sssd.git/src/responder/pam, branch my-master

RESPONDERS: Create a common file with service names and versions

2012-12-18T16:25:34+00:00

The monitor sends calls different sbus methods to different responders.
Instead of including headers of the particular responders directly in
monitor, which breaks layering a little, create a common header file
that will be included from src/responder/common/

sssd_pam: Cleanup requests cache on sbus reconect

2012-12-14T16:23:56+00:00

The pam responder was not properly configured to recover from a backend
disconnect. The connections that were in flight before the disconnection
were never freed and new requests for the same user would just pile up on
top of the now phantom requests.

Fixes: https://fedorahosted.org/sssd/ticket/1655

Refactor the way subdomain accounts are saved

2012-11-19T14:11:03+00:00

The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.

One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.

In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.

Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails

2012-11-12T10:09:26+00:00

PAM: Do not leak fd after SELinux context file is written

2012-11-01T23:02:44+00:00

https://fedorahosted.org/sssd/ticket/1619

We don't close the fd when we write the selinux login file in the pam
responder. This results in a fd leak.

Include talloc log in our debug facility

2012-10-29T16:15:37+00:00

https://fedorahosted.org/sssd/ticket/1495

Add new option default_domain_suffix

2012-10-01T19:45:21+00:00

SELinux: Always use the default if it exists on the server

2012-09-13T16:11:59+00:00

https://fedorahosted.org/sssd/ticket/1513

This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045

During an e-mail discussion, it was decided that

    * if the default is set in the IPA config object, the SSSD would use
      that default no matter what
    * if the default is not set (aka empty or missing), the SSSD
      would just use the system default and skip creating the login
      file altogether

Check if the SELinux login directory exists

2012-09-04T08:14:18+00:00

https://fedorahosted.org/sssd/ticket/1492

Only create the SELinux login file if there are mappings on the server

2012-08-16T11:31:03+00:00

https://fedorahosted.org/sssd/ticket/1455

In case there are no rules on the IPA server, we must simply avoid generating
the login file. That would make us fall back to the system-wide default
defined in /etc/selinux/targeted/seusers.

The IPA default must be only used if there *are* rules on the server,
but none matches.