summaryrefslogtreecommitdiffstats
path: root/src/providers/ldap
Commit message (Collapse)AuthorAgeFilesLines
* SUDO: be able to parse modifyTimestamp correctlyPavel Březina2016-03-173-17/+50
| | | | | | | | | | | | | We were unable to parse modifyTimestamp where a non-numeric part (timezone) was involved. The format is YYYYMMDDHHmmssZ. It may also contain fraction or different timezone, everytime separated from the datetime by character. This patch gets the numberic part and then appends the string part again to get value usable in filter. Resolves: https://fedorahosted.org/sssd/ticket/2970 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* tests: Add a unit test for the external groups resolutionJakub Hrozek2016-03-111-4/+6
| | | | | | | | | Adds a test that tests a complex nested group hierarchy. Also defines the talloc chunk for group members to 1 to make sure the realloc branch is always tested. Unit test for: https://fedorahosted.org/sssd/ticket/2522 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sdap: improve filtering of multiple results in GC lookupsSumit Bose2016-03-011-42/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Global Catalog of AD contains some information about all users and groups in an AD forest. Users from different domain in the forest can have the same name. The most obvious example is the Administrator user which is present in all domains. Although SSSD uses a domain specific search base for looking up users in the GC the search might still return multiple results if there is a user with the same name in one of the child (or grand-child ...) domains because of the hierarchic nature of the LDAP tree. Limiting the search depth would not help because users can be created in deeply nested OUs. Currently SSSD expects in this case that the user object is store in CN=Users or below. This works for all default users like Administrator but in general users can be created anywhere in the directory tree. If a user is created outside of CN=Users and there is a user with the same name in a child domain the initgroups command to look up the group-memberships of the user fails because it is not clear which of the two results should be used (initgroups for the child domain user works fine). This patch adds an additional scheme to select the right result based on the domain component attribute name 'dc'. This attribute indicates an additional component in the domain name and hence a child domain. So as long as the result contains a dc component following out search base it cannot be the object we are looking for. This scheme includes the old CN=Users based one but since it is more expensive I kept the old scheme which so far worked all the time and only use the new one if the old one fails. Resolves https://fedorahosted.org/sssd/ticket/2961 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* remove user certificate if not found on the serverPavel Březina2016-03-011-0/+10
| | | | | | | | | | | | | | | | If the user is not found by cert lookup when the user is already cached, two things may happen: 1) cert was removed from the user object 2) user was removed Instead of issuing another cert lookup we will just remove cert attribute from the cache not touching the expiration timestamp so the user may be updated later when needed. Resolves: https://fedorahosted.org/sssd/ticket/2934 Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use the IPA provider interface to resolve external group membersJakub Hrozek2016-02-243-28/+654
| | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2522 Currently the approach is not optimized for performance, because each external member is resolved in a full transaction to make sure even ID views and similar information is processed. In future, we should implement https://fedorahosted.org/sssd/ticket/2943 we will again be able to process all the data in a single transaction. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Add interface to call into IPA provider from LDAP providerJakub Hrozek2016-02-241-0/+23
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2522 Adds a pluggable interface that is able to resolve the IPA group's external members. At the moment, the request calls the full be_ interface to make sure all corner cases like id-views are handled internally. Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add a new option ldap_group_external_memberJakub Hrozek2016-02-242-0/+4
| | | | | | | Required for: https://fedorahosted.org/sssd/ticket/2522 Reviewed-by: Sumit Bose <sbose@redhat.com>
* subdomains: inherit ldap_krb5_keytabSumit Bose2016-02-231-0/+1
| | | | | | | | | | If a non-default keytab is configured for the parent domain the subdomains will still use the default keytab because the alternative keytab is not inherited. As a consequence SSSD might not be able to connect to services in the subdomain because the default keytab is either not present or does not have suitable keys. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Fix typos reported by lintianLukas Slebodnik2016-02-231-1/+1
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Add return code ERR_ACCOUNT_LOCKEDPavel Reichl2016-02-172-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add code to distinquish state when account is locked in Active Directory server. Tested against Windows Server 2012 This patch is best effort only as decision whether account is actually locked is based on parsing error message returned by AD. The format and content of this error message might be subject of change in future releases and also can be modified by AD administrators. If account is locked bind operation is expected to return following error message: ----------------------------------------------------------------------- Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 ----------------------------------------------------------------------- Where sub string 'data 775' implies that account is locked (ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code 0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of error string [2]. Error message is described in further detail as [3]: ----------------------------------------------------------------------- When the server fails an LDAP operation with an error, and the server has sufficient resources to compute a string value for the errorMessage field of the LDAPResult, it includes a string in the errorMessage field of the LDAPResult (see [RFC2251] section 4.1.10). The string contains further information about the error. The first eight characters of the errorMessage string are a 32-bit integer, expressed in hexadecimal. Where protocol specifies the extended error code "<unrestricted>" there is no restriction on the value of the 32-bit integer. It is recommended that implementations use a Windows error code for the 32-bit integer in this case in order to improve usability of the directory for clients. Where protocol specifies an extended error code which is a Windows error code, the 32-bit integer is the specified Windows error code. Any data after the eighth character is strictly informational and used only for debugging. Conformant implementations need not put any value beyond the eighth character of the errorMessage field. ----------------------------------------------------------------------- [1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx [2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols [3] MS-ADTS 3.1.1.3.1.9 https://msdn.microsoft.com/en-us/library/cc223253.aspx Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Just return NULL if tevent_req_create() failsSumit Bose2016-02-111-2/+1
| | | | | | | | | In general we just return NULL if tevent_req_create() fails because there is nothing we can do with the request anyway. Especially tevent_req_error() should not be called because it tries to dereference req. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Add error code to debug messagePavel Reichl2016-02-091-2/+4
| | | | Reviewed-by: Michal Židek <mzidek@redhat.com>
* IDMAP: Add support for automatic adding of rangesPavel Reichl2016-01-203-5/+13
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2188 Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: Make it possible to silence errors from dereferenceJakub Hrozek2016-01-192-9/+23
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2791 When a modern IPA client is connected to an old (3.x) IPA server, the attribute dereferenced during the ID views lookup does not exist, which triggers an error during the dereference processing and also a confusing syslog message. This patch suppresses the syslog message. Reviewed-by: Michal Židek <mzidek@redhat.com>
* sdap_connect_send: fail if uri or sockaddr is NULLPavel Březina2016-01-191-0/+6
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2904 Reviewed-by: Michal Židek <mzidek@redhat.com>
* SUDO: simplify usn filterPavel Březina2016-01-191-4/+2
| | | | | | usn >= current && usn != currect is equivalent to usn >= current + 1 Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: remember usn as number instead of stringPavel Březina2016-01-193-21/+24
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: allow disabling full refreshPavel Březina2016-01-191-1/+1
| | | | | | | | This condition always disabled smart refresh when full refresh interval was set to zero and thus disabling periodic refresh functionality completelely. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: assume zero if usn is unknownPavel Březina2016-01-192-16/+7
| | | | | | | | When we switched to be_ptaks full_refresh_done has become obsolete since timing is handled in a better way. In case of unknown USN we assume zero which allows us to disable full refresh completely in configuration. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: remove full_refresh_in_progressPavel Březina2016-01-192-5/+0
| | | | | | When we switched to be_ptask this variable has become obsolete. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: sdap_sudo_set_usn() do not steal usnPavel Březina2016-01-192-3/+10
| | | | | | This is less error prone. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: Add sdap_or_filtersPavel Březina2016-01-192-7/+27
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: use ipa_get_rdn() in nested groupsPavel Březina2016-01-191-71/+9
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: fail on failed request that cannot be retryPavel Březina2016-01-191-0/+3
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: allow to disable ptaskPavel Březina2016-01-191-16/+20
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: move code shared between ldap and ipa to separate modulePavel Březina2016-01-194-110/+197
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: make sudo sysdb interface more reusablePavel Březina2016-01-194-327/+15
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: use sdap_search_bases instead custom sb iteratorPavel Březina2016-01-191-104/+23
| | | | | | Removes code duplication. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: support empty filters in sdap_combine_filters()Pavel Březina2016-01-191-1/+4
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: rename sdap_get_id_specific_filterPavel Březina2016-01-1911-39/+20
| | | | | | | | More generic name is used now since it is not used only for id filters. Probably all references will be deleted when the code uses sdap_search_in_bases istead of custom search base iterators. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: Add request that iterates over all search basesPavel Březina2016-01-195-7/+286
| | | | | | | | We often need to iterate over many search bases but we always use mostly copy&paste iterator. This will reduce code duplication and simplify code flow. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: do not fail if refs are found but not processedPavel Březina2016-01-151-10/+1
| | | | | | | | | | It is possible to end up with not-processed referrals when using AD provider and ldap_referrals=true. Resolves: https://fedorahosted.org/sssd/ticket/2906 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* SDAP: handle ret properly in ldap_get_options()Pavel Březina2016-01-141-4/+9
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap: remove originalMeberOf if there is no memberOfSumit Bose2016-01-121-1/+7
| | | | | | | | | | | | Since originalMemerberOf is not mapped directly to an original attribute and is handled specially it is not automatically removed if there is no memberOf in the original object anymore. This patch put originalMemerberOf on the list of attribute which should be removed in that case. Resolves https://fedorahosted.org/sssd/ticket/2917 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sdap_save_grpmem: determine domain by SID if possibleSumit Bose2016-01-061-13/+35
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2910 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Use right domain for user lookupsSumit Bose2016-01-061-1/+1
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2910 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SUDO: get srv_opts after we are connectedPavel Březina2015-12-151-1/+3
| | | | | | It may be NULL in _send if SSSD has not been connected to LDAP so far. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: use size_t instead of int in for cyclesPavel Březina2015-12-151-2/+2
| | | | | | | So we compare proper data types. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: make sdap_sudo_handler staticPavel Březina2015-12-152-2/+4
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: remove finalizerPavel Březina2015-12-151-7/+1
| | | | | | | It is not used anywhere anyway. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: obtain host information when going onlinePavel Březina2015-12-153-55/+101
| | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2672 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: fix potential memory leak in sdap_sudo_initPavel Březina2015-12-151-2/+9
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: do not imitate full refresh if usn is unknown in smart refreshPavel Březina2015-12-152-20/+23
| | | | | | | | USN value should be always known now if at least one full refresh was successful. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: built host filter inside sdap_sudo_refresh requestPavel Březina2015-12-153-245/+215
| | | | | | | | Preparation for: https://fedorahosted.org/sssd/ticket/2672 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: set USN inside sdap_sudo_refresh requestPavel Březina2015-12-153-60/+49
| | | | | | | Reduce code duplication. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: sdap_sudo_load_sudoers improve iteratorPavel Březina2015-12-151-69/+55
| | | | | | | | The old search base iterator was difficult to read since its logic spread through all functions. This patch also shorten names. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: fix sdap_sudo_smart_refresh_recv()Pavel Březina2015-12-151-7/+7
| | | | | | | This fix huge violation of tevent coding style. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: fix tevent stylePavel Březina2015-12-154-300/+265
| | | | | | | | Rearrage and rename functions in sdap_async_sudo.c to obey tevent style and improve readability. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: fix sdap_id_op logicPavel Březina2015-12-151-16/+18
| | | | | | | Adds missing sdap_id_op_done call and retry logic. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SUDO: simplify error handlingPavel Březina2015-12-154-70/+41
| | | | | | | | This patch removes state->error and uses only ret instead since state->error was only duplication anyway. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-27 14:17:47 +0000