Commit log (each entry: commit message, author, age, files changed, lines -/+)

* p11: add gnome-screensaver to list of allowed services
  Author: Sumit Bose   Age: 2016-01-20   Files: 1   Lines: -1/+1
  Resolves https://fedorahosted.org/sssd/ticket/2925
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SDAP: Make it possible to silence errors from dereference
  Author: Jakub Hrozek   Age: 2016-01-19   Files: 3   Lines: -10/+28
  https://fedorahosted.org/sssd/ticket/2791
  When a modern IPA client is connected to an old (3.x) IPA server, the attribute dereferenced during the ID views lookup does not exist, which triggers an error during the dereference processing and also a confusing syslog message. This patch suppresses the syslog message.
  Reviewed-by: Michal Židek <mzidek@redhat.com>

* sdap_connect_send: fail if uri or sockaddr is NULL
  Author: Pavel Březina   Age: 2016-01-19   Files: 1   Lines: -0/+6
  Resolves: https://fedorahosted.org/sssd/ticket/2904
  Reviewed-by: Michal Židek <mzidek@redhat.com>

* AD: try to use current server in the renewal task
  Author: Sumit Bose   Age: 2016-01-19   Files: 1   Lines: -3/+23
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* FO: add be_fo_get_active_server_name()
  Author: Sumit Bose   Age: 2016-01-19   Files: 2   Lines: -0/+20
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* FO: add fo_get_active_server()
  Author: Sumit Bose   Age: 2016-01-19   Files: 3   Lines: -0/+18
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD: add task to renew the machine account password if needed
  Author: Sumit Bose   Age: 2016-01-19   Files: 10   Lines: -0/+426
  AD expects its clients to renew the machine account password on a regular basis, by default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0.
  Resolves https://fedorahosted.org/sssd/ticket/1041
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* DP_TASK: add be_ptask_get_timeout()
  Author: Sumit Bose   Age: 2016-01-19   Files: 3   Lines: -0/+28
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* UTIL: allow to skip default options for child processes
  Author: Sumit Bose   Age: 2016-01-19   Files: 6   Lines: -38/+47
  Currently the SSSD default options like e.g. --debug-level are added unconditionally to the command line options of a child process when started with the child helper functions. If a binary from a different source should be started as a child by SSSD those options might not be known or used differently. This patch adds an option to exec_child_ex() which allows skipping the default options and only adding specific options.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* IPA SUDO: Add support for ipaSudoRunAsExt* attributes
  Author: Pavel Březina   Age: 2016-01-19   Files: 5   Lines: -0/+23
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: simplify usn filter
  Author: Pavel Březina   Age: 2016-01-19   Files: 2   Lines: -11/+5
  usn >= current && usn != current is equivalent to usn >= current + 1
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: remember usn as number instead of string
  Author: Pavel Březina   Age: 2016-01-19   Files: 4   Lines: -28/+31
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: allow disabling full refresh
  Author: Pavel Březina   Age: 2016-01-19   Files: 1   Lines: -1/+1
  This condition always disabled smart refresh when full refresh interval was set to zero and thus disabled periodic refresh functionality completely.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: assume zero if usn is unknown
  Author: Pavel Březina   Age: 2016-01-19   Files: 4   Lines: -30/+13
  When we switched to be_ptask, full_refresh_done has become obsolete since timing is handled in a better way. In case of unknown USN we assume zero which allows us to disable full refresh completely in configuration.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: remove full_refresh_in_progress
  Author: Pavel Březina   Age: 2016-01-19   Files: 4   Lines: -10/+0
  When we switched to be_ptask this variable has become obsolete.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: sdap_sudo_set_usn() do not steal usn
  Author: Pavel Březina   Age: 2016-01-19   Files: 2   Lines: -3/+10
  This is less error prone.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: Implement smart refresh
  Author: Pavel Březina   Age: 2016-01-19   Files: 3   Lines: -7/+438
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SDAP: Add sdap_or_filters
  Author: Pavel Březina   Age: 2016-01-19   Files: 2   Lines: -7/+27
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: Remember USN
  Author: Pavel Březina   Age: 2016-01-19   Files: 1   Lines: -2/+48
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: Implement rules refresh
  Author: Pavel Březina   Age: 2016-01-19   Files: 5   Lines: -5/+186
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: Implement full refresh
  Author: Pavel Březina   Age: 2016-01-19   Files: 6   Lines: -2/+2285
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: Implement sudo handler
  Author: Pavel Březina   Age: 2016-01-19   Files: 3   Lines: -0/+121
  Resolves: https://fedorahosted.org/sssd/ticket/XXXX
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: Add ipasudocmd mapping
  Author: Pavel Březina   Age: 2016-01-19   Files: 5   Lines: -0/+26
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: Add ipasudocmdgrp mapping
  Author: Pavel Březina   Age: 2016-01-19   Files: 5   Lines: -0/+28
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: Add ipasudorule mapping
  Author: Pavel Březina   Age: 2016-01-19   Files: 6   Lines: -0/+92
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA SUDO: choose between IPA and LDAP schema
  Author: Pavel Březina   Age: 2016-01-19   Files: 2   Lines: -58/+88
  This patch implements logic to choose between IPA and LDAP schema. From this point the sudo support in IPA is removed if sudo search base is not set specifically; it will be brought back in further patches.
  Resolves: https://fedorahosted.org/sssd/ticket/1108
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SDAP: use ipa_get_rdn() in nested groups
  Author: Pavel Březina   Age: 2016-01-19   Files: 2   Lines: -71/+11
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* IPA: add ipa_get_rdn and ipa_check_rdn
  Author: Pavel Březina   Age: 2016-01-19   Files: 4   Lines: -0/+438
  To exploit knowledge of IPA LDAP hierarchy.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: fail on failed request that cannot be retried
  Author: Pavel Březina   Age: 2016-01-19   Files: 1   Lines: -0/+3
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: allow to disable ptask
  Author: Pavel Březina   Age: 2016-01-19   Files: 1   Lines: -16/+20
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: move code shared between ldap and ipa to separate module
  Author: Pavel Březina   Age: 2016-01-19   Files: 5   Lines: -110/+199
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: make sudo sysdb interface more reusable
  Author: Pavel Březina   Age: 2016-01-19   Files: 9   Lines: -398/+354
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SUDO: use sdap_search_bases instead of custom sb iterator
  Author: Pavel Březina   Age: 2016-01-19   Files: 1   Lines: -104/+23
  Removes code duplication.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SDAP: support empty filters in sdap_combine_filters()
  Author: Pavel Březina   Age: 2016-01-19   Files: 1   Lines: -1/+4
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SDAP: rename sdap_get_id_specific_filter
  Author: Pavel Březina   Age: 2016-01-19   Files: 17   Lines: -57/+35
  A more generic name is used now since it is not used only for id filters. Probably all references will be deleted when the code uses sdap_search_in_bases instead of custom search base iterators.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SDAP: Add request that iterates over all search bases
  Author: Pavel Březina   Age: 2016-01-19   Files: 6   Lines: -7/+288
  We often need to iterate over many search bases but we always use a mostly copy&paste iterator. This will reduce code duplication and simplify code flow.
  Reviewed-by: Sumit Bose <sbose@redhat.com>

* SPEC: Fix unowned directories
  Author: Lukas Slebodnik   Age: 2016-01-15   Files: 1   Lines: -2/+20
  https://fedoraproject.org/wiki/Packaging:UnownedDirectories
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SDAP: do not fail if refs are found but not processed
  Author: Pavel Březina   Age: 2016-01-15   Files: 1   Lines: -10/+1
  It is possible to end up with not-processed referrals when using AD provider and ldap_referrals=true.
  Resolves: https://fedorahosted.org/sssd/ticket/2906
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

* SDAP: handle ret properly in ldap_get_options()
  Author: Pavel Březina   Age: 2016-01-14   Files: 1   Lines: -4/+9
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* Krb5/PAM: Fix account lockout error handling
  Author: Simo Sorce   Age: 2016-01-14   Files: 4   Lines: -0/+11
  The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is returned by the KDC when an account lockout is in effect. When an account is expired the KDC returns KRB5KDC_ERR_NAME_EXP. Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code.
  Resolves: https://fedorahosted.org/sssd/ticket/2924
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* KRB5: Adding DNS SRV lookup for krb5 provider
  Author: Petr Cech   Age: 2016-01-14   Files: 1   Lines: -0/+7
  This patch adds DNS SRV lookup for krb5 provider.
  Resolves: https://fedorahosted.org/sssd/ticket/2888
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SPEC: Move libsss_sudo.so outside sssd-common
  Author: Lukas Slebodnik   Age: 2016-01-14   Files: 1   Lines: -3/+20
  The module ${libdir}/libsss_sudo.so is used only by /usr/bin/sudo. If libsss_sudo.so was part of sssd-client then the 32-bit version would never be used on a 64-bit machine, and files in sssd-client can be used by multilib applications, e.g. libnss_sss.so can be indirectly "dlopened" by 64-bit applications and 32-bit applications (32-bit web browser; ordinary 64-bit applications ...).
  Resolves: https://fedorahosted.org/sssd/ticket/2855
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* Fix pep8 warnings in pyhbac-test.py
  Author: Jakub Hrozek   Age: 2016-01-13   Files: 1   Lines: -27/+30
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* tests: use unittest.TestCase.assertCountEqual if possible
  Author: Jakub Hrozek   Age: 2016-01-13   Files: 2   Lines: -57/+55
  We used to define a compat method for assertItemsEqual that existed on Python 2.7, but not on old Python 2.x. As an effect, we used our compat code even if assertCountEqual was available from standard library. The recent Python 3.x versions renamed assertItemsEqual to assertCountEqual. Therefore we should use the modern version which is in the standard library over a compat version provided by ourselves.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Petr Cech <pcech@redhat.com>

* DP: Print warning when the handler is not configured
  Author: Jakub Hrozek   Age: 2016-01-12   Files: 1   Lines: -1/+3
  We would previously only print the generic warning, not the user-supplied error message.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Petr Cech <pcech@redhat.com>

* ldap: remove originalMemberOf if there is no memberOf
  Author: Sumit Bose   Age: 2016-01-12   Files: 2   Lines: -2/+18
  Since originalMemberOf is not mapped directly to an original attribute and is handled specially it is not automatically removed if there is no memberOf in the original object anymore. This patch puts originalMemberOf on the list of attributes which should be removed in that case.
  Resolves https://fedorahosted.org/sssd/ticket/2917
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD SRV: prefer site-local DCs in LDAP ping
  Author: Pavel Březina   Age: 2016-01-11   Files: 1   Lines: -10/+30
  Resolves: https://fedorahosted.org/sssd/ticket/2765
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
  Author: Lukas Slebodnik   Age: 2016-01-11   Files: 1   Lines: -1/+1
  krb5 domain mapping files are stored to the directory %{pubconfpath}/krb5.include.d. It can be stored by ipa or ad provider. However this directory was owned by sub-package sssd-ipa, and ad provider can be installed without this package. Therefore %{pubconfpath}/krb5.include.d should be owned by common dependency. The owner of this directory was also fixed to sssd. It's already done by make install. It was changed only in spec file.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* AD: Log SID in debug message
  Author: Lukas Slebodnik   Age: 2016-01-08   Files: 1   Lines: -1/+1
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* sdap_save_grpmem: determine domain by SID if possible
  Author: Sumit Bose   Age: 2016-01-06   Files: 1   Lines: -13/+35
  Resolves https://fedorahosted.org/sssd/ticket/2910
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>