| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
Allow option "timeout" for all sevices.
Also remove unused macro CONFDB_SERVICE_TIMEOUT.
Resolves:
https://fedorahosted.org/sssd/ticket/3068
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
src/confdb/confdb.h:572: warning: argument 'memctx' of command @param
is not found in the argument list of
confdb_get_sub_sections(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
const char *section, char ***sections, int *num_sections)
src/confdb/confdb.h:592: warning: The following parameters of
confdb_get_sub_sections(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
const char *section, char ***sections, int *num_sections)
are not documented:
src/lib/idmap/sss_idmap.h:315: warning: argument 's_cv' of command @param
is not found in the argument list of
sss_idmap_add_auto_domain_ex(struct sss_idmap_ctx *ctx,
const char *domain_name, const char *domain_sid,
struct sss_idmap_range *range, const char *range_id, uint32_t rid,
bool external_mapping, idmap_store_cb cb, void *pvt)
src/lib/idmap/sss_idmap.h:94: warning: The following parameters of
sss_idmap_add_auto_domain_ex(struct sss_idmap_ctx *ctx,
const char *domain_name, const char *domain_sid,
struct sss_idmap_range *range, const char *range_id, uint32_t rid,
bool external_mapping, idmap_store_cb cb, void *pvt)
are not documented:
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python3.5 CFLAGS contains warning Wsign-compare and file confdb_setup.c
was added to SSSD_TOOLS_OBJ which is required for python3-sss (pysss.so)
src/confdb/confdb_setup.c: In function 'confdb_purge':
src/confdb/confdb_setup.c:95:15: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
for(i=0; i<res->count; i++) {
^
src/confdb/confdb_setup.c: In function 'confdb_init_db':
src/confdb/confdb_setup.c:219:25: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
if (ret <= 0 || ret >= sizeof(timestr)) {
^
cc1: all warnings being treated as errors
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The secrets database will have "subsections", ie sections that are in the
"secrets" namespace and look like this: [secrets/<path>]
This function allows to source any section under secrets/ or under any
arbitrary sub-path.
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2028
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2028
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2247
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
So tools (especially sssctl) may be run even when databases where
removed.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Our users constantly make the mistake of typing `debug = 9` in the
sssd.conf instead of `debug_level = 9` as would be correct. This
happens frequently-enough that we should just alias it rather than
continue to have people make mistakes.
Resolves:
https://fedorahosted.org/sssd/ticket/2999
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds new option 'neg_cache_locals_timeout' into section
of NSS responder. It allows negative caching of local groups and
users. Default value is 0 which means no caching.
Resolves:
https://fedorahosted.org/sssd/ticket/2928
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch makes SSSD possibly useful "out of the box" by allowing
packagers to provide a default config file located in $LIBDIR/sssd/conf
that will be copied by the monitor to /etc/sssd if no file already
exists in that location. This will make it possible to have SSSD set up
to have distribution-specific default configuration, such as enabling
the proxy provider to cache /etc/passwd (such as in the provided
example in this patch).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
New name is SSSD_CONFIG_FILE. This is done because we will start to
ship a static default configuration in addition to the runtime
configuration.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2158
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This option is an optional one that is run when a sbus ping times out
and before a SIGKILL signal is sent.
It is undocumented by default.
diag_cmd (string):
A command that should be run for diagnostic purpose when an sbus timeout
fails. The option value may contain %p which would be expanded for the
process ID of the process that timed out
Example:
pstack %p
This setting would print the stackstrace of the service whose ping timed out.
Default: not set.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Update get next domain to be able to
include disbled domains and change the
interface to accept flags instead of
multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There are many calls of umask function with 0177 argument. This patch
add new constant SSS_DFL_UMASK which stands for 0177. So all occurences
of umask(0177) (except responder code) are replaced by constant
SSS_DFL_UMASK.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Only group and user records are cached in memory cache so only timeouts
for those are checked.
Resolves:
https://fedorahosted.org/sssd/ticket/2176
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Default to config file version 2 if the version
is not specified explicitly.
Ticket:
https://fedorahosted.org/sssd/ticket/2688
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit changes the default ordering logic (lower value wins) to
a correct one that is used by native ldap support. It also adds a new
option sudo_inverse_order to switch to the original SSSD (incorrect)
behaviour if needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2682
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Resolves: https://fedorahosted.org/sssd/ticket/2711
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2553
Can be used as:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.ListByName \
string:r\* uint32:10
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Groups \
org.freedesktop.sssd.infopipe.Groups.ListByName \
string:r\* uint32:10
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \
string:ipaldap string:r\* uint32:10
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Groups \
org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \
string:ipaldap string:r\* uint32:10
By default the wildcard_limit is unset, that is, the request will return
all cached entries that match.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Instead of complex forest root search methods, establish forest root
during subdomain list update. The subdomain code can then just use the
forest_root pointer.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We need to store the subdomain trust direction in order to recover the
structure after SSSD restart.
The trust direction is a plain uint32_t to avoid leaking the knowledge
about AD trust directions to sysdb while at the same time making it easy
to compare values between sysdb and LDAP and avoid translating the
values.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2569
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
| |
The last parameter (value) in the confdb_set_string
is not modified, so it makes sense to make it const
to avoid unnecessary warnings or casts.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2102
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds a option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To let the responders know which view is applied and to make view
handling more efficiently especially when no view is applied/available
two new member are added to the sss_domain_info struct.
view_name is the name of the view if available. has_views is only true
if the client has a specific view applied, i.e. it is false for the case
when there are no views at all (e.g. plain LDAP provider) or the client
has the FreeIPA default view. This allows the responders to easily
bypass any view related code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
pam_public_domains option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2358
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If case_sensitivity is set to 'preserving', getXXnam
returns name attribute in the same format as
stored in LDAP.
Fixes:
https://fedorahosted.org/sssd/ticket/2367
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Part of fix for:
https://fedorahosted.org/sssd/ticket/2367
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch add possibility to replace whitespace in user and group names with
a specified string. With string "-", sssd will return the same result as
winbind enabled option "winbind normalize names"
Resolves:
https://fedorahosted.org/sssd/ticket/1854
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
