Age | Commit message (Collapse) | Author | Files | Lines |
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
Also remove the [services/infopipe] section, since we're not
shipping InfoPipe yet, and that would be confusing.
|
|
|
|
|
|
|
|
We were missing several BuildRequires for the autotools. Also, we
were linking against two external libraries in the common code
that we do not actually use.
|
|
|
|
|
|
Also setting dctx->domain to NULL is a recipe for segfaults :-)
Assign dctx->domain only when dom actually holds a domain pointer.
|
|
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and mode common code in data provider.
(the data provider should never include responder private headers)
|
|
Change sysdb to always passwd sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
|
|
|
|
|
The SSSD now links with the ini_config and collection libraries
in the common directory.
The monitor will track changes to the /etc/sssd/sssd.conf file
using inotify on platforms that support it, or polled every 5
seconds on platforms that do not.
At startup or modification of the conf file, the monitor will
purge the existing confdb and reread it completely from the conf
file, to ensure that there are no lingering entries. It does this
in a transaction, so there should be no race condition with the
client services.
A new option has been added to the startup options for the SSSD.
It is now possible to specify an alternate config file with the
-c <file> at the command line.
|
|
Allows building shared or static libraries using autotools and
provides a pkg-config file to simplify inclusion into other parts
of the project (or other projects in the future)
For now, we will statically link the collection library and INI
parser.
|
|
|
|
|
|
Fixes requested during code review
|
|
Previously it was runtime-selectable in the confdb, but this is
not a sensible approach, as if it were to change during runtime,
it would cause problems communicating with the child services.
|
|
Added a few new functions.
Cleaned code that was subject to conditional build.
Fixed the floating point conversion.
Keep const values as const.
|
|
This way we do not waste resources starting searching for users/groups in
multiple backends when the first one has the answer.
Also prevents possible race conditions where a user named the same way is found
in multiple backends and the wrong one is returned.
|
|
|
|
Since we switched to allowing domains to be configured but
inactive, we need to include the default set (just LOCAL) into
the first-start config.
|
|
This was missed when we moved away from using the message_handler
for sending replies (in order to support async processing).
|
|
To be able to correctly filter out duplicate names when multiple non-fully
qualified domains are in use we need to be able to specify the domains order.
This is now accomplished by the configuration paramets 'domains' in the
config/domains entry. 'domains' is a comma separated list of domain names.
This paramter allows also to have disbaled domains in the configuration without
requiring to completely delete them.
The domains list is now kept in a linked list of sss_domain_info objects.
The first domain is also the "default" domain.
|
|
|
|
Use common sss_parse_name function in all responders
Simplify responder headers by combining common,cmd,dp in one header and
add name parse structure as part of the common responder context.
|
|
This way LOCAL domains backed by files works as expected too.
Tested with nss_files + pam_unix
|
|
The same module may implement both types, but initializatrion will be
nonetheless performed separately, once for the identity module and once for the
authenticator module.
Also change the proxy module to retireve the pam target name from the domain
configuration so that it is possibile to create per-domain pam stacks.
With this modification it is actually possibile to use normal nss and pam
modules to perform a successful authentication (tested only with sudo so far)
Update exmples.
|
|
|
|
|
|
|
|
Adds ini subdirectory so it will be built, adds some clarification
to the README, makes the configure --help more clear about the
trace level and enables -Wall reporting.
|
|
|
|
|
|
This became obsolete when we moved all functions to sysdb.
|
|
The ldap_ prefix should be considered reserved namespace for ldap librraies
Renaming all ldap_* internal stuff to sdap_, in some cases also move from
ldap_be_ to sdap_ as the reason for _be_ was just clearly a name space
conflict (ldap_be_init, etc..)
|
|
Makes LOCAL a normal backend removing some special handling.
Fix/Add id range filtering and name filtering
Filters uid=0 and gid=0 in the proxy backend as 0 is invalid within
sysdb and was causing getxxent calls to fail completely.
Fix nss_ncache_check_xxx calls to avoid dirtying the 'ret' variable and
causing some unwanted failures.
Change sysdb to always return the uid number when searching member entries so
that id range filtering can be perfomed also in group searhes (does not work
with legacy backends)
|
|
A new nss_parse_name function uses pcre to parse names, this makes
it possible, in future, to make the filter user configurable.
Add a new filter mechanism to filter out users that uses the negative cache by
setting a permanet negative entry.
Rework the entry points where the negative cache is checked for.
|
|
|
|
|
|
- value array is not terminated properly
- infopipe service is added dynamically
|
|
|
|
May happen at startup if, for some reason dp is very slow to start and we
receive a request before a reconnection is rescheduled in the responder dp
reconnection code.
This shouldn't happen normally so make it clear with a debug statement.
|
|
Make nss_ctx a private pointer of the common resp_ctx
Use sss_process_init and remove all duplicate functions from nsssrv.c
|
|
The structure we copy the domain pointerr on is not zero when allocated.
We need to zero it ourselves or we get segfaults later on.
A cut&paste error caused us to call the wrong getpw function.
|
|
once per cycle
|
|
|
|
|
|
|