| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
| |
The 'dom' pointer points to domain of the main object being saved. In
case of group, dom points to the domain where the group resides. But
when saving members, each members might be from a different domain, so we
need to find every member's domain based on the attributes.
Also don't use Yoda style in conditions.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since ghost entries might not be properly removed on the IPA server
(https://fedorahosted.org/sssd/ticket/2567) chances are that during
extdom group lookups a single user is returned multiple time. This patch
removes the duplicates before trying to write the data to the cache.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So far only for initgroups requests the IPA group memberships where
resolved for AD users and due to
6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not
overridden by other request. But it turned out that the originalMemberOf
attributes related to the IPA group memberships can be overridden by
user lookups. Since the originalMemberOf attribute is important in the
HBAC evaluation this patch makes sure that the originalMemberOf
attribute is not removed but updated during user lookups.
Related to https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Override AD site found during DNS discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This option overrides a result of the automatic site discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If a user is a member is a group in a different sub-domain, e.g with
universal groups in AD, the ghost attribute might not be properly
removed from the group object if the user is resolved. The reason is
that only groups from the domain of the user were search for ghost
attributes. This patch increases the search-base to all sub-domains of
the configured SSSD domain.
Resolves https://fedorahosted.org/sssd/ticket/2567
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This function assumes that the last component of the object path
is an object name. It will return the part unescaped.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
These functions are quite general thus they may be part
of sbus interface.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
We used three different names to express handler data:
- pvt
- instace_data
- handler_data
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Bring back org.freedesktop.DBus.Properties with support of
multiple interfaces on single object path.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This commit brings back support of Introspectable interface and
enables support of multiple interfaces there. It also refactors
the old code so the generator and introspect xml format especially
is more readable.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This function acquires list of all interfaces that are supported on
given object path. It is a preparation for Introspect interface.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Object path is heavily used in implementation of methods from
interfaces that are supported on whole subtrees. Although it
can be obtained from a D-Bus message, it is nice to have it
accessible directly.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the old message handler which is replaced
with a new one that supports multiple interfaces registered
on single object path.
A hash table is used to store registered object paths and their
interfaces. When an entry or the table itself is destroyed,
registered object path is unregistered through delete callback.
It temporarily removes support of Introspect and Properties
standard D-Bus interfaces and disables unit tests of those
interfaces. The support is brought back by following patches.
Resolves:
https://fedorahosted.org/sssd/ticket/2339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use 'path/*' instead of 'path*' since it better describes what
we are actually doing i.e. registering a message handler for a
subtree.
Although D-Bus fallback will invoke a message handler for both
'path' and 'path/subtree' object paths it does not make usually
sence to support the same interfaces for both parent and it
children.
This commit also renames related functions to better describe
what are they doing.
Note: the tilda in comments is used to suppress -Wcomment warning
Preparation for:
https://fedorahosted.org/sssd/ticket/2339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This is done to better distinguish between connection code and interface
stuff. It will help with orientation and thus simplify next changes.
Preparation for:
https://fedorahosted.org/sssd/ticket/2339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename sbus_conn_add_interface() to sbus_conn_register_iface()
and remove sbus_new_interface() calls since it is just one more
unnecessary call outside the sbus code.
The function sbus_new_interface() is made static and used
directly in sbus_conn_register_iface().
The name was chosen to better describe what the function is
doing. That it registers an interface on a given object path.
The same interface can be used with different paths so it is
not really about adding an interface.
Preparation for:
https://fedorahosted.org/sssd/ticket/2339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the SSSD cache domain names are handled case-sensitive. As a result
fully-qualified names in RDN contain the domain part in the original
spelling. When IPA client lookup up group-memberships on the IPA server
via the extdom plugin the names returned are all lower case. To make
sure new DNs are generated correctly the domain part must adjusted.
Related to https://fedorahosted.org/sssd/ticket/2159
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When adding a user sysdb internally adds a value to SYSDB_GIDNUM for
mpg domain which might cause conflicts with the one we added to users
git GID overrides. With this patch the override GID is added after the
user is created but in the same transaction
Releted to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The PAC responder by default allows only connections from the root user.
This patch opens the socket to the PAC responder before the krb5_child
drops privileges so the connection seemingly comes from root.
https://fedorahosted.org/sssd/ticket/2559
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
IPA HBAC evaluation relies on the original values for DN and memberOf
attributes.
Resolves https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
The two loops in fill_orig were almost identical.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since krb5_kt_add_entry() adds new entries at the beginning of a MEMORY
type keytab and not at the end a simple copy into a MEMORY type keytab
will revert the order of the keytab entries. Since e.g. the sssd_krb5
man page give hints about where to add entries into keytab files to help
SSSD to find a right entry we have to keep the order when coping a
keytab into a MEMORY type keytab. This patch fixes this by doing a
second copy to retain the original order.
Resolves https://fedorahosted.org/sssd/ticket/2557
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add dots into a set of allowed characters for domain names.
Resolves:
https://fedorahosted.org/sssd/ticket/2527
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2548
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The option description should hint that enabling this option may have a
positive effect on access control, especially with large groups.
See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example
where ignoring the group members helped.
Signed-off-by: Jakub Hrozek <jakub.hrozek@posteo.se>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2556
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
|
| |
The responder and child_common modules each had their own
implementation. Unify it instead and add a unit test.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Not used anymore after previous patch.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
ldap_child was the only child process that used child_cleanup instead of
the common child_io_destructor. Unify the implementation to use the
common function instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
The module wasn't tested properly, which made it harder to patch it
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Two functions were only used internally, makes no sense to keep them in the
child_common module API.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
PID may be greater than 0xffff thus we remove this check but it is
supposed to be in range of uint32.
There are also some improvements to get more information from
assertions.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Example of warning:
src/ldb_modules/memberof.c:4203:536: error: for loop has empty body [-Werror,-Wempty-body]
src/ldb_modules/memberof.c:4203:536: note: put the semicolon on a separate line to silence this warning
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
The indentation is automatically in resulting man page. It isn't necessary to
add spaces and moreover it can cause unreadable page asi in case of ad_gpo_map
examples.
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
| |
|
|
|
|
| |
Previously, we were only handling KRB5KRB_AP_ERR_SKEW
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Since RESP_USER_GROUPLIST contains all group memberships it is
effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
The current request already returned the SID, we do not need to request
it separately.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The call protected by the check does not only expect the version 1 of
the extdom plugin is used but a specific response type as well. Since
version 1 can return older response types as well we want to be on the
safe side.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The IPA extdom plugin returns the data with the default view already
applied hence it is on needed to look up the override data if the client
has the default view assigned.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Two places in sysdb_gpo.c were searching for the GPO result object while
the only difference was the attributes searched for. Remove this
duplication and make the search function static as it's not used outside
the module.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
Currently ipa_resolve_user_list_send() only looks up the related user
objects but do not check for overrides. This patch tries to fix this.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
