| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Prefixing group.c and passwd.c with "nss_" similar to the way the
PAM client sources are prefixed with "pam_"
|
|
|
|
|
|
Previously, it was implicitly using the nss_dom_ctx, but there are
situations where we would want to send a different private context
|
|
This is useful so that the NSS responder can identify an domain's
entry timeout for expiring the memory cache for a lookup such as
with netgroups.
|
|
This is useful for guaranteeing the size of an input buffer.
|
|
|
|
|
|
|
|
|
|
libdhash version 0.4.2 is required because older versions cannot update
hash entries.
|
|
|
|
|
|
getgrnam()/getgrgid() should return all group members instead of only those
which have already been cached (in sysdb). To achieve this every member
that is currently not in the cache is looked up via LDAP and saved to the
cache.
|
|
Addtional parameter "populate_members" for save_group() and save_groups()
to indicate that the "member" attribute of the groups is populated with
sysdb DNs of the members (instead of LDAP DNs).
|
|
This patch suppresses a 'shadows a global declaration' warning.
|
|
strcasecmp() is defined in strings.h which might not be included under
certain conditions.
|
|
|
|
Each back end can support id, auth or access provider, but each
back end supports different subset of these. Man pages should
describe which providers are supported by each back end.
Ticket: #615
|
|
sss_hash_create() produces a dhash table living in the talloc
hierarchy.
|
|
Erase events on LDAP socket when backend is offline and an event appears on the socket.
Normally this would lead to infinite loop, because event is present on the fd,
but instead of being processed, an error log is written and the program continues to wait
for the event.
Ticket: #599
|
|
When the failover code returns that there are no available servers
while we are marked offline, we were returning an error to the PAM
authentication code. Instead, we should return success with a
result value of SDAP_UNAVAIL so that the PAM responder will mark
the domain offline and attempt offline authentication.
|
|
|
|
Additionally the handling of errno and the errno_t return value of
functions is fixed in krb5_common.c.
|
|
|
|
|
|
|
|
|
|
1) Pam modules should be explicitly built for /lib64/security
2) The krb5 locator plugin is always built; remove the conditional
3) The krb5 locator plugin belongs in the sssd-client package
4) The sss_obfuscate manpage was not packaged
|
|
|
|
|
|
|
|
We were accidentally returning an error when sysdb_getpwnam()
returned zero results internally in sysdb_initgroups(). The
correct behavior here is to return EOK and a result object with
zero entries.
|
|
|
|
We tried to be too clever and only requested the name of the group,
but we require the objectClass to validate the results.
https://fedorahosted.org/sssd/ticket/622
|
|
|
|
This might be useful for examining the test database manually with LDB tools
|
|
When we changed the default min_id to be 1, we forgot about the local
domain. It makes sense to keep the minimum id larger there.
|
|
Use a #define instead of hardcoded string
|
|
This reverts 56d8d19ac9d857580a233d8264e851883b883c67
|
|
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/614
|
|
Previously, if a second enumeration request arrived while one was
already being processed, each process would receive only a subset
of the total number of available users or groups. This is because
we were maintaining the response object as a global value in the
NSS responder. The second request would come in, see that the data
set was already populated, and start reading from wherever the
cursor was currently pointed.
With this patch, we now move the cursor to the client context
instead of the global NSS context.
Additionally, this patch completely rewrites the approach to
enumerations in the tevent_req style. This makes it much easier to
follow in the code.
In order to ensure that a slow or malicious client cannot hold
onto a reference for the setent result object indefinitely, we
set an expiration on the object. We use the enum_cache_timeout
here, since that is an appropriate value.
If the timeout fires during the normal operation of the get*ent()
loop of a client program, we will save the current values of the
read index so that we can resume as soon as the object has been
refreshed by an implicit setent call.
Instead of deleting the enumeration result object immediately
after the last in-progress client has read it, we'll keep the
object around for the lifetime of enum_cache_timeout. This way,
additional clients making enumeration requests can still access
the results in-memory.
|
|
Fixes: #585
|
|
Three assignments deleted, two return code inspection added.
Also found and fixed one critical bug caused by dead assignment.
Ticket: #590
|
|
Some assignments deleted, two return value inspections were
added.
Ticket: #589
|
|
Various dead assignments were deleted, some return value inspections
were added.
Ticket: #588
|
|
Dead assignments were deleted. Also prototype of function
sdap_access_decide_offline() has been changed, since its return
code was never used.
Ticket: #586
|
|
When obfuscated password is used in config file, the LDAP backend
converts it back to clear text and uses it to authenticate to the
server.
|
