| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This also fixes several corner cases and crashers.
It's not prudent to pass user input to (even admin) input as a
format string to printf, and various distros now check for this.
This can cause accessing memory incorrectly, and various also
various libc abort()'s.
In addition various assumptions were made about full_name_format
that aren't necessarily the case if the user uses a more complex
format.
Use safe-printf.c implementation for formatting full_name_format.
Adapt the NSS resolver so it doesn't barf on formatted strings that
are shorter than expected given a full_name_format.
Tests added and updated appropriately.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since the default printf(3) implementation cannot safely be
used on user (or admin) provided input, this is a safe implementation.
This will be used in later patches by the full_name_format option
The implementation came from realmd, but only has libc dependencies.
The number of fields is pre-defined, and safe printf fails if
an invalid field is accessed.
Only string fields are supported, and only flags relevant to string
fields are supported. Width and precision work as expected, but
precision cannot read from a field.
Tests are included, and ported to the check based testing that
sssd uses.
|
| |
|
|
|
|
|
|
|
|
| |
When building with -Werror 'make check' fails with many
errors like:
../src/tests/cmocka/test_authtok.c: In function ‘test_sss_authtok_password’:
../src/tests/cmocka/test_authtok.c:98:48: error: cast discards ‘__attribute__((const))’ qualifier from pointer target type [-Werror=cast-qual]
Make sss_authtok_set() @data argument const, and fix its documentation
|
| |
|
|
|
| |
The functionality was removed, but we forgot to remove the corresponding
tests, mostly because these tests were only ever ran as root.
|
| | |
|
| |
|
|
|
| |
Since we have the LDAP port of a trusted AD GC always available now, we
can always perform a fallback.
|
| |
|
|
|
|
|
|
|
|
| |
SSSD now defaults to using GC by default. For some environments, for
instance those that don't or can't replicate the POSIX attributes to
Global Catalog, this might not be desirable.
This patch introduces a new option ad_enable_gc, that is enabled by
default. Setting this option to false makes the SSSD contact only the
LDAP port of AD DCs.
|
| |
|
|
|
|
|
|
|
|
| |
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
The same applies for the LDAP connection to the trusted AD DC.
Includes a unit test.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The patch makes sure that a completely lower-cased version of a fully
qualified name is used for case insensitive searches. Currently there
are code paths where the domain name was used as configured and was not
lower-cased.
To make sure this patch does not break with old entries in the cache or
case sensitive domains a third template was added to the related filters
templates which is either filled with a completely lower-cased version or
with the old version. The other two template values are unchanged.
|
| | |
|
| |
|
|
|
|
|
| |
Unit test testing detection of the right domain when processing group with members from several domains
Resolves:
https://fedorahosted.org/sssd/ticket/2132
|
| |
|
|
|
|
|
|
|
|
|
| |
sysdb_add_user fails with EIO if enumeration is disabled and user contains
backslashes.
We try to remove ghost attributes from groups with disabled enumeration,
but unsanitized filter is used to find ghost attributes
"(|(ghost=usr\\\\002)" and ldb cannot parse this filter.
Resolves:
https://fedorahosted.org/sssd/ticket/2163
|
| |
|
|
|
|
|
|
|
|
| |
sysdb_delete_user fails with EIO if user does not exist and contains
backslashes.
ldb could not parse filter (&(objectclass=group)(ghost=usr\\\\001)),
because ghost value was not sanitized
Resolves:
https://fedorahosted.org/sssd/ticket/2163
|
| |
|
|
|
| |
test_utils removed files from test_dir before test execution, but
files wasn't clean up after successful test execution.
|
| | |
|
| |
|
|
|
|
| |
Besides checking the content of output packets it might also be useful
to check the status. This is e.g. important if no results are expected
and the status should be set to ENOENT and not to any other error code.
|
| | |
|
| |
|
|
|
| |
If no domain name is specified the global name pattern and regular
expression will be returned.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| |
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2133
|
| | |
|
| |
|
|
| |
Changing style of including header files from outside of sssd tree - from "header.h" to <header.h>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is a workaround until
https://fedorahosted.org/sssd/ticket/2129 is fixed properly.
Consider a group entry such as:
cn: subgroup@subdom
ghost: someuser
ghost: anotheruser@subdom
Currently in order to print all group members as FQDN (which is the default
for AD provider), the code needs to iterate over the ghost attributes and
parse them into (name,domain) and optionally re-add the domain.
The proper fix would be to store always just the FQDN in the hardcoded
form of user@domain
|
| | |
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2082
Adds a new option that allows the admin to specify a LDAP access filter
that can be applied globally, per-domain or per-forest.
|
| |
|
|
|
|
|
|
| |
This patch fixes few format string warnings in the file test_utils.c
src/tests/cmocka/test_utils.c:54:56:
warning: format specifies type 'unsigned int' but the
argument has type 'size_t' (aka 'unsigned long') [-Wformat]
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Added functions to check if given IP address is a special address
(broadcast, multicast...).
|
| |
|
|
|
|
|
|
|
|
|
| |
If POSIX IDs are managed externally e.g. by AD it might be possible that
the IDs are centrally manages for the whole forest. Hence there might
not be a single ID range for each member domain in the forest but only a
single ID range for the whole forest. This means that we have to allow
collisions if ID ranges in this case.
Unit tests are added to make sure that the collisions are only allowed
for external mappings.
|
| |
|
|
|
| |
According to asprintf(3) the content off errmsg is undefined
on error, lets set it to NULL.
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/1534
|
| | |
|
| |
|
|
|
| |
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest.
|
| |
|
|
|
|
|
|
|
| |
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
| |
|
|
|
| |
Declarations of public functions was in header files,
but header files was not included in implementation file.
|
| |
|
|
|
|
|
|
|
| |
Recent simple access provider patches started using
be_ctx during access check. This caused segfault in
unit tests, since be_ctx wasn't initialized.
Resolves:
https://fedorahosted.org/sssd/ticket/2034
|
| | |
|
