summaryrefslogtreecommitdiffstats
path: root/src/providers/ipa
Commit message (Collapse)AuthorAgeFilesLines
* IPA: Use GC for AD initgroup requestsHEADmasterSumit Bose2014-03-061-6/+15
|
* IPA: Do not save intermediate data to sysdbJakub Hrozek2014-03-051-28/+28
|
* ipa-server-mode: use lower-case user name for home dirSumit Bose2014-03-031-1/+10
| | | | | | | In older IPA server versions where the AD users where looked up by winbind the user name component of the home directory path was always lower case. This still holds for IPA clients as well. To avoid regression this patch makes the user name component lower case as well.
* IPA: check ranges for collisions before saving themSumit Bose2014-02-261-20/+64
| | | | | | Fixes https://fedorahosted.org/sssd/ticket/2253 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: refactor idmap code and add testSumit Bose2014-02-262-147/+108
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Fix DEBUG message formattingJakub Hrozek2014-02-251-1/+1
|
* IPA: Don't fail if apply_subdomain_homedir returns ENOENTJakub Hrozek2014-02-201-1/+1
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Don't call tevent_req_post outside _sendJakub Hrozek2014-02-201-1/+0
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: default krb5_fast_principal to host/$client@$realmPavel Březina2014-02-171-3/+5
| | | | | | | | If krb5_fast_principal is not set in sssd.conf it was set to host/$client, KRB5 default realm was used which doesn't have to be the same as realm used for IPA, thus authentication failed when using FAST. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* IPA: Default to krb5_use_fast=tryJakub Hrozek2014-02-132-1/+28
| | | | | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* Update DEBUG* invocations to use new levelsNikolai Kondrashov2014-02-1211-154/+194
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make DEBUG macro invocations variadicNikolai Kondrashov2014-02-1225-758/+758
| | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* LDAP: Detect the presence of POSIX attributesJakub Hrozek2014-02-121-1/+1
| | | | | | | | | | | | | | | | | | | When the schema is set to AD and ID mapping is not used, there is a one-time check ran when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code. The sdap_server_opts structure is filled every time a client connects to a server so the posix check boolean is reset to false again on connecting to the server. It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: support for subdomain_homedirPavel Reichl2014-02-051-0/+190
| | | | | | | Homedir is defaultly set accordingly to subdomain_homedir for users from AD. Resolves: https://fedorahosted.org/sssd/ticket/2169
* LDAP: Pass a private context to enumeration ptask instead of hardcoded ↵Jakub Hrozek2014-01-291-3/+5
| | | | | | | | | | connection Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.
* responder: Set forest attribute in AD domainsPavel Reichl2014-01-091-1/+1
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2160
* IPA: fix for recent AD group membership changesSumit Bose2014-01-081-0/+2
|
* Add new option ldap_group_typeSumit Bose2013-12-191-0/+1
|
* IPA: Call ipa_ad_subdom_refresh when server mode is initializedJakub Hrozek2013-12-191-6/+14
| | | | | | ipa_ad_subdom_refresh was called before IPA server context was initialized. On IPA server, this caused the code to dereference a NULL pointer and crash.
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive aliasSumit Bose2013-12-191-21/+6
|
* IPA: Refresh subdomain data structures on startupJakub Hrozek2013-12-181-19/+32
| | | | | Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.
* SUBDOMAINS: Reuse cached results if DP is offlineJakub Hrozek2013-12-091-2/+6
| | | | | | | | | | If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL. Which meant that no DP request matched any known domain and hence offline authentication was not working correctly. Resolves: https://fedorahosted.org/sssd/ticket/2168
* Remove unused parameter from ipa_save_netgroupLukas Slebodnik2013-11-271-2/+1
|
* Remove unused parameter from sss_selinux_extract_userLukas Slebodnik2013-11-271-1/+1
|
* SYSDB: Drop redundant sysdb_ctx parameter from sysdb.cMichal Zidek2013-11-153-9/+5
|
* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)Michal Zidek2013-11-159-19/+17
|
* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)Michal Zidek2013-11-152-5/+4
|
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_ssh moduleMichal Zidek2013-11-151-4/+2
|
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_search moduleMichal Zidek2013-11-151-2/+1
|
* SYSDB: Drop the sysdb_ctx parameter from SELinux functionsJakub Hrozek2013-11-151-7/+6
|
* Merge ipa_selinux_common.c and ipa_selinux.cJakub Hrozek2013-11-153-110/+46
| | | | | Moved unused functions and merged ipa_selinux_common.c into ipa_selinux.c
* Add ldap_autofs_map_master_name optionCove Schneider2013-11-121-0/+1
|
* ipa: destroy cleanup task when subdomain is removedPavel Březina2013-10-251-0/+1
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: free sdap domain if subdomain is removedPavel Březina2013-10-251-0/+4
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/1968
* dp: make subdomains refresh interval configurablePavel Březina2013-10-251-3/+4
| | | | | | | | | | This patch makes the refresh of available subdomains configurable. New option: subdomain_refresh_interval (undocumented) Resolves: https://fedorahosted.org/sssd/ticket/1968
* LDAP: Amend sdap_access_check to allow any connectionJakub Hrozek2013-10-251-2/+11
| | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2082 Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* IPA: add trusted domains with missing idrangeSumit Bose2013-10-251-0/+137
| | | | | | | | | | If the forest root of a trusted forest is managing POSIX IDs for its users and groups the same is assumed for all member domains in the forest which do not have explicitly have an idrange set. To reflect this SSSD will create the matching ranges automatically. Fixes https://fedorahosted.org/sssd/ticket/2101
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argumentSumit Bose2013-10-251-1/+1
| | | | | | | | | | | | | When libss_idmap was only used to algorithmically map a SID to a POSIX ID a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if not specific information about the domain was found. The lead to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* subdomains: first destroy ptask then remove sdomPavel Březina2013-10-241-3/+3
| | | | | be_ptask_destroy was unreachable since sdom is not present in the list of sdap domains any more.
* IPA: add callback to reset subdomain timeoutsSumit Bose2013-10-221-0/+23
| | | | Fixes https://fedorahosted.org/sssd/ticket/2030
* IPA: Do not enable IPA sites in server modeJakub Hrozek2013-10-221-17/+20
| | | | | When running in IPA server mode, the IPA sites should be ignored and the SSSD should only connect to the local server.
* IPA: Remove unused memory context.Lukas Slebodnik2013-10-221-3/+1
| | | | | Parameter mem_ctx was unused in static function get_password_migration_flag_recv
* IPA server mode: properly initialize ext_groupsSumit Bose2013-10-161-1/+2
|
* Do not return DP_ERR_FATAL in case of successSumit Bose2013-09-271-1/+5
|
* ipa_server_mode: write capaths to krb5 include fileSumit Bose2013-09-271-1/+3
| | | | | | | | | | | | If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this works requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
* IPA: store forest name for forest member domainsSumit Bose2013-09-271-1/+86
| | | | | In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
* IPA: Ignore dns_discovery_domain in server modeJakub Hrozek2013-09-261-0/+36
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2079 If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
* Include header file in implementation module.Lukas Slebodnik2013-09-243-0/+3
| | | | | Declarations of public functions was in header files, but header files was not included in implementation file.
* LDAP: sdap_id_setup_tasks accepts a custom enum requestJakub Hrozek2013-09-181-1/+3
| | | | AD provider will override the default with its own.
* util: add sss_idmap_talloc[_free]Pavel Březina2013-09-171-14/+3
| | | | Remove code duplication.
generated by cgit (git 2.34.1) at 2026-01-02 04:41:56 +0000