| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Adds a convenience wrapper around sss_create_fqname that qualifies a
list of names into the format used internally in sssd.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Add function to create internal fqname in format
shortname@domname where domain portion is lowercased.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add lightweight function to parse internal fqname format
(shortname@domain). This function does not require the
sss_names to be initialized.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Function entry_has_objectclass is not used just
for users.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If Kerberos principal canonicalization is configured in SSSD, currently
it is the default for the IPA provider, a configuration snippet is
generated for the system-wide libkrb5 configuration so that all
kerberized applications will use canonicalization by default.
Resolves https://fedorahosted.org/sssd/ticket/3041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
According to the documentation in localauth_plugin.h "aname will be
considered authorized if at least one module returns 0 and all other
modules return KRB5_PLUGIN_NO_HANDLE." So it is safe to always return
KRB5_PLUGIN_NO_HANDLE because a different plugin has to return 0 to
allow access to the given principal.
Resolves https://fedorahosted.org/sssd/ticket/2788
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2788
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Passing address of unsigned to the output argument size_t causes
access out of boundaries for type unsigned and and wrong data
on big endian. It looks like functions sysdb_search_ts_{users,groups}
need to store results in structure ldb_result anyway for further processing.
Therefore it will be better to convert output arguments
size_t* + ldb_message*** into structure ldb_result and avoid using
additional helper variable with type size_t before each invocation
of these functions.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function sysdb_search_groups expects pointer to size_t as an output
argument msgs_count. However, struct ldb_result has type unsigned for element
count. The size of unsigned is lower then size of size_t on some platforms.
Therefore we should not cast to pointer to size_t if we want to write
count of messages into struct ldb_result -> count.
The valgrind did not detect write out of boundary for the element count
because it is the 1st element in structure ldb_result. It didn't cause any
problem on little endian because the most significant part of size_t was
properly stored to type unsigned.
We firstly store to output argument _msgs_count and then to output argument
_msgs in the function sysdb_cache_search_entry therefore element msgs was not
damaged and contained correct data.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3066
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2858
The default attribute mappings we used to have:
ldap_autofs_map_object_class automountMap
ldap_autofs_map_name ou
ldap_autofs_entry_object_class automount
ldap_autofs_entry_key cn
ldap_autofs_entry_value automountInformation
Was wrong. Instead, this patch switches to:
ldap_autofs_map_object_class nisMap
ldap_autofs_map_name nisMapName
ldap_autofs_entry_object_class nisObject
ldap_autofs_entry_key cn
ldap_autofs_entry_value nisMapEntry
Which are attributes that are available with servers running the default
rfc2307 schema. In addition, this patch adds a syslog and DEBUG message
that warns administrators to double-check their configuration.
We don't warn when the autofs provider is set to AD, because that one
is already correct.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Docbook documentatin for the programlisting elemnt says:
Description:
A ProgramListing is a verbatim environment for program source
or source fragment listings. ProgramListings are often placed
in Examples or Figures so that they can be cross-referenced
from the text.
Processing Expectations:
Formatted as a displayed block. This element is displayed
"verbatim"; whitespace and linebreaks within this element
are significant. ProgramListings are usually displayed
in a fixed width font.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
src/confdb/confdb.h:572: warning: argument 'memctx' of command @param
is not found in the argument list of
confdb_get_sub_sections(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
const char *section, char ***sections, int *num_sections)
src/confdb/confdb.h:592: warning: The following parameters of
confdb_get_sub_sections(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
const char *section, char ***sections, int *num_sections)
are not documented:
src/lib/idmap/sss_idmap.h:315: warning: argument 's_cv' of command @param
is not found in the argument list of
sss_idmap_add_auto_domain_ex(struct sss_idmap_ctx *ctx,
const char *domain_name, const char *domain_sid,
struct sss_idmap_range *range, const char *range_id, uint32_t rid,
bool external_mapping, idmap_store_cb cb, void *pvt)
src/lib/idmap/sss_idmap.h:94: warning: The following parameters of
sss_idmap_add_auto_domain_ex(struct sss_idmap_ctx *ctx,
const char *domain_name, const char *domain_sid,
struct sss_idmap_range *range, const char *range_id, uint32_t rid,
bool external_mapping, idmap_store_cb cb, void *pvt)
are not documented:
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We try to release sdap_handle in the function sdap_cli_connect_recv.
Therefore we might try to release memory which does not belong to us
due to uninitialized pointer.
2070 if (gsh) {
6. read_parm: Reading a parameter value.
2071 if (*gsh) {
2072 talloc_zfree(*gsh);
2073 }
Found by Coverity
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
sss_cache -E can invalidate sudo rules since sssd 1.14 alpha.
Related to:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
local user
If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT
which produced a confusing error message in the logs.
This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.
Resolves:
https://fedorahosted.org/sssd/ticket/3003
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python3.5 CFLAGS contains warning Wsign-compare and file confdb_setup.c
was added to SSSD_TOOLS_OBJ which is required for python3-sss (pysss.so)
src/confdb/confdb_setup.c: In function 'confdb_purge':
src/confdb/confdb_setup.c:95:15: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
for(i=0; i<res->count; i++) {
^
src/confdb/confdb_setup.c: In function 'confdb_init_db':
src/confdb/confdb_setup.c:219:25: error: comparison between signed and unsigned
integer expressions [-Werror=sign-compare]
if (ret <= 0 || ret >= sizeof(timestr)) {
^
cc1: all warnings being treated as errors
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Configuration file snippets must end with suffix
.conf. We wrongly allowed any suffixes that begin
with .conf (for example .conf.back).
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older versions of gcc does not like initialisation of struct sigevent
because the first member of structure is union (sigval_t)
src/util/util_watchdog.c: In function 'setup_watchdog':
src/util/util_watchdog.c:77:12:
warning: missing braces around initializer [-Wmissing-braces]
struct sigevent sev = { 0 };
^
src/util/util_watchdog.c:77:12:
warning: (near initialization for 'sev.sigev_value') [-Wmissing-braces]
src/util/util_watchdog.c:77:12:
warning: initialization makes integer from pointer without a cast
src/util/util_watchdog.c:77:12:
warning: (near initialization for 'sev.sigev_value.sival_int')
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
body->length has type size_t and not long unsigned.
size_t does not have the same size on 64 bit and 32 bit platform
src/responder/secrets/providers.c: In function 'sec_http_reply_with_body':
src/responder/secrets/providers.c:204:25: error: format '%lu' expects argument
of type 'long unsigned int', but argument 6 has type
'size_t {aka unsigned int}' [-Werror=format=]
"HTTP/1.1 %d %s\r\n"
"Content-Type: %s\r\n"
"Content-Length: %lu\r\n"
^
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| | |
|
| |
|
|
| |
Reviewed-by: N/A, one-liner before release
|
| |
|
|
|
|
|
|
|
|
| |
With this mode we can add socket activated services and have systemd
pre exec sssd to genrate the configuration file w/o starting the whole
sssd if not necessary.
https://fedorahosted.org/sssd/ticket/2243
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The protocol requires a user to creat a container efore trying to store
an entry in it. Do the same in the local provider so that no surprises
arise when admins route request to a remote storage server.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Properly handle and enforce ithe presence of the content-type header
in the local and proxy providers to conform to the Custoida protocol.
Avoids different behavior between the local provider and a remote server
that may cause developers to have an application working against the
local storage and then fail when the administrator configures a remote
storage.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Generates a master key file if it doesn't exist and encrypts secrets
using the master key contained in the file.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Also adds support for the basic LOCAL provider that stores data
on the local machine.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Some platforms (like Debian), don't ship http-parser-strict at all, but
only the non-strict variant. Fall back to the non-strict library if the
strict variant is not found.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Prepares autoconf for the new Secrets Provider dependencies
Related:
https://fedorahosted.org/sssd/ticket/2913
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Prepares autoconf for the new Secrets Provider
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The secrets database will have "subsections", ie sections that are in the
"secrets" namespace and look like this: [secrets/<path>]
This function allows to source any section under secrets/ or under any
arbitrary sub-path.
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add helper that uses systemd socket activation if available to accept a
pre-listining socket at startup.
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Now thast services use an internal watchdog we do not need pings anymore,
this will cut down the chatter and allow more flexible process management,
for example socket activation and exit-on-idle.
Resolves:
https://fedorahosted.org/sssd/ticket/2921
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This allows the services to self monitor.
Related:
https://fedorahosted.org/sssd/ticket/2921
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The watchdog uses a kernel timer to issue a signal to the process.
It checks if the ticker is not being reset by the main event loop, which
would indicate that the process got stuck.
At the same time it sets a tevent timer to clear the watchdog ticker, so
that the watchdog handler is kept happy.
If the watchdog detects that the timer event failed to reset the watchdog for
three times in a row then the process is killed.
Normally the monitor will detect the child terminated and will rescheduled it.
Related:
https://fedorahosted.org/sssd/ticket/2921
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The macro AM_COND_IF must be called after AM_CONDITIONAL
Otherwise it will consider that condition is true.
As a result of this the header file config.h had defined
macro HAVE_SYSTEMD on all platforms
Our macro AM_CHECK_SYSTEMD was removed becuase it was needed
in src/external/systemd.m4 and should not be invoked later
in configure.ac
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Functions tevent_req_is_error and _tevent_req_error
use type uint64_t for error code.
SSSD uses errno_t which is an alias for int.
Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR
can return 0 due to implicit down casting from uint64_t -> int.
This patch makes down casting explicit and returns EINVAL
if result of downcasting is 0.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Even though the connect() man page says waiting on a non-blocking connect
should be done by checking for writability, we need to check also for
readability. Otherwise it slightly break offline mode.
Changing password in offline mode is not supported by sssd
and error message "System is offline, password change not possible"
is printed. However without TEVENT_FD_READ for connect it takes much longer
when sssd finds out that it cannot connect to a server. It fails after
expiration of timeout (6 seconds). But meanwhile "passwd user" finished
without logging the offline message.
With TEVENT_FD_READ, connect fails much faster
with errno 113/No route to host.
The change was introduced in the commit
e05d3f5872263aadfbc2f6a2a8c9735219922387
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Function strerror does not expect negative values.
There should be errno.
[sssd_async_connect_done] (0x0020):
connect failed [-1][Unknown error 18446744073709551615].
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2028
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2028
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2247
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
