| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
With this mode we can add socket activated services and have systemd
pre exec sssd to genrate the configuration file w/o starting the whole
sssd if not necessary.
Resolves:
https://fedorahosted.org/sssd/ticket/XXXX
|
| |
|
|
|
|
|
|
| |
The protocol requires a user to creat a container efore trying to store
an entry in it. Do the same in the local provider so that no surprises
arise when admins route request to a remote storage server.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Properly handle and enforce ithe presence of the content-type header
in the local and proxy providers to conform to the Custoida protocol.
Avoids different behavior between the local provider and a remote server
that may cause developers to have an application working against the
local storage and then fail when the administrator configures a remote
storage.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
Generates a master key file if it doesn't exist and encrypts secrets using the
master key contained in the file.
Resolves:
https://fedorahosted.org/sssd/ticket/XXXX
|
| |
|
|
|
|
|
| |
Also adds support for the basic LOCAL provider that stores data
on the local machine.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
|
| |
|
|
|
|
|
|
|
|
| |
Prepares autoconf for the new Secrets Provider dependencies
Related:
https://fedorahosted.org/sssd/ticket/2913
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewd-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
Prepares autoconf for the new Secrets Provider
Related:
https://fedorahosted.org/sssd/ticket/2913
|
| |
|
|
|
|
|
|
|
|
|
| |
The secrets database will have "subsections", ie sections that are in the
"secrets" namespace and look like this: [secrets/<path>]
This function allows to source any section under secrets/ or under any
arbitrary sub-path.
Related:
https://fedorahosted.org/sssd/ticket/2913
|
| |
|
|
|
|
|
|
| |
Add helper that uses systemd socket activation if available to accept a
pre-listining socket at startup.
Related:
https://fedorahosted.org/sssd/ticket/2913
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
|
| |
|
|
|
|
|
|
|
| |
Now thast services use an internal watchdog we do not need pings anymore,
this will cut down the chatter and allow more flexible process management,
for example socket activation and exit-on-idle.
Resolves:
https://fedorahosted.org/sssd/ticket/2921
|
| |
|
|
|
|
|
| |
This allows the services to self monitor.
Related:
https://fedorahosted.org/sssd/ticket/2921
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The watchdog uses a kernel timer to issue a signal to the process.
It checks if the ticker is not being reset by the main event loop, which
would indicate that the process got stuck.
At the same time it sets a tevent timer to clear the watchdog ticker, so
that the watchdog handler is kept happy.
If the watchdog detects that the timer event failed to reset the watchdog for
three times in a row then the process is killed.
Normally the monitor will detect the child terminated and will rescheduled it.
Related:
https://fedorahosted.org/sssd/ticket/2921
|
| |
|
|
|
|
|
|
| |
We should log error messages generated by
libini if there are problems with parsing
gpo files.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
libldb is not consistent with appending line feed
in debug messages. AS a result of this two messages can be on the same line
in sssd log files. Which makes analyzing log files more difficult.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We were unable to parse modifyTimestamp where a non-numeric part
(timezone) was involved. The format is YYYYMMDDHHmmssZ. It may
also contain fraction or different timezone, everytime separated
from the datetime by character. This patch gets the numberic part
and then appends the string part again to get value usable in filter.
Resolves:
https://fedorahosted.org/sssd/ticket/2970
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To close a socket associated to an fd event we must set the close
function of the event and not associate a destructor to a parent context.
Otherwise the destructor will close() the socket before the fd event is
freed, and this may cause invalid calls on a closed file descriptor to
poll/epoll/etc.
Discovered by looking at strace output.
Resolves:
https://fedorahosted.org/sssd/ticket/2973
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
FreeIPA versions older than 3.1 have rdn sudoCmd instead of ipaUniqueID.
Resolves:
https://fedorahosted.org/sssd/ticket/2969
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
The input part has no longer meaning.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
This way it makes it a lot easier to add new parameters.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2848
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This function is not used anywhere and const char ** suits better
in my use case (next patch) so I just changed the function.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
To ensure no memory is leak on long living context such as rctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2869
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After ldb connect ldb context contains the following error:
"NULL Base DN invalid for a base search"
This comes from internal ldb function ldb_set_default_dns() which
runs base search on NULL dn to discover records similar to what
rootDSE provides. However, tdb backend considers this an error
and sets the message above.
This may break memory leak checks in tests when we do push/pop on
test_ctx which is a indirect parent of ldb_context. The error message
is allocated when push is called but it is freed by other ldb queries
and therefore not preset during the push phase and thus the leak check
fails.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Each debug message is matched to a specific request, this way it
will be easier to follow the request flow especially when paralel
request are running.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
| |
It is not always a name.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This way it is more clear that the string parameters should not
be misued when adding a new one.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
There are different expectations about how the pam_message array is
organized, details can be found in the pam_conv man page. E.g. sudo was
not able to handle the Linux-PAM style but expected the Solaris PAM
style. With this patch both styles should work as expected.
Resolves https://fedorahosted.org/sssd/ticket/2971
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
The function connect return -1 in case of error
and we could call strerror with -1 instead of
errno.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
libipa_hbac is also used by external projects such as pam_hbac:
https://github.com/jhrozek/pam_hbac
In order to make sure we don't use C99 features in the libipa_hbac code
in the future, this patch adds an explicit -std=c89 flag to CFLAGS.
Signed-off-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Moving the library to the lib directory will force maintainers to think
twice about changes, because it would be obvious this is a library.
Also don't use includes from sssd source tree paths, but add the util
path to Makefile's CFLAGS so that other projects can copy the
hbac_evaluator.c file verbatim.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
On platforms without the format attribute, libhbac could not be
compiled.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Adding more debug messages proved to be useful during pam_hbac
development.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
libipa_hbac can be used by external consumers like pam_hbac who run on
old platforms that do not support C99. Refrain from using C99 features
in that codebase.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a function sss_cli_check_socket which checks
socket in client code. The socket is reopened in case of some
issues e.g. responder terminated connections ...
We use syscall poll for checking status of socket.
It's not 100% reliable method because there is still
chance that responder will terminate socket after this check.
Here is a schema of sss_*_make_request functions:
sss_cli_check_socket
sss_cli_make_request_nochecks {
sss_cli_send_req {
poll
send
}
sss_cli_recv_rep {
poll
read
}
}
The syscall pool does not return EPIPE directly but we convert
special revents from poll to EPIPE. As it was mentioned earlier,
checking of socket in the sss_cli_check_socket is not 100% reliable.
It can happen very rarely due to TOCTOU issue (Time of check to time of use)
We can return EPIPE from the sss_cli_make_request_nochecks function
in case of failure in poll in sss_cli_send_req. The send function
in sss_cli_send_req can also return EPIPE is responder close socket
in the same time. The send function can succeed in sss_cli_send_req
but it does not mean that responder read the message. It can happen
that timer for closing socket can be handled before reading a message.
Therefore there is a still a chance that we might return EPIPE in case
of failure in poll in sss_cli_recv_rep.
Therefore we need to reconnect to responder(sss_cli_check_socket)
in case of EPIPE returned from sss_cli_make_request_nochecks and
try to do the same request one more time.
Resolves:
https://fedorahosted.org/sssd/ticket/2626
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Patch for #2626 will be simpler with this small refactoring
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Adds a test that tests a complex nested group hierarchy. Also defines
the talloc chunk for group members to 1 to make sure the realloc branch
is always tested.
Unit test for: https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Warnings are emited from macro generated code in dlinklist.h
e.g.
src/ldb_modules/memberof.c:4209:13: error: statement is indented as if it were
guarded by... [-Werror=misleading-indentation]
DLIST_DEMOTE(ctx->group_list, grp, struct mbof_member *);
^~~~~~~~~~~~
src/ldb_modules/memberof.c:4209:13: note: ...this ‘if’ clause, but it is not
src/ldb_modules/memberof.c: In function ‘mbof_member_update’:
src/ldb_modules/memberof.c:4305:9: error: statement is indented as if it were
guarded by... [-Werror=misleading-indentation]
DLIST_PROMOTE(ctx->group_list, mem);
^~~~~~~~~~~~~
src/ldb_modules/memberof.c:4305:9: note: ...this ‘if’ clause, but it is not
src/ldb_modules/memberof.c: In function ‘mbof_rcmp_update’:
src/ldb_modules/memberof.c:4408:9: error: statement is indented as if it were
guarded by... [-Werror=misleading-indentation]
DLIST_REMOVE(ctx->user_list, x);
^~~~~~~~~~~~
src/util/crypto/nss/nss_obfuscate.c: In function ‘sss_password_decrypt’:
src/util/crypto/nss/nss_obfuscate.c:419:5: error: statement is indented
as if it were guarded by... [-Werror=misleading-indentation]
SAFEALIGN_COPY_UINT16_CHECK(&meth, obfbuf+p, obflen, &p);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
src/python/pyhbac.c: In function ‘PyInit_pyhbac’:
src/python/pyhbac.c:1987:5: error: statement is indented as if it were
guarded by... [-Werror=misleading-indentation]
TYPE_READY(m, pyhbac_hbacrule_type, "HbacRule");
^~~~~~~~~~
src/python/pyhbac.c:1987:5: note: ...this ‘if’ clause, but it is not
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
| |
It will compilation of 40 files.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
