Commit log for path: root/src
Each entry: commit message (author, date; files changed, lines removed/added)
...
* sbus: move iface and object path code to separate file (Pavel Březina, 2015-01-23; 3 files changed, -190/+219)
  This is done to better distinguish between connection code and interface stuff. It will help with orientation and thus simplify next changes.
  Preparation for: https://fedorahosted.org/sssd/ticket/2339
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sbus: add new iface via sbus_conn_register_iface() (Pavel Březina, 2015-01-23; 11 files changed, -94/+43)
  Rename sbus_conn_add_interface() to sbus_conn_register_iface() and remove sbus_new_interface() calls since it is just one more unnecessary call outside the sbus code. The function sbus_new_interface() is made static and used directly in sbus_conn_register_iface().
  The name was chosen to better describe what the function is doing: that it registers an interface on a given object path. The same interface can be used with different paths, so it is not really about adding an interface.
  Preparation for: https://fedorahosted.org/sssd/ticket/2339
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: fix SID lookups (Sumit Bose, 2015-01-23; 1 file changed, -1/+9)
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: properly handle mixed-case trusted domains (Sumit Bose, 2015-01-23; 4 files changed, -2/+133)
  In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When an IPA client looks up group-memberships on the IPA server via the extdom plugin, the names returned are all lower case. To make sure new DNs are generated correctly the domain part must be adjusted.
  Related to https://fedorahosted.org/sssd/ticket/2159
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* views: fix GID override for mpg domains (Sumit Bose, 2015-01-21; 1 file changed, -1/+20)
  When adding a user, sysdb internally adds a value to SYSDB_GIDNUM for mpg domain, which might cause conflicts with the one we added to users git GID overrides. With this patch the override GID is added after the user is created, but in the same transaction.
  Related to https://fedorahosted.org/sssd/ticket/2514
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Open the PAC socket from krb5_child before dropping root (Jakub Hrozek, 2015-01-21; 3 files changed, -0/+27)
  The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root.
  https://fedorahosted.org/sssd/ticket/2559
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* nss: Add original DN and memberOf to origbyname request (Sumit Bose, 2015-01-20; 2 files changed, -2/+5)
  IPA HBAC evaluation relies on the original values for DN and memberOf attributes.
  Resolves https://fedorahosted.org/sssd/ticket/2560
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: refactor fill_orig() (Sumit Bose, 2015-01-20; 1 file changed, -67/+66)
  The two loops in fill_orig were almost identical.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: make fill_orig() multi-value aware (Sumit Bose, 2015-01-20; 2 files changed, -21/+198)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: fix entry order in MEMORY keytab (Sumit Bose, 2015-01-19; 2 files changed, -28/+172)
  Since krb5_kt_add_entry() adds new entries at the beginning of a MEMORY type keytab and not at the end, a simple copy into a MEMORY type keytab will revert the order of the keytab entries. Since e.g. the sssd_krb5 man page gives hints about where to add entries into keytab files to help SSSD find the right entry, we have to keep the order when copying a keytab into a MEMORY type keytab. This patch fixes this by doing a second copy to retain the original order.
  Resolves https://fedorahosted.org/sssd/ticket/2557
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: add dots as valid character in domain names (Pavel Reichl, 2015-01-15; 1 file changed, -1/+1)
  Add dots into the set of allowed characters for domain names.
  Resolves: https://fedorahosted.org/sssd/ticket/2527
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: dyndns_iface supports only one interface (Pavel Reichl, 2015-01-15; 2 files changed, -0/+6)
  Resolves: https://fedorahosted.org/sssd/ticket/2548
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Amend the description of ignore_group_members (John Dickerson, 2015-01-15; 1 file changed, -1/+19)
  The option description should hint that enabling this option may have a positive effect on access control, especially with large groups. See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example where ignoring the group members helped.
  Signed-off-by: Jakub Hrozek <jakub.hrozek@posteo.se>
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: add systemd-user to gpo default permit list (Pavel Reichl, 2015-01-15; 2 files changed, -1/+8)
  Resolves: https://fedorahosted.org/sssd/ticket/2556
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* UTIL: Unify the fd_nonblocking implementation (Jakub Hrozek, 2015-01-15; 10 files changed, -57/+68)
  The responder and child_common modules each had their own implementation. Unify it instead and add a unit test.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Remove child_cleanup (Jakub Hrozek, 2015-01-15; 2 files changed, -24/+0)
  Not used anymore after previous patch.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Use child_io_destructor instead of child_cleanup in a custom destructor (Jakub Hrozek, 2015-01-15; 1 file changed, -22/+17)
  ldap_child was the only child process that used child_cleanup instead of the common child_io_destructor. Unify the implementation to use the common function instead.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* TESTS: Cover child_common.c with unit tests (Jakub Hrozek, 2015-01-15; 2 files changed, -1/+330)
  The module wasn't tested properly, which made it harder to patch it.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Make two child_common.c functions static (Jakub Hrozek, 2015-01-15; 2 files changed, -20/+20)
  Two functions were only used internally; it makes no sense to keep them in the child_common module API.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* server-tests: use strtouint32 instead of strtol (Pavel Březina, 2015-01-15; 1 file changed, -4/+7)
  PID may be greater than 0xffff, thus we remove this check, but it is supposed to be in range of uint32. There are also some improvements to get more information from assertions.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix warning: for loop has empty body (Lukas Slebodnik, 2015-01-15; 1 file changed, -3/+9)
  Example of warning:
  src/ldb_modules/memberof.c:4203:536: error: for loop has empty body [-Werror,-Wempty-body]
  src/ldb_modules/memberof.c:4203:536: note: put the semicolon on a separate line to silence this warning
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MAN: Remove indentation in element programlistening (Lukas Slebodnik, 2015-01-14; 6 files changed, -38/+38)
  The indentation is automatic in the resulting man page. It isn't necessary to add spaces, and moreover it can cause an unreadable page, as in the case of the ad_gpo_map examples.
  Reviewed-by: Roland Mainz <rmainz@redhat.com>
* krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW (Jakub Hrozek, 2015-01-14; 1 file changed, -0/+1)
  Previously, we were only handling KRB5KRB_AP_ERR_SKEW.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLIST (Sumit Bose, 2015-01-14; 1 file changed, -0/+14)
  Since RESP_USER_GROUPLIST contains all group memberships, it is effectively an initgroups request; hence SYSDB_INITGR_EXPIRE will be set.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: resolve missing members (Sumit Bose, 2015-01-14; 1 file changed, -14/+48)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send() (Sumit Bose, 2015-01-14; 1 file changed, -50/+50)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: process_members() optionally return missing members list (Sumit Bose, 2015-01-14; 1 file changed, -18/+67)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add missing break (Sumit Bose, 2015-01-14; 1 file changed, -0/+1)
  The current request already returned the SID; we do not need to request it separately.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: make version check more precise (Sumit Bose, 2015-01-14; 1 file changed, -2/+2)
  The call protected by the check does not only expect that version 1 of the extdom plugin is used, but a specific response type as well. Since version 1 can return older response types as well, we want to be on the safe side.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: do not look up overrides on client with default view (Sumit Bose, 2015-01-14; 1 file changed, -14/+49)
  The IPA extdom plugin returns the data with the default view already applied; hence it is not needed to look up the override data if the client has the default view assigned.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Reduce code duplication in sysdb_gpo.c (Jakub Hrozek, 2015-01-13; 2 files changed, -52/+27)
  Two places in sysdb_gpo.c were searching for the GPO result object while the only difference was the attributes searched for. Remove this duplication and make the search function static as it's not used outside the module.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: ipa_resolve_user_list_send() take care of overrides (Sumit Bose, 2015-01-13; 1 file changed, -10/+8)
  Currently ipa_resolve_user_list_send() only looks up the related user objects but does not check for overrides. This patch tries to fix this.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb: fix group members with overridden names (Sumit Bose, 2015-01-13; 2 files changed, -11/+63)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: resolve ghost members if a non-default view is applied (Sumit Bose, 2015-01-13; 2 files changed, -0/+213)
  Related to https://fedorahosted.org/sssd/ticket/2481
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: add get_be_acct_req_for_user_name() (Sumit Bose, 2015-01-13; 2 files changed, -0/+18)
  Related to https://fedorahosted.org/sssd/ticket/2481
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: Extract server hostname after connecting (Jakub Hrozek, 2015-01-13; 1 file changed, -29/+29)
  https://fedorahosted.org/sssd/ticket/2543
  The LDAP URI is not valid prior to connecting to LDAP. Moreover, reconnecting to a different server might invalidate the URI. Move reading the URI after the connection has been established.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Don't use stdout for output in gpo_child (Jakub Hrozek, 2015-01-13; 3 files changed, -6/+12)
  Resolves: https://fedorahosted.org/sssd/ticket/2544
  Use a dedicated fd instead to work around https://bugzilla.samba.org/show_bug.cgi?id=11036
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Allow dup-ing child pipe to a different FD (Jakub Hrozek, 2015-01-13; 7 files changed, -22/+39)
  Related to: https://fedorahosted.org/sssd/ticket/2544
  Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds.
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* GPO: Set libsmb debugging to stderr (Jakub Hrozek, 2015-01-13; 1 file changed, -0/+1)
  libsmb logs to stdout by default. It's much more reasonable to log to stderr by default.
  Please also note: https://bugzilla.samba.org/show_bug.cgi?id=11036
  and: https://fedorahosted.org/sssd/ticket/2544
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* Python3 support in SSSD (Bohuslav Kabrda, 2015-01-13; 12 files changed, -141/+292)
  https://fedorahosted.org/sssd/ticket/2017
* IFP: use new cache interface (Pavel Březina, 2015-01-09; 1 file changed, -320/+45)
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* responders: enable views in cache request (Pavel Březina, 2015-01-09; 1 file changed, -3/+9)
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* responders: new interface for cache request (Pavel Březina, 2015-01-09; 3 files changed, -0/+1155)
  Many areas of responders perform an expiration check and refresh of cached objects during single or multiple domain search. This code is duplicated in many areas of the code with small or no modifications.
  This interface aims to reduce code duplication between responders by providing one universal API for requesting cached objects. This API will take care of cache lookup, expiration check, cache refresh, out of band cache request, and negative cache in both single and multi domain searches.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: remove code duplication in single domain cleanup (Pavel Březina, 2015-01-09; 9 files changed, -81/+29)
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: add test_multidom_suite_cleanup() (Pavel Březina, 2015-01-09; 2 files changed, -0/+69)
  Cleanup multiple domains.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: add create_multidom_test_ctx() (Pavel Březina, 2015-01-09; 2 files changed, -21/+58)
  This will allow creating a multi domain test environment.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* tests: refactor create_dom_test_ctx() (Pavel Březina, 2015-01-09; 1 file changed, -61/+193)
  Separate the function into more functions as a preparation for creating a multi domain test environment.
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* logrotate: Fix warning file size changed while zipping (Lukas Slebodnik, 2015-01-09; 1 file changed, -0/+1)
  Postpone compression of the previous log file to the next rotation cycle. This only has effect when used in combination with compress. We need to use it because we cannot tell sssd to close log files and thus sssd processes might continue writing to the previous log file for some time.
  Resolves: https://fedorahosted.org/sssd/ticket/2547
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Fix a typo (Jakub Hrozek, 2015-01-08; 1 file changed, -1/+1)
  Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* TESTS: Cover sysdb_gpo.c with unit tests (Jakub Hrozek, 2015-01-08; 2 files changed, -0/+80)
  Untested code is risky to change.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>