Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/721
|
|
https://fedorahosted.org/sssd/ticket/717
|
|
https://fedorahosted.org/sssd/ticket/716
|
|
https://fedorahosted.org/sssd/ticket/712
|
|
https://fedorahosted.org/sssd/ticket/712
|
|
https://fedorahosted.org/sssd/ticket/724
|
|
https://fedorahosted.org/sssd/ticket/720
|
|
https://fedorahosted.org/sssd/ticket/719
|
|
We were unscheduling the timeout handler after the first lookup
(A or AAAA) returned, but not rescheduling it if we went on to
check the secondary record type. This resulted in the resolver
never returning a result for the secondary lookup, which can mean
that logins/screen unlocks after VPN drop or suspend/resume might
never complete.
Fixes https://fedorahosted.org/sssd/ticket/729
|
|
options.tries specifies the number of retries. Setting this to
zero means to try exactly once. Previously we were always trying
twice (internally). We want to simply honor the SSSD configuration
and fail over to the next server (or go offline) after one try.
|
|
This patch adds simple_allow_groups and simple_deny_groups options
to the simple access provider. It makes it possible to grant or
deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now
all deny rules will supersede allow rules. Previously, if both
simple_allow_users and simple_deny_users were set with the same
value, the allow would win.
https://fedorahosted.org/sssd/ticket/440
|
|
|
|
It was decided that IPA HBAC will move to a different format to specify
time ranges in access control rules. The evaluation based on the old
format is not needed anymore.
|
|
It is planned to release IPA 2.0 without time range specifications in
the access control rules. To avoid confusion the evaluation is removed
from sssd, too.
|
|
|
|
|
|
|
|
|
|
Otherwise fallback to the default modifyTimestamp indicator
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A temporary signal handler for SIGTERM is set up in server_setup()
that calls exit() from within a pure signal handler. This causes a
race condition where it's possible that if the SSSD is restarted
immediately while it is still initializing the sysdb caches for
the first time, it can leave the cache in a corrupt and unusable
state.
https://bugzilla.redhat.com/show_bug.cgi?id=658444
|
|
|
|
There is a race condition where if we send a SIGTERM before the
kernel has scheduled the child, it may be lost, and the child will
not terminate and will leave the monitor hung in wait().
This patch alters this behavior so that we will send the SIGTERM
again every 10ms and check the wait() in a nonblocking manner.
|
|
|
|
|
|
sdap_cli_connect_recv_ext() checks if the failover server is not set to
determine if the backend is offline. To make this work properly if
multiple servers are defined the failover server must be set to NULL if
all servers are checked.
|
|
Before setting the backend to online during a reset offline request the
check_online method if the ID provider is called. If the check_online
method returns that the ID provider is still not reachable the backend
stays offline. Otherwise the backend is switched to online and the
related callbacks are run.
Additionally the check online test is called during the res_init request
because a change in /etc/resolve.conf might also make a server reachable
which was assumed offline before.
|
|
|
|
https://fedorahosted.org/sssd/ticket/691
|
|
https://fedorahosted.org/sssd/ticket/686
|
|
All errnum values passed into this function throughout the code
are PAM error codes, but we were passing them through strerror()
to print them, which is only meaningful for ERRNO error codes.
This patch changes dp_err_to_string() to use pam_strerror() and
renames it to dp_pam_err_to_string() for clarity.
https://fedorahosted.org/sssd/ticket/636
|
|
|