summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2011-08-01Request password control unconditionally during bindJakub Hrozek1-6/+6
https://fedorahosted.org/sssd/ticket/940
2011-08-01HBAC rule validation Python bindingsJakub Hrozek2-0/+129
https://fedorahosted.org/sssd/ticket/943
2011-08-01Change the default value of ldap_tls_cacert in IPA providerJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/944
2011-08-01Add rule validator to libipa_hbacStephen Gallagher4-1/+190
https://fedorahosted.org/sssd/ticket/943
2011-08-01Remove incorrect private variableStephen Gallagher1-1/+1
This caused no ill effects, since it wasn't used in the callback. However, it is a layering violation (especially since req is freed in the callback)
2011-08-01Wrong paramater to sysdb_attrs_add_uint32Jakub Hrozek1-1/+1
2011-08-01Require matched version and release for libipa_hbacStephen Gallagher1-0/+1
2011-07-29Converge accept_fd_handler and accept_priv_fd_handlerStephen Gallagher1-85/+50
These two functions were almost identical. Better to maintain them as a single function.
2011-07-29Fix incorrect NULL check in ipa_hbac_common.cStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/936
2011-07-29Fix memory leak in ipa_hbac_evaluate_rulesStephen Gallagher1-0/+1
https://fedorahosted.org/sssd/ticket/933
2011-07-29Add vetoed_shells optionJohn Hodrien6-1/+27
There may be users in LDAP that have a valid but unwelcome shell set in their account. This adds a blacklist of shells that should always be replaced by the fallback_shell. Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2011-07-29sss_client: avoid leaking file descriptorsSimo Sorce2-0/+15
If a pam or nss module is dlcolse()d and unloaded we were leaking the file descriptor used to communicate to sssd in the process. Make sure the fucntion used to close the socket file descriptor is called on dlclose() Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
2011-07-29UTF8 HBAC testJakub Hrozek1-0/+117
2011-07-29libipa_hbac: Support case-insensitive comparisons with UTF8Stephen Gallagher5-17/+111
2011-07-27Handle allocation error in python HBAC bindingsJakub Hrozek1-0/+3
https://fedorahosted.org/sssd/ticket/934
2011-07-27Remove dead code from python HBAC bindingsJakub Hrozek1-4/+0
https://fedorahosted.org/sssd/ticket/935
2011-07-27Explicitly ignore groups with gidNumber=0Jakub Hrozek2-11/+18
https://fedorahosted.org/sssd/ticket/916
2011-07-27Set gidNumber of non-posix groups to 0 even on updatesJakub Hrozek1-8/+44
2011-07-27silence compilation warnings on RHEL5pbrezina1-12/+13
https://fedorahosted.org/sssd/ticket/930
2011-07-21Fix indexing of skipped groupsJakub Hrozek1-2/+4
https://fedorahosted.org/sssd/ticket/928
2011-07-21fo_get_server_name() getter for a server nameJakub Hrozek6-4/+32
Allows to be more concise in tests and more defensive in resolve callbacks
2011-07-21Rename fo_get_server_name to fo_get_server_str_nameJakub Hrozek7-11/+11
2011-07-21Only print server address if one is availableJakub Hrozek1-0/+7
2011-07-21Do not add a NULL host parsed from LDAP URIJakub Hrozek1-1/+8
https://fedorahosted.org/sssd/ticket/911
2011-07-13Fix python HBAC bindings for python <= 2.4Jakub Hrozek7-85/+315
Several parts of the HBAC python bindings did not work with old Python versions, such as the one shipped in RHEL5. The changes include: * a compatibility wrapper around python set object * PyModule_AddIntMacro compat macro * Py_ssize_t compat definition * Do not use PyUnicode_FromFormat * several function prototypes and structures used to have "char arguments where they have "const char *" in recent versions. This caused compilation warnings this patch mitigates by using the discard_const hack on python 2.4
2011-07-13Fixes for python HBAC bindingsJakub Hrozek2-12/+105
These changes were proposed during a review: * Change the signature of str_concat_sequence() to const char * * use a getsetter for HbacRule.enabled to allow string true/false and integer 1/0 in addition to bool * fix a minor memory leak (HbacRequest.rule_name) * remove overzealous discard consts
2011-07-13Use ares_search instead of ares_query for hostname resolutionJakub Hrozek1-1/+1
ares_query does not take search or domain directives from /etc/resolv.conf into account https://fedorahosted.org/sssd/ticket/922
2011-07-13Remove unused krb5_service structure memberJakub Hrozek3-7/+1
2011-07-11Check DNS records before updatingJakub Hrozek4-25/+470
https://fedorahosted.org/sssd/ticket/802
2011-07-11Allow returning arbitrary address from resolv_hostent as stringJakub Hrozek2-3/+10
2011-07-11Split reading resolver family order into a separate functionJakub Hrozek3-23/+52
2011-07-11Do not hardcode default resolver timeoutJakub Hrozek2-1/+3
2011-07-11Escape IP address in kdcinfoJakub Hrozek2-14/+36
https://fedorahosted.org/sssd/ticket/909
2011-07-11Move IP adress escaping from the LDAP namespaceJakub Hrozek5-14/+14
2011-07-08Allow NULL memctx in sysdb_custom_subtree_dnStephen Gallagher1-3/+11
ldb_dn_new_fmt() has a bug and cannot take a NULL memory context
2011-07-08Add LDAP access control based on NDS attributesSumit Bose9-3/+253
2011-07-08Add support for experimental featuresSumit Bose2-0/+10
New experimental features should have their own configure switch to enable or disable them at compile time. Additionally they can check if the configure variable build_all_experimental_features is set and enable the feature. This variable will be set if the command line option --enable-all-experimental-features is used to configure sssd. This will make it easy to enable all experimental features. Experimental features should be marked in the man pages. To simplify this include/experimental.xml can be used.
2011-07-08Provide python bindings for the HBAC evaluator libraryJakub Hrozek4-4/+2243
2011-07-08Treat NULL or empty rhost as unknownStephen Gallagher2-11/+25
Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts.
2011-07-08Add ipa_hbac_treat_deny_as optionStephen Gallagher6-2/+42
By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.
2011-07-08Add ipa_hbac_refresh optionStephen Gallagher7-1/+38
This option describes the time between refreshes of the HBAC rules on the IPA server.
2011-07-08Add new HBAC lookup and evaluation routinesStephen Gallagher3-125/+400
2011-07-08Remove old HBAC implementationStephen Gallagher2-1595/+1
2011-07-08Add helper functions for looking up HBAC rule componentsStephen Gallagher7-0/+2622
2011-07-08Add HBAC evaluator and testsStephen Gallagher7-2/+1062
2011-07-08Add helper function msgs2attrs_arrayStephen Gallagher2-0/+33
This function converts a list of ldb_messages into a list of sysdb_attrs.
2011-07-05ipa_dyndns: Use sockaddr_storage for storing IP addressesJakub Hrozek1-12/+17
https://fedorahosted.org/sssd/ticket/915
2011-07-05Call ldap_install_tls() on ldaps connectionsSumit Bose1-0/+15
2011-07-01Replace system() function with fork and execl call.Matthew Ife1-22/+30
This is much more selinux friendly as it allows policy makers to call nscd_domtrans to transition to nscd_t instead of giving more access to the system via the corcmd_exec_bin macro. Modified-by: Simo Sorce <ssorce@redhat.com> Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-07-01Do not access state after tevent_req_done() is called.Sumit Bose1-10/+16