summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2011-03-09Add new translations from TransifexStephen Gallagher8-106/+16217
2011-03-09Add transifex_client configurationStephen Gallagher1-0/+13
2011-03-08Always expire host name resolutionJakub Hrozek1-8/+7
The previous version of the patch only expired a resolved host name if the port was being reset. We want to always expire it so we notice IP address changes even if the previous server is still up.
2011-03-08Remove unused sysdb_attrs objectJan Zeleny1-8/+0
2011-03-08Remove unused be_check_online() SBUS callJan Zeleny2-50/+0
2011-03-07Prevent segfault in failover codeJakub Hrozek1-2/+3
2011-03-07Refactor set_netgroup_entry()Sumit Bose1-4/+7
To avoid wrong or missing netgroup names in the getent_ctx destructor set_netgroup_entry() now takes the name out of the getent_ctx struct instead of using a separate argument.
2011-03-07Add missing name to struct getent_ctx for missing netgroupSumit Bose1-0/+6
https://fedorahosted.org/sssd/ticket/817
2011-03-03Fixes for dynamic DNS updateSumit Bose1-16/+87
The current code assumed that only one server is given in the ipa_server config option and fails if multiple servers were given. To fix this nsupdate is first called without a server name assuming that nsupdate is able to find the name of the master DNS server of the zone by reading the SOA record. If this fails the IP address of the currently active LDAP server is used and nsupdate is called again. If there is no default realm given in /etc/krb5.conf nsupdate start trying to find a realm based on the DNS domain which might lead to wrong results. To be on the safe side the realm was added to the message send to nsupdate.
2011-02-28Do not try to delete sysbd memberOf attributeSumit Bose1-0/+4
2011-02-28Reset server status after timeoutJakub Hrozek1-1/+11
https://fedorahosted.org/sssd/ticket/809
2011-02-28Use realm for basedn instead of IPA domainJakub Hrozek6-48/+66
https://fedorahosted.org/sssd/ticket/807
2011-02-22Fix uninitialized value error in ipa_get_id_options()Stephen Gallagher1-7/+7
Previously, we were only constructing the basedn variable if the ldap_search_base was not specified (which is unlikely to be in use when using the IPA provier). However, if it did happen, constrcuction of the compat search base for netgroups would be using an uninitialized value. Fixes https://fedorahosted.org/sssd/ticket/806
2011-02-22Add krb5_realm to the basic IPA optionsStephen Gallagher2-2/+4
Previously, this was only handled by the internal LDAP and Kerberos providers, but this wasn't available early enough to properly handle setting up the krb5_service for failover and creating the krb5info files.
2011-02-22Check ccache file for renewable TGTs at startupSumit Bose3-0/+241
2011-02-22Allow krb5_realm to override ipa_domainStephen Gallagher3-18/+37
It is possible to set up FreeIPA servers where the Kerberos realm differs from the IPA domain name. We need to allow setting the krb5_realm explicitly to handle this.
2011-02-21IPA provider: remove deleted groups during initgroups()Stephen Gallagher1-3/+112
The IPA provider was not properly removing groups in the cache that the user was no longer a member of. https://fedorahosted.org/sssd/ticket/803
2011-02-21Perform initgroups lookups for all domainsStephen Gallagher1-3/+5
Previously, we were setting the client context PAM lookup timeout after the first domain replied. However, if the user wasn't a member of the first domain, their information wasn't being updated. This patch ensures that we only set this timeout after the user has been found or all domains were searched.
2011-02-18Remove renewal item if it is not re-addedSumit Bose1-1/+34
2011-02-18Remove cached user entry if initgroups returns ENOENTStephen Gallagher1-0/+11
This behavior was present for getpwnam() but was lacking for initgroups.
2011-02-17Fix for generating lists of translated man pagesSumit Bose1-6/+6
In some automatic build environments the lists of translated man pages were not generated properly because ls put multiple file names into a single single.
2011-02-17Point the IPA provider at the compat tree for netgroupsStephen Gallagher1-0/+19
We don't yet have support for IPA's internal representation of netgroups, so we need to use its compatibility mode for the time being.
2011-02-16Do not attempt to use START_TLS on SSL connectionsStephen Gallagher4-11/+43
Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795
2011-02-16Fix specfile for RHEL5Stephen Gallagher1-0/+10
RHEL5 uses an old libtool. We need to forcibly remove certain m4 files before running autoreconf to ensure that they get replaced with the appropriate old versions.
2011-02-14Detect the proper location for memberof.soStephen Gallagher1-2/+6
2011-02-14Minor specfile changesStephen Gallagher1-1/+2
We should be using BuildRequires: gettext-devel Also, for best compatibility across multiple RPM-based distros, we should be running autoreconf before configure.
2011-02-14Verify LDAP file descriptor validityStephen Gallagher1-1/+1
2011-02-14Check LDB_MODULES_PATH for sysdbSumit Bose1-0/+9
2011-02-14Introduce sysdb_ldb_connect()Sumit Bose1-45/+42
2011-02-11Use neutral name for functions used by both pam and nssSimo Sorce3-49/+64
2011-02-11Make 'make check' look nice againSumit Bose2-11/+8
With current libldb releases 'make check' will print a lot of 'unable to dlopen' messages although the test will succeed. This patch place the memberof module into a directory of its own to avoid these messages. Additionally this patch introduces TESTS_ENVIRONMENT which allows us to remove the SYSDB_TEST preprocessor definition.
2011-02-11Fix module registration with newer LDB libraries.Stephen Gallagher2-1/+15
2011-02-11Fix cleanup transactionStephen Gallagher1-0/+1
Without setting in_transaction=true, if the sysdb operations threw an error, we wouldn't cancel the transaction.
2011-02-11Clear up -Wunused-but-set-variable warningsStephen Gallagher3-8/+4
2011-02-08Check that the socket is really ours before attempting to close it.Simo Sorce1-13/+42
Fixes: https://fedorahosted.org/sssd/ticket/790
2011-02-04Only print "no matching service rule" when appropriateStephen Gallagher1-6/+6
2011-02-03updating sss_obfuscate man page accordinglyGowrishankar Rajaiyan1-2/+1
2011-02-03removing password option functionalityGowrishankar Rajaiyan1-5/+1
2011-02-03Make SSSDConfig API configuration readableStephen Gallagher1-4/+4
Previously, only root could read these files, but it makes sense to allow non-root users to prototype sssd.conf files.
2011-02-03Gracefully handle permission errors in sss_obfuscateStephen Gallagher1-3/+15
2011-02-03Make the domain argument mandatory in sss_obfuscateStephen Gallagher1-2/+6
It doesn't make sense to set a "default" domain. We should require that the domain always be specified.
2011-02-03Add additional indexing for sysdbStephen Gallagher2-1/+117
Adds an index for dataExpireTimestamp This is used for determining which users need to be removed during the cleanup task. If enumeration is enabled (or huge numbers of users have been cached), the cleanup task runs very slowly due to the non-indexed search. Also adds an index for ONELEVEL lookups, to speed up situations where we would need to request all entries under a particular node in the LDB.
2011-02-03Wrap cleanup task in a sysdb transactionStephen Gallagher1-0/+20
2011-02-03Bumping version to 1.6.0devStephen Gallagher1-1/+1
2011-02-01Sanitize search filters for nested group lookupsStephen Gallagher1-3/+17
2011-01-31Remove LDAP_DEPRECATEDSumit Bose1-1/+0
2011-01-31Fix handling of translated man pages in spec fileSumit Bose1-4/+15
If po4a is not available 'make rpms' will fail because the spec file expects that some translated man pages are present. This patch tries to detect which translated man pages are available and adds them to the corresponding file list.
2011-01-31Update version to 1.5.2devStephen Gallagher1-1/+1
2011-01-27Add option to disable TLS for LDAP authStephen Gallagher5-4/+25
Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.
2011-01-27Do not fail if attributes are emptySumit Bose1-16/+29
Currently we fail if attributes are empty. But there are some use cases where requested attributes are empty. E.g Active Directory uses an empty member attribute to indicate that a subset of the members are in a range sub-attribute.