Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2012-05-09 | Try all KDCs when getting TGT for LDAP | Jakub Hrozek | 1 | -15/+18 | |
When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324 | |||||
2012-05-09 | Clearer documentation for use_fully_qualified_names | Stef Walter | 1 | -0/+5 | |
* Previously only the side effect was described. | |||||
2012-05-07 | Only reset kpasswd server status when performing a chpass operation | Jakub Hrozek | 1 | -2/+3 | |
https://fedorahosted.org/sssd/ticket/1316 | |||||
2012-05-07 | krb5 locator: Do not leak addrinfo | Jakub Hrozek | 1 | -0/+2 | |
2012-05-07 | Special-case LDAP_SIZELIMIT_EXCEEDED | Jakub Hrozek | 1 | -4/+9 | |
Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322 | |||||
2012-05-07 | Kerberos locator: Include the correct krb5.h header file | Jakub Hrozek | 2 | -2/+14 | |
https://fedorahosted.org/sssd/ticket/1325 | |||||
2012-05-07 | Fix typo in debug message | Pavel Březina | 1 | -1/+1 | |
2012-05-07 | Limit krb5_get_init_creds_keytab() to etypes in keytab | Stef Walter | 4 | -0/+181 | |
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375 | |||||
2012-05-07 | Remove erroneous failure message in find_principal_in_keytab | Stef Walter | 2 | -2/+4 | |
* When it's actually a failure, then the callers will print a message. Fine tune this. | |||||
2012-05-04 | If canon'ing principals, write ccache with updated default principal | Stef Walter | 2 | -3/+8 | |
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518 | |||||
2012-05-04 | SSSDConfigAPI: Fix missing option in tests | Stephen Gallagher | 1 | -0/+2 | |
2012-05-04 | Modify behavior of pam_pwd_expiration_warning | Jan Zeleny | 9 | -52/+119 | |
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider. | |||||
2012-05-04 | Fix endian issue in SID conversion | Sumit Bose | 3 | -10/+18 | |
Since the byte-order is only important when dealing with the binary SID the sub-auth values are stored in host order and are only converted while reading or writing the binary SID. | |||||
2012-05-03 | LDAP: Add support for enumeration of ID-mapped users and groups | Stephen Gallagher | 1 | -31/+102 | |
2012-05-03 | MAN: Add manpage for ID mapping | Stephen Gallagher | 3 | -0/+214 | |
2012-05-03 | LDAP: Treat groups with unmappable SIDs as non-POSIX groups | Stephen Gallagher | 1 | -9/+12 | |
2012-05-03 | LDAP: Add helper function to map IDs | Stephen Gallagher | 5 | -119/+81 | |
This function will also auto-create a new ID map if the domain has not been seen previously. | |||||
2012-05-03 | LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped ↵ | Stephen Gallagher | 2 | -0/+16 | |
entries | |||||
2012-05-03 | LDAP: Add helper routine to convert LDAP blob to SID string | Stephen Gallagher | 5 | -68/+195 | |
2012-05-03 | LDAP: Map the user's primaryGroupID | Stephen Gallagher | 8 | -12/+73 | |
2012-05-03 | LDAP: Enable looking up id-mapped groups by GID | Stephen Gallagher | 1 | -2/+45 | |
2012-05-03 | LDAP: Allow looking up ID-mapped groups by name | Stephen Gallagher | 2 | -29/+125 | |
2012-05-03 | LDAP: Enable looking up id-mapped users by UID | Stephen Gallagher | 1 | -6/+43 | |
2012-05-03 | LDAP: Allow automatically-provisioning a domain and range | Stephen Gallagher | 1 | -3/+43 | |
If we get a user who is a member of a domain we haven't seen before, add a domain entry (auto-assigning its slice). Since we don't know the domain's real name, we'll just save the domain SID string as the name as well. | |||||
2012-05-03 | LDAP: Add routine to extract domain SID from an object SID | Stephen Gallagher | 4 | -2/+52 | |
Also makes the domain prefix macros from sss_idmap public. | |||||
2012-05-03 | LDAP: Allow setting a default domain for id-mapping slice 0 | Stephen Gallagher | 7 | -0/+48 | |
2012-05-03 | LDAP: Add autorid compatibility mode | Stephen Gallagher | 7 | -8/+20 | |
2012-05-03 | LDAP: Enable looking up ID-mapped users by name | Stephen Gallagher | 3 | -9/+56 | |
2012-05-03 | LDAP: Initialize ID mapping when configured | Stephen Gallagher | 2 | -0/+10 | |
2012-05-03 | LDAP: Add ID mapping range settings | Stephen Gallagher | 6 | -0/+19 | |
2012-05-03 | LDAP: Add helper routines for ID-mapping | Stephen Gallagher | 3 | -2/+340 | |
2012-05-03 | SYSDB: Add sysdb routines for ID-mapping | Stephen Gallagher | 3 | -0/+347 | |
2012-05-03 | LDAP: Add id-mapping option | Stephen Gallagher | 6 | -0/+6 | |
2012-05-03 | LDAP: Add objectSID config option | Stephen Gallagher | 8 | -0/+47 | |
2012-05-03 | Read sysdb attribute name, not LDAP attribute map name | Jakub Hrozek | 1 | -2/+2 | |
https://fedorahosted.org/sssd/ticket/1320 | |||||
2012-05-03 | SSH: Add dp_get_host_send to common responder code | Jakub Hrozek | 9 | -52/+211 | |
Instead of using account_info request, creates a new ssh specific request. This improves code readability and will make the code more flexible in the future. https://fedorahosted.org/sssd/ticket/1176 | |||||
2012-05-03 | Rename split_service_name_filter | Jakub Hrozek | 1 | -16/+16 | |
The function was used outside services code which was confusing due to its name. This patch renames it to sound more netrual. | |||||
2012-05-03 | Fix typo in spec file | Sumit Bose | 1 | -1/+1 | |
2012-05-03 | SYSDB: Handle upgrade script failures better | Stephen Gallagher | 1 | -4/+13 | |
There was a bug in finish_upgrade() where it would return EOK if it succeeded in canceling the transaction due to an error. We should instead be returning the original error. | |||||
2012-05-03 | AUTOFS: remove unused assignments | Jakub Hrozek | 2 | -5/+9 | |
Also changes setautomntent_send so that is only return NULL in case the tevent_req creation fails. | |||||
2012-05-03 | IPA: Check return values | Jakub Hrozek | 2 | -2/+12 | |
2012-05-03 | PROXY: return correct return codes | Jakub Hrozek | 1 | -7/+9 | |
We were reporting on the value of "status" instead of "ret'. We also didn't set ret to EOK in cases group contained no members. | |||||
2012-05-03 | SSS_DEBUGLEVEL: silence analyzer warnings | Jakub Hrozek | 1 | -2/+3 | |
Errno was returned instead of ret. The other hunk removes return code from fread - it is not needed, the NULL termination of the string is ensured by initializing the buffer. | |||||
2012-05-02 | NSS: fix returning group from cache | Jakub Hrozek | 1 | -1/+1 | |
2012-05-02 | Handle endianness issues on older systems | Stephen Gallagher | 1 | -0/+17 | |
Older versions of glibc (like that on RHEL 5) do not have the le32toh() function exposed. We need this for handling the Active Directory ID-mapping, so we'll copy these macros from endian.h on a newer glibc. | |||||
2012-05-02 | DP: return correct error message when subdomains back end target is not ↵ | Jakub Hrozek | 1 | -1/+1 | |
configured The done handler uses the value of status, not ret. | |||||
2012-05-02 | HBAC: Prevent NULL dereference in hbac_evaluate | Jakub Hrozek | 1 | -2/+4 | |
'info' is optional parameter and can be set to NULL | |||||
2012-05-02 | ipa_get_config_send: remove unused assignment | Jakub Hrozek | 1 | -1/+0 | |
2012-05-02 | IPA netgroups: return EOK when there are no netgroups to process | Jakub Hrozek | 1 | -0/+1 | |
If the code fell through the loop, ret would have been random value. | |||||
2012-05-02 | NSS: Check return code of sss_mmap_cache_gr_store | Jakub Hrozek | 1 | -0/+5 | |