summaryrefslogtreecommitdiffstats
path: root/src/responder
Commit message (Collapse)AuthorAgeFilesLines
...
* RESPONDER: Removing ncache from pam_ctxPetr Cech2016-05-113-18/+8
| | | | | | This patch switches ncache from pam_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing ncache from pac_ctxPetr Cech2016-05-113-14/+1
| | | | | | This patch switches ncache from pac_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing ncache from ifp_ctxPetr Cech2016-05-115-23/+13
| | | | | | This patch switches ncache from ifp_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing ncache from nss_ctxPetr Cech2016-05-115-60/+40
| | | | | | This patch switches ncache from nss_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDERS: Negcache in resp_ctx preparingPetr Cech2016-05-112-0/+49
| | | | | | Preparation for initialization of negative cache in common responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing neg_timeout from nss responderPetr Cech2016-05-114-9/+5
| | | | | | | | | | Timeout of negative cahce is handled by internal negative cache context. This patch removes neg_timeout from struct nss_ctx. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing neg_timeout from ifp repsonderPetr Cech2016-05-113-16/+4
| | | | | | | | | | | Timeout of negative cache is handled by context of negative cache itself. This patch removes neg_timeout parameter from ifp_ctx and from ifp_user_get_attr_state. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing neg_timeout from sudo resp.Petr Cech2016-05-112-10/+0
| | | | | | | | | | Timout of negative cache is handled by context of negative cache. So this parameter is not needed now. Resolves: https://fedorahosted.org/sssd/ticket/2137 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing neg_timeout from pac_ctxPetr Cech2016-05-112-11/+0
| | | | | | | | | | It removes neg_timeout parameter from pac responder. Timeout is handled by internall structure of negative cache. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* RESPONDER: Removing neg_timeout from pam responderPetr Cech2016-05-1110-75/+28
| | | | | | | | | | | | It removes neg_timeout parameter from struct pam_ctx. Timeout is handled by context of negative cache internally. This patch additioanlly removes neg_timeout from struct cache_req_state. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NEGCACHE: Adding getter for timeoutPetr Cech2016-05-112-0/+7
| | | | | | | | | | It adds new function to negative cache API: * int sss_ncache_get_timeout(struct sss_nc_ctx *ctx); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NEGCACHE: Removing timeout from sss_ncache_check_*Petr Cech2016-05-116-118/+86
| | | | | | | | | | | | | | | | It removes timeout parameter from check functions of negative cache. Timeout is set ny init function and it is handled internally. API change: * int sss_ncache_check_...(struct sss_nc_ctx *ctx, int ttl, <----- timeout vanished struct sss_domain_info *dom, ...); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NEGCACHE: Adding timeout to struct sss_nc_ctxPetr Cech2016-05-119-7/+64
| | | | | | | | | | | | | | | | | | | It adds timeout of negative cache to handling struct sss_nc_ctx. There is one change in API of negatice cache: * int sss_ncache_init(TALLOC_CTX *memctx, uint32_t timeout, <----- new struct sss_nc_ctx **_ctx); There is also one new function in common/responder: * errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb, uint32_t *ncache_timeout); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Internal: Rename CONFDB_DEFAULT_CONFIG_FILEStephen Gallagher2016-05-111-4/+4
| | | | | | | | New name is SSSD_CONFIG_FILE. This is done because we will start to ship a static default configuration in addition to the runtime configuration. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Do not crash on invalid arguments to GetUserAttrJakub Hrozek2016-05-101-2/+2
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AUTOFS: Removing of redudant debug messagePetr Cech2016-04-281-7/+1
| | | | | | | | | | Debug message has been doubled. At a low level, we have a very accurate debug messsage with description of situation (in confdb_get_int()). At higher level we informe about the fatal crash, if it happend. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* NEGCACHE: Removing of condition for ttl = -1Petr Cech2016-04-201-6/+0
| | | | | | | | | If ttl = -1 then function sss_ncache_check_str() returns EEXIST without checking negcache. This behaviour is out of logic. We use ttl = 0 for permanent caching. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: convert get_sudorules to teventPavel Březina2016-04-193-410/+443
| | | | | | | | | | There was a lot of confusion with different error codes and where to call sudosrv_cmd_done to finish the client request. Converting it whole to tevent makes it much more simpler to read and follow the request logic. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: do not use tevent when parsing queryPavel Březina2016-04-194-118/+45
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: use cache_req for initgroupsPavel Březina2016-04-194-401/+47
| | | | | | | | | | | This is just blind code change, the next patch will improve it so for example we don't do initgroups during query-parsing phase. Resolves: https://fedorahosted.org/sssd/ticket/1126 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sudo: remove unused structure sudo_dp_requestPavel Březina2016-04-191-5/+0
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAC: only save PAC blob into the cacheSumit Bose2016-04-134-1428/+87
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2158 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Responders: Fix client destructorSimo Sorce2016-03-171-4/+7
| | | | | | | | | | | | | | | | To close a socket associated to an fd event we must set the close function of the event and not associate a destructor to a parent context. Otherwise the destructor will close() the socket before the fd event is freed, and this may cause invalid calls on a closed file descriptor to poll/epoll/etc. Discovered by looking at strace output. Resolves: https://fedorahosted.org/sssd/ticket/2973 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* cache_req: remove old commentPavel Březina2016-03-141-5/+0
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: rename cache_req_input to cache_reqPavel Březina2016-03-141-209/+203
| | | | | | The input part has no longer meaning. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: hide input and pass parameters in structPavel Březina2016-03-143-244/+308
| | | | | | This way it makes it a lot easier to add new parameters. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: add SID lookupsPavel Březina2016-03-143-15/+111
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2848 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: improve debuggingPavel Březina2016-03-144-50/+149
| | | | | | | | | Each debug message is matched to a specific request, this way it will be easier to follow the request flow especially when paralel request are running. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
* cache_req: rename debug_fqn to debugobjPavel Březina2016-03-141-20/+22
| | | | | | It is not always a name. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: break cache_req_input_create into more functionsPavel Březina2016-03-141-23/+46
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: fix typo in debug messagePavel Březina2016-03-141-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: bring together search parametersPavel Březina2016-03-141-59/+59
| | | | | | | This way it is more clear that the string parameters should not be misued when adding a new one. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Move a DEBUG message so that it's less confusingJakub Hrozek2016-03-081-2/+4
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Fix typos reported by lintianLukas Slebodnik2016-02-233-3/+3
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* PAM: Pass account lockout status and display messagePavel Reichl2016-02-171-8/+23
| | | | | | | | | Tested against Windows Server 2012. Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Just return NULL if tevent_req_create() failsSumit Bose2016-02-113-6/+3
| | | | | | | | | In general we just return NULL if tevent_req_create() fails because there is nothing we can do with the request anyway. Especially tevent_req_error() should not be called because it tries to dereference req. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS: Fix memory leak netgroupPavel Reichl2016-02-041-12/+29
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2865 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: do not lookup views if possiblePavel Březina2016-01-281-6/+84
| | | | | | | | | | This is needed for LOCAL view but also creates a shortcut for server side overrides. Resolves: https://fedorahosted.org/sssd/ticket/2849 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* cache_req: simplify cache_req_cache_check()Pavel Březina2016-01-281-31/+48
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Util: Improve code to get connection credentialsSimo Sorce2016-01-283-34/+54
| | | | | | | | | | Adds support to get SELINUX context and make code more abstract so that struct ucred (if availale) can be used w/o redefining uid,gid,pid to int32. Also gives a layer of indirection that may come handy if we want to improve the code further in the future. Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>
* NSS: do not skip cache check for netgoupsMichal Židek2016-01-211-24/+23
| | | | | | | | | | | | | | | | | When refresh_expired_interval was not zero, the NSS responder only refreshed netgroup cache using background periodic task and ignored SYSDB_CACHE_EXPIRE attribute. With this behaviour it was impossible to get new netgroup from remote server even after sss_cache tool was used to expire existing entry in the cache. Resolves: https://fedorahosted.org/sssd/ticket/2912 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* p11: add gnome-screensaver to list of allowed servicesSumit Bose2016-01-201-1/+1
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2925 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: allow to skip default options for child processesSumit Bose2016-01-191-1/+1
| | | | | | | | | | | | | Currently the SSSD default options like e.g. --debug-level are added unconditionally to the command line options of a child process when started with the child helper functions. If a binary from a different source should be started as a child by SSSD those options might not be known or used differently. This patch adds an option to exec_child_ex() which allows to skip the default options and only add specific options. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: enable ocsp checksSumit Bose2015-11-264-9/+52
| | | | | | | | | | | This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam-srv-tests: Add UT for cached 'online' auth.Pavel Reichl2015-11-122-1/+6
| | | | | | | | | Extend PAM responder unit test to check 'online' cached authentication. Resolves: https://fedorahosted.org/sssd/ticket/2697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* cache_req: check all domains for lookups by certificateSumit Bose2015-11-111-3/+4
| | | | | | | Like lookup by ID or by UPN the match for lookups by certificate can be found in any domain and all sub-domains must be included in the search. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IFP: Skip non-POSIX groups properlyJakub Hrozek2015-11-111-2/+4
| | | | | | | | | | | When ifp_users_user_get_groups is called, for example via GetAll and the list of groups contains a non-POSIX group, we skip an array member, resulting in random memory being passed to the caller. Resolves: https://fedorahosted.org/sssd/ticket/2863 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* cache_req: Fix warning -WshadowLukas Slebodnik2015-11-101-4/+4
| | | | | | | | src/responder/common/responder_cache_req.c: In function 'cache_req_input_set_name': src/responder/common/responder_cache_req.c:199: warning: declaration of 'dup' shadows a global declaration /usr/include/unistd.h:528: warning: shadowed declaration is here Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: fix a use-after-free issueSumit Bose2015-11-041-7/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While handling well-known SIDs a debug statement tries to access memory that is already freed. This can be seen with the following output from valgrind. ==17600== Invalid read of size 4 ==17600== at 0x805ACC6: nss_cmd_getbysid (nsssrv_cmd.c:5458) ==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509) ==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161) ==17600== by 0x8067015: client_cmd_execute (responder_common.c:249) ==17600== by 0x80671F5: client_recv (responder_common.c:283) ==17600== by 0x806741C: client_fd_handler (responder_common.c:335) ==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728) ==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926) ==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114) ==17600== by 0x45EF3BF: _tevent_loop_once (tevent.c:530) ==17600== by 0x45EF5AB: tevent_common_loop_wait (tevent.c:634) ==17600== by 0x45F326E: std_event_loop_wait (tevent_standard.c:140) ==17600== by 0x45EF647: _tevent_loop_wait (tevent.c:653) ==17600== Address 0x4b248a0 is 72 bytes inside a block of size 88 free'd ==17600== at 0x402C26D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==17600== by 0x45FEC9E: _talloc_free_internal (talloc.c:1057) ==17600== by 0x45FEC9E: _talloc_free (talloc.c:1581) ==17600== by 0x8066085: sss_cmd_done (responder_cmd.c:93) ==17600== by 0x805A9B0: nss_check_well_known_sid (nsssrv_cmd.c:5382) ==17600== by 0x805AC86: nss_cmd_getbysid (nsssrv_cmd.c:5455) ==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509) ==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161) ==17600== by 0x8067015: client_cmd_execute (responder_common.c:249) ==17600== by 0x80671F5: client_recv (responder_common.c:283) ==17600== by 0x806741C: client_fd_handler (responder_common.c:335) ==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728) ==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926) ==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114) ==17600== The patch contains a change to the unit tests which frees the memory in the wrapper for sss_cmd_done() too. This allows to detect this kind of issue in the unit tests as well. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Refactor some conditionsMichal Židek2015-10-232-4/+4
| | | | | | | | Conditions with get_next_domain were a little confusing for coverity (but also for developers' eyes). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-23 20:37:10 +0000