path: root/src/db/sysdb_subdomains.c
Commit message (Author, Date, Files changed, Lines -/+)
* sdap: improve filtering of multiple results in GC lookups (Sumit Bose, 2016-03-01, 1 file, -0/+153)
  The Global Catalog of AD contains some information about all users and groups in an AD forest. Users from different domains in the forest can have the same name. The most obvious example is the Administrator user, which is present in all domains.

  Although SSSD uses a domain-specific search base for looking up users in the GC, the search might still return multiple results if there is a user with the same name in one of the child (or grand-child ...) domains because of the hierarchic nature of the LDAP tree. Limiting the search depth would not help because users can be created in deeply nested OUs.

  Currently SSSD expects in this case that the user object is stored in CN=Users or below. This works for all default users like Administrator, but in general users can be created anywhere in the directory tree. If a user is created outside of CN=Users and there is a user with the same name in a child domain, the initgroups command to look up the group memberships of the user fails because it is not clear which of the two results should be used (initgroups for the child domain user works fine).

  This patch adds an additional scheme to select the right result based on the domain component attribute name 'dc'. This attribute indicates an additional component in the domain name and hence a child domain. So as long as the result contains a dc component following our search base it cannot be the object we are looking for. This scheme includes the old CN=Users based one, but since it is more expensive I kept the old scheme, which so far worked all the time, and only use the new one if the old one fails.

  Resolves https://fedorahosted.org/sssd/ticket/2961

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
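The two selection schemes described in the commit message above, as an added Python example that is not SSSD's code (SSSD implements this in C inside the sdap provider). The search base and the Global Catalog result DNs are constructed sample data; DN matching is done case-insensitively on both attribute types and values, which is an assumption about how the directory compares DNs, and backslash-escaped commas inside RDN values are honoured.

```python
"""Pick the right object when a GC lookup returns several same-named users.

Added example, not SSSD code. Scheme 1 (cheap, used first): keep results
stored in CN=Users of the search base or below it. Scheme 2 (fallback):
drop every result that carries a 'dc' component between the leaf and the
search base, because such an object lives in a child domain.
"""
import re

# Split on commas that are not escaped with a backslash (RDN value escaping).
_UNESCAPED_COMMA = re.compile(r'(?<!\\),')

# Constructed sample data: the domain's search base and two GC hits for
# "Administrator", one in the domain itself, one in a child domain.
SEARCH_BASE = 'DC=example,DC=com'
SAMPLE_RESULTS = [
    'CN=Administrator,CN=Users,DC=child,DC=example,DC=com',
    'CN=Administrator,OU=Admins,DC=example,DC=com',
]


def split_dn(dn):
    """Return (type, value) pairs of a DN, leaf first; types are lower-cased."""
    parts = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        attr, _, value = rdn.partition('=')
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def _ends_with(dn_parts, base_parts):
    """True if dn_parts has base_parts as its suffix (case-insensitive values)."""
    if len(dn_parts) < len(base_parts):
        return False
    tail = dn_parts[len(dn_parts) - len(base_parts):]
    return all(a == b and va.lower() == vb.lower()
               for (a, va), (b, vb) in zip(tail, base_parts))


def components_below_base(dn, base):
    """RDN components of dn between the leaf and base, or None if dn is not under base."""
    dn_parts = split_dn(dn)
    base_parts = split_dn(base)
    if not _ends_with(dn_parts, base_parts):
        return None
    return dn_parts[:len(dn_parts) - len(base_parts)]


def select_by_cn_users(dns, base):
    """Old scheme: keep only results stored in CN=Users,<base> or below."""
    users_base = 'CN=Users,' + base
    return [dn for dn in dns if components_below_base(dn, users_base) is not None]


def select_by_dc(dns, base):
    """New scheme: reject results with a 'dc' component following the base."""
    kept = []
    for dn in dns:
        below = components_below_base(dn, base)
        if below is None:
            continue  # not under our search base at all
        if any(attr == 'dc' for attr, _ in below):
            continue  # extra domain component: object belongs to a child domain
        kept.append(dn)
    return kept


def pick_result(dns, base):
    """Try the cheap CN=Users scheme first, then the dc scheme.

    Returns the single surviving DN, or None when neither scheme yields
    exactly one candidate (the caller should then treat the lookup as
    ambiguous rather than guess).
    """
    for scheme in (select_by_cn_users, select_by_dc):
        hits = scheme(dns, base)
        if len(hits) == 1:
            return hits[0]
    return None


if __name__ == '__main__':
    print('CN=Users scheme:', select_by_cn_users(SAMPLE_RESULTS, SEARCH_BASE))
    print('dc scheme:      ', select_by_dc(SAMPLE_RESULTS, SEARCH_BASE))
    print('chosen:         ', pick_result(SAMPLE_RESULTS, SEARCH_BASE))
```

Running it shows the failure mode the commit fixes: for the sample data the CN=Users scheme finds nothing because the domain's own Administrator sits in OU=Admins, and only the dc scheme isolates it from the child-domain object. Two results that both carry a dc component below the base still leave the lookup ambiguous, which is the right outcome rather than silently picking the wrong principal.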
* sysdb: Use get_next_domain instead of dom->next (Michal Židek, 2015-10-23, 1 file, -2/+2)
  Recent get_next_domain refactoring enabled us to use it also for disabled domains.

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: Include disabled domains in link_forest_roots (Michal Židek, 2015-10-23, 1 file, -1/+1)
  Ticket: https://fedorahosted.org/sssd/ticket/2673

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* util: Update get_next_domain's interface (Michal Židek, 2015-10-23, 1 file, -3/+4)
  Update get_next_domain to be able to include disabled domains and change the interface to accept flags instead of multiple booleans.

  Ticket: https://fedorahosted.org/sssd/ticket/2673

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Convert domain->disabled into tri-state with domain states (Jakub Hrozek, 2015-09-21, 1 file, -2/+5)
  Required for: https://fedorahosted.org/sssd/ticket/2637

  This is a first step towards making it possible for a domain to be around, but not contacted by the Data Provider.

  Also explicitly create domains as active; previously we only relied on talloc_zero marking dom->disabled as false.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* views: Add is_default_view helper function (Michal Židek, 2015-07-02, 1 file, -2/+1)
  Ticket: https://fedorahosted.org/sssd/ticket/2641

  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SYSDB: Add a forest root attribute to sss_domain_info (Jakub Hrozek, 2015-06-14, 1 file, -0/+66)
  Instead of complex forest root search methods, establish the forest root during the subdomain list update. The subdomain code can then just use the forest_root pointer.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Add realm to sysdb_master_domain_add_info (Jakub Hrozek, 2015-06-14, 1 file, -1/+21)
  Adding realm to both master domain and subdomain will make it easier to set and select forest roots. Even master domains can be forest members, so it's preferable to avoid special-casing as much as possible.

  Includes a unit test.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private (Jakub Hrozek, 2015-06-14, 1 file, -0/+133)
  In order to make updating the subdomain list a two-step process, we need to make sure that update_subdomains() is the only interface towards the SSSD that changes the subdomain list. Move the new_subdomain() function to sysdb_subdomains.c and only make it available through a private header so it's usable by unit tests.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Store trust direction for subdomains (Jakub Hrozek, 2015-06-14, 1 file, -4/+47)
  We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
* sysdb: add view data to domains (Sumit Bose, 2014-10-20, 1 file, -0/+116)
  The information about the view is read from the cache and added to the domain structs accordingly.

  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Make DEBUG macro invocations variadic (Nikolai Kondrashov, 2014-02-12, 1 file, -22/+22)
  Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying the format string and its arguments directly, instead of wrapping them in parens.

  This script was used to update the code:

      grep -rwl --include '*.[hc]' DEBUG . |
      while read f; do
          mv "$f"{,.orig}
          perl -e \
              'use strict;
               use File::Slurp;
               my $text=read_file(\*STDIN);
               $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
               print $text;' < "$f.orig" > "$f"
          rm "$f.orig"
      done

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* responder: Set forest attribute in AD domains (Pavel Reichl, 2014-01-09, 1 file, -1/+34)
  Resolves: https://fedorahosted.org/sssd/ticket/2160
* IPA: store forest name for forest member domains (Sumit Bose, 2013-09-27, 1 file, -3/+48)
  In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
* Read enumerate state for subdomains from cache (Jakub Hrozek, 2013-08-28, 1 file, -1/+15)
  The enumerate flag will be read from the cache for subdomains and the domain object will be created accordingly.
* SYSDB: Store enumerate flag for subdomain (Jakub Hrozek, 2013-08-28, 1 file, -2/+25)
* DB: remove unused realm parameter from sysdb_master_domain_add_info (Jakub Hrozek, 2013-08-28, 1 file, -20/+1)
  The parameter was not used at all.
* DB: Update sss_domain_info with new updated data (Jakub Hrozek, 2013-08-28, 1 file, -5/+5)
* Read mpg state for subdomains from cache (Sumit Bose, 2013-06-28, 1 file, -5/+19)
  The mpg flag will be read from the cache for subdomains and the domain object will be created accordingly.
* Save mpg state for subdomains (Sumit Bose, 2013-06-28, 1 file, -3/+30)
  The information whether a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.
* Change the way domains are linked. (Simo Sorce, 2013-02-10, 1 file, -101/+66)
  - Use a double-linked list for domains and subdomains.
  - Never remove a subdomain, simply mark it as disabled if it becomes unused.
  - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or adds new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time; for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains.
  - Removes sysdb_get_subdomains()
  - Removes copy_subdomain()
  - Add sysdb_subdomain_delete()
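The refresh policy described in the commit message above (update entries found in the cache, add new ones, mark missing ones disabled, never remove), as an added Python example that is not SSSD's code. The Subdomain class is a constructed stand-in for the handful of sss_domain_info fields involved, and the domain names and ids in the usage are constructed sample data; a plain list stands in for the double-linked list.

```python
"""Refresh an in-memory subdomain list without ever removing entries.

Added example, not SSSD code. The point of "mark disabled, never remove"
is that every Subdomain object keeps its identity across a refresh, so a
reference another component still holds to it stays valid.
"""
from dataclasses import dataclass


@dataclass
class Subdomain:
    """Constructed subset of the subdomain fields involved in a refresh."""
    name: str
    flat_name: str
    domain_id: str
    disabled: bool = False


def update_subdomains(current, from_cache):
    """Merge the subdomains read from the cache into `current`, in place.

    - an entry already in `current` is refreshed and re-enabled,
    - an entry the cache no longer lists is marked disabled (not removed),
    - an entry not yet known is appended.
    Returns `current` so callers can chain on it.
    """
    by_name = {dom.name: dom for dom in current}
    seen = set()
    for fresh in from_cache:
        seen.add(fresh.name)
        known = by_name.get(fresh.name)
        if known is None:
            # Newly found in the cache: add a new object at the end.
            current.append(Subdomain(fresh.name, fresh.flat_name, fresh.domain_id))
        else:
            # Already known: update the existing object, never swap it out.
            known.flat_name = fresh.flat_name
            known.domain_id = fresh.domain_id
            known.disabled = False
    for dom in current:
        if dom.name not in seen:
            # Gone from the cache: keep the object, just disable it.
            dom.disabled = True
    return current


def active_names(domains):
    """Names of the subdomains that may currently be used."""
    return [dom.name for dom in domains if not dom.disabled]


if __name__ == '__main__':
    # Constructed sample: one subdomain disappears, one new one shows up.
    doms = [Subdomain('a.example.com', 'A', 'id-a'),
            Subdomain('b.example.com', 'B', 'id-b')]
    update_subdomains(doms, [Subdomain('a.example.com', 'A', 'id-a'),
                             Subdomain('c.example.com', 'C', 'id-c')])
    print(active_names(doms))          # a and c usable, b kept but disabled
    print([d.name for d in doms])      # b is still in the list
```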
* Remove sysdb_subdom completely (Simo Sorce, 2013-02-10, 1 file, -19/+5)
  struct sss_domain_info is always used to represent domains now. Adjust tests accordingly.
* Add sysdb_subdomain_store() function (Simo Sorce, 2013-02-10, 1 file, -37/+98)
  Replaces sysdb_add_subdomain_attributes and is a public sysdb interface.
* Refactor sysdb_master_domain_add_info() (Simo Sorce, 2013-02-10, 1 file, -24/+19)
* Update main domain info in place (Simo Sorce, 2013-02-10, 1 file, -32/+29)
* Avoid sysdb_subdom in sysdb_get_subdomains() (Simo Sorce, 2013-02-10, 1 file, -55/+35)
* Stop creating fake sysdb contexts (Simo Sorce, 2013-01-15, 1 file, -20/+0)
  Now that the sysdb context does not contain domain related data anymore, we can simply stop creating fake sysdb contexts and just reference the parent context.
* Kill sysdb->domain (Simo Sorce, 2013-01-15, 1 file, -2/+0)
  Finally remove this upside-down dependency.
* Move mpg flag to the domain where it belongs (Simo Sorce, 2013-01-15, 1 file, -1/+0)
  A sysdb now contains multiple domains, but the mpg property is a property of a specific domain, not of the underlying database.
* Add domain to some subdomain functions (Simo Sorce, 2013-01-15, 1 file, -5/+6)
* Add domain argument to sysdb_delete_group() (Simo Sorce, 2013-01-15, 1 file, -15/+0)
  Also remove sysdb_delete_domgroup()
* Add domain argument to sysdb_delete_user() (Simo Sorce, 2013-01-15, 1 file, -8/+0)
  Also remove sysdb_delete_domuser()
* Add domain argument to sysdb_store_group() (Simo Sorce, 2013-01-15, 1 file, -13/+0)
  Also remove sysdb_store_domgroup()
* Add domain argument to sysdb_store_user() (Simo Sorce, 2013-01-15, 1 file, -18/+0)
  Also remove sysdb_store_domuser()
* Add domain to sysdb_search_group_by_gid() (Simo Sorce, 2013-01-15, 1 file, -11/+0)
  Also remove unused sysdb_search_domgroup_by_gid()
* Add domain to sysdb_search_group_by_name() (Simo Sorce, 2013-01-15, 1 file, -12/+0)
  Also remove unused sysdb_search_domgroup_by_name()
* Add domain to sysdb_search_user_by_uid() (Simo Sorce, 2013-01-15, 1 file, -11/+0)
  Also remove unused sysdb_search_domuser_by_uid()
* Add domain to sysdb_search_user_by_name() (Simo Sorce, 2013-01-15, 1 file, -11/+0)
  Also remove unused sysdb_search_domuser_by_name()
* Pass domain to sysdb_get<pw/gr>nam() functions (Simo Sorce, 2013-01-15, 1 file, -40/+0)
  Also allows us to remove the sysdb_subdom_get<pw/gr>nam() wrappers and restore the proper value of fqnames in subdomains, by testing for a parent domain being present or not.
* LDAP: Only convert direct parents' ghost attribute to member (Jakub Hrozek, 2012-11-20, 1 file, -1/+1)
  https://fedorahosted.org/sssd/ticket/1612

  This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents.

  As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback.

  The original member attributes are only saved if the LDAP schema supports nesting.
* Refactor the way subdomain accounts are saved (Simo Sorce, 2012-11-19, 1 file, -0/+40)
  The original sysdb code had a strong assumption that only users from one domain are saved in the database; with the subdomain feature we have changed reality, but have not adjusted all the code around the sysdb calls to not rely on the original assumption.

  One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should.

  In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and have group memberships or other name based matching code mistake a domain user for a subdomain user or vice versa.
* sysdb_master_domain_get_info: fix copy-and-paste error (Sumit Bose, 2012-10-01, 1 file, -2/+2)
* SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains} (Jakub Hrozek, 2012-09-10, 1 file, -1/+3)
* Unify usage of sysdb transactions (part 2). (Michal Zidek, 2012-09-04, 1 file, -3/+3)
* Change refreshing of subdomains (Simo Sorce, 2012-08-01, 1 file, -6/+7)
  This patch keeps a local copy of the subdomains in the ipa subdomains plugin context. This has 2 advantages:
  1. allows to check if anything changed w/o always hitting the sysdb.
  2. later will allow us to dump this information w/o having to retrieve it again.

  The timestamp also allows to avoid refreshing too often.
* Add realm parameter to subdomain list (Simo Sorce, 2012-08-01, 1 file, -0/+58)
  This will be used later for setting domain_realm mappings in krb5.conf
* Fix return error and debug message (Simo Sorce, 2012-08-01, 1 file, -2/+7)
  The debug message was trying to print the number of returned entries, but no integer was provided. Return ENOENT as the error for when there are no entries, not EINVAL.
* Use ldb_msg_add_string with bare strings (Simo Sorce, 2012-08-01, 1 file, -9/+7)
* Fix wrong elements used in comparison (Simo Sorce, 2012-08-01, 1 file, -2/+2)
* Fix double semi-colons (Simo Sorce, 2012-08-01, 1 file, -5/+5)