| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
If the LDAP schema was set to a different value than AD and ID mapping
was enabled, the value of ret was not defined.
Make sure we define ret for the condition below with the
default for ID mapping which is 'no GID'
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The meta server status consists of two parts:
A) port status - managed by failover mechanism
B) SRV lookup status - managed by SRV resolver
Both parts are resetted to "neutral" after some time, having
B timeout greater than A timeout.
We were hitting the following issue:
1. SRV lookup fails (DNS is not reachable), this will set A to
"not working and B to "resolve error". Then the next server is
tried but fails as well.
2. If SSSD tries to go back online the failover will set A to
"neutral" and it will try to resolve SRV again. But B status is
still set to "resolve error" since we haven't reached the timeout
yet and SRV resolution fails immediately. But the next server
is not tried since the port status (A) remains "neutral".
This patch sets the port status to "not working" making the
failover to continue with the next server as expected.
https://fedorahosted.org/sssd/ticket/2390
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds periodic check to test if
backend can exit offline mode and only
marks backend as not offline if server
for the service is available.
Prior to this patch we marked backend as not
offline if the offline_timeout was reached
without checking for the server availability
and when the next request failed again
we switched back to the offline mode.
This caused significant slowdowns in some
edge cases.
Fixes:
https://fedorahosted.org/sssd/ticket/2355
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2377
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If case_sensitivity is set to 'preserving', getXXnam
returns name attribute in the same format as
stored in LDAP.
Fixes:
https://fedorahosted.org/sssd/ticket/2367
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
When the GPO processing tried to advance to the next GPO on encountering
an error, the som_index was not incremented, causing an infinite loop.
Reviewed-by: Yassir Elley <yelley@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is problem with OpenLDAP server and dereferencing of attributes
that is not in the schema of the server?
sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
-E 'deref=member:uid,dummy_attr' cn=ref_grp
Protocol error (2)
Additional information: Dereference control: attribute decoding error
sh-4.2$ echo $?
2
The attribute nsUniqueID is a 389-only, non-standard attribute.
It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
nor posixAccount schema. It was a default value of option ldap_user_uuid,
but it was not use anywhere.
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
D-Bus only supports 255 signatures which caused a segmentation fault
when sudo responder tried to refresh more rules at once.
Resolves:
https://fedorahosted.org/sssd/ticket/2387
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Request is freed if creation of subrequest fails and ENOMEM is returned.
This would lead to use after free as returned value is checked on
caller's side and (already freed) request would be marked as erroneous.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Move copy&pasted code for iteration of nested groups into separate
function.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2385
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Body of functions sdap_x_deref_search_done(), sdap_asq_search_done(),
sdap_sd_search_done and sdap_get_generic_done() are the same. Remove
code duplication by calling sdap_get_generic_done() from
sdap_x_deref_search_done(), sdap_sd_search_done and from
sdap_asq_search_done() instead of having two more duplicate
implementations.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_sid/find_domain_by_sid/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Resolving groups obtained via Token-Groups in case of disabled ID mapping may
lead to failure as non-posix groups are not resolved. This patch amends
sdap_ad_resolve_sids_done() not to abruptly finish request if ENOENT is
returned.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can be already send with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.
if find_subdomain_by_sid() failed we can check if there is only one domain in
the domain list (state->domain) and in this case continue with this domain since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Without this option krb5_child cannot be run in interactive mode.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds some more log messages to functionality of storing groups into
sysdb. As these functions are low level and failures are often handled on
higher levels the commonly chosen level is SSSDBG_TRACE_LIBS.
Resolves:
https://fedorahosted.org/sssd/ticket/2239
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This attribute was used in pre 1.7 versions of sudo and it is now
deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.
This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo than decides how to handle it.
The new mapping option is not present in a man page since this
attribute is deprecated in sudo for a very long time.
Resolves:
https://fedorahosted.org/sssd/ticket/2212
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2348
When SSSD is running in interactive mode, we should print DEBUG messages
directly to stderr, not journal.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Version symbol files will help package systems to catch backward compatible
changes (newly added functions) into library.
The difference between libraries libsss_nss_idmap_test.so and
libsss_nss_idmap.so is that the 1st library will not be installed and has more
exported functions, which are necessary for mocking with cmocka for test
sss_nss_idmap-test.
Resolves:
https://fedorahosted.org/sssd/ticket/2194
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Introduces a new method implemented only by the IFP responder. When this
method is received, the responder attempts to reconnect to the system
bus, if not connected already.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
This function was not used since 2009. Unused and untested function
would just rot, better to remove it completely.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
No caller directly accessed this parameter. Moreover, it seemed useless
since the same data is available as SYSDB_ORIGINAL_DN in the attributes.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
While I was changing the sdap_parse_entry function, I also realized that
some of the DEBUG messages were converted to the #defines, but their
level was still not accurate. This patch fixes the DEBUG levels and
indentation around them.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The same LDAP attribute might be used several times for the same user or
group attribute. For instance, some servers have a global "ID" number
that should be used for both UID and GID. However, our
sdap_parse_entry() function only copied the LDAP attribute to the first
matching sysdb attribute.
This patch adds a second nested loop that checks if any of the other
LDAP attributes are eligible.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
the opts.h files were consuming some #defines from ldap_common.h (such
as SSS_LDAP_SRV_NAME) without including ldap_common.h. That's bad
practice and break programs that wish to just include the opts.h header.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
sysdb_attrs_get_el() cannot return ENOENT. Even if the requested member
doesn't exist, an empty element is created instead. This patch changes
the code to use sysdb_attrs_get_el_ext() which returns ENOENT.
The code only ever worked because we forgot to check the return value of
sdap_nested_group_split_members(). When the empty attribute reached
sdap_nested_group_split_members(), the function returned ENOMEM and
count == 0. The caller used to only check the value of count, not the
retval.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Don't fail if num_missing is 0.
Resolves:
https://fedorahosted.org/sssd/ticket/2369
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Don't call tevent_req_done after tevent_req_error (for the same request).
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
