<feed xmlns='http://www.w3.org/2005/Atom'>
<title>sssd.git/src/responder/pac, branch reviews</title>
<subtitle>Experimental work on SSSD - System Security Services Daemon</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/'/>
<entry>
<title>RESPONDERS: Create a common file with service names and versions</title>
<updated>2012-12-18T16:25:34+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2012-12-15T15:24:25+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=e880949305cee3aca79441fe6113a9d79e7c98f2'/>
<id>e880949305cee3aca79441fe6113a9d79e7c98f2</id>
<content type='text'>
The monitor sends different sbus method calls to different responders.
Instead of including headers of the particular responders directly in
monitor, which breaks layering a little, create a common header file
that will be included from src/responder/common/
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The monitor sends different sbus method calls to different responders.
Instead of including headers of the particular responders directly in
monitor, which breaks layering a little, create a common header file
that will be included from src/responder/common/
</pre>
</div>
</content>
</entry>
<entry>
<title>PAC: check the return value of diff_git_lists</title>
<updated>2012-12-10T18:22:33+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2012-12-10T02:08:15+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=73cb66e832191041aeb31da5f2d88bf60580b5fa'/>
<id>73cb66e832191041aeb31da5f2d88bf60580b5fa</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>LDAP: Only convert direct parents' ghost attribute to member</title>
<updated>2012-11-20T17:02:17+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2012-11-17T22:55:13+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=8455d5ab61184e0d126fc074a9ce6e98391eb909'/>
<id>8455d5ab61184e0d126fc074a9ce6e98391eb909</id>
<content type='text'>
https://fedorahosted.org/sssd/ticket/1612

This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.

As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.

The original member attributes are only saved if the LDAP schema
supports nesting.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/sssd/ticket/1612

This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.

As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.

The original member attributes are only saved if the LDAP schema
supports nesting.
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactor the way subdomain accounts are saved</title>
<updated>2012-11-19T14:11:03+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2012-11-16T20:25:42+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=8d9e0547a864cee05ab36bc988300c0cfa986025'/>
<id>8d9e0547a864cee05ab36bc988300c0cfa986025</id>
<content type='text'>
The original sysdb code had a strong assumption that only users from one
domain are saved in the database. With the subdomain feature, we have
changed reality, but have not adjusted all the code around the sysdb calls
to not rely on the original assumption.

One of the side effects of this incongruence is that currently group
memberships do not return fully qualified names for subdomain users as they
should.

In order to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By saving them fully qualified we do not risk aliasing local users and have
group memberships or other name based matching code mistake a domain user
with subdomain user or vice versa.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The original sysdb code had a strong assumption that only users from one
domain are saved in the database. With the subdomain feature, we have
changed reality, but have not adjusted all the code around the sysdb calls
to not rely on the original assumption.

One of the side effects of this incongruence is that currently group
memberships do not return fully qualified names for subdomain users as they
should.

In order to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By saving them fully qualified we do not risk aliasing local users and have
group memberships or other name based matching code mistake a domain user
with subdomain user or vice versa.
</pre>
</div>
</content>
</entry>
<entry>
<title>Store the original group DN in the subdomain user object</title>
<updated>2012-11-11T02:44:46+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2012-11-07T11:09:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=891370856f6c797f959dab06b194e34102185d53'/>
<id>891370856f6c797f959dab06b194e34102185d53</id>
<content type='text'>
For users of the local domain the server-side DN of the groups the user
is a member of is stored with the user object in the cache and used to
improve performance e.g. by the HBAC code. Since subdomain users should
be handled by HBAC as well the group DN is stored in the same way as for
users of the local domain.

This patch also adds code to remove the attribute from the user object
if the user is removed from the group.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For users of the local domain the server-side DN of the groups the user
is a member of is stored with the user object in the cache and used to
improve performance e.g. by the HBAC code. Since subdomain users should
be handled by HBAC as well the group DN is stored in the same way as for
users of the local domain.

This patch also adds code to remove the attribute from the user object
if the user is removed from the group.
</pre>
</div>
</content>
</entry>
<entry>
<title>Get lists of GIDs to be added and deleted and use them</title>
<updated>2012-11-11T02:44:41+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2012-11-07T11:01:27+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=a0afedf608e07219fba20853fb5a9a1a9f1ce2e9'/>
<id>a0afedf608e07219fba20853fb5a9a1a9f1ce2e9</id>
<content type='text'>
Currently the user was just added to all local groups which are given in
the PAC. With this patch the user is added only to groups he is
currently not a member of and deleted from groups which are not found in
the PAC anymore.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently the user was just added to all local groups which are given in
the PAC. With this patch the user is added only to groups he is
currently not a member of and deleted from groups which are not found in
the PAC anymore.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add pac_user_get_grp_info() to read current group memberships</title>
<updated>2012-11-11T02:44:34+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2012-11-07T10:53:13+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=6722c85cb59c2d6fc223966c2b83cc3ea0d9aceb'/>
<id>6722c85cb59c2d6fc223966c2b83cc3ea0d9aceb</id>
<content type='text'>
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.

Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on it is added to
the list of requested attributes.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.

Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on it is added to
the list of requested attributes.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add diff_gid_lists() with test</title>
<updated>2012-11-11T02:44:29+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2012-11-07T10:34:09+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=1a456e464803c6d1e82081e9b4d618fa0b07b3d7'/>
<id>1a456e464803c6d1e82081e9b4d618fa0b07b3d7</id>
<content type='text'>
This patch adds a new call which compares a list of current GIDs with a
list of new GIDs and returns a list of GIDs which are currently missing
and must be added and another list of GIDs which are not used anymore
and must be deleted. The method is the same as used by
diff_string_lists().
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch adds a new call which compares a list of current GIDs with a
list of new GIDs and returns a list of GIDs which are currently missing
and must be added and another list of GIDs which are not used anymore
and must be deleted. The method is the same as used by
diff_string_lists().
</pre>
</div>
</content>
</entry>
<entry>
<title>Include talloc log in our debug facility</title>
<updated>2012-10-29T16:15:37+00:00</updated>
<author>
<name>Michal Zidek</name>
<email>mzidek@redhat.com</email>
</author>
<published>2012-10-15T13:24:15+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=9e2c64c6d4f5560e27207193efea6536a566865e'/>
<id>9e2c64c6d4f5560e27207193efea6536a566865e</id>
<content type='text'>
https://fedorahosted.org/sssd/ticket/1495
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/sssd/ticket/1495
</pre>
</div>
</content>
</entry>
<entry>
<title>pac responder: add user principal and name alias to cached user object</title>
<updated>2012-10-26T08:32:05+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2012-10-15T20:08:05+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/sssd.git/commit/?id=d9137b153f1266ee5659405b2d7bc11787dad817'/>
<id>d9137b153f1266ee5659405b2d7bc11787dad817</id>
<content type='text'>
The principal name for the user is generated with the user name and the
domain from the PAC. It is stored in the cache so that it e.g. can be
used by password authentication. Additionally the name alias is stored
to allow case-insensitive searches.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The principal name for the user is generated with the user name and the
domain from the PAC. It is stored in the cache so that it e.g. can be
used by password authentication. Additionally the name alias is stored
to allow case-insensitive searches.
</pre>
</div>
</content>
</entry>
</feed>
