path: root/src/providers/ipa
Commit log (commit message, author, date, files changed, lines changed):
* UTIL: Allow to append new line in sss_vdebug_fn
  Author: Lukas Slebodnik  Date: 2016-03-23  Files: 1  Lines: -1/+1
  libldb is not consistent with appending line feed in debug messages. As a result of this two messages can be on the same line in sssd log files, which makes analyzing log files more difficult.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SUDO: be able to parse modifyTimestamp correctly
  Author: Pavel Březina  Date: 2016-03-17  Files: 1  Lines: -12/+12
  We were unable to parse modifyTimestamp where a non-numeric part (timezone) was involved. The format is YYYYMMDDHHmmssZ. It may also contain fraction or different timezone, every time separated from the datetime by a character. This patch gets the numeric part and then appends the string part again to get a value usable in the filter.
  Resolves: https://fedorahosted.org/sssd/ticket/2970
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA SUDO: support old ipasudocmd rdn
  Author: Pavel Březina  Date: 2016-03-14  Files: 1  Lines: -22/+103
  FreeIPA versions older than 3.1 have rdn sudoCmd instead of ipaUniqueID.
  Resolves: https://fedorahosted.org/sssd/ticket/2969
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA SUDO: fix typo
  Author: Pavel Březina  Date: 2016-03-14  Files: 1  Lines: -1/+1
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* libipa_hbac: Move the library to src/lib/ipa_hbac
  Author: Jakub Hrozek  Date: 2016-03-12  Files: 8  Lines: -2782/+1
  Moving the library to the lib directory will force maintainers to think twice about changes, because it would be obvious this is a library. Also don't use includes from sssd source tree paths, but add the util path to Makefile's CFLAGS so that other projects can copy the hbac_evaluator.c file verbatim.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* libipa_hbac: Fix typo in constant name
  Author: Jakub Hrozek  Date: 2016-03-12  Files: 1  Lines: -1/+1
  On platforms without the format attribute, libhbac could not be compiled.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* libipa_hbac: Add more debug messages
  Author: Jakub Hrozek  Date: 2016-03-12  Files: 1  Lines: -3/+19
  Adding more debug messages proved to be useful during pam_hbac development.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* libipa_hbac: Do not use C99
  Author: Jakub Hrozek  Date: 2016-03-12  Files: 1  Lines: -4/+10
  libipa_hbac can be used by external consumers like pam_hbac who run on old platforms that do not support C99. Refrain from using C99 features in that codebase.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA SUDO: download externalUser attribute
  Author: Pavel Březina  Date: 2016-03-09  Files: 3  Lines: -0/+3
  This allows configuration with id_provider = proxy and sudo_provider = ipa when someone needs to fetch rules for local users.
  https://fedorahosted.org/sssd/ticket/2972
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: invalidate override data if original view is missing
  Author: Sumit Bose  Date: 2016-02-26  Files: 1  Lines: -3/+13
  If the idview name cannot be read from cache this either means that the cache was empty or the name wasn't written because of an error. In the case of an error SSSD would assume that the default view was used. If the new view is different from the default view the override data must be invalidated. Since the sysdb call to invalidate the override data would work with an empty cache as well and do nothing it is safe to call it in both cases.
  Related to https://fedorahosted.org/sssd/ticket/2960
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: lookup idview name even if there is no master domain record
  Author: Sumit Bose  Date: 2016-02-26  Files: 1  Lines: -35/+43
  Currently the IPA subdomain provider returns with an error if there is no master domain record found. Since this record contains data which is only needed to create a trust with AD, like e.g. the IPA domain SID, this record is only created by ipa-adtrust-install. But the idview name is read after the master domain record. To make the idview feature work with a plain FreeIPA setup without running ipa-adtrust-install the missing master domain record should be handled gracefully and the following lookup should run as well.
  Resolves https://fedorahosted.org/sssd/ticket/2960
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: Use the common if-else coding style
  Author: Jakub Hrozek  Date: 2016-02-25  Files: 1  Lines: -4/+2
  Reviewed-by: Petr Cech <pcech@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Add interface to call into IPA provider from LDAP provider
  Author: Jakub Hrozek  Date: 2016-02-24  Files: 5  Lines: -1/+319
  https://fedorahosted.org/sssd/ticket/2522
  Adds a pluggable interface that is able to resolve the IPA group's external members. At the moment, the request calls the full be_ interface to make sure all corner cases like id-views are handled internally.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add a new option ldap_group_external_member
  Author: Jakub Hrozek  Date: 2016-02-24  Files: 1  Lines: -0/+1
  Required for: https://fedorahosted.org/sssd/ticket/2522
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* HBAC: Check format string in hbac log function
  Author: Lukas Slebodnik  Date: 2016-02-23  Files: 2  Lines: -1/+9
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: log real hbac function
  Author: Lukas Slebodnik  Date: 2016-02-23  Files: 3  Lines: -2/+5
  The string "hbac" was logged previously. The real hbac function will be logged with this patch.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Use sss_vdebug_fn in hbac_debug_messages
  Author: Lukas Slebodnik  Date: 2016-02-23  Files: 1  Lines: -12/+1
  This patch reduces unnecessary memory allocations for log messages from libhbac.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Use prefix for debug function
  Author: Lukas Slebodnik  Date: 2016-02-23  Files: 1  Lines: -2/+2
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IDMAP: Add support for automatic adding of ranges
  Author: Pavel Reichl  Date: 2016-01-20  Files: 1  Lines: -0/+1
  Resolves: https://fedorahosted.org/sssd/ticket/2188
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: Make it possible to silence errors from dereference
  Author: Jakub Hrozek  Date: 2016-01-19  Files: 1  Lines: -1/+5
  https://fedorahosted.org/sssd/ticket/2791
  When a modern IPA client is connected to an old (3.x) IPA server, the attribute dereferenced during the ID views lookup does not exist, which triggers an error during the dereference processing and also a confusing syslog message. This patch suppresses the syslog message.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA SUDO: Add support for ipaSudoRunAsExt* attributes
  Author: Pavel Březina  Date: 2016-01-19  Files: 3  Lines: -0/+17
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: simplify usn filter
  Author: Pavel Březina  Date: 2016-01-19  Files: 1  Lines: -7/+3
  usn >= current && usn != current is equivalent to usn >= current + 1
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: remember usn as number instead of string
  Author: Pavel Březina  Date: 2016-01-19  Files: 1  Lines: -7/+7
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: assume zero if usn is unknown
  Author: Pavel Březina  Date: 2016-01-19  Files: 2  Lines: -14/+6
  When we switched to be_ptask full_refresh_done has become obsolete since timing is handled in a better way. In case of unknown USN we assume zero which allows us to disable full refresh completely in configuration.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: remove full_refresh_in_progress
  Author: Pavel Březina  Date: 2016-01-19  Files: 2  Lines: -5/+0
  When we switched to be_ptask this variable has become obsolete.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Implement smart refresh
  Author: Pavel Březina  Date: 2016-01-19  Files: 3  Lines: -7/+438
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Remember USN
  Author: Pavel Březina  Date: 2016-01-19  Files: 1  Lines: -2/+48
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Implement rules refresh
  Author: Pavel Březina  Date: 2016-01-19  Files: 5  Lines: -5/+186
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Implement full refresh
  Author: Pavel Březina  Date: 2016-01-19  Files: 5  Lines: -1/+2281
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Implement sudo handler
  Author: Pavel Březina  Date: 2016-01-19  Files: 2  Lines: -0/+120
  Resolves: https://fedorahosted.org/sssd/ticket/XXXX
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Add ipasudocmd mapping
  Author: Pavel Březina  Date: 2016-01-19  Files: 3  Lines: -0/+19
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Add ipasudocmdgrp mapping
  Author: Pavel Březina  Date: 2016-01-19  Files: 3  Lines: -0/+21
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Add ipasudorule mapping
  Author: Pavel Březina  Date: 2016-01-19  Files: 4  Lines: -0/+52
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: choose between IPA and LDAP schema
  Author: Pavel Březina  Date: 2016-01-19  Files: 2  Lines: -58/+88
  This patch implements logic to choose between IPA and LDAP schema. From this point the sudo support in IPA is removed if sudo search base is not set specifically; it will be brought back in further patches.
  Resolves: https://fedorahosted.org/sssd/ticket/1108
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: add ipa_get_rdn and ipa_check_rdn
  Author: Pavel Březina  Date: 2016-01-19  Files: 2  Lines: -0/+188
  To exploit knowledge of IPA LDAP hierarchy.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: rename sdap_get_id_specific_filter
  Author: Pavel Březina  Date: 2016-01-19  Files: 6  Lines: -18/+15
  A more generic name is used now since it is not used only for id filters. Probably all references will be deleted when the code uses sdap_search_in_bases instead of custom search base iterators.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* ldap: remove originalMemberOf if there is no memberOf
  Author: Sumit Bose  Date: 2016-01-12  Files: 1  Lines: -1/+11
  Since originalMemberOf is not mapped directly to an original attribute and is handled specially it is not automatically removed if there is no memberOf in the original object anymore. This patch puts originalMemberOf on the list of attributes which should be removed in that case.
  Resolves https://fedorahosted.org/sssd/ticket/2917
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa_s2n_save_objects(): use configured user and group timeout
  Author: Sumit Bose  Date: 2016-01-06  Files: 1  Lines: -5/+5
  Resolves https://fedorahosted.org/sssd/ticket/2899
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Mark globals in ipa_opts.h as extern
  Author: Pavel Březina  Date: 2015-12-14  Files: 2  Lines: -297/+353
  To avoid collisions when we want to work with them elsewhere in the code.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA_PROVIDER: Explicit no handle of services
  Author: Petr Cech  Date: 2015-12-11  Files: 1  Lines: -1/+29
  Function get_object_from_cache() does not handle services. This patch adds a quick shortcut to avoid sending an LDAP query to cache.
  Resolves: https://fedorahosted.org/sssd/ticket/2747
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DP: Reduce code duplication in the callback handlers
  Author: Jakub Hrozek  Date: 2015-12-10  Files: 1  Lines: -1/+1
  Instead of calling sbus_request_return_and_finish() directly with the same checks copied over, add a be_sbus_reply() helper instead.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Use search timeout, not enum timeout for searching overrides
  Author: Jakub Hrozek  Date: 2015-12-09  Files: 1  Lines: -1/+1
  Related: https://fedorahosted.org/sssd/ticket/2866
  If the LDAP connection is still established when the client moves offline, we rely on the search timeout to find out the client is offline. The override search used the enum timeout, which defaults to 60 seconds. That caused too long delays in going offline.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: fix override with the same name
  Author: Sumit Bose  Date: 2015-11-20  Files: 1  Lines: -6/+7
  If the user name of an AD user is overridden with the name itself in an IPA override object SSSD adds this name twice to the alias list causing an ldb error when trying to write the user object to the cache. As a result the user is not available. This patch makes sure that there are no duplicated alias names.
  Resolves https://fedorahosted.org/sssd/ticket/2874
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* util: Update get_next_domain's interface
  Author: Michal Židek  Date: 2015-10-23  Files: 2  Lines: -4/+4
  Update get next domain to be able to include disabled domains and change the interface to accept flags instead of multiple booleans.
  Ticket: https://fedorahosted.org/sssd/ticket/2673
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* HBAC: remove misleading comment about deny rules
  Author: Pavel Reichl  Date: 2015-10-08  Files: 1  Lines: -4/+0
  HBAC deny rules are no longer supported. This comment should have been removed as part of 'Remove HBAC DENY rules from SSSD' https://fedorahosted.org/sssd/ticket/912
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* AD: Provide common connection list construction functions
  Author: Jakub Hrozek  Date: 2015-10-07  Files: 1  Lines: -13/+8
  https://fedorahosted.org/sssd/ticket/2810
  Provides a new AD common function ad_ldap_conn_list() that creates a list of AD connections to use along with properties to avoid mistakes when manually constructing these lists.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* DYNDNS: use realm and server commands only as fallback
  Author: Pavel Reichl  Date: 2015-10-05  Files: 1  Lines: -7/+0
  Resolves: https://fedorahosted.org/sssd/ticket/2495
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: fix minor memory leak
  Author: Pavel Reichl  Date: 2015-10-02  Files: 1  Lines: -1/+1
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* HBAC: Better libhbac debugging
  Author: Petr Cech  Date: 2015-10-01  Files: 4  Lines: -2/+243
  Added support for logging via external log function. Log provides information about rule evaluation (HBAC_DBG_INFO level) and additionally can describe rules (HBAC_DBG_TRACE level).
  Resolves: https://fedorahosted.org/sssd/ticket/2703
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA: Retry fetching keytab if IPA user lookup fails
  Author: Jakub Hrozek  Date: 2015-09-23  Files: 2  Lines: -14/+185
  Required for: https://fedorahosted.org/sssd/ticket/2639
  Instead of calling ipa_get_ad_acct_send directly, call a new request ipa_srv_ad_acct_send. The new request wraps ipa_get_ad_acct_send and tries to request a new keytab every time the lookup fails but the domain is online. be_mark_dom_offline() is called when the retry fails with the new code. The retry tries to re-setup the trusted domain. With two-way setups, the request is a no-op. With one-way trust setups, the request re-fetches a new keytab unconditionally.
  Reviewed-by: Sumit Bose <sbose@redhat.com>