summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2012-12-05MEMBEROF: Keep inherited ghost users around on modify operationJakub Hrozek2-34/+637
https://fedorahosted.org/sssd/ticket/1652 It is possible to simply reset the list of ghost users to a different one during a modify operation. It is also actually how we update entries that are expired in the SSSD cache. In this case, we must be careful and retain the ghost users that are not native to the group we are processing but are rather inherited from child groups. The intention of the replace operation after all is to set the list of direct members of that group, not direct and indirect.
2012-12-05MEMBEROF: Implement the modify operation for ghost usersJakub Hrozek2-36/+715
Similar to the add and delete operation, we also need to propagate the changes of the ghost user attribute to the parent groups so that if a nested group updates memberships, its parents also get the membership updated.
2012-12-05MEMBEROF: Split the add ghost operation into a separate functionJakub Hrozek1-17/+73
This new function will be reused by the modify operation later
2012-12-05MEMBEROF: Split the del ghost attribute op into a reusable functionJakub Hrozek1-12/+22
This new function is going to be reused by the modify operation
2012-12-05MEMBEROF: split processing the member modify into a separate functionJakub Hrozek1-47/+73
This will allow to process ghost users in a similar fashion
2012-12-05MEMBEROF: Implement delete operation for ghost usersJakub Hrozek2-7/+362
https://fedorahosted.org/sssd/ticket/1668 The memberof plugin did only expand the ghost users attribute to parents when adding a nested group, but didn't implement the reverse operation. This bug resulted in users being reported as group members even after the direct parent went away as the expanded ghost attributes were never removed from the parent entry. When a ghost entry is removed from a group, all its parent groups are expired from the cache by setting the expire timestamp to 1. Doing so would force the SSSD to re-read the group next time it is requested in order to make sure its members are really up-to-date.
2012-12-05LDAP: Continue adjusting group membership even if there is nothing to addJakub Hrozek1-2/+1
https://fedorahosted.org/sssd/ticket/1695
2012-12-05Add memory barrier to mmap cache client code loopSimo Sorce1-0/+3
Fixes https://fedorahosted.org/sssd/ticket/1694
2012-12-05Always append rctx as private dataSimo Sorce1-1/+1
This is used for the new calls back from the data provider.
2012-12-05Add backchannel NSS provider query on initgr callsSimo Sorce1-0/+165
This is needed in order to assure the memcache is properly and promptly cleaned up if a user memberships change on login. The list of the current groups for the user is sourced before it is updated and sent to the NSS provider to verify if it has changed after the update call has been made.
2012-12-05Hook for mmap cache update on initgroup callsSimo Sorce4-0/+148
This set of functions enumerate the user's groups and invalidate them all if the list does not matches what we get from the caller.
2012-12-05Hook to perform a mmap cache update from sssd_nssSimo Sorce4-0/+124
This set of functions enumerate each user/group from all domains and invalidate any mmap cache record that matches.
2012-12-05mmap cache: public functions to invalidate recordsSimo Sorce2-0/+135
These functions can be called from the nss responder to invalidate records that have ceased to exist or that need to be refreshed the first time an application needs them.
2012-12-04link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthreadTimo Aaltonen1-0/+2
There used to be an overlinked dependency that's gone now, so to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS. v2: Fix sss_ssh_authorizedkeys linking as well.
2012-12-04Use an entry type mask macro to filter entry typesSimo Sorce5-5/+6
Avoids hardcoding magic numbers everywhere and self documents why a mask is being applied.
2012-12-04Streamline ipa_account_info handlerSimo Sorce1-74/+55
In particular note that we merge ipa_account_info_netgroups_done() and ipa_account_info_users_done() into a single fucntion called ipa_account_info_done() that handles both cases We also remove the auxiliary function ipa_account_info_complete() that unnecessarily violates the tevent_req style and instead use a new function named ipa_account_info_error_text() to generate error text.
2012-12-04Fix tevent_req style for get_netgroup in ipa_idSimo Sorce1-80/+71
Also do not intermix two tevent_req sequences
2012-12-04Fix ipa_subdomain_id names and tevent_req styleSimo Sorce3-52/+36
2012-12-04Fix tevent_req style for krb5_authSimo Sorce4-371/+334
No functionality changes, just make the code respect the tevent_req style and naming conventions and enhance readability by adding some helper functions.
2012-12-04do not crash when id_provider is not setPavel Březina1-0/+6
https://fedorahosted.org/sssd/ticket/1686
2012-12-04Missing parameter in DEBUG message.Michal Zidek1-1/+2
2012-12-04Indentation fixJakub Hrozek1-5/+2
2012-12-04Dereference after null check in sss_idmap_sid_to_unixMichal Zidek1-1/+5
https://fedorahosted.org/sssd/ticket/1684
2012-12-04NSS: Fix netgroup midpoint cache refreshJakub Hrozek3-3/+3
https://fedorahosted.org/sssd/ticket/1683 The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
2012-12-02warn user if password is about to expirePavel Březina1-3/+4
https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
2012-12-02IPA: Handle bad results from c-ares lookupStephen Gallagher1-1/+11
In some situations, the c-ares lookup can return NULL instead of a list of addresses. In this situation, we need to avoid dereferencing NULL. This patch adds a log message and sets the count to zero so it is handled appropriately below.
2012-12-02sudo: print message if old protocol is usedPavel Březina1-3/+15
2012-12-02avoid versioning libsss_sudoPavel Březina1-3/+4
2012-11-28Monitor quit when not exists no process no stopsAriel O. Barria1-1/+3
https://fedorahosted.org/sssd/ticket/1669
2012-11-28Null pointer dereferenced.Michal Zidek1-96/+100
https://fedorahosted.org/sssd/ticket/1674
2012-11-28Avoid const warnings when deallocating memorySimo Sorce1-1/+1
In some case we allocate and assign data to a const pointer. When we then try to free it we would get a const warning because talloc_free accepts a void, not a const void pointer. Use discard_const to avoid the warning, it is safe in this case.
2012-11-28Avoid duplicating macrosSimo Sorce1-4/+0
This macro is already available in util/util.h which is expicitly included in this file.
2012-11-28Revert "Avoid accessing half-deallocated memory when using talloc_zfree macro."Simo Sorce1-5/+1
This reverts commit ff57c6aeb80a52b1f52bd1dac9308a69dc7a4774. This commit doesn't really make sense, we are never accessing freed memory as all we are dealing with is a pointer which is never itsef part of the memory we are freeing (if it were, it would be an error in the caller and we shouldn't mask it in this macro).
2012-11-28idmap: Silence DEBUG messages when dealing with built-in SIDs.Michal Zidek6-80/+125
When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
2012-11-28Uninitialized pointer readMichal Zidek1-1/+1
https://fedorahosted.org/sssd/ticket/1673
2012-11-28sss_cache: Small refactor.Michal Zidek3-58/+72
The logic that checks if sssd_nss is running and then sends SIGHUP to monitor or removes the caches was moved to a function sss_memcache_clear_all() and made public in tools_util.h.
2012-11-26TESTS: Test ghosts users in the RFC2307 schemaJakub Hrozek1-0/+248
2012-11-26MEMBEROF: Do not add the ghost attribute to selfJakub Hrozek2-13/+87
When a nested group with ghost users is added, its ghost attribute should propagate within the nested group structure much like the memberuid attribute. Unlike the memberuid attribute, the ghost attribute is only semi-managed by the memberof plugin and added manually to the original entry. This bug caused LDB errors saying that attribute or value already exists when a group with a ghost user was added to the hierarchy as groups were updated with an attribute they already had.
2012-11-26debug: print fatal and critical errors if debug level is unresolvedMichal Zidek2-7/+4
If global variable debug_level has value SSSDBG_UNRESOLVED, we should print at least fatal and critical errors. https://fedorahosted.org/sssd/ticket/1345
2012-11-26Save errno before it might be modified.Simo Sorce1-8/+16
The DEBUG() macro may, at any time, change and start calling functions that touch errno. Save errno before logging and then return the saved error.
2012-11-23SYSDB: Don't operate with aliases same as nameOndrej Kos1-0/+6
fixes https://fedorahosted.org/sssd/ticket/1628 When user's alias is same as it's name, don't use it for searching in sysdb, and for deleting.
2012-11-23LDAP: fix uninitialized variableOndrej Kos1-1/+1
initialized variable, was causing build warning
2012-11-22Handle compiling FQDN regular expression with old pcre gracefullyJakub Hrozek1-0/+9
https://fedorahosted.org/sssd/ticket/1661
2012-11-22Fix errors reported by rpmlintJan Cholasta10-29/+19
2012-11-22Use systemd by default on Fedora 16+Jan Cholasta1-2/+60
https://fedorahosted.org/sssd/ticket/1437
2012-11-21MONITOR: Fix off-by-one error in add_string_to_listJakub Hrozek1-1/+4
We need to allocate num_services+2 - one extra space for the new service and one for NULL.
2012-11-20fix SIGSEGV in IPA provider when ldap_sasl_authid is not setPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1657 IPA_HOSTNAME is not stored in ipa_opts->id options so it the option was always NULL here. This caused SIGSEGV when accessed by strchr() in subsequent function.
2012-11-20LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek11-27/+91
https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
2012-11-20SYSDB: Use the add_string convenience functions for managing ghost user ↵Jakub Hrozek1-24/+9
attribute Using the convenience function instead of low-level ldb calls makes the code more compact and more readable.
2012-11-20BUILD: Temporary workaround for Kerberos buildStephen Gallagher1-2/+3
This patch extends the Kerberos version check to support Kerberos version 1.11 alpha and later. It is a temporary measure until we can redesign the configure checks for better granularity.