Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1997
Most of the time, the SIDs are resolved as a call coming from the PAC
responder during initgroups. In that case at least, it makes sense to
search for group matching that SID first, then users.
We may consider making this behaviour configurable ie for the server
mode where typically the users should be queried first.
|
|
|
|
|
|
Some krb5 functions needn't be available for retrieving ccache
with principal. Therefore ifdef is used to solve this situation with older
version of libkrb5. There were two functions with similar functionality
in krb5_child and krb5_utils. They were merged to one universal function, which
was moved to file src/util/sss_krb5.c
|
|
|
|
Dircache can be either file or directory. Wrong value was used
when dircache was itself directory.
https://fedorahosted.org/sssd/ticket/2002
|
|
We did not set port status for metaservers (srv servers)
in fo_reset_services().
Fixes:
https://fedorahosted.org/sssd/ticket/1933
|
|
The switch statement was dead code due to missing case/default.
|
|
Option -E/--everething was added to invalide all types of entries.
https://fedorahosted.org/sssd/ticket/1988
|
|
https://fedorahosted.org/sssd/ticket/1778
When trying to copy special file, only message is logged now.
|
|
|
|
This will ensure that we aren't pulling in extra samba4
dependencies for the Kerberos provider.
|
|
|
|
The PAC responder is now used by both IPA and AD providers.
|
|
There are no longer any Fedora platforms running SSSD with SYSV
init scripts. We don't need the upgrade logic any more.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1999
ldap_auth.c code which was added to SSSD for updating the
shadowLastChange when "ldap_chpass_update_last_change" option is
enabled updates shadowLastChange even when the PAM password change
status reports failure.
We should only update shadowLastChange on PAM password change success or
we open up a work around for users to avoid changing their passwords
periodically as required by policy. The user simply attempts to change
password, fails by trying to set new password which invalid (denied due
to password history check) yet shadowLastChange is updated, avoiding
their need to actually change the password they are using.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1962
If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.
|
|
When IPA server mode is on, then this patch will create an ad_id_ctx for
each subdomain discovered in IPA provider. The ID context is needed to
perform direct lookups using the AD provider.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
This is needed so we can initialize failover using IPA realm and
on-the-fly discovered DNS domain. The subdomains discovered on-thefly
will use the subdomain name for realm, domain and failover service to
avoid conflicts.
Subtaks of:
https://fedorahosted.org/sssd/ticket/1962
|
|
The IPA subdomain code will perform lookups on its own in the server
mode. For this, the AD provider must offer a way to initialize the
ad_id_ctx for external consumers.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
The AD subdomains will only use default options values. This patch
introduces a new utility function sdap_copy_map() that copies the
default options map.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
https://fedorahosted.org/sssd/ticket/1993
SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option, is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set.
|
|
The mpg flag will be read from the cache for subdomains and the domain
object will be created accordingly.
|
|
The information of a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache.
|
|
Since FreIPA will start to support external mapping for trusted domains
as well the range type for the domain must be know before the domain
object is created. The reason is that external mapping will not use
magic private groups (mpg) while algorithmic mapping will use them.
|
|
new_subdomain() will create a new domain object and should not be used
anymore in the priovder code directly. Instead a reference to the domain
from the common domain object should be used.
|
|
Recent versions of FreeIPA support a range type attribute to allow
different type of ranges for sub/trusted-domains. If the attribute is
available it will be used, if not the right value is determined with the
help of the other idrange attributes.
Fixes https://fedorahosted.org/sssd/ticket/1961
|
|
Use the sdap_idmap context for the IPA provider as well.
https://fedorahosted.org/sssd/ticket/1961
|
|
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this options can be replace with a call which
checks the state via libss_idmap.
https://fedorahosted.org/sssd/ticket/1961
|
|
This patch implements a wrapper for
sss_idmap_domain_has_algorithmic_mapping() for the sdap ID mapping.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
Currently the range management code is in the generic LDAP provider and
can be used by the LDAP and AD provider. New ranges are allocated with
the help of a hash value of the domain SID.
If the IPA provider cannot find a range for a given domain it cannot
allocate a new range on its own but has to look up the idrange objects
on the FreeIPA server and use them accordingly. To allow the LDAP, AD
and IPA provider to use as much common code as possible a plugin
interface, similar to the one used to find the DNS site, to find a
missing range would be useful. The default plugin will be used by the
LDAP and the AD provider and the IPA provider will implement a plugin to
read the data from the server.
Fixes https://fedorahosted.org/sssd/ticket/1961
|
|
To allow libsss_idmap to manage all id-ranges the id-ranges of the
domains configured in sssd.conf which are currently unmanaged must be
added to libsss_idmap.
|
|
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
|
|
This patch implements some unit tests for the recent enhancements to
libsss_idmap.
|
|
With this call it can be checked if for a given domain algorithmic
mapping is available or if the ID must be read from an external source.
The default if an error occurs or no matching range was found is false,
i.e external mapping, to meet the requirements for simple LDAP based
domains where only external mapping is available.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
When ID are mapped externally it must be checked if the extern ID falls
into the right configured range to avoid ID conflicts.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
Since it is planned that the LDAP based ID providers (LDAP, AD, IPA)
will always use libsss_idmap to map ID or get information about how to
map it, it must be possible to add domains to libsss_idmap which do not
have a SID or where is SID is not known when external mapping is used.
Algorithmic mapping always requires a domain SID.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
The idea is that ranges for IDs from AD can be used in libsss_idmap as
well, but whenever a mapping is requested for this range a specific
error code IDMAP_EXTERNAL is returned to tell SSSD to do
an AD lookup. This way SSSD does not need to inspect the ranges itself
but all is done inside if libsss_idmap.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
To be able to detect configuration changes in idranges managed by
FreeIPA an identifier should be stored on the client together with the
other idrange related data.
Fixes https://fedorahosted.org/sssd/ticket/1979
|
|
Currently libss_idmap implicitly assumes that the RID 0 is always mapped
to the first ID of the given range. This is not the case anymore when
multiple ranges are used e.g. for trusted domains in FreeIPA.
A new call sss_idmap_add_domain_ex() was added which can take the first
RID as an argument. This new call will get more options with other
patches hence I didn't change the library version with this patch.
Fixes https://fedorahosted.org/sssd/ticket/1938
|
|
|
|
|
|
|
|
|
|
Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done
was called. Inside of function sss_cmd_done memory was freed,
but this freed memory was used in caller functions, therefore sssd crashed.
https://fedorahosted.org/sssd/ticket/1980
|