summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2010-06-10Properly handle read() and write() throughout the SSSDStephen Gallagher9-42/+131
We need to guarantee at all times that reads and writes complete successfully. This means that they must be checked for returning EINTR and EAGAIN, and all writes must be wrapped in a loop to ensure that they do not truncate their output.
2010-06-09Add a missing free()Sumit Bose1-0/+1
2010-06-09Add a missing initializerSumit Bose1-1/+1
2010-06-09Add missing break to switch statementJakub Hrozek1-0/+1
Switch statement missing a break causes unintended implicit setting of 'm' options in sss_useradd. Fixes: #512
2010-06-09Allow ldap_access_filter values wrapped in parenthesesStephen Gallagher2-3/+21
2010-06-09Avoid a potential double-freeSumit Bose1-0/+1
2010-06-09Change default min_id to 1Stephen Gallagher4-9/+16
Also update manpage for min_id/max_id to be more clear about how it relates to primary GID.
2010-06-09Disable connection callbacks when going onlineStephen Gallagher3-0/+27
Under certain circumstances, the openldap libraries will continue internally trying to reconnect to a connection lost (as during a cable-pull test). We need to drop the reconnection callbacks when marking the backend offline in order to guarantee that they are not called with an invalid sdap_handle.
2010-06-09Fix Incorrect NULL check in get_server_common()Jakub Hrozek1-1/+1
Fixes: #518
2010-06-09Fix potential NULL dereference in fail_over.cJakub Hrozek1-2/+5
Fixes: #505
2010-06-09Fix realm_str dereferenceJakub Hrozek1-1/+1
Fixes: #508
2010-06-09Fix typo in Makefile.amStephen Gallagher1-1/+1
We weren't properly linking libsss_krb5.so against libkeyutils
2010-06-09Skip empty attributes with warningJakub Hrozek1-0/+4
Fixes: #488
2010-06-06Don't return uninitialized value in proxy providerJakub Hrozek1-1/+4
Fixes: #498
2010-06-06Fix broken build against older versions of OpenLDAPStephen Gallagher2-2/+12
OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS error messages to be displayed on either version.
2010-06-06Initialize pam_data in Kerberos child.Sumit Bose1-1/+1
2010-06-06Man page fixesJakub Hrozek2-2/+6
Fixes: #496
2010-06-06Remove dead code from the PAM responderJakub Hrozek2-13/+0
2010-06-02Unify sdap and sysdb data handlingSumit Bose1-85/+104
2010-06-02Compare full service nameSumit Bose1-1/+2
2010-06-02Remove service groupsSumit Bose2-193/+7
Because the memberOf attribute is now set for the service objects we do not need to fetch the service groups separately anymore.
2010-06-02Use new schema for HBAC service checksSumit Bose2-21/+641
2010-06-02Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()Sumit Bose1-23/+12
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs structure if the requested element does not exist. Recent versions of libldb do not accept empty elements when writing new objects to disk. sysdb_attrs_get_string_array() does not create an empty element but returns ENOENT.
2010-06-02Add sysdb_attrs_get_string_array()Sumit Bose2-0/+35
2010-06-02Fix typo in MakefileStephen Gallagher1-1/+1
Caused the kerberos provider to not use the kernel keyring
2010-05-27Check ipaEnabledFlagSumit Bose1-5/+23
2010-05-27Remove signal event if child was terminated by a signalSumit Bose2-6/+29
2010-05-27Fix check if LDAP id provider is already initializedSumit Bose1-1/+1
2010-05-27Reset run_online_cb flag even if there are no callbacksSumit Bose1-8/+10
2010-05-27Add ldap_access_filter optionStephen Gallagher15-4/+621
This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
2010-05-27Add offline callback to disconnect global SDAP handleSumit Bose4-1/+24
2010-05-27Add krb5 SIGTERM handler to ipa auth providerSumit Bose1-0/+6
2010-05-27Refactor krb5 SIGTERM handler installationSumit Bose3-14/+39
2010-05-27Krb5 locator plugin returns KRB5_PLUGIN_NO_HANDLESumit Bose1-6/+6
To allow a fallback to the setting in krb5.conf the locator plugin returns KRB5_PLUGIN_NO_HANDLE in nearly all error conditions. Only if the call back fails the error code of the callback is returned.
2010-05-27Add callback to remove krb5 info files when going offlineSumit Bose6-40/+163
2010-05-27Add run_callbacks flagSumit Bose2-2/+25
2010-05-27Refactor krb5_finalize()Sumit Bose1-12/+27
2010-05-27Add offline callbacksSumit Bose3-1/+32
2010-05-27Refactor data provider callbacksSumit Bose4-142/+188
2010-05-27Revert "Create kdcinfo and kpasswdinfo file at startup"Sumit Bose3-50/+1
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
2010-05-27Support password changes in chpass_provider = proxyStephen Gallagher1-5/+73
We were not passing the old authtok to the pam_chauthtok() function, causing it to return PAM_AUTH_ERR.
2010-05-27Proxy provider PAM handling in child processStephen Gallagher4-138/+1539
This patch adds a new tevent_req to the proxy provider, which will spawn short-lived child processes to handle PAM requests. These processes then call the proxied PAM stack and return the results via SBUS method reply. Once it is returned, the parent process kills the child. There is a maximum of ten child processes running simultaneously, after which requests will be queued for sending once a child slot frees up. The maximum processes will be made configurable at a later date (as this would violate string freeze).
2010-05-27Copy pam data from DBus messageSumit Bose3-54/+75
Instead of just using references to the pam data inside of the DBus message the data is copied. New the DBus message can be freed at any time and the pam data is part of the memory hierarchy. Additionally it is possible to overwrite the authentication tokens in the DBus message, because it is not used elsewhere.
2010-05-27Fix error reporting for be_pam_handlerStephen Gallagher1-1/+1
2010-05-27Make data provider id_callback publicStephen Gallagher2-2/+3
2010-05-27Move parse_args() to utilSumit Bose3-100/+101
2010-05-26Fix handling of ccache file when going offlineSumit Bose2-32/+76
The ccache file was removed too early if system is offline but the backend was not already marked offline. Now we remove the ccache file only if the successfully got a new one and it is not the same as the old one.
2010-05-26Add support for delayed kinit if offlineSumit Bose23-34/+593
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
2010-05-26Handle Krb5 password expiration warningSumit Bose4-176/+213
2010-05-26Try all servers during Kerberos authJakub Hrozek1-23/+104
The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline.