| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
The conversion to sysdb made several functions obsolete. Remove them.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the sudoUser values we fetch from LDAP correspond to a user or a
group name per:
http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html
then we parse the usernames into (name,domain) tuples and store them
qualified.
This patch not only makes the sudo provider work with qualified names,
but also makes it possible to use qualified names on the LDAP side,
allowing for example AD users from different domains to access sudo
rules.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Adds a convenience function that will help reduce the amount of code
duplication in the responders. All responders need to parse the username
from the internal format, lower-case the name, if the domain is
case-insensitive and then replace spaces if the responder is configured
to do so.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Adds a convenience wrapper around sss_create_fqname that qualifies a
list of names into the format used internally in sssd.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Add function to create internal fqname in format
shortname@domname where domain portion is lowercased.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Add lightweight function to parse internal fqname format
(shortname@domain). This function does not require the
sss_names to be initialized.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If Kerberos principal canonicalization is configured in SSSD, currently
it is the default for the IPA provider, a configuration snippet is
generated for the system-wide libkrb5 configuration so that all
kerberized applications will use canonicalization by default.
Resolves https://fedorahosted.org/sssd/ticket/3041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
With this mode we can add socket activated services and have systemd
pre exec sssd to genrate the configuration file w/o starting the whole
sssd if not necessary.
https://fedorahosted.org/sssd/ticket/2243
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The watchdog uses a kernel timer to issue a signal to the process.
It checks if the ticker is not being reset by the main event loop, which
would indicate that the process got stuck.
At the same time it sets a tevent timer to clear the watchdog ticker, so
that the watchdog handler is kept happy.
If the watchdog detects that the timer event failed to reset the watchdog for
three times in a row then the process is killed.
Normally the monitor will detect the child terminated and will rescheduled it.
Related:
https://fedorahosted.org/sssd/ticket/2921
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Functions tevent_req_is_error and _tevent_req_error
use type uint64_t for error code.
SSSD uses errno_t which is an alias for int.
Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR
can return 0 due to implicit down casting from uint64_t -> int.
This patch makes down casting explicit and returns EINVAL
if result of downcasting is 0.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3006
The handling of open pipes in failure cases was suboptimal. Moreover,
the faulty logic was copied all over the place. This patch introduces
helper macros to:
- initialize the pipe endpoints to -1
- close an open pipe fd and set it to -1 afterwards
- close both ends unless already closed
These macros are used in the child handling code.
The patch also uses child_io_destructor in the p11_child code for safer
fd handling.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
This function is not used anywhere and const char ** suits better
in my use case (next patch) so I just changed the function.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update get next domain to be able to
include disbled domains and change the
interface to accept flags instead of
multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
There are many calls of umask function with 077 argument. This patch
add new constant SSS_DFL_X_UMASK which stands fot 077. So all
occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are many calls of umask function with 0177 argument. This patch
add new constant SSS_DFL_UMASK which stands for 0177. So all occurences
of umask(0177) (except responder code) are replaced by constant
SSS_DFL_UMASK.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The regression was caused by changing default domain regex
for ldap provider in ticket #2717
Resolves:
https://fedorahosted.org/sssd/ticket/2772
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Related:
https://fedorahosted.org/sssd/ticket/2553
In order to support wildcard request, we need to introduce an optionally
relaxed version of sss_filter_sanitize that allows to select which
characters are exempt from sanitizing.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
In order to make updating the subdomain list a two-step process.
Therefore we need to make sure that update_subdomains() is the only
interface towards the SSSD that changes the subdomain list.
Move the new_subdomain() function to sysdb_subdomains.c and only make it
available through a private header so it's usable by unit tests.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to store the subdomain trust direction in order to recover the
structure after SSSD restart.
The trust direction is a plain uint32_t to avoid leaking the knowledge
about AD trust directions to sysdb while at the same time making it easy
to compare values between sysdb and LDAP and avoid translating the
values.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2624
Add a function to query the libsemanage database for a user context and
only update the database if the context differes from the one set on the
server.
Adds talloc dependency to libsss_semanage.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
New utility function *sss_utc_to_time_t* to convert GeneralizedTime to
unix time.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2563
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the SSSD cache domain names are handled case-sensitive. As a result
fully-qualified names in RDN contain the domain part in the original
spelling. When IPA client lookup up group-memberships on the IPA server
via the extdom plugin the names returned are all lower case. To make
sure new DNs are generated correctly the domain part must adjusted.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
The responder and child_common modules each had their own
implementation. Unify it instead and add a unit test.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Currently views and overrides were only available for sub-domains, this
patch enables the lookup for the configured domains as well.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need a custom function that would convert a numeric or string input
into uid_t. The function will be used to drop privileges in servers and
also in the PAC and IFP responders.
Includes a unit test to test all code that changed as well as a fix for
a misnamed attribute in the csv_to_uid_list function synopsis.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We need to chown the log files before dropping root to make sure they
are usable by the SSSD user. Unfortunately, we can't just rely on
passing the fd opened by root, because we need to be also able to rotate
the log files.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Adds new command line options --uid and --gid to all SSSD servers,
making it possible to switch to another user ID if needed.
So far all code still runs as root.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
| |
mlsrange parameter will be needed in IPA provider
and probably at some point in the tools as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
These functions will be reused by IPA provider.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_search_user_override_by_name() and
sysdb_search_group_override_by_name() search for overrides in the given
view.
sysdb_add_overrides_to_object() adds the data from the override object
to the original object and makes them available for further processing.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
We used to only generate the [capaths] section on the IPA server itself,
when running in a trusted setup. But we also found out that the capaths
are often required to make SSO fully work, so it's better to always
generate them.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
| |
In order for several other SSSD processes to run as a non-root user, we
need to move the functions to become another user to a shared space in
our source tree.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Just moves code around. There should be a way to use the server.c module
without linking the monitor code.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_public_domains option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|