summaryrefslogtreecommitdiffstats
path: root/src/providers
Commit message (Collapse)AuthorAgeFilesLines
...
* IPA: use sysdb_attrs_add_string_safe to add group memberSumit Bose2015-04-271-2/+3
| | | | | | | | The member list returned by the extdom plugin might contain some entries more than once. Although this is an issue on the server side to avoid ldb errors duplicates should be filtered out on the client as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: do not try to save override data for the default viewSumit Bose2015-04-271-5/+10
| | | | | | | | | | For the default view all override data is available in the cached user or group object. Even if separate override data is available it should not be written into the cache. Resolves https://fedorahosted.org/sssd/ticket/2630 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ad_opts: Use different default attribute for group nameLukas Slebodnik2015-04-171-1/+1
| | | | | | | | | | | | | | | | The MSFT docs [1,2] for LDAP attributes says: samAccountName is mandotory for 'user' and 'group' objectclasses via the 'Security-Principal' aux-class name is part of the 'top' class and *not* mandatory for 'user' or 'group'. [1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx [2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx Resolves: https://fedorahosted.org/sssd/ticket/2593 Reviewed-by: Sumit Bose <sbose@redhat.com>
* subdom: Remove unused function get_flat_name_from_subdomain_nameJakub Hrozek2015-04-162-24/+0
| | | | | | | The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD GPO: Always look up GPOs from machine domainStephen Gallagher2015-04-151-21/+33
| | | | | | | | | | | | | | When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined). This patch has the GPO processing use the primary domain instead of the user domain. Resolves: https://fedorahosted.org/sssd/ticket/2606 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Always get domain-specific ID connectionStephen Gallagher2015-04-151-11/+7
| | | | | | | | | | | | | | | | ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at the LDAP connection for the primary domain, however it turns out that this is not always the case. It's currently unclear why, but this connection can sometimes be pointing at a subdomain. Since the value of subdom_id_ctx->ldap_ctx always points to the correct domain (including the primary domain case), there's no benefit to trying to shortcut to the ad_ctx->ldap_ctx when performing this lookup. This patch also makes a minor tweak to the tests so that the primary domain passes the sdap_domain_get() check for validity (since it needs to have a private member assigned). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Clean up ad_access_gpoStephen Gallagher2015-04-151-7/+5
| | | | | | Align goto usage with conventions in the rest of the source. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* selinux: Only call semanage if the context actually changesJakub Hrozek2015-04-141-4/+31
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com>
* SDAP: Filter ad groups in initgroupsLukas Slebodnik2015-04-141-0/+12
| | | | | | | | | | Function sdap_add_incomplete_groups stored domain local groups from subdomain as POSIX group, which should not be done. Resolves: https://fedorahosted.org/sssd/ticket/2614 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Extract filtering AD group to functionLukas Slebodnik2015-04-144-47/+99
| | | | | | Patch remove code duplication. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Do not set gid 0 twiceLukas Slebodnik2015-04-141-7/+0
| | | | | | | | | | | | | | | | | | | | | The gid o was added to sysdb attrs directly in sdap_save_group for 1st time and for second time in the function sdap_store_group_with_gid, which was called every time from function sdap_save_group [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) [sysdb_store_group] (0x1000): sysdb_set_group_attr failed. [sysdb_store_group] (0x0400): Error: 17 (File exists) [sdap_store_group_with_gid] (0x0040): Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com [sdap_save_group] (0x0080): Could not store group with GID: [File exists] [sdap_save_group] (0x0080): Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nsupdate: Append -d/-D to nsupdate with a high debug levelJakub Hrozek2015-04-141-1/+17
| | | | | | https://fedorahosted.org/sssd/ticket/897 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* dyndns: Log nsupdate stderr with a high debug levelJakub Hrozek2015-04-141-0/+12
| | | | | | https://fedorahosted.org/sssd/ticket/2224 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Set sdap handle as explicitly connected in LDAP authJakub Hrozek2015-04-081-0/+12
| | | | | | | | | | | | | In case SSSD is set with id_provider=proxy and auth_provider=ldap, the LDAP provider is not used to retrieve the user info with the higher-level calls, but the lower-level connection establishment is used instead. In this case, we need to make sure to mark the connection as explicitly connected to be notified about results of looking up the DN. Resolves: https://fedorahosted.org/sssd/ticket/2620 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* enumeration: fix talloc contextPavel Březina2015-04-082-2/+2
| | | | | | | | | | | | | | If for some reason ptask fails (e.g. timeout), req is talloc freed but because subreq is attached to ectx which is permanent it is finished anyway. Then a crash occures when we are trying to access callback data. The same happens in sdap_dom_enum_ex_send. Resolves: https://fedorahosted.org/sssd/ticket/2611 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* KRB5: Unify prototype and definitionLukas Slebodnik2015-04-011-2/+3
| | | | | | | | | The prototype of function copy_keytab_into_memory does not match the definition. One of arguments differs in constant modifier. Patch also include header file to implementation module. If should avoid such problems in future. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: Check return value of ad_gpo_store_policy_settingsLukas Slebodnik2015-04-011-0/+6
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: fix a typo in debug messagePavel Reichl2015-03-261-1/+1
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Remove the ipa_hbac_treat_deny_as optionJakub Hrozek2015-03-248-79/+19
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 Since deny rules are no longer supported on the server, the client should no longer support them either. Remove the option. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Deprecate the ipa_hbac_treat_deny_as optionJakub Hrozek2015-03-241-0/+4
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 Deny rules have not been supported by the IPA server since 2.1. We should deprecate the ipa_hbac_treat_deny_as option. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Only treat malformed HBAC rules as fatal if deny rules are enabledJakub Hrozek2015-03-241-14/+54
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 If deny rules are not in effect, we can skip malformed HBAC rules because at worst we will deny access. If deny rules are in effect, we need to error out to be on the safe side and avoid skipping a deny rule. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Drop useless sysdb parameterJakub Hrozek2015-03-241-16/+10
| | | | | | | | https://fedorahosted.org/sssd/ticket/2603 It's better to dereference the domain structure. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Use custom error codes when validating HBAC rulesJakub Hrozek2015-03-244-29/+29
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This will be useful in the next patch where we act on certain codes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Resolv: re-read SRV query every time if its TTL is 0Jakub Hrozek2015-03-241-1/+1
| | | | | | | We should make sure the client re-checks the SRV query each request if the SRV query is 0. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ldap: refactor nds_check_expired to use util funcPavel Reichl2015-03-231-23/+6
| | | | | | Refactor nds_check_expired() to use utility function sss_utc_to_time_t(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap: refactor check_pwexpire_kerberos to use util funcPavel Reichl2015-03-231-24/+6
| | | | | | | | | Refactor check_pwexpire_kerberos() to use utility function sss_utc_to_time_t(). Modify test to handle new error code ERR_TIMESPEC_NOT_SUPPORTED Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TESTS: test expirationPavel Reichl2015-03-231-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: Decorate the sdap_op functions with DEBUG messagesJakub Hrozek2015-03-231-1/+9
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: Make StartTLS bind configurable with ldap_opt_timeoutJakub Hrozek2015-03-231-2/+3
| | | | | | | Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: Make password change timeout configurable with ldap_opt_timeoutJakub Hrozek2015-03-233-5/+10
| | | | | | | Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: Make simple bind timeout configurableJakub Hrozek2015-03-234-8/+19
| | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/1501 Reuse the value of sdap_opt_timeout to set a longer bind timeout for user authentication, ID connection authentication and authentication during IPA migration mode. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: remove unused codePavel Reichl2015-03-231-5/+1
| | | | | | Also fix debug message. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: error out instead of leaving array element uninitializedSumit Bose2015-03-231-1/+4
| | | | | | | | | | | In general every object created by the AD provider should have a SID attribute. Since SIDs and GPOs are used for access control a missing SID should be treated as error for now until it is known if there is a valid reason why the SID is missing. Resolves https://fedorahosted.org/sssd/ticket/2608 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sdap: properly handle binary objectGuid attributeSumit Bose2015-03-203-34/+21
| | | | | | | | | | | | | | Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: add debug hintPavel Reichl2015-03-201-1/+2
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: set EINVAL if dn can't be linearizedPavel Reichl2015-03-191-0/+1
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: make sure output variable is setSumit Bose2015-03-191-1/+3
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* selinux: Handle setup with empty default and no configured rulesJakub Hrozek2015-03-172-4/+10
| | | | | | | | | | SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component. Related to: https://fedorahosted.org/sssd/ticket/2587 Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA idviews: check if view name is setSumit Bose2015-03-171-1/+4
| | | | | | | | | | When working with older FreeIPA releases the view name might not always been set. This patch add checks to might sure it is only dereferenced when set. Resolves https://fedorahosted.org/sssd/ticket/2604 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add missing new lines to debug messagesLukas Slebodnik2015-03-1719-44/+46
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP/AD: do not resolve group members during tokenGroups requestSumit Bose2015-03-179-18/+64
| | | | | | | | | | | | | | | | | | | | | | During initgroups requests we try to avoid to resolve the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup return the complete list of memberships for a user hence it is not necessary lookup the other group member and un-roll nested groups. With this patch only the group entry is looked up and saved as incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true groups which are missing in the cache are created a incomplete groups. As a result a request to lookup this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests. https://fedorahosted.org/sssd/ticket/2601 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa_selinux: Fix warning may be used uninitializedLukas Slebodnik2015-03-171-1/+1
| | | | | | | | | | | | | src/providers/ipa/ipa_selinux.c: In function 'ipa_selinux_handler_done': src/providers/ipa/ipa_selinux.c:927:16: error: 'sci' may be used uninitialized in this function [-Werror=maybe-uninitialized] state->sci = sci; ^ src/providers/ipa/ipa_selinux.c:333:33: note: 'sci' was declared here struct selinux_child_input *sci; ^ cc1: all warnings being treated as errors Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: make sure extdom expo data is availableSumit Bose2015-03-131-0/+5
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: do not treat missing sub-domain users as errorSumit Bose2015-03-131-3/+7
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2444 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: fix coverity warningPavel Reichl2015-03-111-2/+12
| | | | | | | In ldap_child_get_tgt_sync() variable 'ret' got overriden in done section without ever before being read. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: More debugging for create_ccache()Jakub Hrozek2015-03-101-13/+41
| | | | | | | | It was difficult to find where the problem was without advanced techniques like strace. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_refresh: get rid of callback pointersPavel Březina2015-03-091-67/+31
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* be_refresh: support groupsPavel Březina2015-03-083-0/+53
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2346 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* be_refresh: support usersPavel Březina2015-03-083-0/+53
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2346 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* be_refresh: add sdap_refresh_initPavel Březina2015-03-085-30/+33
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-28 02:03:03 +0000