Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
getgrnam()/getgrgid() should return all group members instead of only those
which have already been cached (in sysdb). To achieve this every member
that is currently not in the cache is looked up via LDAP and saved to the
cache.
|
|
Addtional parameter "populate_members" for save_group() and save_groups()
to indicate that the "member" attribute of the groups is populated with
sysdb DNs of the members (instead of LDAP DNs).
|
|
This patch suppresses a 'shadows a global declaration' warning.
|
|
strcasecmp() is defined in strings.h which might not be included under
certain conditions.
|
|
|
|
Each back end can support id, auth or access provider, but each
back end supports different subset of these. Man pages should
describe which providers are supported by each back end.
Ticket: #615
|
|
sss_hash_create() produces a dhash table living in the talloc
hierarchy.
|
|
Erase events on LDAP socket when backend is offline and an event appears on the socket.
Normally this would lead to infinite loop, because event is present on the fd,
but instead of being processed, an error log is written and the program continues to wait
for the event.
Ticket: #599
|
|
When the failover code returns that there are no available servers
while we are marked offline, we were returning an error to the PAM
authentication code. Instead, we should return success with a
result value of SDAP_UNAVAIL so that the PAM responder will mark
the domain offline and attempt offline authentication.
|
|
|
|
Additionally the handling of errno and the errno_t return value of
functions is fixed in krb5_common.c.
|
|
|
|
|
|
|
|
|
|
1) Pam modules should be explicitly built for /lib64/security
2) The krb5 locator plugin is always built; remove the conditional
3) The krb5 locator plugin belongs in the sssd-client package
4) The sss_obfuscate manpage was not packaged
|
|
|
|
|
|
|
|
We were accidentally returning an error when sysdb_getpwnam()
returned zero results internally in sysdb_initgroups(). The
correct behavior here is to return EOK and a result object with
zero entries.
|
|
|
|
We tried to be too clever and only requested the name of the group,
but we require the objectClass to validate the results.
https://fedorahosted.org/sssd/ticket/622
|
|
|
|
This might be useful for examining the test database manually with LDB tools
|
|
When we changed the default min_id to be 1, we forgot about the local
domain. It makes sense to keep the minimum id larger there.
|
|
Use a #define instead of hardcoded string
|
|
This reverts 56d8d19ac9d857580a233d8264e851883b883c67
|
|
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/614
|
|
Previously, if a second enumeration request arrived while one was
already being processed, each process would receive only a subset
of the total number of available users or groups. This is because
we were maintaining the response object as a global value in the
NSS responder. The second request would come in, see that the data
set was already populated, and start reading from wherever the
cursor was currently pointed.
With this patch, we now move the cursor to the client context
instead of the global NSS context.
Additionally, this patch completely rewrites the approach to
enumerations in the tevent_req style. This makes it much easier to
follow in the code.
In order to ensure that a slow or malicious client cannot hold
onto a reference for the setent result object indefinitely, we
set an expiration on the object. We use the enum_cache_timeout
here, since that is an appropriate value.
If the timeout fires during the normal operation of the get*ent()
loop of a client program, we will save the current values of the
read index so that we can resume as soon as the object has been
refreshed by an implicit setent call.
Instead of deleting the enumeration result object immediately
after the last in-progress client has read it, we'll keep the
object around for the lifetime of enum_cache_timeout. This way,
additional clients making enumeration requests can still access
the results in-memory.
|
|
Fixes: #585
|
|
Three assignments deleted, two return code inspection added.
Also found and fixed one critical bug caused by dead assignment.
Ticket: #590
|
|
Some assignments deleted, two return value inspections were
added.
Ticket: #589
|
|
Various dead assignments were deleted, some return value inspections
were added.
Ticket: #588
|
|
Dead assignments were deleted. Also prototype of function
sdap_access_decide_offline() has been changed, since its return
code was never used.
Ticket: #586
|
|
When obfuscated password is used in config file, the LDAP backend
converts it back to clear text and uses it to authenticate to the
server.
|
|
A tool to add obfuscated passwords into the SSSD config file
|
|
|
|
|
|
Adds two utility functions to obfuscate a password and inverse to
extract the cleartext password back.
So far, only NSS-based implementation is provided.
|
|
|
|
A refactoring patch that creates a common util/crypto subdir with
per-implementation subdirectories for each underlying crypto library
supported by SSSD.
|
|
In fail_over.c, there was a small bug causing subrequest to have
wrong parent memory context. This patch fixes it.
|
|
Some config options updated, newly documented 12 new options.
|
|
Two needless assignments were deleted, two were complemented
with code checking function results.
Ticket: #582
|
|
So far, the systemd unit file is only packaged but not used in any of
the packaged spec files.
Fixes: #483
|
|
In function get_pw_name when allocation of memory fails, there
were two codepaths which could cause printing of undefined value.
This patch fixes both cases.
Ticket: #580
|
|
If sysdb_attrs_get_el() call failed in function sdap_save_group(),
it would result in printing an undefined value of variable name.
This is now fixed by initializing the variable.
Ticket: #579
|