Age | Commit message (Collapse) | Author | Files | Lines |
|
There were inconsistencies between what sssd.conf manpage said
and what the code enforces.
|
|
When refactoring talloc_asprintf calls a check was left behind that
cased the backend to go offline immediately.
|
|
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past that account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and and no user references them
(no user has memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391
|
|
|
|
This reverts commit 75a9f18ad8ac6e885ac34cdeebc4d8f8734713f8.
|
|
|
|
Do not attempt to validate expired entries in cache, just delete them.
Also increase the cache timeouts.
Fixes: #331
|
|
|
|
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
|
|
|
|
|
|
Adds a new option that tells resolver which address family to prefer or
use exclusively.
Fixes: #404
|
|
Kerberos-specific options are pulled using dp_get_opts() and defined
in Kerberos subtree. There is no need to keep these in confdb.
|
|
If we're sending a message to the backend, we already know which
domain the request is targeting. Carrying this information is not
useful and confuses the interface.
|
|
This was a holdover from when the DP and the providers were unique
processes. The NSS and PAM registrations do not need to send the
domain, as it is not ambiguous which one they are talking to.
|
|
|
|
|
|
|
|
The Fedora Package Guidelines forbid the use of rpaths
|
|
|
|
|
|
|
|
Merging ba8937d83675c7d69808d1d3df8f823afdc5ce2a left the COPYING
and COPYING.LESSER files in the now-defunct sss_client directory.
This patch moves them into the right location and fixes the spec
file to look for them correctly.
|
|
|
|
|
|
|
|
|
|
|
|
Also update BUILD.txt
|
|
|
|
|
|
|
|
The memcpy calls introduced in the memalign patches are ugly. This patch
hides them behind a set of macros.
|
|
|
|
|
|
|
|
|
|
Previously, the PAM responses could contain an arbitrary number of
arguments. This is not acceptable by the D-BUS protocol, as there
is no way to introspect it. This patch converts the response
objects to be an array of D-BUS structs.
It also fixes two potential memory leaks by not unref'ing the
reply object if we get an error.
|
|
Previously it was a string being passed and converted into an
integer. It will be more efficient this way (and simpler for other
implementers)
|
|
|
|
|
|
Fixes: #398
|
|
ELAPI now lives in its own project at
https://fedorahosted.org/ELAPI
|
|
|
|
|
|
This practice is not recommended and can also be dangerous.
|
|
This patch fixes the following issues:
* man page issues (#395)
* show info on MPGs (#396)
* recursively print indirect members (#397)
* the list of groupnames is comma separated (#398)
* output inconsistencies (#399)
|
|
|
|
Similar to George McCollister's patch to the pam code, this patch fixes
other places in the code where we forced data into 32-bit alignment.
Fixes: #390
|
|
* sssd.conf
* sbus_timeout was used in an example but explained nowhere
* enum_cache_timeout unit was not defined
* same for entry_cache_timeout
* store_legacy_passwords option does not exist anymore
* better example than domain/LOCAL - domain/LDAP which uses krb5/ldap
* sssd.conf(5) listed sssd.conf(5) in SEE ALSO section
* sssd-krb5, sssd-ldap
* these include each other in SEE ALSO section
Fixes: #393
|