| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Using a global memory context for short-lived private data might lead to
memory growth.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2406
In the AD case, deployments sometimes add groups as parents of the
primary GID group. These groups are then returned during initgroups
in the tokenGroups attribute and member/memberof links are established
between the user and the group. However, any update of these groups
would remove the links, so a sequence of calls: id -G user; id user; id
-G user would return different group memberships.
Our code errored out in the rare case when the user was *also* an LDAP
member of his primary group.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
| |
The function sdap_fill_memberships did several tasks. It's more readable
to split linking the primary members into a separate function.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2323
The functions that check for password expiration can return non-zero
return codes not only on internal failure, but also to indicate that the
password was expired. The code would in this case shortcut in the error
handler instead of making its way to the switch-case code below that
translates the SSSD error codes into PAM error codes.
We don't lose the error reporting, because any internal error would
translate into PAM_SYSTEM_ERROR anyway.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we have difficulty setting up an sss_cli_mc_ctx structure, we try
to clean things up so that we'll be ready to try again the next time
we're called.
Part of that is closing the descriptor of the file if we've opened it
and using memset() to clear the structure.
Now that sss_nss_mc_get_ctx() does its work in two phases, and each one
may end up doing the cleanup, each needs to be careful to reset the
descriptor field so that the new value provided by memset() (0) isn't
mistakenly treated as a file which should be closed by the other.
Resolves:
https://fedorahosted.org/sssd/ticket/2409
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2405
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Structure "struct sdap_dyndns_update_state" has two linked lists of
structures "struct sss_iface_addr": addresses, dns_addrlist
In *_recv functions, linked list was talloc stealed
to structure sss_iface_addr, but just 1st member was moved to "state" talloc
context. Other member of link list were freed with removing subrequest,
which caused use after free problem.
Resolves:
https://fedorahosted.org/sssd/ticket/2405
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Memory leaks will not be detected if talloc context is NULL.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Real functions use own allocation strategy. We use talloc in wrapped functions.
But wrapped functions should not use global_talloc_context,
leak_check_teardown will report false positive memory leaks.
leak_check_teardown()
./src/tests/cmocka/test_dyndns.c:378: error: Failure!
[ FAILED ] dyndns_test_ok_dyndns_test_teardown
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
global_talloc_context should not be NULL in tests. It should be initialised
with function leak_check_setup otherwise memory leak will not be detected.
check_leaks_pop should not be directly called for global_talloc_context.
It is a purpose of function leak_check_teardown
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
man inet_ntop says:
The caller specifies the number of bytes available in this buffer
in the argument size.
AF_INET
src points to a struct in_addr (in network byte order) which is
converted to an IPv4 network address in the dotted-decimal
format, "ddd.ddd.ddd.ddd". The buffer dst must be at least
INET_ADDRSTRLEN bytes long.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements the libwbclient API for Samba daemons and
utilities. The main purpose is to map Active Directory users and groups
identified by their SID to POSIX users and groups identified by their
POSIX UIDs and GIDs respectively.
The API is not fully implemented because SSSD does not support some AD
features like WINS or NTLM. Additionally this implementation has its
focus on the file-server use case and hence does not implement some
features which might be needed for a domain controller use case.
Some API calls are generic and independent of the backend like e.g.
converting binary SIDs and GUIDs into a string representation and back
or memory allocation and deallocation. These parts are taken from the
original Samba sources together with copyright and authors. Files
with'_sssd' as part of the name contain the SSSD related calls.
Resolves: https://fedorahosted.org/sssd/ticket/1588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
This reverts commit 08145755f66e83c304e11228c2b610a09576dd81.
|
| |
|
|
| |
This reverts commit 5197ac634572a2e0f8c7cacad68d5e5336064744.
|
| |
|
|
| |
This reverts commit 4c560e7b98e7ab71d22be24d2fbc468396cb634f.
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an object can't be resolved as a posix group we then try to resolve
it as a non-posix (without the gid attribute) nested group and store it as a
group stub into the sysdb.
The purpose is to be able to resolve nested posix groups which are
members of non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Create new set of attributes to be used when processing non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit fc8d98c9f0bb26de7be732c3e542b85c8abdba53.
The reason why the control was marked critical is that we expect
to get it back on reply, or it should fail. We should rather leave
the criticality bit and handle the error (by downgrading to not use
deref controls) if the server fails.
In other words, we should not workaround bugs in any LDAP server.
If server claim it support deref control, it should work with critical flag.
sh-4.2$ ldapsearch -LLL -h 172.17.0.9 -x -b "" -s base supportedControl
dn:
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
sh-4.2$ grep "1.3.6.1.4.1.4203.666.5.16" /usr/include/ldap.h
#define LDAP_CONTROL_X_DEREF "1.3.6.1.4.1.4203.666.5.16"
sh-4.2$ ldapsearch -x -LLL -h 172.17.0.9 -b 'dc=example,dc=com' \
-E '!deref=member:cn,uid' \
cn=ref_grp1 cn,uid
Critical extension is unavailable (12)
Additional information: critical control unavailable in context
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2391
apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.
But SID lookups can match either user or group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
user by SID, didn't find the entry and accessed a NULL pointer.
A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)
The group_sid can be anything, including Domain Users (XXX-513)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Don't log error if access is denied in function sdap_access_done().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As preparation for ticket #2364 move code from sdap_access_filter_done()
into sdap_access_done() to make its reuse possible and thus avoid code
duplication.
Rename check_next_rule() to sdap_access_check_next_rule().
Update definition order of tevent-using functions by time of execution.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Fixed typo and replaced duplicated string by macro definition.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
As preparation for ticket #2364 separate code for parsing user basedn
to a new function sdap_get_basedn_user_entry().
We actually do not need to call strdup on basedn, instead we can just point to address in user_entry as it's allocated on parent memory context.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
As a preparation for ticket #2364 separate code for storing user bool
values into sysdb to a new function sdap_save_user_cache_bool().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It was possible to send SIGUSR1 and to both sssd and sssd_be processes,
but only possible to send SIGUSR2 to sssd. This patches fixes the
dichotomy by making the sssd_be process handle SIGUSR2 as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
With this path, a user whose name is "space user" would match a sudo
rule while using the override_default_space option. Please note that the
option is only a client-side override, so the sudoUser attribute must
contain the space in order to match the original name. In other words,
when substituting space ( ) for underscore (_), this attribute would match:
sudoUser: space user
this would not:
sudoUser: space_user
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
The input of the InfoPipe responder substitutes the configured character
for space and the GetUserAttrs and GetUserGroups functions substitute
space for the configured character in their output.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
When using the override_default_space option, this patch allows to log
in using both the original name (space user) as well as the normalized
name (space_user).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2400
Netgroups often have members that will not process correctly when we
require a fully-qualified name. This patch simply ignores the
default_domain setting for netgroup lookups - we ignore FQDN only
domains for netgroup lookups since
1933ff17513da1d979dd22776a03478341ef5e6b anyway.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Amend the man page to reflect current behaviour.
https://fedorahosted.org/sssd/ticket/2401
Reviewed-by: Dan Lavu <dlavu@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The EntryUSN is not fetched by the sudo LDAP provider when it downloads
the rules because sudorule_map is missing this attribute. We forgot to
add the SDAP_AT_SUDO_RUNAS into sdap_sudorule_attrs when we added support
for sudoRunAs.
Related to:
https://fedorahosted.org/sssd/ticket/2212
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The Data Provider lookup code user the original input string as the
lookup key instead of the parsed name component. For example, for an
input joe@mydomain, the backend would have searched for:
(&(cn=joe@mydomain)(objectclass=user))
This patch fixes the lookup to use the parsed name.
https://fedorahosted.org/sssd/ticket/2402
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Don't install sssd-ipa and sssd-ad man pages if corresponding providers
weren't built (i.e. --without-samba was specified to configure).
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The command line utility ldapsearch does not set option LDAP_CONTROL_X_DEREF as
critical.
sssd performes similar ldap search as following command:
sh-4.2$ ldapsearch -x -LLL -h 172.17.0.7 \
-b 'cn=ref_grp1,ou=qagroup,dc=example,dc=com'
-E '!deref=member:objectClass,cn,userPassword,gidNumber,member,modifyTimestamp,modifyTimestamp,uid' \
objectClass,cn,userPassword,gidNumber,member,modifyTimestamp,modifyTimestamp,uid
Critical extension is unavailable (12)
Additional information: critical control unavailable in context
The most important is "exclamation mark" before extensions. It indicates
criticality. This caused problem when openldap server was older
openldap-2.4.23-34.el6. Dereference is performed successfully if extension is
not critical: -E 'deref=member:objectClass ...
Resolves:
https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2389
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
As noted in the MIT KRB5 documentation, some servers send PAC with no
checksum, therefire the PAC validation should not be fatal, instead, we
should treat a failure from krb5_pac_verify as if there was no PAC at
all.
Reported on sssd-devel by Thomas Sondergaard
|
| |
|
|
|
|
| |
The function was unused since 2009 and moreover it was synchronous.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
If the LDAP schema was set to a different value than AD and ID mapping
was enabled, the value of ret was not defined.
Make sure we define ret for the condition below with the
default for ID mapping which is 'no GID'
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
