Age | Commit message | Author | Files | Lines |
|
The definition of struct sss_auth_token was removed from the header file
authtok.h, leaving only the declaration of this structure.
Therefore the only way to use this structure is through the accessor functions from
the same header file.
A new empty authtok can only be created with the newly created function
sss_authtok_new(). The TALLOC context was removed from the copy and setter functions,
because the pointer to struct sss_auth_token is used as the memory context.
All declarations of struct sss_auth_token variables were replaced with
pointers to this structure and related changes were made in the source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or a zero-initialized struct pam_data
allocated on the stack.
https://fedorahosted.org/sssd/ticket/1830
|
|
Function create_pam_data() should be the only way to create a new
struct pam_data, because it also initializes the destructor of the created
object.
|
|
https://fedorahosted.org/sssd/ticket/1784
|
|
https://fedorahosted.org/sssd/ticket/1784
1. initialization (main-req), returns members of input group
2. evaluate group members (group)
3. perform individual search (no-deref) or dereference attribute (deref)
4a. no-deref
    1. perform a lookup depending on the type of the member object
    2. all direct members are evaluated first
    3. then we step down in nesting level and evaluate nested groups
4b. deref
    1. perform a dereference lookup on member attribute
    2. all direct members are evaluated first
    3. then we step down in nesting level and evaluate nested groups

Tevent request flow:

           main-req
               |
             group
   |-------------------------|
no-deref                   deref
   |                         |
   |----|------|---------|   |
 user group unknown recurse recurse
       / \             | | | ...  | | | ...
    user group         group      group
|
|
https://fedorahosted.org/sssd/ticket/812
Update the monitor code to use the new libnl3 API.
Changed configure option
--with-libnl
By default it tries to build with libnl3; if that is not found, then with
libnl1; if this isn't found either, the build proceeds without libnl, just
with a warning.
Specifying --with-libnl=<libnl3|libnl1|no> checks for the specific given
version; if it is not found, configure ends with an error.
|
|
https://fedorahosted.org/sssd/ticket/1848
|
|
https://fedorahosted.org/sssd/ticket/1841
|
|
https://fedorahosted.org/sssd/ticket/1660
|
|
const char const * --> const char *const
|
|
https://fedorahosted.org/sssd/ticket/1575
The hierarchy is now:
main_ctx -> responder_ctx -> specific_ctx
where specific_ctx is one of sudo, pam, etc.
|
|
Print a warning if the sysdb-tests or sysdb-ssh tests are run
individually and LDB_MODULES_PATH was not set.
https://fedorahosted.org/sssd/ticket/1820
|
|
Also fixed typo.
|
|
Some of the tests (such as the sysdb tests) are highly I/O limited.
By running them on a ramdisk, we can significantly speed up the
test runs when doing a distcheck or RPM build.
https://fedorahosted.org/sssd/ticket/1840
|
|
It is possible to enable/disable the check in the LDB memberof plugin
of whether it was built against the same version of LDB that is present
on the system. This feature is turned off by default
and enabled in the Fedora/RHEL spec file.
https://fedorahosted.org/sssd/ticket/1813
|
|
Add an option to fall back to fetching local users if rfc2307 is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
Also simplify sdap_access_send to avoid completely fake _send() routines.
|
|
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has a gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In the AD provider, the situation is
even more tricky because the groups HAVE a name, but their name
attribute is set to the SID and they are set as non-POSIX.
|
|
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.
If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function.
|
|
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
|
|
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.
This patch introduces the be_file_account_request() function in
the data_provider_be module and makes it public.
A future patch should make the be_get_account_info function use the
be_get_account_info_send function.
|
|
Option ipa_selinux_refresh is added to basic ipa options.
|
|
Reuse cached SELinux maps when they are requested
within time interval (in this patch it is hardcoded to
be 5 seconds).
https://fedorahosted.org/sssd/ticket/1744
|
|
The SELinux processing was distributed between provider and
pam responder which resulted in hard to maintain code. This
patch moves the logic to provider.
IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because
the provider also writes the content of selinux login
file to disk (which was done by responder before).
https://fedorahosted.org/sssd/ticket/1743
|
|
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c and krb5_child-test.c, and therefore should be
declared extern in krb5_utils.h.
|
|
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|
|
https://fedorahosted.org/sssd/ticket/1738
|
|
Adding missing dependencies for the linker. The missing dependency was
introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a
in the changed file src/sss_client/nss_mc_common.c.
All function declarations for io.c were moved from util.h to the separate file io.h.
https://fedorahosted.org/sssd/ticket/1838
|
|
https://fedorahosted.org/sssd/ticket/1811
|
|
Header file "providers.h" is not included in any other
file, and the function "dp_process_init" declared in this header file
has no implementation.
Header file protos.h is also not included in any other file, and even
its whole content is commented out.
|
|
Function open_debug_file_ex() sets the flag FD_CLOEXEC on the opened
file according to the value of its third parameter.
Removed the duplicate unsetting of FD_CLOEXEC after calling function
open_debug_file_ex().
|
|
Functions open_cloexec and openat_cloexec were renamed with the prefix
"sss_" and moved to a separate file. Replaced the duplicated code of
function sss_open_cloexec everywhere in the source code.
https://fedorahosted.org/sssd/ticket/1794
|
|
This condition is invalid because different_realm is not set when
EINVAL is returned. It can make the test fail sometimes.
|
|
https://fedorahosted.org/sssd/ticket/1833
state is expected to be a pointer
|
|
We were not properly detecting that cmocka was unavailable. It was
expecting an empty value and getting "no" instead. This patch
corrects the expectation, so we will now skip building and running
cmocka tests on platforms that do not have it available.
Also, we were missing the cmocka header files in the distribution
tarball, so 'make distcheck' was failing.
|
|
I think it logically belongs there and allows the responder commands to be
better exercised from unit tests.
|