Age | Commit message (Collapse) | Author | Files | Lines |
|
On older versions of the python headers, some arguments used
'char *' instead of 'const char *', which means that assigning a
constant string such as "adduser" threw a warning about discarding
qualifiers.
This patch cleans up most of these warnings in this file. There
remain several warnings in the sss_local_methods initialization
that I do not know how to fix.
|
|
|
|
|
|
If auth_provider or access_provider is ont set explicitly id_provider is
used if it can handle auth or access control requests respectively. If
not auth defaults to 'none' and the access_provider is set to 'permit'.
The option 'deny' is added for the access_provider to explicitly deny
access.
|
|
- if chpass_provider is not given in the configuration file but an
auth_provider and the auth_provider can also handle change password
requests it is used as chpass_provider.
|
|
|
|
The way we were processing errors from the provider caused offline
authentication to stop working. Previously the problem was masked
by a bug in the data provider that always returned "Success" for any
operation no matter what the actual return code was. when DP got
removed the bug became evident.
|
|
- if the password is reset by root we do not ask for a password during
PAM_PRELIM_CHECK. But if there is one available during PAM_UPDATE_AUTHTOK
we will use it, because now we are in an expired password dialog.
|
|
|
|
|
|
If a backend target is not configured the return code is changed
from PAM_SYSTEM_ERR to PAM_MODULE_UNKNOWN and an error message is
sent back to the client.
|
|
The sdap_id_connect_* request tries to bind to an LDAP server with
the default credentials. Only the opts component of the sdap_id_ctx
context is used. A new request sdap_cli_connect_* is created which
expects only the opts pointer as parameter and not the whole context.
This makes it reusable by other providers.
|
|
|
|
|
|
|
|
Add getpwnam, getgrnam sync versions
Fix ticket #164: Groupnames in non-local domains
Fix ticket #100: Error Message Modifying a user that doesn't Exist
Fix ticket #214: incorrect error message when MPG already exists
Fix ticket #188: Deleting and modifying users in non-local domain
Fix ticket #120: Adding a user to a full domain gives unhelpful error message
|
|
|
|
|
|
|
|
|
|
|
|
Also adds unit tests for the SSSDConfig API
|
|
|
|
- the patch to handle short read introduced a new variable len to
store the amount of data read. Instead of using this variable
unpack_buffer was called with the old variable ret. Thanks to
mnagy@redhat.com for finding this.
- this patch also fixes a potential error when the message size is
equal to the buffer size.
|
|
- when the kerberos provider was used as a chpass_provider but
not as auth_provider the backend died
|
|
In sssd only local is a native mpg domain, and it is forced.
All other providers will have to unroll mpg users into a user/group pair of
entries in the db. This allows the provider to automatically establish if
the remote server provides mpg users w/o possibily conflicting manual
configurations on the client trying to force an mpg behavior where none
is provided.
|
|
Instead of waiting an arbitrary timeout, start all providers first, and wait for
all of them to reply to the monitor before starting other services.
Add a timeout handler so that services are started even if one of the providers
fails to actually register back to the monitor.
Also fixes services destructors
delist_service was overriding the natural svc destructor.
remove the offending code and make the svc_destructor always try
to remove a service from the service list, if the service is not
listed it will just be a noop.
|
|
Turn the backend process into data provider servers
Make Frontends (pam, nss) directly attach to the backends
|
|
Network timeouts are used in quick operations like bind.
Search timeout is used for operations that can "legally" require more time.
Change defaults to 6 and 60 seconds respectively.
|
|
|
|
- password policy request controls are send during bind and change
password extended operation
- the response control is evaluated to see if the password is expired
or will expire, soon
|
|
|
|
We have converted to using dhash in place of btreemap everywhere
in the code.
|
|
This should fix #218
It should also prevent us from leaking memory in case the original request times
out and should prevent races with the callbacks beeing freed after sdp_req is
freed and thus dereferencing freed memory in the callbacks detructors.
|
|
The issue was that the host IP was recorded twice,
once as a main address and another as IP alias.
It seemed that the IP was returned as name
but the issue turned out to be different.
See https://fedorahosted.org/sssd/ticket/207.
|
|
Addressing Ticket #191.
Renamed all varibles from 'template' to 'tpl'.
Used 'tplt' in function names instead of 'templete'.
|
|
- this patch should fix bug #213, a double free in the sdap timeout handler
|
|
|
|
|
|
|
|
Similar to Simo's patch that fixed the tools, this one converts the
python bindings to the start_transaction/end_transaction functions.
Also fixes memory hierarchy so that tools_ctx is allocated in every
operation and used as memory context for the operation instead of
self->mem_ctx which simplifies cleanup.
|
|
- add a hint to the man page about permissions on sssd.conf
- add a test if a symbolic link can be opened
|
|
Use this new utility call to ensure that the config file is safe
to read from.
|
|
Patch adds ability to read
configuration using already open
file descriptor.
Started by Steve G and refined a bit by me.
|
|
|
|
This patch continues work started
with the previous patch.
It resolves message attribute.
Message attribute is a special attribute
in the event that may contain
references to other attributes in the
event. When message is resolved the
references are replaced with actual
values of the referenced attributes.
|
|
Started working on the async processing
and realised that I need to have a good
copy of the event with all the fields resolved
so this patch has some foundation for the async
functions (module elapi_async.c) but they
are mostly stubbed out.
The actual code will be added down the road.
Instead the patch focuses on the code
introduced in elapi_resolve.c module
and the use of the functions from it.
It also adds the implementation of the
high level calls that initialize ELAPI
with the external callbacks to be used
during async processing (elapi_log.c).
|
|
|
|
This is a feature that helps ELAPI.
It makes lookup of the fields that need
to be resolved for every event a bit faster.
The idea is to be able to put a 'pin'
into a specific place while iterating
the collection and make this place a new
"wrap around" place for the collection.
This means that next time you
iterate this collection you will start
iterating from the next item and
the item you got before pin will be last
in your iteration cycle.
Here is the example:
Assume you have two collections that you need
to compare and perform some action on collection
1 based on the presense of the item in collection 2.
Collection1 = A, B, C, D, E. F
Collection2 = A, C, F
The usual approach is to try A from collection 1
against A, B, C from collection 2. "A" will be found
right away. But to find "F" it has to be compared
to "A" and "C" first. The fact that the collections
are to some extent ordered can in some cases
help to reduce the number of comparisons.
If we found "C" in the list we can put a "pin"
into the collection there causing the iterator
to warp at this "pin" point. Since "D" and "E"
are not in the second collection we will have
to make same amount of comparisons in traditional
or "pinned" case to not find them.
To find "F" in pinned case there will be just one
comparison.
Traditional case = 1 + 3 + 2 + 3 + 3 + 3 = 15
Pinned case = 1 + 3 + 1 + 3 + 3 + 1 = 12
It is a 20% comparison reduction.
|
|
Created a new module to hold functions
related to iterator and iterating
collections. Planning to add new functions
but the main collection module is already
too big. So this patch just moves code around
and fixes the build making foundation for
the next patch.
|