path: root/src/providers
Commit log (commit message, author, date, files changed, lines -removed/+added):
* dyndns: Add checks for NULL (Michal Židek, 2016-07-13, 1 file changed, -0/+20)
  Fixes: https://fedorahosted.org/sssd/ticket/3076
  We segfaulted in this area once. This patch makes the code more defensive and adds some DEBUG messages. Normally the structures are filled in online and/or resolve callbacks.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* PROVIDERS: Setting right {u,g}id if unprivileged (Petr Cech, 2016-07-12, 1 file changed, -0/+2)
  be_ctx had talloc_zero()-initialized uid and gid, which were used in the function dp_init(). Therefore the back-end was started as root every time, and non-root responders could not communicate with the back-end due to wrong permissions of the unix sockets. This patch sets the right uid and gid for data providers if sssd runs as a non-root user.
  Resolves: https://fedorahosted.org/sssd/ticket/3077
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* FO: Set port to NOT_WORKING when trying a next server (Jakub Hrozek, 2016-07-12, 1 file changed, -1/+1)
  Resolves: https://fedorahosted.org/sssd/ticket/3009
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Lookup services by all protocols unless a protocol is specified (Jakub Hrozek, 2016-07-07, 1 file changed, -2/+5)
  The DP refactoring changed the way we handle strings from sbus. We no longer receive NULL strings, but empty strings instead.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM/KRB5: optional otp and password prompting (Sumit Bose, 2016-07-07, 1 file changed, -3/+82)
  Depending on the available Kerberos pre-authentication methods, pam_sss will prompt the user for a password, 2 authentication factors or both.
  Resolves: https://fedorahosted.org/sssd/ticket/2988
  Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* fix some 'might be used uninitialized' warnings (Sumit Bose, 2016-07-07, 1 file changed, -0/+5)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Qualify user and group names when saving the sudo users (Jakub Hrozek, 2016-07-07, 1 file changed, -0/+62)
  If the sudoUser values we fetch from LDAP correspond to a user or a group name per http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html then we parse the usernames into (name,domain) tuples and store them qualified.
  This patch not only makes the sudo provider work with qualified names, but also makes it possible to use qualified names on the LDAP side, allowing for example AD users from different domains to access sudo rules.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Save sudoUser qualified in the cache (Jakub Hrozek, 2016-07-07, 3 files changed, -20/+35)
  When converting from the native IPA schema to the sysdb sudo schema, qualify sudoUser attributes that contain user and group names.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SELINUX: Parse the internal fqname before using it (Jakub Hrozek, 2016-07-07, 1 file changed, -26/+5)
  libselinux uses getpwnam() to retrieve the user data, therefore we qualify the data with sss_output_name() before calling libselinux.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: HBAC evaluator consumes shortnames (Jakub Hrozek, 2016-07-07, 1 file changed, -10/+28)
  SSSD uses an internal format to store user and group names, but the libhbac_ipa library uses only short names. Un-qualify the names before passing them on to the HBAC evaluator.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: make get_object_from_cache() aware of UPN searches (Sumit Bose, 2016-07-07, 3 files changed, -7/+38)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add missing user name to homedir_ctx (Sumit Bose, 2016-07-07, 1 file changed, -0/+1)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: expand name in ipa_add_ad_memberships_get_next() (Sumit Bose, 2016-07-07, 1 file changed, -1/+13)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Use internal fqname format instead of parsing NSS names (Jakub Hrozek, 2016-07-07, 3 files changed, -67/+147)
  Parsing the extdom plugin output is an "input" operation from the point of the IPA provider, so we need to parse the name and conversely, internally use only the qualified name.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: No need to separately qualify subdomain users anymore (Jakub Hrozek, 2016-07-07, 1 file changed, -11/+2)
  All usernames across SSSD are stored in the same manner, so there's no need to create per-domain names anymore.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Use shortname when expanding the user template in Kerberos ccache (Jakub Hrozek, 2016-07-07, 1 file changed, -4/+4)
  Creating the username part of the ccache file is an output operation, so it makes sense to use sss_output_name() there, which parses the name out of the internal qualified name.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Rely on sysdb names for the renewal task (Jakub Hrozek, 2016-07-07, 1 file changed, -18/+6)
  The domain name is part of the domain name, so we can parse it from there instead of relying on DN components.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Rely on internal fqname when constructing UPNs (Jakub Hrozek, 2016-07-07, 1 file changed, -10/+9)
  Because internally we use the same name format for all users and groups regardless of the domain they belong to, we can parse the username from the qualified name in a simpler manner.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* PROXY: Use fully qualified names internally (Jakub Hrozek, 2016-07-07, 2 files changed, -43/+137)
  Only use shortnames to interact with the system.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: fix typo (Sumit Bose, 2016-07-07, 1 file changed, -1/+1)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: The access control filter just needs the plain username (Jakub Hrozek, 2016-07-07, 1 file changed, -3/+2)
  The LDAP access control code uses shortnames to construct an LDAP filter.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Delete cache entry if not found by UPN (Jakub Hrozek, 2016-07-07, 1 file changed, -0/+19)
  Previously, the user account was only looked up by name when the LDAP provider didn't match any entry on the server side. This patch removes the entry from the cache with the matching function, either by name or by UPN.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use FQDNs when saving incomplete groups (Jakub Hrozek, 2016-07-07, 1 file changed, -4/+4)
  Even incomplete groups must be stored using the internal name format instead of whatever we receive from LDAP.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use fqdns during nested RFC2307 initgroups (Jakub Hrozek, 2016-07-07, 1 file changed, -19/+3)
  All user and group names are already qualified at this point, so let's remove the special case that stored users from trusted domains qualified.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: make it clear that sdap_add_incomplete_groups operates on sysdb names (Jakub Hrozek, 2016-07-07, 2 files changed, -6/+6)
  Just provides a more descriptive name of a function parameter.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Add a utility function to return a list of qualified names (Jakub Hrozek, 2016-07-07, 2 files changed, -5/+5)
  Adds a utility function the LDAP provider can use. This is different from sss_create_internal_fqname_list in the sense that the LDAP provider passes in the attribute name that contains the name attribute value.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Convert RFC2307 member attribute values to FQDN-style ghostnames before acting on them (Jakub Hrozek, 2016-07-07, 1 file changed, -2/+12)
  Ghostnames must be qualified as well, same as all other name attributes across SSSD. The ghost names are used by the NSS responder during getgr* output and the domain name parsed from the name is used in the output.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: save users with FQDN (Jakub Hrozek, 2016-07-07, 1 file changed, -4/+38)
  The username we receive from LDAP is a short name. Convert it to a qualified name before saving the user.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use shortname for LDAP queries (Jakub Hrozek, 2016-07-07, 2 files changed, -29/+103)
  When looking up users or groups by name, we need to use the plain username in the filter. The domain is typically signified by the search base. When looking up by UPN, we can keep using the raw value from the DP.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Rename DP filter value from name to filter_value (Jakub Hrozek, 2016-07-07, 3 files changed, -63/+66)
  filter_value is a better name, because we don't look up just by name; the same variable is used to look up certificates etc.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: expand_homedir_template manages usernames internally (Jakub Hrozek, 2016-07-07, 2 files changed, -13/+3)
  expand_homedir_template() can be considered an outward-facing interface, therefore the function and its input structure will accept the internal name format and parse it internally into a username and domain component.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SIMPLE: Make the simple access provider work with qualified names (Jakub Hrozek, 2016-07-07, 1 file changed, -19/+19)
  This patch adds a behaviour change to the simple access provider: the simple access list is parsed on the access check itself, which is when the name contexts of all domains have already been established and we are already able to parse the names in the config files with sss_parse_names.
  We need to support "input names" in the simple access provider because it needs to support flat names, which rely on knowing the details about a domain.
  The simple_access_obtain_filter_lists is intentionally made non-static in order to be called from tests which initialize the name contexts on their own.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: Store SID members during AD initgroups with a qualified name (Michal Zidek, 2016-07-07, 1 file changed, -1/+6)
  This is to be consistent with how we name groups normally. We rename the groupnames when resolving the groups by ID anyway, but if we fail to do so, at least be consistent.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Save user and group aliases qualified (Michal Zidek, 2016-07-07, 5 files changed, -8/+30)
  When saving users or groups, qualify their names. Otherwise (currently netgroups), store a plain username.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Search functions don't need to construct per-domain names (Jakub Hrozek, 2016-07-07, 2 files changed, -19/+4)
  The names are all internally qualified already, so there is no need to distinguish between subdomain users and main domain users.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA/AD: globally set krb5 canonicalization flag (Sumit Bose, 2016-07-06, 2 files changed, -3/+11)
  If Kerberos principal canonicalization is configured in SSSD (currently it is the default for the IPA provider), a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications will use canonicalization by default.
  Resolves: https://fedorahosted.org/sssd/ticket/3041
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Change the default rfc2307 autofs attribute mappings (Jakub Hrozek, 2016-07-06, 2 files changed, -4/+70)
  Resolves: https://fedorahosted.org/sssd/ticket/2858
  The default attribute mappings we used to have:
    ldap_autofs_map_object_class automountMap
    ldap_autofs_map_name ou
    ldap_autofs_entry_object_class automount
    ldap_autofs_entry_key cn
    ldap_autofs_entry_value automountInformation
  were wrong. Instead, this patch switches to:
    ldap_autofs_map_object_class nisMap
    ldap_autofs_map_name nisMapName
    ldap_autofs_entry_object_class nisObject
    ldap_autofs_entry_key cn
    ldap_autofs_entry_value nisMapEntry
  which are attributes that are available with servers running the default rfc2307 schema.
  In addition, this patch adds a syslog and DEBUG message that warns administrators to double-check their configuration. We don't warn when the autofs provider is set to AD, because that one is already correct.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Fix uninitialized pointer read (UNINIT) (Lukas Slebodnik, 2016-07-04, 1 file changed, -1/+1)
  We try to release sdap_handle in the function sdap_cli_connect_recv. Therefore we might try to release memory which does not belong to us due to an uninitialized pointer.
    2070     if (gsh) {
    6. read_parm: Reading a parameter value.
    2071         if (*gsh) {
    2072             talloc_zfree(*gsh);
    2073         }
  Found by Coverity
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* Downcast to errno_t after tevent_req_is_error (Lukas Slebodnik, 2016-06-29, 1 file changed, -5/+15)
  Functions tevent_req_is_error and _tevent_req_error use type uint64_t for the error code. SSSD uses errno_t, which is an alias for int. Therefore the compiler assumes that the macro TEVENT_REQ_RETURN_ON_ERROR can return 0 due to implicit downcasting from uint64_t -> int.
  This patch makes the downcasting explicit and returns EINVAL if the result of downcasting is 0.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IFP: Provide domain and failover status (Pavel Březina, 2016-06-27, 1 file changed, -1/+1)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DP: Add org.freedesktop.sssd.DataProvider.Failover (Pavel Březina, 2016-06-27, 8 files changed, -24/+163)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DP: Add org.freedesktop.sssd.DataProvider.Backend (Pavel Březina, 2016-06-27, 6 files changed, -0/+141)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DP: Add function to get be_ctx directly from dp_client (Pavel Březina, 2016-06-27, 3 files changed, -3/+12)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SBUS: Add string helper macros (Pavel Březina, 2016-06-27, 2 files changed, -2/+2)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Shortcut looking up for group members sooner (Jakub Hrozek, 2016-06-23, 1 file changed, -10/+53)
  This patch is a performance enhancement. When looking for entries to refresh, we always looked up all members in the cache, even if we ended up dereferencing the whole group. If we are about to try dereference, it makes sense to shortcut the lookups after the dereference threshold is reached. In that case, the split_members function returns a special error code and the caller just dereferences the whole group. Only if dereference fails, we fall back to looking up all members so that we can look them up one-by-one.
  Also adds an integration test to make sure the dereference code works.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: ignore non-KVP lines if possible (Michal Židek, 2016-06-22, 1 file changed, -1/+60)
  Ticket: https://fedorahosted.org/sssd/ticket/2751
  Non-KVP lines break GPO processing. They are used for values we are not interested in, so it is safe to ignore them.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DP: Move be_req_acct and remove discard_const (Pavel Březina, 2016-06-20, 3 files changed, -16/+4)
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* RESPONDER: New interface for client registration (Pavel Březina, 2016-06-20, 2 files changed, -38/+0)
  This is just the beginning of a new responder interface to the data provider, and it is just to make the client registration work. It needs further improvement.
  The idea is to take the existing interface and make it work better with further extensions of the data provider. The current interface has several disadvantages, such as being originally built only for account requests and not taking a different set of output parameters. It also doesn't work well with integration into tevent-made responders.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DP: Switch to new interface (Pavel Březina, 2016-06-20, 67 files changed, -8314/+8084)
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DP: Add callback for backward compatibility (Pavel Březina, 2016-06-20, 3 files changed, -0/+147)
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>