Age | Commit message | Author | Files | Lines
2012-05-31 | Ghost members - various small changes | Jan Zeleny | 3 | -3/+3
2012-05-31 | Ghost members - modified sss_groupshow | Jan Zeleny | 1 | -4/+40
2012-05-31 | Ghost members - removed sdap_check_aliases() | Jan Zeleny | 4 | -127/+0
  This function is no longer necessary because we don't have fake user entries any more. The original purpose of this function was to check if there are fake user entries for a particular user and, if so, to update its membership.
2012-05-31 | Ghost members - NSS responder changes | Jan Zeleny | 1 | -89/+147
  Since there are two attributes storing information about user memberships of the group, we have to include both of them in the results. This applies only to objects that have ghost members (i.e. they contain the SYSDB_GHOST attribute). If an object has this attribute, the values of this attribute are not projected to the memberuid attribute.
2012-05-31 | Ghost members - sysdb upgrade routine | Jan Zeleny | 3 | -1/+157
  It is remotely possible to have sysdb in an inconsistent state that might need an upgrade. Consider a scenario where a user asks for group information. Some fake users are added as part of this operation. Before the users can be fully resolved and stored properly, SSSD is shut down and an upgrade is performed. In this case we need to go over all fake user records (uidNumber=0) and replace each of them with a ghost record in all group objects that are listed in its memberof attribute.
2012-05-31 | Ghost members - modifications in memberof plugin | Jan Zeleny | 1 | -6/+41
2012-05-31 | Ghost members - modifications in sysdb | Jan Zeleny | 2 | -80/+153
  Deleted sysdb_add_fake_user(): This function is no longer used.
  Modified sysdb_add_user(): When a user object is added to sysdb, it is important to iterate over all groups that might have its name or any of its aliases as a ghost member and replace this ghost membership with a real one. This will eliminate duplicate memberships.
2012-05-31 | Ghost members - support in proxy provider | Jan Zeleny | 1 | -6/+8
2012-05-31 | Ghost members - support in LDAP provider | Jan Zeleny | 1 | -186/+286
  The original approach was to store the name and original DN in an object in sysdb. When later referenced as a member of a group, it was retrieved by its original DN and the correct information about its sysdb DN was stored in the group object which referenced it.
  The new approach doesn't use fake user objects, therefore this information has to be reached differently when constructing group memberships. The approach is to store all users in a hash table where the original DN is used as the key and the username as the value. When constructing group memberships, the name is retrieved from this hash table instead of sysdb. This hash table is constructed when retrieving user objects from the LDAP server - if the user is not present in sysdb, it is automatically stored in the hash table.
  Another situation is for rfc2307. Because there is no nesting there, we can construct the SYSDB_GHOST attribute directly and therefore don't need a hash table of ghost users.
2012-05-31 | Ghost members - add the ghost attribute to sysdb | Jan Zeleny | 1 | -0/+2
2012-05-29 | Revert the client packet length, too, after reverting the packet protocol | Jakub Hrozek | 1 | -1/+1
2012-05-25 | NSS: Restore original protocol for getservbyport | Stephen Gallagher | 2 | -3/+4
  When fixing an endianness bug, we changed the protocol unnecessarily.
2012-05-25 | Send 16bit protocol numbers from the sss_client | Jakub Hrozek | 2 | -7/+8
  https://fedorahosted.org/sssd/ticket/1348
2012-05-24 | NSS: Fix segfault when mmap cache cannot be initialized | Stephen Gallagher | 1 | -2/+2
2012-05-22 | Fixed issue in SELinux user maps | Jan Zeleny | 1 | -0/+2
  There was an issue where the IPA provider didn't set PAM_SUCCESS when it successfully finished loading SELinux user maps. This led to the map not being read in the responder.
2012-05-22 | LDAP nested groups: Do not process callback with _post deep in the nested structure | Jakub Hrozek | 1 | -12/+10
  https://fedorahosted.org/sssd/ticket/1343
2012-05-22 | Update translation sources | Stephen Gallagher | 27 | -643/+645
2012-05-22 | Warn to syslog when dereference requests fail | Ariel Barria | 1 | -2/+2
2012-05-22 | KRB5: Avoid NULL-dereference with empty keytab | Stephen Gallagher | 1 | -7/+13
  https://fedorahosted.org/sssd/ticket/1330
2012-05-22 | Simple implementation of Netscape password warning expiration control | Joshua Roys | 2 | -22/+82
2012-05-22 | Always use positional arguments in translatable strings | Stephen Gallagher | 9 | -25/+25
  https://fedorahosted.org/sssd/ticket/1336
2012-05-16 | NSS: Expire in-memory netgroup cache before the nowait timeout | Stephen Gallagher | 1 | -1/+9
  The fact that we were keeping it in memory for the full duration of the cache timeout meant that we would never reap the benefits of the midpoint cache refresh.
  https://fedorahosted.org/sssd/ticket/1340
2012-05-16 | Use the sysdb attribute name, not LDAP attribute name | Jakub Hrozek | 2 | -2/+2
2012-05-15 | RPM: Allow running 'make rpms' on RHEL 5 machines | Stephen Gallagher | 1 | -5/+7
  Our previous detection for this was flawed, because the %{rhel} macro did not exist on the version of RPM shipped with RHEL 5, but it worked when building for RHEL 5 through mock. This new patch relies on grepping /etc/redhat-release for the version information.
  https://fedorahosted.org/sssd/ticket/1206
2012-05-15 | Use sized_string correctly in FQDN domains | Jakub Hrozek | 1 | -2/+2
2012-05-15 | NSS: keep a pointer to body after body is reallocated | Jakub Hrozek | 1 | -0/+3
2012-05-14 | Fix libsss_hbac library version | Sumit Bose | 1 | -1/+1
2012-05-14 | Rename struct dom_sid to struct sss_dom_sid | Sumit Bose | 5 | -32/+32
  To avoid conflicts with struct dom_sid used by samba, the sss_ prefix is added to the struct used by libsss_idmap.
2012-05-14 | Fixed two minor memory leaks | Jan Zeleny | 2 | -2/+6
2012-05-14 | Fix typos in message and man pages. | Yuri Chornoivan | 3 | -4/+4
2012-05-14 | Potential NULL dereference in proxy provider | Ariel Barria | 1 | -1/+1
2012-05-11 | Bumping version to 1.8.92 for beta 2 development | Stephen Gallagher | 1 | -1/+1
2012-05-11 | Bumping version to 1.8.91 for 1.9.0 beta 1 release | Stephen Gallagher | 1 | -1/+1
2012-05-11 | Updating translations for 1.9.0 beta 1 release | Stephen Gallagher | 28 | -11714/+22049
2012-05-11 | build: resolve link failure | Jan Engelhardt | 1 | -0/+1
  libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,--version-script -Wl,./src/providers/sssd_be.exports -o sssd_be src/providers/data_provider_be.o src/providers/data_provider_fo.o src/providers/data_provider_opts.o src/providers/data_provider_callbacks.o src/providers/fail_over.o src/resolv/async_resolv.o -Wl,--export-dynamic -lpam -lcares ./.libs/libsss_util.a -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lcollection -ldhash -llber -lldap -ltdb -lunistring -lcrypto
  /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: src/providers/data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
  /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line
  /lib64/libdl.so.2: could not read symbols: Invalid operation
  collect2: error: ld returned 1 exit status
  make[2]: *** [sssd_be] Error 1

  Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2012-05-11 | SYSDB: Handle user and group renames better | Jakub Hrozek | 2 | -7/+182
  Fixes a regression in the local domain tools where sss_groupadd no longer detected a GID duplicate. The check for EEXIST is moved one level up into a more high-level function.
  The patch also adds the same rename support for users. I found it odd that we allowed a rename of groups but not users. There is a catch when storing a user -- his cached password would be gone. I think that renaming a user is such a rare operation that it's not severe, plus there is a warning in the logs.
2012-05-11 | Bad check for id_provider=local and access_provider=permit | Ariel Barria | 2 | -2/+2
  documentation-access_provider

  Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2012-05-10 | sysdb: return proper error code from sysdb_sudo_purge_all | Jakub Hrozek | 1 | -1/+1
2012-05-10 | Filter out IP addresses inappropriate for DNS forward records | Jakub Hrozek | 1 | -1/+57
  https://fedorahosted.org/sssd/ticket/949
2012-05-10 | subdomains: Fix error handling in Data Provider | Jakub Hrozek | 1 | -19/+37
  The subdomains back end request was sending replies in a format the responder did not understand in case the request failed.
2012-05-10 | Send the correct enumeration request | Jakub Hrozek | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1329
2012-05-10 | LDAP: Handle very large Active Directory groups | Stephen Gallagher | 6 | -45/+273
  Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing.
  https://fedorahosted.org/sssd/ticket/783
2012-05-10 | LDAP: Add attr_count return value to build_attrs_from_map() | Stephen Gallagher | 17 | -39/+62
  This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
2012-05-10 | SYSDB: Add better error logging to sysdb_set_entry_attr() | Stephen Gallagher | 1 | -2/+8
2012-05-09 | NSS: Add default_shell option | Stephen Gallagher | 7 | -1/+33
  This option will allow administrators to set a default shell to be used if a user does not have one set in the identity provider.
  https://fedorahosted.org/sssd/ticket/1289
2012-05-09 | NSS: Add fallback_homedir option | Stephen Gallagher | 9 | -6/+68
  This option is similar to override_homedir, except that it will take effect only for users that do not have an explicit home directory specified in LDAP.
  https://fedorahosted.org/sssd/ticket/1250
2012-05-09 | Try all KDCs when getting TGT for LDAP | Jakub Hrozek | 1 | -15/+18
  When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway.
  https://fedorahosted.org/sssd/ticket/1324
2012-05-09 | Clearer documentation for use_fully_qualified_names | Stef Walter | 1 | -0/+5
  * Previously only the side effect was described.
2012-05-07 | Only reset kpasswd server status when performing a chpass operation | Jakub Hrozek | 1 | -2/+3
  https://fedorahosted.org/sssd/ticket/1316
2012-05-07 | krb5 locator: Do not leak addrinfo | Jakub Hrozek | 1 | -0/+2