Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1500
|
|
https://fedorahosted.org/sssd/ticket/1460
|
|
|
|
To validate a TGT a keytab entry from the client realm is preferred but
if none ca be found the last entry should be used. But the entry was
freed and zeroed before it could be used.
This should also fix the trusted domain use case mentioned in
https://fedorahosted.org/sssd/ticket/1396
although a different approach then suggested in the ticket is used.
|
|
https://fedorahosted.org/sssd/ticket/1365
|
|
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c).
|
|
https://fedorahosted.org/sssd/ticket/1434
|
|
https://fedorahosted.org/sssd/ticket/734
We successfully detect when the server is reinitialized by testing
the new lastUSN value. The maximum USN values are set to zero, but
the current cache content remains.
This patch removes records that were deleted from the server.
It uses the following approach:
1. remove entryUSN attribute from all entries
2. run enumeration
3. remove records that doesn't have entryUSN attribute updated
We don't need to do this for sudo rules, they will be refreshed
automatically during next smart/full refresh, or when an expired rule
is deleted.
|
|
|
|
|
|
|
|
ldap_destroy() is not present in RHEL5
|
|
We were not closing LDAP connection when using SSL
with invalid certificate.
https://fedorahosted.org/sssd/ticket/1490
|
|
|
|
Also rename it to sysdb_attrs_get_el_ext()
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectivelly marking the whole nesting
level as done.
|
|
The compilation produced an error due to missing declaration of uint32_t
and a couple of warnings caused by different prototypes of argument
parsing functions in older Python releases.
|
|
https://fedorahosted.org/sssd/ticket/1455
In case there are no rules on the IPA server, we must simply avoid generating
the login file. That would make us fall back to the system-wide default
defined in /etc/selinux/targeted/seusers.
The IPA default must be only used if there *are* rules on the server,
but none matches.
|
|
write_selinux_string() would try to unlink the temporary file even after
it was renamed. Failure to unlink the file would not be fatal, but would
produce a confusing error message.
Also don't use "0" for the default fd number, that's reserved for stdin.
Using -1 is safer.
|
|
https://fedorahosted.org/sssd/ticket/1480
|
|
https://fedorahosted.org/sssd/ticket/1436
Now subdomains are not evaluated for local domains.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1452
|
|
The caller should issue a next request, which would just shortcut with
ENOENT.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1472
|
|
https://fedorahosted.org/sssd/ticket/1415
|
|
https://fedorahosted.org/sssd/ticket/1478
|
|
It was ambiguous that these options supported the new multiple
search base format, as well as the search filters.
|
|
group members with groups outside nesting limit.
https://fedorahosted.org/sssd/ticket/1194
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1463
|
|
https://fedorahosted.org/sssd/ticket/1462
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1464
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1459
|
|
It is not an attribute.
|
|
It does not contain name of the object class attribute but the value
itself. I renamed it to avoid confusion.
|
|
|
|
The DP was sending the reply in a format the responder did not expect,
so the responder always failed to parse the message.
|
|
https://fedorahosted.org/sssd/ticket/1345
When the monitor is unable to load configuration and non debug
level is set (e.g. when sssd is started via 'service'), none
message was saved into logs. This patch forces debug messages
to be written in this scenario.
|
|
In the failover, we treat both KDC and LDAP on the IPA server as a single
"port", numbered 0. This was done in order to make sure that the SSSD
always talks to the same server for both LDAP and Kerberos.
However, this clever hack breaks when the IPA provider needs to establish an
GSSAPI encrypted LDAP connection because we're asking the fail over code to
yield a server while no server has yet been marked as tried. This triggers a
fail over for the KDC, so in effect, the TGT is received from second server.
If the second server is not available for some reason, the whole provider
goes offline.
The fail over needs to detect that the server asked for is still being
resolved and return the same pointer.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1457
|