Age | Commit message (Collapse) | Author | Files | Lines |
|
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output.
|
|
|
|
|
|
Switch statement missing a break causes unintended implicit setting of
'm' options in sss_useradd.
Fixes: #512
|
|
|
|
|
|
Also update manpage for min_id/max_id to be more clear about how
it relates to primary GID.
|
|
Under certain circumstances, the openldap libraries will continue
internally trying to reconnect to a connection lost (as during a
cable-pull test). We need to drop the reconnection callbacks when
marking the backend offline in order to guarantee that they are
not called with an invalid sdap_handle.
|
|
Fixes: #518
|
|
Fixes: #505
|
|
Fixes: #508
|
|
We weren't properly linking libsss_krb5.so against libkeyutils
|
|
Fixes: #488
|
|
Fixes: #498
|
|
OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to
LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS
error messages to be displayed on either version.
|
|
|
|
Fixes: #496
|
|
|
|
|
|
|
|
Because the memberOf attribute is now set for the service objects we do
not need to fetch the service groups separately anymore.
|
|
|
|
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs
structure if the requested element does not exist. Recent versions of
libldb do not accept empty elements when writing new objects to disk.
sysdb_attrs_get_string_array() does not create an empty element but
returns ENOENT.
|
|
|
|
Caused the kerberos provider to not use the kernel keyring
|
|
|
|
|
|
|
|
|
|
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
|
|
|
|
|
|
|
To allow a fallback to the setting in krb5.conf the locator plugin
returns KRB5_PLUGIN_NO_HANDLE in nearly all error conditions. Only if the
call back fails the error code of the callback is returned.
|
|
|
|
|
|
|
|
|
|
|
|
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
|
|
We were not passing the old authtok to the pam_chauthtok()
function, causing it to return PAM_AUTH_ERR.
|
|
This patch adds a new tevent_req to the proxy provider, which will
spawn short-lived child processes to handle PAM requests. These
processes then call the proxied PAM stack and return the results
via SBUS method reply. Once it is returned, the parent process
kills the child.
There is a maximum of ten child processes running simultaneously,
after which requests will be queued for sending once a child slot
frees up. The maximum processes will be made configurable at a
later date (as this would violate string freeze).
|
|
Instead of just using references to the pam data inside of the DBus
message the data is copied. New the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere.
|
|
|
|
|
|
|
|
The ccache file was removed too early if system is offline but the
backend was not already marked offline. Now we remove the ccache file
only if the successfully got a new one and it is not the same as the old
one.
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
The Kerberos backend would previously try only the first server and if
it was unreachable, it immediatelly went offline.
|