summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* WIP: PAC respondersubdomainsSumit Bose2012-06-087-177/+703
|
* sss_idmap: fix typoSumit Bose2012-06-021-1/+1
|
* sss_idmap: add support for samba struct dom_sidSumit Bose2012-05-246-2/+461
| | | | | | | | | The samba ndr libraries use struct dom_sid to handle SIDs. Since there is no public samba library which offers conversion from other representations, e.g. as string, this is addded to libsss_idmap. There is only a compile-time dependency to the samba header files to check if struct dom_sid has the expected format. There is no run-time dependency to any samba library.
* Temporarily add support for IPA_SID_OLDJan Zeleny2012-05-221-1/+21
| | | | | This patch should not go to upstream master, it's only for development purposes.
* IPA subdomains - ask for information about master domainJan Zeleny2012-05-228-17/+361
| | | | | | | The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.
* Detect subdomain request in IPA auth providerJan Zeleny2012-05-221-4/+13
|
* Accept be_req instead of be_ctx in krb5 auth providerJan Zeleny2012-05-226-35/+83
|
* Build pac responder in example spec fileSumit Bose2012-05-221-0/+4
|
* Add krb5 authdata plugin to send the pacSumit Bose2012-05-225-0/+500
|
* Add server-side pac supportSumit Bose2012-05-223-1/+598
|
* Add pac support to clientSumit Bose2012-05-223-7/+46
|
* Add infrastructure for pac responderSumit Bose2012-05-226-1/+341
|
* Add configure option to build pac responderSumit Bose2012-05-222-0/+35
|
* NSS: Expire in-memory netgroup cache before the nowait timeoutStephen Gallagher2012-05-161-1/+9
| | | | | | | | The fact that we were keeping it in memory for the full duration of the cache timeout meant that we would never reap the benefits of the midpoint cache refresh. https://fedorahosted.org/sssd/ticket/1340
* Use the sysdb attribute name, not LDAP attribute nameJakub Hrozek2012-05-162-2/+2
|
* RPM: Allow running 'make rpms' on RHEL 5 machinesStephen Gallagher2012-05-151-5/+7
| | | | | | | | | | Our previous detection for this was flawed, because the %{rhel} macro did not exist on the version of RPM shipped with RHEL 5, but it worked when building for RHEL 5 through mock. This new patch relies on grepping /etc/redhat-release for the version information. https://fedorahosted.org/sssd/ticket/1206
* Use sized_string correctly in FQDN domainsJakub Hrozek2012-05-151-2/+2
|
* NSS: keep a pointer to body after body is reallocatedJakub Hrozek2012-05-151-0/+3
|
* Fix libsss_hbac library versionSumit Bose2012-05-141-1/+1
|
* Rename struct dom_sid to struct sss_dom_sidSumit Bose2012-05-145-32/+32
| | | | | To avoid conflicts with struct dom_sid used by samba the sss_ prefix is added to the struct used by libsss_idmap.
* Fixed two minor memory leaksJan Zeleny2012-05-142-2/+6
|
* Fix typos in message and man pages.Yuri Chornoivan2012-05-143-4/+4
|
* Potential NULL dereference in proxy providerAriel Barria2012-05-141-1/+1
|
* Bumping version ton 1.8.92 for beta 2 developmentStephen Gallagher2012-05-111-1/+1
|
* Bumping version to 1.8.91 for 1.9.0 beta 1 releaseStephen Gallagher2012-05-111-1/+1
|
* Updating translations for 1.9.0 beta 1 releaseStephen Gallagher2012-05-1128-11714/+22049
|
* build: resolve link failureJan Engelhardt2012-05-111-0/+1
| | | | | | | | | | | libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,--version-script -Wl,./src/providers/sssd_be.exports -o sssd_be src/providers/data_provider_be.o src/providers/data_provider_fo.o src/providers/data_provider_opts.o src/providers/data_provider_callbacks.o src/providers/fail_over.o src/resolv/async_resolv.o -Wl,--export-dynamic -lpam -lcares ./.libs/libsss_util.a -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lcollection -ldhash -llber -lldap -ltdb -lunistring -lcrypto /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: src/providers/data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5' /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line /lib64/libdl.so.2: could not read symbols: Invalid operation collect2: error: ld returned 1 exit status make[2]: *** [sssd_be] Error 1 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
* SYSDB: Handle user and group renames betterJakub Hrozek2012-05-112-7/+182
| | | | | | | | | | | | Fixes a regression in the local domain tools where sss_groupadd no longer detected a GID duplicate. The check for EEXIST is moved one level up into more high level function. The patch also adds the same rename support for users. I found it odd that we allowed a rename of groups but not users. There is a catch when storing a user -- his cached password would be gone. I think that renaming a user is such a rare operation that it's not severe, plus there is a warning in the logs.
* Bad check for id_provider=local and access_provider=permitAriel Barria2012-05-112-2/+2
| | | | | | documentation-access_provider Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
* sysdb: return proper error code from sysdb_sudo_purge_allJakub Hrozek2012-05-101-1/+1
|
* Filter out IP addresses inappropriate for DNS forward recordsJakub Hrozek2012-05-101-1/+57
| | | | https://fedorahosted.org/sssd/ticket/949
* subdomains: Fix error handling in Data ProviderJakub Hrozek2012-05-101-19/+37
| | | | | The subdomains back end request was sending replies in a format the responder did not understand in case the request failed.
* Send the correct enumeration requestJakub Hrozek2012-05-101-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1329
* LDAP: Handle very large Active Directory groupsStephen Gallagher2012-05-106-45/+273
| | | | | | | | | | | | | Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783
* LDAP: Add attr_count return value to build_attrs_from_map()Stephen Gallagher2012-05-1017-39/+62
| | | | | | | This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
* SYSDB: Add better error logging to sysdb_set_entry_attr()Stephen Gallagher2012-05-101-2/+8
|
* NSS: Add default_shell optionStephen Gallagher2012-05-097-1/+33
| | | | | | | This option will allow administrators to set a default shell to be used if a user does not have one set in the identity provider. https://fedorahosted.org/sssd/ticket/1289
* NSS: Add fallback_homedir optionStephen Gallagher2012-05-099-6/+68
| | | | | | | | This option is similar to override_homedir, except that it will take effect only for users that do not have an explicit home directory specified in LDAP. https://fedorahosted.org/sssd/ticket/1250
* Try all KDCs when getting TGT for LDAPJakub Hrozek2012-05-091-15/+18
| | | | | | | | When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
* Clearer documentation for use_fully_qualified_namesStef Walter2012-05-091-0/+5
| | | | * Previously only the side effect was described.
* Only reset kpasswd server status when performing a chpass operationJakub Hrozek2012-05-071-2/+3
| | | | https://fedorahosted.org/sssd/ticket/1316
* krb5 locator: Do not leak addrinfoJakub Hrozek2012-05-071-0/+2
|
* Special-case LDAP_SIZELIMIT_EXCEEDEDJakub Hrozek2012-05-071-4/+9
| | | | | | | | | | | | Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322
* Kerberos locator: Include the correct krb5.h header fileJakub Hrozek2012-05-072-2/+14
| | | | https://fedorahosted.org/sssd/ticket/1325
* Fix typo in debug messagePavel Březina2012-05-071-1/+1
|
* Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter2012-05-074-0/+181
| | | | | | | | | * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
* Remove erroneous failure message in find_principal_in_keytabStef Walter2012-05-072-2/+4
| | | | | * When it's actually a failure, then the callers will print a message. Fine tune this.
* If canon'ing principals, write ccache with updated default principalStef Walter2012-05-042-3/+8
| | | | | | | | | | | * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
* SSSDConfigAPI: Fix missing option in testsStephen Gallagher2012-05-041-0/+2
|
* Modify behavior of pam_pwd_expiration_warningJan Zeleny2012-05-049-52/+119
| | | | | | | | | | | | | | | | | | New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
generated by cgit (git 2.34.1) at 2024-05-07 13:47:10 +0000