| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
In sssd only local is a native mpg domain, and it is forced.
All other providers will have to unroll mpg users into a user/group pair of
entries in the db. This allows the provider to automatically establish if
the remote server provides mpg users w/o possibily conflicting manual
configurations on the client trying to force an mpg behavior where none
is provided.
|
|
Instead of waiting an arbitrary timeout, start all providers first, and wait for
all of them to reply to the monitor before starting other services.
Add a timeout handler so that services are started even if one of the providers
fails to actually register back to the monitor.
Also fixes services destructors
delist_service was overriding the natural svc destructor.
remove the offending code and make the svc_destructor always try
to remove a service from the service list, if the service is not
listed it will just be a noop.
|
|
Turn the backend process into data provider servers
Make Frontends (pam, nss) directly attach to the backends
|
|
Network timeouts are used in quick operations like bind.
Search timeout is used for operations that can "legally" require more time.
Change defaults to 6 and 60 seconds respectively.
|
|
|
|
- password policy request controls are send during bind and change
password extended operation
- the response control is evaluated to see if the password is expired
or will expire, soon
|
|
|
|
We have converted to using dhash in place of btreemap everywhere
in the code.
|
|
This should fix #218
It should also prevent us from leaking memory in case the original request times
out and should prevent races with the callbacks beeing freed after sdp_req is
freed and thus dereferencing freed memory in the callbacks detructors.
|
|
The issue was that the host IP was recorded twice,
once as a main address and another as IP alias.
It seemed that the IP was returned as name
but the issue turned out to be different.
See https://fedorahosted.org/sssd/ticket/207.
|
|
Addressing Ticket #191.
Renamed all varibles from 'template' to 'tpl'.
Used 'tplt' in function names instead of 'templete'.
|
|
- this patch should fix bug #213, a double free in the sdap timeout handler
|
|
|
|
|
|
|
|
Similar to Simo's patch that fixed the tools, this one converts the
python bindings to the start_transaction/end_transaction functions.
Also fixes memory hierarchy so that tools_ctx is allocated in every
operation and used as memory context for the operation instead of
self->mem_ctx which simplifies cleanup.
|
|
- add a hint to the man page about permissions on sssd.conf
- add a test if a symbolic link can be opened
|
|
Use this new utility call to ensure that the config file is safe
to read from.
|
|
Patch adds ability to read
configuration using already open
file descriptor.
Started by Steve G and refined a bit by me.
|
|
|
|
This patch continues work started
with the previous patch.
It resolves message attribute.
Message attribute is a special attribute
in the event that may contain
references to other attributes in the
event. When message is resolved the
references are replaced with actual
values of the referenced attributes.
|
|
Started working on the async processing
and realised that I need to have a good
copy of the event with all the fields resolved
so this patch has some foundation for the async
functions (module elapi_async.c) but they
are mostly stubbed out.
The actual code will be added down the road.
Instead the patch focuses on the code
introduced in elapi_resolve.c module
and the use of the functions from it.
It also adds the implementation of the
high level calls that initialize ELAPI
with the external callbacks to be used
during async processing (elapi_log.c).
|
|
|
|
This is a feature that helps ELAPI.
It makes lookup of the fields that need
to be resolved for every event a bit faster.
The idea is to be able to put a 'pin'
into a specific place while iterating
the collection and make this place a new
"wrap around" place for the collection.
This means that next time you
iterate this collection you will start
iterating from the next item and
the item you got before pin will be last
in your iteration cycle.
Here is the example:
Assume you have two collections that you need
to compare and perform some action on collection
1 based on the presense of the item in collection 2.
Collection1 = A, B, C, D, E. F
Collection2 = A, C, F
The usual approach is to try A from collection 1
against A, B, C from collection 2. "A" will be found
right away. But to find "F" it has to be compared
to "A" and "C" first. The fact that the collections
are to some extent ordered can in some cases
help to reduce the number of comparisons.
If we found "C" in the list we can put a "pin"
into the collection there causing the iterator
to warp at this "pin" point. Since "D" and "E"
are not in the second collection we will have
to make same amount of comparisons in traditional
or "pinned" case to not find them.
To find "F" in pinned case there will be just one
comparison.
Traditional case = 1 + 3 + 2 + 3 + 3 + 3 = 15
Pinned case = 1 + 3 + 1 + 3 + 3 + 1 = 12
It is a 20% comparison reduction.
|
|
Created a new module to hold functions
related to iterator and iterating
collections. Planning to add new functions
but the main collection module is already
too big. So this patch just moves code around
and fixes the build making foundation for
the next patch.
|
|
Needed item comparison functions and realized
that the easiest way to test them would be using
sorting. Since there already been a ticket #73
to do that I added function to sort collection
based on different properties of the item.
COLLECTION Fixing issues with comparisons
COLLECTION Adding do-while to macro
|
|
Always use the network timeout defined in the options.
But raise defaults to 60 seconds or enumerations can easily fail.
|
|
Tools were using nested loops that are illegal.
(and enforced in latest tevent with a nice abort())
Fix them by creating appropriate synchronous transaction calls.
Also fix tools_ctx mem hierarchy setup.
|
|
Inits krb5 credentials, if sasl mech is GSSAPI.
Tested with GSSAPI and host keytab as well as user credentials.
Updates also manpages with the new options.
|
|
|
|
|
|
|
|
|
|
Loop control variable was not being incremented.
I also converted a goto loop into a do...while loop to make it
easier to follow the logic.
|
|
SSSD may contain passwords and other sensitive data, make sure we always keep its
permission tight. Also make /etc/sssd permission very strict, just in case,
admins may inadvertently copy an sssd.conf file without checking it's
permissions.
|
|
Update gettext strings
|
|
- this fixes a compiler warning about the redefinition of
SIZEOF_OFF_T in the python bindings, because python is
compiled with large file support.
|
|
Timers always come before fd events, wait 5 microseconds between processing
operations so that tevent has a chance of cactching an fd event in between.
This allows the backend to reply to pings even while processing very large ldap
results (importanty especially during the first enumeration).
|
|
|
|
|
|
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
|
|
|
|
|
|
|
|
|
|
|
This converts a great many configuration options to the new
standard format.
|
|
|
|
The backends do not honor the reloadConfig SBUS message right now,
so if an admin changes the sssd.conf file, it will update only the
monitor, potentially leaving the SSSD as a whole in a bad state.
This patch will simply comment out monitor_config_file() for the
time being until https://fedorahosted.org/sssd/ticket/91 is fixed.
|
|
- make the build of the locator plugin optional
- added a man page for the locator plugin
- use krb5.h if krb5/krb5.h cannot be found
- added alternatives for missing functions
- set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version
is lesser than 1.0.0
|
