summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2012-07-27Move SELinux processing from session to account PAM stackJan Zeleny4-56/+90
The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
2012-07-27Renamed session provider to selinux providerJan Zeleny9-66/+65
2012-07-27Always free request in data provider PAM callbackJan Zeleny1-2/+3
In case of error the request wasn't freed and the callback just ended.
2012-07-25Provide counter of possible matches in SELinux IPA providerJan Zeleny1-6/+6
The counter is important so the for cycle doesn't depend on the first NULL pointer. That would cause potential errors if more records are following after this first NULL pointer.
2012-07-25Fix linking of HBAC rules and SELinux user mapsJan Zeleny1-0/+13
Translate manually memberHost and memberUser to originalMemberUser and originalMemberHost. Without this, the HBAC rule won't be matched against current user and/or host, meaning that no SELinux user map connected to it will be matched againts any user on the system.
2012-07-25Remove ipa_selinux_map_merge()Jan Zeleny3-55/+0
This function is no longer necessary since sysdb interface for copying elements has been implemented.
2012-07-24Fix SSSDConfigTestJakub Hrozek1-1/+2
2012-07-23manpage: seealso - include ssh conditionallyPavel Březina1-6/+10
SSH utilities were included in see also section even if SSSD is built without SSH support.
2012-07-23add hostid and subdomains sections in sssd-ipa.confPavel Březina1-1/+5
https://fedorahosted.org/sssd/ticket/1368
2012-07-23Extend category support in SELinux user mapsJan Zeleny1-6/+24
This patch adds the possibility for user/host category attributes to have more than one value. It also fixes semantically wrong evaluation of SELinux map priority.
2012-07-23Added some DEBUG statements into SELinux related codeJan Zeleny2-8/+38
2012-07-23sdap_sudo.c: add missing end of line in few debug messagesPavel Březina1-3/+3
2012-07-20SYSDB: Add log message for unexpected LDB errorsStephen Gallagher1-0/+3
2012-07-20Fix sysdb_search_selinux_usermap_by_username return valueJakub Hrozek1-0/+1
There was a logic bug in sysdb_search_selinux_usermap_by_username that resulted in returning the value the variable "ret" had after the last call to sysdb_attrs_get_uint32_t, which in cases the last rule processed did not have the requested attributes led to using the default user context.
2012-07-20NSS: Add override_shell optionStephen Gallagher9-2/+49
If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any). https://fedorahosted.org/sssd/ticket/1087
2012-07-20MAN: Improvements to the AD provider manpageStephen Gallagher2-0/+114
Add information about ID mapping (including how to disable it) as well as information on how to handle homedir and shell. https://fedorahosted.org/sssd/ticket/1433
2012-07-20MAN: List all available backends for provider optionsStephen Gallagher1-14/+84
https://fedorahosted.org/sssd/ticket/1432
2012-07-18Bumping version to 1.9.0 beta 6Jakub Hrozek1-1/+1
2012-07-18Update translations for 1.9.0 beta 5 releaseJakub Hrozek31-2890/+16150
2012-07-18PAM: Fix off-by-one-error in the SELinux session codeJakub Hrozek1-1/+1
2012-07-18AD: Fix defaults for krb5_canonicalizeStephen Gallagher1-2/+2
The AD provider cannot function with canonicalization because of a bug in Active Directory rendering it unable to complete a password-change while canonicalization is enabled.
2012-07-18Fix uninitialized valuesNick Guay12-23/+23
https://fedorahosted.org/sssd/ticket/1379
2012-07-18IPA: Return and save all SELinux rules in the providerJakub Hrozek1-47/+27
https://fedorahosted.org/sssd/ticket/1421
2012-07-18SYSDB: Delete SELinux mappingsJakub Hrozek2-0/+19
2012-07-18IPA: Download defaults even if there are no SELinux mappingsJakub Hrozek1-60/+59
We should always download the defaults because even if there are no rules, we might want to use (or update) the defaults.
2012-07-18Modify priority evaluation in SELinux user mapsJan Zeleny5-9/+113
The functionality now is following: When rule is being matched, its priority is determined as a combination of user and host specificity (host taking preference). After the rule is matched in provider, only its host priority is stored in sysdb for later usage. When rules are matched in the responder, their user priority is determined. After that their host priority is retrieved directly from sysdb and sum of both priorities is user to determine whether to use that rule or not. If more rules have the same priority, the order given in IPA config is used. https://fedorahosted.org/sssd/ticket/1360 https://fedorahosted.org/sssd/ticket/1395
2012-07-18Add function sysdb_attrs_copy_values()Jan Zeleny2-0/+27
This function copies all values from one sysdb_attrs structure to another
2012-07-18LDAP: Properly cast type for MINSSF valueJan Vcelak1-11/+9
2012-07-18Fixed: Uninitialized value in krb5_child-test if ccname was specified.Michal Zidek1-1/+1
https://fedorahosted.org/sssd/ticket/1411
2012-07-18Fixed: Unchecked return value from dp_opt_set_int.Michal Zidek1-1/+5
2012-07-16Fixed wrong number in shadowLastChangeJan Zeleny1-1/+2
The attribute is supposed to contain number of days since the epoch, not the number of seconds.
2012-07-16sudo test client: avoid SIGSEGV when run without argumentsPavel Březina1-1/+1
SIGSEGV occured when sss_sudo_cli was run without any arguments.
2012-07-16resolv_gethostbyname_send: strdup hostname to work properly when hostname is ↵Pavel Březina1-5/+12
allocated on stack If we provide a hostname that was allocated on stack, it may contain invalid data in the time when it is actually resolved. This patch fixes it.
2012-07-16Add missing "%" to specfileJakub Hrozek1-1/+1
2012-07-16AD: Add missing DP option terminatorStephen Gallagher1-1/+2
2012-07-13RPM: Own several directoriesJakub Hrozek1-0/+4
2012-07-12Add newline to DEBUG messagesJakub Hrozek1-2/+2
2012-07-10Fix typo: exhasution->exhaustion.Yuri Chornoivan1-1/+1
2012-07-10Bumping version to 1.9.0 beta 5Jakub Hrozek1-1/+1
2012-07-10Update translations for 1.9.0 beta 4 releaseJakub Hrozek32-9370/+15153
2012-07-10Cast uid_t to unsigned long long in DEBUG messagesJakub Hrozek4-10/+11
2012-07-10Print based on pointer contents not addressJakub Hrozek1-1/+3
2012-07-10Fix segfault when using local providerStephen Gallagher1-6/+5
The name context was not being initialized for local provider domains because it was handled after skipping over the back-end initialization routine. This patch moves the name context init routine to occur earlier. https://fedorahosted.org/sssd/ticket/1412
2012-07-10pac responder: limit access by checking UIDsSumit Bose10-11/+394
A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382
2012-07-10Remove dead code in ipa_subdomains_handler_done()Sumit Bose1-1/+1
Fixes https://fedorahosted.org/sssd/ticket/1410
2012-07-10Remove resource leak in sssdpac_import_authdataSumit Bose1-3/+1
Fixes https://fedorahosted.org/sssd/ticket/1409
2012-07-09Fix incorrect error-checkStephen Gallagher1-1/+1
Coverity #12770
2012-07-09Check for errors from krb5_unparse_nameStephen Gallagher1-1/+8
Coverity #12781
2012-07-09Add missing return value checkStephen Gallagher1-1/+1
Coverity #12782
2012-07-09Avoid NULL-dereference in error-handlingStephen Gallagher1-1/+3
Coverity #12783
generated by cgit (git 2.34.1) at 2024-11-09 03:50:37 +0000