org/sssd/ticket/1528
*	Handle conversion to fully qualified usernames	Simo Sorce	2012-11-19	3	-1/+98
\| \| \| \| \| \| \|	In subdomains we have to use fully qualified usernames. Unfortunately we have no other good option than simply removing caches for users of subdomains. This is because the memberof plugin does not support the rename operation.