Age | Commit message | Author | Files | Lines
2013-09-11 | Fix formatting of variables with type: long | Lukas Slebodnik | 7 | -13/+16
2013-09-11 | LDAP: Store cleanup timestamp after initial cleanup | Jakub Hrozek | 3 | -10/+10
When the SSSD changes servers (and hence lastUSN) we perform a cleanup as well. However, after recent changes, we didn't set the cleanup timestamp correctly, which made the lastUSN logic fail.
2013-09-10 | is_dn(): free dn | Pavel Březina | 1 | -0/+2
2013-09-10 | krb5: Fix warning sometimes uninitialized | Lukas Slebodnik | 1 | -0/+2
warning: variable 'ret' is used uninitialized whenever 'if' condition is false if (kerr) { ^~~~
2013-09-10 | DB: Rise search functions debug levels | Ondrej Kos | 1 | -9/+9
2013-09-10 | DB: Add user/group lookup by SID | Ondrej Kos | 3 | -23/+134
2013-09-10 | sysdb_search_group_by_gid: obtain gid instead of uid | Pavel Březina | 1 | -1/+1
2013-09-09 | krb5: Remove unused helper functions | Simo Sorce | 2 | -88/+0
these functions are not needed anymore. Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5_child: Simplify ccache creation | Simo Sorce | 1 | -387/+87
The containing ccache directory is precreated by the parent code, so there is no special need to do so here for any type. Also the special handling for the FILE ccache temporary file is not really useful, because libkrb5 internally unlinks and then recreates the file, so mkstemp cannot really prevent subtle races, it can only make sure the file is unique at creation time. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Add file/dir path precheck | Simo Sorce | 2 | -0/+35
Add a precheck on the actual existence at all of the file/dir ccname targeted (for FILE/DIR types), and bail early if nothing is available. While testing I found out that without this check, the krb5_cc_resolve() function we call as user to check old paths would try to create the directory if it didn't exist. With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would cause two undesirable side effects: First it would actually create a directory with the old name, when it should not. Second, because for some reason the umask is set to 0127 in sssd_be, it would create the directory with permission 600 (missing the 'x' traverse bit on the directory). If the new ccache has the same name it would cause the krb5_child process to fail to store the credential cache in it. Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Remove unused function | Simo Sorce | 2 | -32/+0
Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Remove unused ccache backend infrastructure | Simo Sorce | 7 | -167/+14
Remove struct sss_krb5_cc_be and the remaining functions that reference it as they are all unused now. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Unify function to create ccache files | Simo Sorce | 5 | -94/+43
Only 2 types (FILE and DIR) need to precreate files or directories on the file system, and the 2 functions were basically identical. Consolidate all in one common function and use that function directly where needed instead of using indirection. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Use new function to validate ccaches | Simo Sorce | 3 | -371/+88
This function replaces and combines check_for_valid_tgt() and type specific functions that checked for ccache existence by using generic krb5 cache function and executing them as the target user (implicitly validate the target user can properly access the ccache). Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Make check_for_valid_tgt() static | Simo Sorce | 3 | -76/+74
check_for_valid_tgt() is used exclusively in krb5_utils.c so move it there. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: move template check to initialization | Simo Sorce | 4 | -24/+22
The randomized template check really only makes sense for the FILE ccache which is the only one that normally needs to use randomizing chars. Also it is better to warn the admin early rather than to warn 'when it is too late'. So move the check at initialization time when we determine what the template actually is. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Move determination of user being active | Simo Sorce | 3 | -43/+17
The way a user is checked for being active does not depend on the ccache type so move that check out of the ccache specific functions. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Replace type-specific ccache/principal check | Simo Sorce | 3 | -148/+89
Instead of having duplicate functions that are type custom use a single common function that also performs access to the cache as the user owner, implicitly validating correctness of ownership. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Use krb5_cc_destroy to remove old ccaches | Simo Sorce | 5 | -119/+21
This completely replaces the per-ccache-type custom code to remove old ccaches and instead uses libkrb5 based operations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Add helper to destroy ccache as user | Simo Sorce | 2 | -0/+111
This function safely destroys a ccache given a cache name and user credentials. It becomes the user so no possible races can compromise the system, then uses libkrb5 functions to properly destroy a ccache, independently of the cache type. Finally restores the original credentials after closing the ccache handlers. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | krb5: Add calls to change and restore credentials | Simo Sorce | 2 | -0/+131
In some cases we want to temporarily assume user credentials but allow the process to regain back the original credentials (normally regaining uid 0). Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09 | tests: Add dlopen test to make sure modules work | Simo Sorce | 4 | -1/+193
This test dlopens and resolves all symbols to make sure there are no missing symbols in our provider modules.
2013-09-09 | AUTOTOOLS: More robust detection of inotify. | Lukas Slebodnik | 4 | -5/+39
We checked only header file "sys/inotify" for detection whether inotify works. Some platforms do not have built in inotify, but contain library, which provides inotify-compatible interface. This patch adds more robust detection of inotify at configuration time and appends linker flags to Makefile if inotify is provided by library.
2013-09-09 | AUTOTOOLS: Use pkg-config to detect libraries. | Lukas Slebodnik | 6 | -27/+70
We used pkg-config only as a fallback if header files were not found, but detection of library failed in case of available header file and linking problem (missing -Ldir). This patch prefers pkg-config.
2013-09-09 | AUTOTOOLS: add check for type intptr_t | Lukas Slebodnik | 1 | -3/+6
We check whether HAVE_INTPTR_T is defined in definition of macro discard_const_p, but autotools macro AC_CHECK_TYPE did not generate it.
2013-09-09 | AUTOTOOLS: Refactor unicode library detection | Lukas Slebodnik | 3 | -15/+45
If $libdir is not in default library path libunistring cannot be found. (pkg-config can not be used in this case). This patch helps to search libunistring in "$libdir" directory. In refactoring part, indentation was updated to be more readable and some duplicated parts were removed.
2013-09-09 | AUTOTOOLS: Add directories for searching ldap headers and libs | Lukas Slebodnik | 1 | -2/+2
2013-09-09 | AUTOMAKE: Use portable way to link with gettext | Lukas Slebodnik | 1 | -1/+4
Function gettext needn't be included in libc, it can be part of another library. Autotools macro AM_GNU_GETTEXT generates makefile variables (LIBINTL, LTLIBINTL), which contain necessary linker flags.
    checking for GNU gettext in libc... no
    checking for iconv... yes
    checking for GNU gettext in libintl... yes
    checking whether to use NLS... yes
    checking where the gettext function comes from... external libintl
2013-09-09 | AUTOMAKE: Use portable way to link with dlopen | Lukas Slebodnik | 2 | -2/+3
2013-09-09 | AUTOTOOLS: Add missing AC_MSG_RESULT | Lukas Slebodnik | 4 | -5/+10
AC_MSG_RESULT was not used everywhere after AC_MSG_CHECKING. Therefore two lines from configure output were mixed in some cases.
2013-09-09 | AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS | Lukas Slebodnik | 1 | -1/+2
Detect directory with python libraries and add this directory to the list of directories to be searched for linker.
2013-09-09 | mmap_cache: Do not remove record from chain twice | Lukas Slebodnik | 1 | -0/+6
It is not very likely, that record will have the same hash1 and hash2, but it is possible. In this situation, it does not make sense to remove record twice. Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash in this situation. It was only possible if record was alone in chain. Resolves: https://fedorahosted.org/sssd/ticket/2049
2013-09-09 | krb5: Ignore unknown expansion sequences | Simo Sorce | 2 | -30/+45
Recently support was added to use also libkrb5 style expansions that use a %{varname} type of template. There are a number of templates we do not care/can't expand in sssd. The current code misses tests and failed to properly preserve some of the templates we do not want to handle. Additionally in order to be future proof this patch treats unknown templates as pass-through templates and defers any error checking to libkrb5, so that sssd is consistent with how kinit would behave. Resolves: https://fedorahosted.org/sssd/ticket/2076
2013-09-09 | Makefile: Fix sssd_be targets | Simo Sorce | 1 | -2/+2
The $(PAM_LIBS) variable should be added to LDADD not LDFLAGS
2013-09-05 | RPM: Add new subpackage for PAC responder | Stephen Gallagher | 1 | -8/+31
It was discovered that duplicating files in two subpackages is not permitted by Fedora packaging guidelines[1]. This patch moves the PAC responder to a new sssd-common-pac subpackage that both the sssd-ipa and sssd-ad subpackages will require. [1] https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#DuplicateFiles
2013-09-05 | dyndns: do not modify global family_order | Sumit Bose | 1 | -3/+3
Resolves: https://fedorahosted.org/sssd/ticket/2063
2013-09-05 | AD: Rename parametrized #define | Jakub Hrozek | 1 | -3/+3
2013-09-05 | Fix reference to sssd-krb5 man page | Nikolai Kondrashov | 1 | -1/+1
Replace incorrect reference to "sssd-krb5.conf" manpage with the correct "sssd-krb5" in sssd_krb5_locator_plugin man page source.
2013-09-05 | ad srv: prefer servers that are in the same domain as client | Pavel Březina | 1 | -0/+89
https://fedorahosted.org/sssd/ticket/2001
2013-09-05 | utils: add is_host_in_domain() | Pavel Březina | 3 | -0/+45
2013-09-05 | fo srv: add priority to fo_server_info | Pavel Březina | 2 | -0/+2
This will give SRV plugins all information needed for additional sorting.
2013-09-05 | resolv_sort_srv_reply: remove unnecessary mem_ctx | Pavel Březina | 4 | -11/+15
2013-09-05 | Rename SAFEALIGN macros | Michal Zidek | 1 | -30/+40
The new SAFEALIGN macros name turned out to be inappropriate because they do not reflect what the macros really do.
2013-09-05 | krb5_utils tests: fix some typos | Pavel Březina | 1 | -8/+8
2013-09-05 | MAN: Document that sss_cache should be run after changing the cache timeout | Jakub Hrozek | 1 | -0/+13
2013-09-05 | Fix warning missing arguments | Lukas Slebodnik | 1 | -1/+1
2013-09-03 | KRB5: Fix warning declaration shadows global declaration | Lukas Slebodnik | 1 | -8/+8
src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a global declaration /usr/include/stdio.h:754: warning: shadowed declaration is here
2013-09-03 | UTIL: Use standard maximum value of type size_t | Lukas Slebodnik | 2 | -9/+8
It is better to use standard constant for maximum value of type size_t, instead of reinventing wheel with own defined constant SIZE_T_MAX. This patch replaces string "SIZE_T_MAX" -> "SIZE_MAX"
2013-09-03 | Include sys/types.h for types id_t and uid_t | Lukas Slebodnik | 2 | -0/+2
2013-09-03 | PROXY: Handle empty GECOS | Jakub Hrozek | 1 | -1/+8
If the user's GECOS as returned by the proxied module is an empty string (as opposed to NULL), the ldb transaction would error out.