Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
To support IPA DS to Kerberos password migration a seperate
authentication target is added. It calls the Kerberos authentication
target and in the case of a 'Preauthentication Error' the LDAP
authentication target. On success the Kerberos target is called again to
request the TGT.
|
|
Thanks to Marko Myllynen for spotting this.
|
|
- save current ccache file to sysdb
- use the saved ccache file if the user has running processes
- create an empty ccache if offline
- return enviroment variables if offline
|
|
In building the DN string we weren't correctly escaping the value of the RDN
component. This patches fixes that.
|
|
With the previous code in domains with many users and enumeration enable we
would eventually end up making thousands of individual searches for entries in
the clean-up process.
Change the code to do a full enumeration before a cleanup so we do one single
big search to update all entries and only then search for entries to purge.
This also fixes the fact that the cleanup task was running at every enumeration
instead of running every "ldap_purge_cache_timeout" seconds.
|
|
|
|
|
|
Incorporates changes we made to v2 after 0.6, or that were missed by the
original upgrade script:
* removes magic_private_groups option
* removes libPath option
* changes provider=files to provider=proxy proxy_lib_name=files
* changes store-legacy-passwords to store_legacy_passwords
|
|
* splitlist is a function
* shared SSSDConfigObject to reduce code duplication
* added missing exception class
* fixed some typos
* remove extra 'pass' in unittests
* use assertRaises in unittests
|
|
With this patch, SSSDConfigAPI is able to keep comments and ordering of
sections.
Fixes: #226
|
|
With this patch, the upgrade script we use for changing the config files
is able to keep ordering and comments.
Fixes: #249
|
|
Provides a convenient wrapper around ipachangeconf that is closer
API-wise to ConfigParser
|
|
|
|
After completing an upgrade successfully, we were still falling
into the "version not found" case. We should be exiting the
function after performing the upgrade.
|
|
Per the discussion on sssd-devel list, nss_sss should not return a
hardcoded value but this should rather be configurable to allow whatever
the OS or distribution thinks is the best for the particular case.
Fixes: #266
|
|
|
|
|
|
|
|
|
|
|
|
|
|
An initgroups call refreshes both the user and the user's groups, this is ideal
for pam so that we don't need addiotnal initgroups calls (initgroups calls are
cached too now) during the login process.
|
|
We were previously always ending up contacting the backend because we had no
way to know if an initgroups call for the same user had ever been called.
Add attribute to hold this information and rely on backends to update it.
If they don't we fallback to the previous behvior of asking the backend.
|
|
This slipped through in previous patches.
Fixes #283
|
|
|
|
|
|
|
|
Change memctx to make clear it should be used only when a callback is being
used.
|
|
|
|
Also rework check_cache so that the operations it makes are more explicit.
Also add comments about why we are doing something.
Should make the code easier to understand in future (took quite some time and
discussion on IRC to understand exactly how this function was behaving and to
find the callback passing bug).
|
|
|
|
- use the correct private data for each PAM task
- make proxy_pam_target a mandatory option for auth, chpass and access
|
|
|
|
|
|
This patch add support for the host, source host and user category
'all'. All other category values are ignored so far. With the patch the
interpretation of an empty memberUser and empty sourceHost and
externalHost is changed to 'not applicable'.
|
|
|
|
|
|
Refactor user/group delete functions so that they can be used without a
transaction (they autostart an operation).
Add user and group search function where a subfilter can be specified.
|
|
|
|
Currently the Kerberos child handler evaluates the siginfo_t structure
to wait for a specific child. This scheme is prone to error, especially
when there are more than one child process active, and can produce
missleading debug message. This patch simplifies the scheme as it waits
for any child.
|
|
|
|
When possible using a macro that correctly deals with tstate
|
|
* do not mention the sbus_timeout parameter at all
* document the config_file_version parameter
* different wording for negative cache
|
|
|
|
The counter was not set so we were storing only the first user for each
anumeration.
|
|
|
|
|
|
|
|
|