| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It removes timeout parameter from check functions of negative cache.
Timeout is set ny init function and it is handled internally.
API change:
* int sss_ncache_check_...(struct sss_nc_ctx *ctx,
int ttl, <----- timeout vanished
struct sss_domain_info *dom,
...);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It adds timeout of negative cache to handling
struct sss_nc_ctx.
There is one change in API of negatice cache:
* int sss_ncache_init(TALLOC_CTX *memctx,
uint32_t timeout, <----- new
struct sss_nc_ctx **_ctx);
There is also one new function in common/responder:
* errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb,
uint32_t *ncache_timeout);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3010
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch makes SSSD possibly useful "out of the box" by allowing
packagers to provide a default config file located in $LIBDIR/sssd/conf
that will be copied by the monitor to /etc/sssd if no file already
exists in that location. This will make it possible to have SSSD set up
to have distribution-specific default configuration, such as enabling
the proxy provider to cache /etc/passwd (such as in the provided
example in this patch).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
New name is SSSD_CONFIG_FILE. This is done because we will start to
ship a static default configuration in addition to the runtime
configuration.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a precursor to supporting a static default configuration file.
We need to be able to copy the default into the mutable location if the
infopipe is asked to modify it.
This patch opens both the source and destination files together in order
to avoid time-of-check/time-of-use bugs.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In most cases when sbus request parsing finishes, the request is handled
internally and a reply is sent to the caller. However, in handlers that
are parsed and handled completely manually, we might want to be notified
about this case so that the called of sbus_request_parse_or_finish()
aborts the request and doesn't proceed with using the sbus request which
is already freed internally in sbus_request_parse_or_finish().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
The PubkeyAgent option is not supported for some time and references to
it should be removed from our man pages.
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
| |
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Ubuntu systems use "unity" as their screen-locker. Without this in the
defaults, people often get locked out of their machines when the screen
locks.
Resolves:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
There were duplicaton of mock_rctx().
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Debug message has been doubled.
At a low level, we have a very accurate debug messsage with description
of situation (in confdb_get_int()). At higher level we informe about
the fatal crash, if it happend.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
As suggested by Rob in
https://fedorahosted.org/sssd/ticket/1907#comment:2
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since commit 5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 the view name
lookup is the last step in the subdomain lookup request. In case of an
error the request should be finished and no previous step should be
called again.
Resolves https://fedorahosted.org/sssd/ticket/2993
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Most linux distribution create local users from UID 1000.
We used similar UID space in sssd but it might caused
issues in add remove tests becuase sssd in cwrap enviroment
run in the same PID space. If sssd try to remove user
with uid 1001 it will fail because the local user with the same UID
is active and sssd does not remove active users.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds new functionality to sss_cach for invalidation of given
sudo rule or all sudo rules.
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Refactor of sss_cache tool.
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
There are tests functions of sysdb_sudo_rules.
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds two new functions into public
API of sysdb_sudo:
* sysdb_search_sudo_rules
* sysdb_set_sudo_rule_attr
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If ttl = -1 then function sss_ncache_check_str() returns EEXIST without
checking negcache. This behaviour is out of logic.
We use ttl = 0 for permanent caching.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
There were sss_ncache_*_uid() functions instead of
sss_ncache_*_gid() functions.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
There was a lot of confusion with different error codes
and where to call sudosrv_cmd_done to finish the client
request. Converting it whole to tevent makes it much
more simpler to read and follow the request logic.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is just blind code change, the next patch will improve it so
for example we don't do initgroups during query-parsing phase.
Resolves:
https://fedorahosted.org/sssd/ticket/1126
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
During a pre-authentication request there are always messages like:
... [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
... [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
This patch removes them.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Error: NULL_RETURNS (CWE-476): [#def31]
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:964:
returned_null: "ipa_sudo_conv_lookup" returns null.
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:149:9:
return_null: Explicitly returning null.
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:964:
var_assigned: Assigning: "cmdgroup" = null return value
from "ipa_sudo_conv_lookup".
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:966:
dereference: Dereferencing a null pointer "cmdgroup".
# 964| cmdgroup = ipa_sudo_conv_lookup(conv->cmdgroups, listitem->dn);
# 965|
# 966|-> ret = add_strings_lists(mem_ctx, values, cmdgroup->expanded,
# 967| false, discard_const(&values));
# 968| if (ret != EOK) {
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function sysdb_search_custom cannot return EOK
and together set output argument count to zero.
This case is already handled in function sysdb_search_entry
which is used inside sysdb_search_custom.
Such useless test can just cause read of unitialized variable
in case of other errors returned from sysdb_search_custom.
Error: UNINIT (CWE-457): [#def1]
sssd-1.13.4/src/db/sysdb_sudo.c:678:
var_decl: Declaring variable "count" without initializer.
sssd-1.13.4/src/db/sysdb_sudo.c:698:
uninit_use: Using uninitialized value "count".
# 696| SUDORULE_SUBDIR, attrs,
# 697| &count, &msgs);
# 698|-> if (ret == ENOENT || count == 0) {
# 699| DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
# 700| ret = EOK;
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There was a compile time warning if building with NSS crypto
libraries.
src/tests/cmocka/test_ad_common.c: In function ‘main’:
src/tests/cmocka/test_ad_common.c:873:5: error: implicit declaration of function ‘nspr_nss_cleanu’ [-Werror=implicit-function-declaration]
nspr_nss_cleanup();
^~~~~~~~~~~~~~~~
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
| |
This is done to make sure the memberof module does not leak memory.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
structure be_ptask_sync_ctx was not released anywhere when
be_ptask_create_sync was used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Test for users with fully-qualified and mixed-cased names are added.
Resolves:
https://fedorahosted.org/sssd/ticket/2989
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2989
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2989
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
DNs of existing objects can not be generate reliable because the use of
fully qualified names and upper and lower cases in names has to be
considered. The most reliable way to get the DN is to search the object
and take the DN from the result.
Resolves:
https://fedorahosted.org/sssd/ticket/2989
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2158
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If there is a recently attached PAC blob in the cached user entry the
PAC data is used to update the group memberships data of the user. If
there is no PAC attached or if it is too old the other configured
methods will be used.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
The group-processing is moved out to make it reusable.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Make sdap_ad_tokengroups_get_posix_members() and
sdap_ad_resolve_sids_send() reusable.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
