Age | Commit message (Collapse) | Author | Files | Lines |
|
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
The domain name is no longer send as an element on its own, but
if set as a member of the response array. If the user was not found
pd->domain is NULL and strlen will seg-fault.
|
|
- added range check for supplied UIDs and GIDs
- initialize pc_gid to 0 to trigger gid generation
|
|
Other pam modules which are called after pam_sss might want to
reuse the given password so that the user is not bothered with
multiple password prompt. When pam_sss is configured with the
option 'forward_pass' it will use pam_set_item to safe the
password for other pam modules.
|
|
see https://fedorahosted.org/sssd/ticket/25
|
|
Apply suggested fixes by Simo after code review
* return statements no longer use () unless it's an expression
* remove all use of assert() in library
* use bool,true,false instead of int,TRUE,FALSE
* add check for NULL hash table in public entry points
* example code in header file now a seperate file
* assure consistent use of unsigned long data type
* add more debugging support
* break out generation of integer key into convert_key() function
* table parameters now tunable rather than hardcoded
* table can now accept custom alloc()/free() functions
* add function create_table_ex() to pass extra table parameters
* remove MUL(), DIV(), MOD() macros
* hash statistics now separate struct which can be queried
* test program now accepts tuning parameters, iteration count; has better error checking and reporting
fix min/max load factor comman line args in test program
|
|
It needs a gpg key for signing the tarball.
|
|
|
|
Realized that I need to differentiate
sections and attributes. To do this the
line numbers for sections will be negative.
|
|
There was a confusion about the functions that were
recently added. They are incomplete. New added
comments make it clear.
|
|
There is controversy about the inlines so they are removed.
|
|
Force a user lookup against the users domain provider.
If a user domain is not specified search though all non fully qualifying
domains.
Perform authentication against the corrent domain auth backend, based on the
user's domain found in the lookup if one was not
specified.
Also move the NSS-DP functions in COMMON-DP as they are reused by the PAM
responder too now.
|
|
This patch addresses several issues:
a) Cleaning unit test to match coding standard
b) Replace tabs with spaces - I do not know where they came
but there were some.
c) Allowing to read file and keep aside a collection
of K-V pairs where key is the key in the INI file and value is the
line number on which line the key apears.
d) There will be different kinds of errors so
error printing function was abstracted.
g) Placeholders for other printing functions have been introduced.
|
|
Add code to check if the file has changed since the last update was performed.
Avoid dumping and reloading the config ldb if the modification time of the
configuration file has not changed at all.
|
|
We need to stop parsing domains as soon as a caaandidate is found and let the
callback search additional domains if the id is not found.
Should fix ticket #21
|
|
Tried to use the INI interface and saw that
the list of parsing errors can be not NULL
but the actual data is cleaned.
|
|
The read_line() function used an internal buffer allocated on stack
as temporary storage for a line read from file, then returned it.
read_line() now gets a buffer from the caller.
Fixed memory leaks in INI and Collection found by valgrind.
|
|
Also convert all places where we were using custom code to parse
config arguments.
And fix a copy&paste error in nss_get_config
|
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
Also remove the [services/infopipe] section, since we're not
shipping InfoPipe yet, and that would be confusing.
|
|
|
|
|
|
|
|
We were missing several BuildRequires for the autotools. Also, we
were linking against two external libraries in the common code
that we do not actually use.
|
|
|
|
|
|
Also setting dctx->domain to NULL is a recipe for segfaults :-)
Assign dctx->domain only when dom actually holds a domain pointer.
|
|
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and mode common code in data provider.
(the data provider should never include responder private headers)
|
|
Change sysdb to always passwd sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
|
|
|
|
|
The SSSD now links with the ini_config and collection libraries
in the common directory.
The monitor will track changes to the /etc/sssd/sssd.conf file
using inotify on platforms that support it, or polled every 5
seconds on platforms that do not.
At startup or modification of the conf file, the monitor will
purge the existing confdb and reread it completely from the conf
file, to ensure that there are no lingering entries. It does this
in a transaction, so there should be no race condition with the
client services.
A new option has been added to the startup options for the SSSD.
It is now possible to specify an alternate config file with the
-c <file> at the command line.
|
|
Allows building shared or static libraries using autotools and
provides a pkg-config file to simplify inclusion into other parts
of the project (or other projects in the future)
For now, we will statically link the collection library and INI
parser.
|
|
|
|
|
|
Fixes requested during code review
|
|
Previously it was runtime-selectable in the confdb, but this is
not a sensible approach, as if it were to change during runtime,
it would cause problems communicating with the child services.
|
|
Added a few new functions.
Cleaned code that was subject to conditional build.
Fixed the floating point conversion.
Keep const values as const.
|
|
This way we do not waste resources starting searching for users/groups in
multiple backends when the first one has the answer.
Also prevents possible race conditions where a user named the same way is found
in multiple backends and the wrong one is returned.
|
|
|
|
Since we switched to allowing domains to be configured but
inactive, we need to include the default set (just LOCAL) into
the first-start config.
|
|
This was missed when we moved away from using the message_handler
for sending replies (in order to support async processing).
|
|
To be able to correctly filter out duplicate names when multiple non-fully
qualified domains are in use we need to be able to specify the domains order.
This is now accomplished by the configuration paramets 'domains' in the
config/domains entry. 'domains' is a comma separated list of domain names.
This paramter allows also to have disbaled domains in the configuration without
requiring to completely delete them.
The domains list is now kept in a linked list of sss_domain_info objects.
The first domain is also the "default" domain.
|
|
|
|
Use common sss_parse_name function in all responders
Simplify responder headers by combining common,cmd,dp in one header and
add name parse structure as part of the common responder context.
|
|
This way LOCAL domains backed by files works as expected too.
Tested with nss_files + pam_unix
|
|
The same module may implement both types, but initializatrion will be
nonetheless performed separately, once for the identity module and once for the
authenticator module.
Also change the proxy module to retireve the pam target name from the domain
configuration so that it is possibile to create per-domain pam stacks.
With this modification it is actually possibile to use normal nss and pam
modules to perform a successful authentication (tested only with sudo so far)
Update exmples.
|
|
|
|
|
|
|