| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
To ensure no memory is leak on long living context such as rctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2869
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After ldb connect ldb context contains the following error:
"NULL Base DN invalid for a base search"
This comes from internal ldb function ldb_set_default_dns() which
runs base search on NULL dn to discover records similar to what
rootDSE provides. However, tdb backend considers this an error
and sets the message above.
This may break memory leak checks in tests when we do push/pop on
test_ctx which is a indirect parent of ldb_context. The error message
is allocated when push is called but it is freed by other ldb queries
and therefore not preset during the push phase and thus the leak check
fails.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Moving the library to the lib directory will force maintainers to think
twice about changes, because it would be obvious this is a library.
Also don't use includes from sssd source tree paths, but add the util
path to Makefile's CFLAGS so that other projects can copy the
hbac_evaluator.c file verbatim.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Adds a test that tests a complex nested group hierarchy. Also defines
the talloc chunk for group members to 1 to make sure the realloc branch
is always tested.
Unit test for: https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
It will compilation of 40 files.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Global Catalog of AD contains some information about all users and
groups in an AD forest. Users from different domain in the forest can
have the same name. The most obvious example is the Administrator user
which is present in all domains. Although SSSD uses a domain specific
search base for looking up users in the GC the search might still return
multiple results if there is a user with the same name in one of the
child (or grand-child ...) domains because of the hierarchic nature of
the LDAP tree. Limiting the search depth would not help because users
can be created in deeply nested OUs.
Currently SSSD expects in this case that the user object is store in
CN=Users or below. This works for all default users like Administrator
but in general users can be created anywhere in the directory tree. If a
user is created outside of CN=Users and there is a user with the same
name in a child domain the initgroups command to look up the
group-memberships of the user fails because it is not clear which of the
two results should be used (initgroups for the child domain user works
fine).
This patch adds an additional scheme to select the right result based on
the domain component attribute name 'dc'. This attribute indicates an
additional component in the domain name and hence a child domain. So as
long as the result contains a dc component following out search base it
cannot be the object we are looking for. This scheme includes the old
CN=Users based one but since it is more expensive I kept the old scheme
which so far worked all the time and only use the new one if the old one
fails.
Resolves https://fedorahosted.org/sssd/ticket/2961
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
functionality
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2522
Currently the approach is not optimized for performance, because each
external member is resolved in a full transaction to make sure even ID
views and similar information is processed.
In future, we should implement https://fedorahosted.org/sssd/ticket/2943
we will again be able to process all the data in a single transaction.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are three functions at API of colondb wrapper:
* sss_colondb_open()
* sss_colondb_readline()
* sss_colondb_writeline()
This patch adds tests for all of them.
We test those cases:
* open nonexisting file for read
* open nonexisting file for write
* open existing empty file for read
* open existing file with records for read
* open existing empty file for write
* open existing file with records for write
* write to empty file
* write to file with existing records
* sss_colondb_open()
* sss_colondb_readline()
* sss_colondb_write_line()
* write to empty file and read it
Resolves:
https://fedorahosted.org/sssd/ticket/2764
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I can reproduce it only with clang.
But it's tipical off by one error.
sh$ ./sss_idmap-tests
Running suite(s): IDMAP
Segmentation fault (core dumped)
Running suite(s): IDMAP
==2644== Process terminating with default action of signal 11 (SIGSEGV)
==2644== Access not within mapped region at address 0xA08F430
==2644== at 0x4C2CC53: strcmp (vg_replace_strmem.c:842)
==2644== by 0x4060DA: idmap_test_sid2uid_additional_secondary_slices (sss_idmap-tests.c:451)
==2644== by 0x503C78A: ??? (in /usr/lib64/libcheck.so.0.0.0)
==2644== by 0x503CB7C: srunner_run (in /usr/lib64/libcheck.so.0.0.0)
==2644== by 0x4061EE: main (sss_idmap-tests.c:965)
==2644== If you believe this happened as a result of a stack
==2644== overflow in your program's main thread (unlikely but
==2644== possible), you can try to increase the size of the
==2644== main thread stack using the --main-stacksize= flag.
==2644== The main thread stack size used in this run was 8388608.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The /usr/lib64 should be preffered path for searching
binary modules for openldap backends. The /usr/lib/ should
be used for storing no binary files on 64 bit platform
e.g. scripts ...
The current vresion of would choose /usr/lib/ even though
/usr/lib64 contains real openldap modules.
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Python tests for pyhbac and pysss_murmur created symbolic
links in shared directory ".libs". It happened that both
tests created symbolic link in the same time and therefore
python2 test could try to import link to python3 module
which caused failures in tests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch is related to commit 50c9d542e8bf641412debaa82a4dcf67ddb72258
"tests: Use unique name for TEST_PATH"
It's better to do IO operation in common test directory
to prevent conflict with other test (copy & paste errors)
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adds support to get SELINUX context and make code more abstract so
that struct ucred (if availale) can be used w/o redefining uid,gid,pid to
int32. Also gives a layer of indirection that may come handy if we want
to improve the code further in the future.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the SSSD default options like e.g. --debug-level are added
unconditionally to the command line options of a child process when
started with the child helper functions.
If a binary from a different source should be started as a child by SSSD
those options might not be known or used differently. This patch adds an
option to exec_child_ex() which allows to skip the default options and
only add specific options.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
To exploit knowledge of IPA LDAP hierarchy.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We used to defined a compat method for assertItemsEqual that existed on
Python 2.7, but not on old Python 2.x. As an effect, we used our compat
code even if assertCountEqual was available from standard library.
The recent Python 3.x versions renamed assertItemsEqual to
assertCountEqual. Therefore we should use the modern version which is in
the standard library over a compat version provided by ourselves.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a fo_resolve_service callback would modify the server->common member
in any way, for example by dereferencing the server and lowering the
refcount to 0, which would free the common structure, then the next
iteration of fo_resolve_service_done would access memory that was
already gone.
Please see
https://tevent.samba.org/group__tevent__request.html#ga09373077d0b39e321a196a86bfebf280
for more details.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If the user name of a AD user is overridden with the name itself in an
IPA override object SSSD adds this name twice to the alias list causing
an ldb error when trying to write the user object to the cache. As a
result the user is not available.
This patch makes sure that there are no duplicated alias names.
Resolves https://fedorahosted.org/sssd/ticket/2874
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There were warnings on 32 bit architecture related to 64bit integer constants.
/home/build/sssd/src/tests/sbus_codegen_tests.c:257:
warning: integer constant is too large for ‘long’ type
/home/build/sssd/src/tests/sbus_codegen_tests.c:259:
warning: integer constant is too large for ‘long’ type
INT${N}_C(value) are defined in the standard c99
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
In python 2.6, the module subprocess does not have the function
check_output.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The local override tests were added after we alredy removed
the sss_cache call from teardowns in other tests. See
commit: 782d39e3916d16b8dbba6ae97aca1db2f3c35d76
Revert "intg: Invalidate memory cache before removing files"
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Introduce a new integration test for local view overrides.
Regression tests for: #2790, #2757 and #2802.
Resolves:
https://fedorahosted.org/sssd/ticket/2732
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a bunch of LDAP tests.
* Adding/removing a user/group/membership with rfc2307(bis) schema.
* The effect of override_homedir option.
* The effect of fallback_homedir option.
* The effect of override_shell option.
* The effect of shell_fallback option.
* The effect of default_shell option.
* The effect of vetoed_shells option.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
libdbus abort()s when a string argument is not valid UTF-8. Since the
arguments sometimes come from untrusted sources, it's better to check
the string validity explicitly.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test groups_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated after
filter was created (or another given time).
groups_by_filter_valid() --> group_by_recent_filter_valid()
grous_by_recent_filter_valid()
The first of new tests, group_by_recent_filter_valid(), counts with two
groups. One is stored before filter request creation and the second
group is stored after filter request creation. So filter returns only
one group.
The second of new tests, groups_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
groups are stored after filter request creation. So filter returns two
groups.
This patch adds groups_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We need little more in backroung of responder_cache_req tests. There
will be tests which will use three test groups. This patch add support
for it.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test groups_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated after
filter was created (or another given time).
groups_by_filter_valid() --> group_by_recent_filter_valid()
grous_by_recent_filter_valid()
The first of new tests, group_by_recent_filter_valid(), counts with two
groups. One is stored before filter request creation and the second
group is stored after filter request creation. So filter returns only
one group.
The second of new tests, groups_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
groups are stored after filter request creation. So filter returns two
groups.
This patch adds group_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test users_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated
after filter was created (or another given time).
users_by_filter_valid() --> user_by_recent_filter_valid()
users_by_recent_filter_valid()
The first of new tests, user_by_recent_filter_valid(), counts with
two users. One is stored before filter request creation and the second
user is stored after filter request creation. So filter returns only one
user.
The second of new tests, users_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two
users are stored after filter request creation. So filter returns two
users.
This patch adds users_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds function are_values_in_array() to common test code. And
there is tc_are_values_in_array macro defined which is usefull for
talloc allocated values and arrays.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We need little more in background of responder_cache_req tests. There
will be tests which will use three test users. This patch add support
for it.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch only defines constant TEST_USER_PREFIX. So code will be more
redeable.
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test users_by_filter_valid() was removed in past. We will add two new
tests instead of it. Logic of those tests is connected to RECENT
filter. It returns only records which have been wrote or updated after
filter was created (or another given time).
users_by_filter_valid() --> user_by_recent_filter_valid()
users_by_recent_filter_valid()
The first of new tests, user_by_recent_filter_valid(), counts with two
users. One is stored before filter request creation and the second user
is stored after filter request creation. So filter returns only one
user.
The second of new tests, users_by_recent_filter_valid(), counts with
three users. One is stored before filter request creation and two users
are stored after filter request creation. So filter returns two users.
This patch adds user_by_recent_filter_valid().
Resolves:
https://fedorahosted.org/sssd/ticket/2730
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Extend PAM responder unit test to check 'online' cached authentication.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Split pam_test_setup() so domain and pam parameters can be easily set
distinctly for each test.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It is not necessary to invalidate memory cache before removing
them. The sssd_client can handle it without any problem.
This reverts commit eabc1732ef91548616a699b7e9f8d30e5e7b8dd3.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Long living clients should be able to reinitialize
memory cache which was removed but it not initialized.
This patch also remove workaround in test_local_domain.py
Test for:
https://fedorahosted.org/sssd/ticket/2726
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
