sssd.git/src/providers/ldap, branch err_facility

Convert sdap_access to new error codes

2013-03-13T18:39:50+00:00

Also simplify sdap_access_send to avoid completely fake _send() routines.

Use common error facility instead of sdap_result

2013-03-13T18:39:50+00:00

Simplifies and consolidates error reporting for ldap authentication paths.

Adds 3 new error codes:
    ERR_CHPASS_DENIED  - Used when password constraints deny password changes
    ERR_ACCOUNT_EXPIRED  - Account is expired
    ERR_PASSWORD_EXPIRED  - Password is expired

Fixed typo in debug message.

2013-03-07T12:47:22+00:00

C compiler did not complain, because "index" is function defined
in header file

Check the return value of sysdb_search_services

2013-03-05T16:36:21+00:00

sdap_fill_memberships: continue if a member is not foud in sysdb

2013-02-26T23:22:29+00:00

https://fedorahosted.org/sssd/ticket/1755

sdap_find_entry_by_origDN() may return ENOENT in these
non-error scenarios:

If a member is out of scope of configured nesting level, sssd
produces few noise lines indicating failure.

The worse case is when a member is outside of configured search
bases. In this case we save the group with incomplete membership,

sysdb: try dealing with binary-content attributes

2013-02-26T16:16:58+00:00

https://fedorahosted.org/sssd/ticket/1818

I have here a LDAP user entry which has this attribute

	loginAllowedTimeMap::
	 AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA

In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)

Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.

The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.

LDAP: Check for authtok validity

2013-02-11T15:16:16+00:00

The default authtok type in the LDAP provider (unlike the new IPA and AD
providers) is "password". This oddity dates back to when password was
the only supported authtok type in the SSSD, so configuration specifying
only the password and bind DN was valid.

We need to check the authtok validity as well before attempting to use
it.

Add realm info to sss_domain_info

2013-02-10T21:08:46+00:00

nested groups: fix group lookup hangs if member dn is incorrect

2013-01-28T16:28:53+00:00

https://fedorahosted.org/sssd/ticket/1783

When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.

Add be_req_get_data() helper funciton.

2013-01-21T21:17:34+00:00

In preparation for making struct be_req opaque.