summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* IPA: Remove MPG groups if getgrgid was called before getpw()Jakub Hrozek2015-07-311-2/+39
| | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2724 This bug only affects IPA clients that are connected to IPA servers with AD trust and ID mapping in effect. If an IPA client calls getgrgid() for an ID that matches a user, the user's private group would be returned and stored as a group entry. Subsequent queries for that user would fail, because MPG domains impose uniqueness restriction for both the ID and name space across groups and users. To work around that, we remove the UPG groups in MPG domains during a group lookup. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SDAP: rename SDAP_CACHE_PURGE_TIMEOUTPavel Reichl2015-07-316-13/+13
| | | | | | | | | Enum member SDAP_CACHE_PURGE_TIMEOUT has counter-intuitive name as it's used to access 'ldap_purge_cache_timeout' option. SDAP_CACHE_PURGE_TIMEOUT is more fitting name. Reviewed-by: Petr Cech <pcech@redhat.com>
* ssh: generate public keys from certificateSumit Bose2015-07-3111-11/+359
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2711 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam_sss: add sc supportSumit Bose2015-07-312-1/+96
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add certificate support to PAM (pre-)auth requestsSumit Bose2015-07-3111-39/+1370
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* authok: add support for Smart Card related authtokensSumit Bose2015-07-314-0/+187
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pack_message_v3: allow empty nameSumit Bose2015-07-311-3/+4
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add NSS version of p11_childSumit Bose2015-07-311-0/+636
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* utils: add NSS version of cert utilsSumit Bose2015-07-312-0/+216
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not send SSS_OTP if two factors were usedSumit Bose2015-07-291-1/+6
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2729 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Use ad_site also when site search failsPavel Březina2015-07-291-2/+10
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2725 Some deployments use the ad_site option for cases where the AD clients are not able to find a site for one reason or another. With our current code, the ad_site option value can only override a site that the client found, not supply the value for cases no site could be found. This patch fixes the issue. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Repair dependecies on deprecated librariesPetr Cech2015-07-281-12/+28
| | | | | | | | | | | Modules libsystemd-journal and libsystemd-login are deprecated and "libsystemd" should be used instead of them. Resolves: https://fedorahosted.org/sssd/ticket/2733 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: fix compiler warningsPavel Reichl2015-07-282-3/+1
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Handle sssd-owned keytabs when running as rootJakub Hrozek2015-07-282-8/+41
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2718 This patch handles the case where the keytab is created with sssd:sssd ownership (perhaps by the IPA oddjob script) but SSSD runs as root, which is the default in many distributions. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* UTIL: Lower debug level in perform_checks()Jakub Hrozek2015-07-281-4/+4
| | | | | | | Failures in perform_checks() don't have to be fatal, therefore the debug messages shouldn't be either. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* IPA: Better debuggingJakub Hrozek2015-07-281-0/+3
| | | | Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* TOOLS: add sss_override for local overridesPavel Březina2015-07-274-0/+828
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2584 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TOOLS: add common command frameworkPavel Březina2015-07-272-0/+497
| | | | | | | | | | Add general framework to simplify creating "cmd COMMAND [OPTIONS...]" style tools. Preparation for: https://fedorahosted.org/sssd/ticket/2584 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: prepare for LOCAL viewPavel Březina2015-07-274-2/+88
| | | | | | | | | | | | Objects doesn't have to have overrideDN specified when using LOCAL view. Since the view is not stored on the server we do not want to contact LDAP therefore we special case LOCAL view saying that it is OK that this attribute is missing. Preparation for: https://fedorahosted.org/sssd/ticket/2584 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* VIEWS TEST: add null-checkPavel Březina2015-07-271-0/+6
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: use negative cache for sid-by-id requestsSumit Bose2015-07-271-0/+55
| | | | | | | | | | | | | | | | | | | Since requests by ID are not assized to a specific domain SSSD might check the ID in domains where the ID does not exists even if the ID is already in the sysdb cache of the right domain. For requests where already a memory cache is available like e.g. getpwuid() and getgrgid() this has no negative impact because the requests are answered directly from the cache most of the time without hitting SSSD. As long as there is no use-case which does not use the memory cache those requests do not need an update. But for request like sid-by-id where currently no memory cache is available there are quite some additional costs especially for trusted domains. Resolves https://fedorahosted.org/sssd/ticket/2731 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* negcache: allow domain name for UID and GIDSumit Bose2015-07-277-49/+82
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2731 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* AD: Handle cases where no GPOs applyStephen Gallagher2015-07-261-3/+43
| | | | | | | | | | | | | | | | | It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error. We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration We also need to delete the result object from the cache to ensure that offline operation will also grant access. Resolves: https://fedorahosted.org/sssd/ticket/2713 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* intg: Invalidate memory cache before removing filesLukas Slebodnik2015-07-241-0/+1
| | | | | | | Workaround for: https://fedorahosted.org/sssd/ticket/2726 Reviewed-by: Michal Židek <mzidek@redhat.com>
* DYNDNS: support for dualstackPavel Reichl2015-07-244-39/+302
| | | | | | | | | | | | When dyndns_iface option was not used, address of connection to LDAP was used. This patch proposes following change: * Interface containing address of connection is found. * All A and AAAA addresses of this interface are collected. * Collected addresses are sent during DDNS update. * Function sss_iface_addr_add() is removed. Resolves: https://fedorahosted.org/sssd/ticket/2558
* TESTS: dyndns tests support AAAA addressesPavel Reichl2015-07-241-13/+38
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2558
* DYNDNS: special value '*' for dyndns_iface optionPavel Reichl2015-07-243-11/+24
| | | | | Option dyndns_iface has now special value '*' which implies that IPs from add interfaces should be sent during DDNS update.
* DYNDNS: support mult. interfaces for dyndns_iface optPavel Reichl2015-07-245-15/+86
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2549
* DYNDNS: sss_iface_addr_list_get return ENOENTPavel Reichl2015-07-243-3/+36
| | | | | | | If none of eligible interfaces matches ifname then ENOENT is returned. Resolves: https://fedorahosted.org/sssd/ticket/2549
* Fix minor typosYuri Chornoivan2015-07-236-9/+9
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* CONTRIB: Gentoo daemon startup options as declared in conf.d/sssdTyler Gates2015-07-221-1/+1
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2722 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* man: List alternative schema defaults for LDAP AutoFS parametersRobin McCorkell2015-07-221-7/+10
| | | | | | | | | | | | | | | ldap_autofs_map_name and ldap_autofs_entry_key have their rfc2307bis defaults listed alongside the rfc2307 defaults. ldap_autofs_entry_object_class has a fixed description and default This patch replaces the other one I posted, implementing the alternative schema defaults Jakub suggested. Regards, Robin McCorkell Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Use the right domain for case-sensitive flagJakub Hrozek2015-07-221-1/+1
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Update few debug messagesLukas Slebodnik2015-07-172-5/+7
| | | | | | | | | It reduces a noise caused by canonicalization of non-existing user. Resolves: https://fedorahosted.org/sssd/ticket/2678 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* nss_check_name_of_well_known_sid() improve name splittingSumit Bose2015-07-163-41/+62
| | | | | | | | | | | | | | | Currently in the default configuration nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default, additionally if the name could not be split nss_check_name_of_well_known_sid() returns ENOENT which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Use NSCD path in execl()Jakub Hrozek2015-07-151-1/+1
| | | | | | | | | | man execl says: The first argument, by convention, should point to the filename associated with the file being executed. We used just 'nscd' instead. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Return right data provider error codeLukas Slebodnik2015-07-151-1/+1
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2719 Reviewed-by: Michal Židek <mzidek@redhat.com>
* IFP: Add wildcard requestsJakub Hrozek2015-07-157-0/+472
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2553 Can be used as: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 By default the wildcard_limit is unset, that is, the request will return all cached entries that match. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add the wildcard_limit optionJakub Hrozek2015-07-1511-2/+39
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add sdap_lookup_type enumJakub Hrozek2015-07-156-33/+73
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Change the boolan parameter of sdap_get_users_send and sdap_get_groups_send to a tri-state that controls whether we expect only a single entry (ie don't use the paging control), multiple entries with a search limit (wildcard request) or multiple entries with no limit (enumeration). Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Use sdap_get_and_parse_generic_/_recvJakub Hrozek2015-07-152-8/+8
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Using the new request sdap_get_and_parse_generic_send is a separate commit so that we can audit where the function is used during a code review. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add sdap_get_and_parse_generic_sendJakub Hrozek2015-07-152-35/+136
| | | | | | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 So far we had a simple sdap_get_generic_send() request that uses the right defaults around the low-level sdap_get_generic_ext_send() request and calls the parser. This patch adds also sdap_get_and_parse_generic_send() that exposes all options that sdap_get_generic_ext_send() offers but also calls the parser. In this patch the function is not used at all. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Fetch users and groups using wildcardsJakub Hrozek2015-07-152-2/+51
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far it's the same code as if enumeration was used, so there are no limits. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Add sss_filter_sanitize_exJakub Hrozek2015-07-153-3/+39
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 In order to support wildcard request, we need to introduce an optionally relaxed version of sss_filter_sanitize that allows to select which characters are exempt from sanitizing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* cache_req: Extend cache_req with wildcard lookupsJakub Hrozek2015-07-153-15/+579
| | | | | | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds two new functions to the cache_req API: - cache_req_user_by_filter_send - cache_req_group_by_filter_send These functions can be used to retrieve users or groups that match a specified filter. Also renames a variable to avoid constant confusion -- the variable is only used for debug output. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUPJakub Hrozek2015-07-154-1/+23
| | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Extends the Data Provider interface and the responder<->Data provider interface with wildcard lookups. The patch uses a new "wildcard" prefix rather than reusing the existing user/group prefixes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SYSDB: Add functions to look up multiple entries including name and custom ↵Jakub Hrozek2015-07-153-19/+631
| | | | | | | | | | | | | | | | | | | filter Related: https://fedorahosted.org/sssd/ticket/2553 Adds new sysdb function: - sysdb_enumpwent_filter - sysdb_enumpwent_filter_with_views - sysdb_enumgrent_filter - sysdb_enumgrent_filter_with_views These are similar to enumeration functions, but optionally allow to specify a filter to be applied on user/group names. Also an additional custom filter can be applied. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* tests: Move N_ELEMENTS definition to tests/common.hJakub Hrozek2015-07-154-9/+2
| | | | | | Avoids code duplication Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* test common: sss_dp_get_account_recv() fix assignmentSumit Bose2015-07-141-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Updating the translations for the 1.13.0 releaseJakub Hrozek2015-07-0616-2565/+1496
|
generated by cgit (git 2.34.1) at 2025-09-25 21:12:47 +0000