sssd.git/src/providers/ipa, branch reviews Experimental work on SSSD - Systen Security Services Daemon failover: Protect against empty host names 2013-01-02T16:44:09+00:00 Michal Zidek mzidek@redhat.com 2012-10-15T10:21:00+00:00 04759b59e71c78ab23b84d13dd29d9c6dd680adb Added new parameter to split_on_separator that allows to skip empty values. The whole function was rewritten. Unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484 
Added new parameter to split_on_separator that allows to skip
empty values.

The whole function was rewritten. Unit test case was added to
check the new implementation.

https://fedorahosted.org/sssd/ticket/1484
Use an entry type mask macro to filter entry types 2012-12-04T11:58:22+00:00 Simo Sorce simo@redhat.com 2012-11-28T03:24:58+00:00 e11c7dc43f4ff9897e37cc0d793f8e1fb3b8453a Avoids hardcoding magic numbers everywhere and self documents why a mask is being applied. 
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied.
Streamline ipa_account_info handler 2012-12-04T11:58:03+00:00 Simo Sorce simo@redhat.com 2012-12-03T18:52:46+00:00 6ff0d2242fe93d694b81b29ab12289db4859e1dc In particular note that we merge ipa_account_info_netgroups_done() and ipa_account_info_users_done() into a single fucntion called ipa_account_info_done() that handles both cases We also remove the auxiliary function ipa_account_info_complete() that unnecessarily violates the tevent_req style and instead use a new function named ipa_account_info_error_text() to generate error text. 
In particular note that we merge ipa_account_info_netgroups_done()
and ipa_account_info_users_done() into a single fucntion called
ipa_account_info_done() that handles both cases

We also remove the auxiliary function ipa_account_info_complete() that
unnecessarily violates the tevent_req style and instead use a new function
named ipa_account_info_error_text() to generate error text.
Fix tevent_req style for get_netgroup in ipa_id 2012-12-04T11:38:14+00:00 Simo Sorce simo@redhat.com 2012-11-28T03:24:56+00:00 39be7dbfa25a1cae78741a1c6c8c744e8c87e38f Also do not intermix two tevent_req sequences 
Also do not intermix two tevent_req sequences
Fix ipa_subdomain_id names and tevent_req style 2012-12-04T11:38:14+00:00 Simo Sorce simo@redhat.com 2012-11-28T03:24:55+00:00 791abc91fd8b2a7f73511ab8051df1065f9f54b2 






IPA: Handle bad results from c-ares lookup
2012-12-02T20:57:48+00:00

Stephen Gallagher
sgallagh@redhat.com

2012-11-27T20:51:05+00:00

ff5934cbe9c02ca3e3d2a851460339f3126202b7

In some situations, the c-ares lookup can return NULL instead of
a list of addresses. In this situation, we need to avoid
dereferencing NULL.

This patch adds a log message and sets the count to zero so it is
handled appropriately below.





In some situations, the c-ares lookup can return NULL instead of
a list of addresses. In this situation, we need to avoid
dereferencing NULL.

This patch adds a log message and sets the count to zero so it is
handled appropriately below.







fix SIGSEGV in IPA provider when ldap_sasl_authid is not set
2012-11-20T22:28:28+00:00

Pavel Březina
pbrezina@redhat.com

2012-11-20T11:43:26+00:00

db15d9fc8252f05d705083b4798a492566284293

https://fedorahosted.org/sssd/ticket/1657

IPA_HOSTNAME is not stored in ipa_opts->id options so it the option
was always NULL here. This caused SIGSEGV when accessed by strchr()
in subsequent function.





https://fedorahosted.org/sssd/ticket/1657

IPA_HOSTNAME is not stored in ipa_opts->id options so it the option
was always NULL here. This caused SIGSEGV when accessed by strchr()
in subsequent function.







LDAP: Only convert direct parents' ghost attribute to member
2012-11-20T17:02:17+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-11-17T22:55:13+00:00

8455d5ab61184e0d126fc074a9ce6e98391eb909

https://fedorahosted.org/sssd/ticket/1612

This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.

As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.

The original member attributes are only saved if the LDAP schema
supports nesting.





https://fedorahosted.org/sssd/ticket/1612

This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.

As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.

The original member attributes are only saved if the LDAP schema
supports nesting.







LDAP: Provide a common sdap_set_sasl_options init function
2012-11-19T21:19:29+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-11-19T09:26:18+00:00

e0d861963e10c5aba79ad87f8c48b0ce1bec06ca

The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.





The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.







Do not save HBAC rules in subdomain subtree
2012-11-19T14:11:08+00:00

Sumit Bose
sbose@redhat.com

2012-11-16T20:25:43+00:00

94a66f84bd3c28fcabffeb84c682dccf89d89c2b

Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.

Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.





Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.

Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.