path: root/src/providers/ipa
Commit message | Author | Age | Files | Lines
* ipa subdomains provider: make sure search by SID works for homedir
  Author: Alexander Bokovoy | Age: 2014-05-21 | Files: 1 | Lines: -5/+15
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* ipa_selinux: Put SELinux map order related variables into structure
  Author: Michal Zidek | Age: 2014-05-12 | Files: 1 | Lines: -31/+37
  Small change to make the code more readable. The relation between order, order_array and order_count is more obvious when they are grouped in a structure.
  Resolves: https://fedorahosted.org/sssd/ticket/2304
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* Make LDAP extra attributes available to IPA and AD
  Author: Sumit Bose | Age: 2014-05-02 | Files: 1 | Lines: -5/+6
  https://fedorahosted.org/sssd/ticket/2073
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* LDAP: Make it possible to extend an attribute map
  Author: Jakub Hrozek | Age: 2014-05-02 | Files: 3 | Lines: -1/+12
  https://fedorahosted.org/sssd/ticket/2073

  This commit adds a new option ldap_user_extra_attrs that is unset by default. When set, the option contains a list of LDAP attributes the LDAP provider would download and store in addition to the usual set.

  The list can either contain LDAP attribute names only, or colon-separated tuples of LDAP attribute and SSSD cache attribute name. In case only the LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas.

  Reviewed-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Remove dead code from ipa_get_selinux_recv
  Author: Michal Zidek | Age: 2014-04-07 | Files: 1 | Lines: -38/+23
  The 'else' branches in ipa_get_selinux_recv are never executed (and even if they were, the result would be the same as if the true branches were taken).
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* Possible null dereference in SELinux code
  Author: Michal Zidek | Age: 2014-04-04 | Files: 1 | Lines: -2/+2
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

* IPA: Fix SELinux mapping order memory hierarchy
  Author: Jakub Hrozek | Age: 2014-04-03 | Files: 1 | Lines: -8/+8
  https://fedorahosted.org/sssd/ticket/2300

  The list of SELinux mapping orders was allocated on tmp_ctx and parsed into an array. The array itself was correctly allocated on mem_ctx but its contents remained on tmp_ctx, leading to a use-after-free error.

  This patch fixes the memory hierarchy so that both the array and its contents are allocated on mem_ctx.
* IPA: Use function sysdb_attrs_get_el in safe way
  Author: Lukas Slebodnik | Age: 2014-03-31 | Files: 1 | Lines: -10/+7
  Function sysdb_attrs_get_el can enlarge the array of ldb_message_element in "struct sysdb_attrs" if the attribute is not among the available attributes. The array will be enlarged with function talloc_realloc, but realloc can move the array to another place in memory; therefore the ldb_message_element should not be used after the next call of function sysdb_attrs_get_el:

      sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_USER, &user_found);
      sysdb_attrs_get_el(netgroup, SYSDB_ORIG_MEMBER_HOST, &host_found);

  With netgroups, it is common to omit user or host from the netgroup triple. There is a very high probability that realloc will be called. It is possible that the pointer user_found refers to the old area after the second call of function sysdb_attrs_get_el.

  Resolves: https://fedorahosted.org/sssd/ticket/2284
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Write SELinux usernames in the right case
  Author: Jakub Hrozek | Age: 2014-03-13 | Files: 1 | Lines: -5/+21
  https://fedorahosted.org/sssd/ticket/2282
  Reviewed-by: Michal Židek <mzidek@redhat.com>

* IPA: Use the correct domain when processing SELinux rules
  Author: Jakub Hrozek | Age: 2014-03-11 | Files: 1 | Lines: -10/+15
  We blindly used the user's domain for everything. That is wrong in case the user comes from a subdomain. We should use the IPA domain for accessing the SELinux rules and host data and the user domain only for the user.
  https://fedorahosted.org/sssd/ticket/2270
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>

* IPA: Use GC for AD initgroup requests
  Author: Sumit Bose | Age: 2014-03-10 | Files: 1 | Lines: -6/+15
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* IPA: Do not save intermediate data to sysdb
  Author: Jakub Hrozek | Age: 2014-03-05 | Files: 1 | Lines: -28/+28
  https://fedorahosted.org/sssd/ticket/2264
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* ipa-server-mode: use lower-case user name for home dir
  Author: Sumit Bose | Age: 2014-03-03 | Files: 1 | Lines: -1/+10
  In older IPA server versions where the AD users were looked up by winbind, the user name component of the home directory path was always lower case. This still holds for IPA clients as well. To avoid regression this patch makes the user name component lower case as well.
  Fixes https://fedorahosted.org/sssd/ticket/2263
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* IPA: check ranges for collisions before saving them
  Author: Sumit Bose | Age: 2014-02-26 | Files: 1 | Lines: -20/+64
  Fixes https://fedorahosted.org/sssd/ticket/2253
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

* IPA: refactor idmap code and add test
  Author: Sumit Bose | Age: 2014-02-26 | Files: 2 | Lines: -147/+108
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Fix DEBUG message formatting
  Author: Jakub Hrozek | Age: 2014-02-25 | Files: 1 | Lines: -1/+1

* IPA: Don't fail if apply_subdomain_homedir returns ENOENT
  Author: Jakub Hrozek | Age: 2014-02-20 | Files: 1 | Lines: -1/+1
  Reviewed-by: Pavel Reichl <preichl@redhat.com>

* IPA: Don't call tevent_req_post outside _send
  Author: Jakub Hrozek | Age: 2014-02-20 | Files: 1 | Lines: -1/+0
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: default krb5_fast_principal to host/$client@$realm
  Author: Pavel Březina | Age: 2014-02-17 | Files: 1 | Lines: -3/+5
  If krb5_fast_principal was not set in sssd.conf, it was set to host/$client and the KRB5 default realm was used, which doesn't have to be the same as the realm used for IPA; thus authentication failed when using FAST.
  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

* IPA: Default to krb5_use_fast=try
  Author: Jakub Hrozek | Age: 2014-02-13 | Files: 2 | Lines: -1/+28
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
  Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* Update DEBUG* invocations to use new levels
  Author: Nikolai Kondrashov | Age: 2014-02-12 | Files: 11 | Lines: -154/+194
  Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead:

      grep -rl --include '*.[hc]' DEBUG . |
      while read f; do
          mv "$f"{,.orig}
          perl -e 'use strict;
                   use File::Slurp;
                   my @map=qw"
                       SSSDBG_FATAL_FAILURE
                       SSSDBG_CRIT_FAILURE
                       SSSDBG_OP_FAILURE
                       SSSDBG_MINOR_FAILURE
                       SSSDBG_CONF_SETTINGS
                       SSSDBG_FUNC_DATA
                       SSSDBG_TRACE_FUNC
                       SSSDBG_TRACE_LIBS
                       SSSDBG_TRACE_INTERNAL
                       SSSDBG_TRACE_ALL
                   ";
                   my $text=read_file(\*STDIN);
                   my $repl;
                   $text=~s/
                       ^
                       (
                           .*
                           \b
                           (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                           \s*
                           \(\s*
                       )(
                           [0-9]
                       )(
                           \s*,
                       )
                       (
                           \s*
                       )
                       (
                           .*
                       )
                       $
                   /
                       $repl = $1.$map[$3].$4.$5.$6,
                       length($repl) <= 80
                           ? $repl
                           : $1.$map[$3].$4."\n".(" " x length($1)).$6
                   /xmge;
                   print $text;
                  ' < "$f.orig" > "$f"
          rm "$f.orig"
      done

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Make DEBUG macro invocations variadic
  Author: Nikolai Kondrashov | Age: 2014-02-12 | Files: 25 | Lines: -758/+758
  Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code:

      grep -rwl --include '*.[hc]' DEBUG . |
      while read f; do
          mv "$f"{,.orig}
          perl -e \
          'use strict;
           use File::Slurp;
           my $text=read_file(\*STDIN);
           $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
           print $text;' < "$f.orig" > "$f"
          rm "$f.orig"
      done

  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* LDAP: Detect the presence of POSIX attributes
  Author: Jakub Hrozek | Age: 2014-02-12 | Files: 1 | Lines: -1/+1
  When the schema is set to AD and ID mapping is not used, a one-time check is run when searching for users to detect the presence of POSIX attributes in LDAP. If this check fails, the search fails as if no entry was found and returns a special error code.

  The sdap_server_opts structure is filled every time a client connects to a server, so the posix check boolean is reset to false again on connecting to the server.

  It might be better to move the check to where the rootDSE is retrieved, but the check depends on several features that are not known to the code that retrieves the rootDSE (or the connection code for example) such as what the attribute mappings are or the authentication method that should be used.

  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: support for subdomain_homedir
  Author: Pavel Reichl | Age: 2014-02-05 | Files: 1 | Lines: -0/+190
  Homedir is by default set according to subdomain_homedir for users from AD.
  Resolves: https://fedorahosted.org/sssd/ticket/2169
* LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
  Author: Jakub Hrozek | Age: 2014-01-29 | Files: 1 | Lines: -3/+5
  Previously, the sdap-domain enumeration request used a single connection context to download all the data. Now we'd like to use different connections to download different objects, so the ID context is passed in and the request itself decides which connection to use for the sdap-domain enumeration.
* responder: Set forest attribute in AD domains
  Author: Pavel Reichl | Age: 2014-01-09 | Files: 1 | Lines: -1/+1
  Resolves: https://fedorahosted.org/sssd/ticket/2160

* IPA: fix for recent AD group membership changes
  Author: Sumit Bose | Age: 2014-01-08 | Files: 1 | Lines: -0/+2

* Add new option ldap_group_type
  Author: Sumit Bose | Age: 2013-12-19 | Files: 1 | Lines: -0/+1
* IPA: Call ipa_ad_subdom_refresh when server mode is initialized
  Author: Jakub Hrozek | Age: 2013-12-19 | Files: 1 | Lines: -6/+14
  ipa_ad_subdom_refresh was called before the IPA server context was initialized. On the IPA server, this caused the code to dereference a NULL pointer and crash.

* Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias
  Author: Sumit Bose | Age: 2013-12-19 | Files: 1 | Lines: -21/+6

* IPA: Refresh subdomain data structures on startup
  Author: Jakub Hrozek | Age: 2013-12-18 | Files: 1 | Lines: -19/+32
  Write domain-mappings at startup and initialize internal data structures on provider startup, not only during updates.

* SUBDOMAINS: Reuse cached results if DP is offline
  Author: Jakub Hrozek | Age: 2013-12-09 | Files: 1 | Lines: -2/+6
  If Data Provider was unable to refresh the subdomain list, the sss_domain_info->subdomains list was NULL, which meant that no DP request matched any known domain and hence offline authentication was not working correctly.
  Resolves: https://fedorahosted.org/sssd/ticket/2168
* Remove unused parameter from ipa_save_netgroup
  Author: Lukas Slebodnik | Age: 2013-11-27 | Files: 1 | Lines: -2/+1

* Remove unused parameter from sss_selinux_extract_user
  Author: Lukas Slebodnik | Age: 2013-11-27 | Files: 1 | Lines: -1/+1

* SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c
  Author: Michal Zidek | Age: 2013-11-15 | Files: 3 | Lines: -9/+5

* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)
  Author: Michal Zidek | Age: 2013-11-15 | Files: 9 | Lines: -19/+17

* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)
  Author: Michal Zidek | Age: 2013-11-15 | Files: 2 | Lines: -5/+4

* SYSDB: Drop the sysdb_ctx parameter from the sysdb_ssh module
  Author: Michal Zidek | Age: 2013-11-15 | Files: 1 | Lines: -4/+2

* SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module
  Author: Michal Zidek | Age: 2013-11-15 | Files: 1 | Lines: -2/+1

* SYSDB: Drop the sysdb_ctx parameter from SELinux functions
  Author: Jakub Hrozek | Age: 2013-11-15 | Files: 1 | Lines: -7/+6
* Merge ipa_selinux_common.c and ipa_selinux.c
  Author: Jakub Hrozek | Age: 2013-11-15 | Files: 3 | Lines: -110/+46
  Moved unused functions and merged ipa_selinux_common.c into ipa_selinux.c

* Add ldap_autofs_map_master_name option
  Author: Cove Schneider | Age: 2013-11-12 | Files: 1 | Lines: -0/+1

* ipa: destroy cleanup task when subdomain is removed
  Author: Pavel Březina | Age: 2013-10-25 | Files: 1 | Lines: -0/+1
  Resolves: https://fedorahosted.org/sssd/ticket/1968

* dp: free sdap domain if subdomain is removed
  Author: Pavel Březina | Age: 2013-10-25 | Files: 1 | Lines: -0/+4
  Resolves: https://fedorahosted.org/sssd/ticket/1968

* dp: make subdomains refresh interval configurable
  Author: Pavel Březina | Age: 2013-10-25 | Files: 1 | Lines: -3/+4
  This patch makes the refresh of available subdomains configurable.
  New option: subdomain_refresh_interval (undocumented)
  Resolves: https://fedorahosted.org/sssd/ticket/1968

* LDAP: Amend sdap_access_check to allow any connection
  Author: Jakub Hrozek | Age: 2013-10-25 | Files: 1 | Lines: -2/+11
  Related: https://fedorahosted.org/sssd/ticket/2082
  Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
* IPA: add trusted domains with missing idrange
  Author: Sumit Bose | Age: 2013-10-25 | Files: 1 | Lines: -0/+137
  If the forest root of a trusted forest is managing POSIX IDs for its users and groups, the same is assumed for all member domains in the forest which do not explicitly have an idrange set. To reflect this, SSSD will create the matching ranges automatically.
  Fixes https://fedorahosted.org/sssd/ticket/2101

* sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
  Author: Sumit Bose | Age: 2013-10-25 | Files: 1 | Lines: -1/+1
  When libss_idmap was only used to algorithmically map a SID to a POSIX ID, a domain SID was strictly necessary and the only information needed to find a domain. With the introduction of external mappings there are cases where a domain SID is not available. Currently we relied on the fact that external mapping was always used as a default if no specific information about the domain was found. This led to extra CPU cycles and potentially confusing debug messages. Adding the domain name as a search parameter will avoid this.
* subdomains: first destroy ptask then remove sdom
  Author: Pavel Březina | Age: 2013-10-24 | Files: 1 | Lines: -3/+3
  be_ptask_destroy was unreachable since sdom is not present in the list of sdap domains any more.

* IPA: add callback to reset subdomain timeouts
  Author: Sumit Bose | Age: 2013-10-22 | Files: 1 | Lines: -0/+23
  Fixes https://fedorahosted.org/sssd/ticket/2030