summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* nss: use negative cache for sid-by-id requestswip-viewsSumit Bose2015-07-221-0/+55
|
* negcache: allow domain name for UID and GIDSumit Bose2015-07-227-49/+82
|
* IPA: Remove MPG groups if getgrgid was called before getpw()Jakub Hrozek2015-07-221-2/+29
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2724 This bug only affects IPA clients that are connected to IPA servers with AD trust and ID mapping in effect. If an IPA client calls getgrgid() for an ID that matches a user, the user's private group would be returned and stored as a group entry. Subsequent queries for that user would fail, because MPG domains impose uniqueness restriction for both the ID and name space across groups and users. To work around that, we remove the UPG groups in MPG domains during a group lookup.
* UPN sub-domain fixSumit Bose2015-07-173-28/+63
|
* WIP: p11-kit version of p11_childSumit Bose2015-07-171-0/+120
|
* ssh: generate public keys from certificateSumit Bose2015-07-1710-11/+259
| | | | Resolves: https://fedorahosted.org/sssd/ticket/2711
* pam_sss: add sc supportSumit Bose2015-07-172-1/+95
|
* PAM: add certificate support to PAM (pre-)auth requestsSumit Bose2015-07-1714-39/+1372
|
* authok: add support for Smart Card related authtokensSumit Bose2015-07-174-0/+187
|
* pack_message_v3: allow empty nameSumit Bose2015-07-171-3/+4
|
* Add NSS version of p11_childSumit Bose2015-07-172-1/+658
|
* utils: add NSS version of cert utilsSumit Bose2015-07-175-6/+243
|
* sysdb_set_entry_attr: dump attributes and values on errorSumit Bose2015-07-171-0/+11
|
* Add alternatives support for libwbclientSumit Bose2015-07-171-0/+21
|
* Update few debug messagesLukas Slebodnik2015-07-172-5/+7
| | | | | | | | | It reduces a noise caused by canonicalization of non-existing user. Resolves: https://fedorahosted.org/sssd/ticket/2678 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* nss_check_name_of_well_known_sid() improve name splittingSumit Bose2015-07-163-41/+62
| | | | | | | | | | | | | | | Currently in the default configuration nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default, additionally if the name could not be split nss_check_name_of_well_known_sid() returns ENOENT which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Use NSCD path in execl()Jakub Hrozek2015-07-151-1/+1
| | | | | | | | | | man execl says: The first argument, by convention, should point to the filename associated with the file being executed. We used just 'nscd' instead. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Return right data provider error codeLukas Slebodnik2015-07-151-1/+1
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2719 Reviewed-by: Michal Židek <mzidek@redhat.com>
* IFP: Add wildcard requestsJakub Hrozek2015-07-157-0/+472
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2553 Can be used as: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 By default the wildcard_limit is unset, that is, the request will return all cached entries that match. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add the wildcard_limit optionJakub Hrozek2015-07-1511-2/+39
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add sdap_lookup_type enumJakub Hrozek2015-07-156-33/+73
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Change the boolan parameter of sdap_get_users_send and sdap_get_groups_send to a tri-state that controls whether we expect only a single entry (ie don't use the paging control), multiple entries with a search limit (wildcard request) or multiple entries with no limit (enumeration). Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Use sdap_get_and_parse_generic_/_recvJakub Hrozek2015-07-152-8/+8
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Using the new request sdap_get_and_parse_generic_send is a separate commit so that we can audit where the function is used during a code review. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add sdap_get_and_parse_generic_sendJakub Hrozek2015-07-152-35/+136
| | | | | | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 So far we had a simple sdap_get_generic_send() request that uses the right defaults around the low-level sdap_get_generic_ext_send() request and calls the parser. This patch adds also sdap_get_and_parse_generic_send() that exposes all options that sdap_get_generic_ext_send() offers but also calls the parser. In this patch the function is not used at all. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Fetch users and groups using wildcardsJakub Hrozek2015-07-152-2/+51
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far it's the same code as if enumeration was used, so there are no limits. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Add sss_filter_sanitize_exJakub Hrozek2015-07-153-3/+39
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 In order to support wildcard request, we need to introduce an optionally relaxed version of sss_filter_sanitize that allows to select which characters are exempt from sanitizing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* cache_req: Extend cache_req with wildcard lookupsJakub Hrozek2015-07-153-15/+579
| | | | | | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds two new functions to the cache_req API: - cache_req_user_by_filter_send - cache_req_group_by_filter_send These functions can be used to retrieve users or groups that match a specified filter. Also renames a variable to avoid constant confusion -- the variable is only used for debug output. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUPJakub Hrozek2015-07-154-1/+23
| | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Extends the Data Provider interface and the responder<->Data provider interface with wildcard lookups. The patch uses a new "wildcard" prefix rather than reusing the existing user/group prefixes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Add functions to look up multiple entries including name and custom ↵Jakub Hrozek2015-07-153-19/+631
| | | | | | | | | | | | | | | | | | | filter Related: https://fedorahosted.org/sssd/ticket/2553 Adds new sysdb function: - sysdb_enumpwent_filter - sysdb_enumpwent_filter_with_views - sysdb_enumgrent_filter - sysdb_enumgrent_filter_with_views These are similar to enumeration functions, but optionally allow to specify a filter to be applied on user/group names. Also an additional custom filter can be applied. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* tests: Move N_ELEMENTS definition to tests/common.hJakub Hrozek2015-07-154-9/+2
| | | | | | Avoids code duplication Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* test common: sss_dp_get_account_recv() fix assignmentSumit Bose2015-07-141-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Updating the version for 1.13.1 developmentJakub Hrozek2015-07-061-1/+1
|
* Updating the version for the 1.13.0 releaseJakub Hrozek2015-07-061-1/+1
|
* Updating the translations for the 1.13.0 releaseJakub Hrozek2015-07-0638-7772/+6764
|
* PAM: Only cache first-factorJakub Hrozek2015-07-061-1/+20
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* Minor code improvementsPavel Reichl2015-07-064-4/+3
| | | | | | | | pam_helpers.h had to be included after util.h. Removed exara empty line. Fixed code alignment Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: authenticate agains cachePavel Reichl2015-07-068-8/+261
| | | | | | | | | | | Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: new attribute lastOnlineAuthWithCurrentTokenPavel Reichl2015-07-062-0/+67
| | | | | | | | | | | | | | Introduce new user attribute lastOnlineAuthWithCurrentToken. This attribute behaves similarly to lastOnlineAuth but is set to NULL after password is changed. This attribute is needed for use-case when cached authentication is used, to request online authentication after password is locally changed. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Add and use krb5_auth_queue_send to queue requests by defaultJakub Hrozek2015-07-068-54/+587
| | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2701 Previously, only the krb5 provides used to queue requests, which resulted in concurrent authentication requests stepping on one another. This patch queues requests by default. Reviewed-by: Sumit Bose <sbose@redhat.com>
* tests: Reduce duplication with new function test_ev_doneJakub Hrozek2015-07-065-15/+16
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* sss_client: Re-check memcache after acquiring the lockLukas Slebodnik2015-07-032-0/+106
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2581 Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_client: Use unique lock for memory cacheLukas Slebodnik2015-07-033-4/+26
| | | | | | | | | | | | Previously the sma lock was used as for communication with responder. However it would cause a deadlock in case of re-checking memcache after acquiring the lock and before communication with responder.. Required by: https://fedorahosted.org/sssd/ticket/2581 Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_cache: Clear also initgroups fast cacheLukas Slebodnik2015-07-031-0/+10
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_client: Use initgr mmap cache in client codeLukas Slebodnik2015-07-034-1/+193
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>
* nss: Invalidate entry in initgr mmap cacheLukas Slebodnik2015-07-031-0/+32
| | | | | | | | | | If user is removed from sysdb cache then it should be also removed from initgroups memory cache. Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>
* mmap_cache: Invalidate entry in right memory cacheLukas Slebodnik2015-07-031-8/+25
| | | | | | | | | If group was not found in nss_cmd_getgrnam_search then we tied to invalidate entry in memory cache. But function delete_entry_from_memory cache only invalidated in passwd memory cache. Reviewed-by: Michal Židek <mzidek@redhat.com>
* nss: Store entries in responder to initgr mmap cacheLukas Slebodnik2015-07-036-4/+124
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>
* test_ipa_subdomains_server: Fix build with --coverageLukas Slebodnik2015-07-022-0/+7
| | | | | | | | | | | It seems that gcc did some optimization and used execve instead of execle when the code was instrumented for coverage analysis. So the exec* function was not wrapped and it tried to call real binary ipa-getkeytab Reviewed-by: Michal Židek <mzidek@redhat.com>
* MONITOR: Do not report missing file as fatal in monitor_config_fileMichal Židek2015-07-021-5/+5
| | | | | | | resolv.conf can be missing during boot. This is not fatal and we will check for its existence later. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MONITOR: Poll for resolv.conf if not available during bootMichal Židek2015-07-021-2/+36
| | | | | | | | | | If resolv.conf is not available when SSSD is starting, check for its existence later. Ticket: https://fedorahosted.org/sssd/ticket/2590 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* views: Add is_default_view helper functionMichal Židek2015-07-026-22/+22
| | | | | | | Ticket: https://fedorahosted.org/sssd/ticket/2641 Reviewed-by: Pavel Reichl <preichl@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-24 11:59:36 +0000