summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2010-05-26Handle Krb5 password expiration warningSumit Bose4-176/+213
2010-05-26Try all servers during Kerberos authJakub Hrozek1-23/+104
The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline.
2010-05-24Display name of PAM action in pam_print_data()Stephen Gallagher1-1/+23
2010-05-23Do not modify IPA_DOMAIN when setting Kerberos realmSumit Bose1-6/+20
2010-05-21Remove bash-isms from configure macrosPetter Reinholdtsen3-14/+14
2010-05-21Copy-edit and format review sssd.confDavid O'Brien1-18/+27
Updated EntryCache*Timeout to the correct values. Fixed one missed EntryCacheTimeout Added notes about perf hit of using enumeration.
2010-05-20Revert "Copy pam data from DBus message"Stephen Gallagher3-75/+54
This reverts commit 2faf73eef14d66aeb345ffa38d0f53670fa8a9a1.
2010-05-20Add enumerate details to the manpage and examplesStephen Gallagher2-3/+21
2010-05-20Copy pam data from DBus messageSumit Bose3-54/+75
Instead of just using references to the pam data inside of the DBus message the data is copied. New the DBus message can be freed at any time and the pam data is part of the memory hierarchy. Additionally it is possible to overwrite the authentication tokens in the DBus message, because it is not used elsewhere.
2010-05-20Defer sbus_dispatch() for 30ms during reconnectSumit Bose1-1/+2
2010-05-20Add a better error message for TLS failuresStephen Gallagher1-3/+32
2010-05-18Update pt translationRui Gouveia1-8/+8
2010-05-17Adding support for explicit 32/64 types (attempt 2).Dmitri Pal5-5/+400
This is a reworked patch to add support for explicit 32 and 64 bit values in the config files.
2010-05-16Add ldap_krb5_ticket_lifetime optionSumit Bose12-13/+57
2010-05-16Allow Debian/Ubuntu build to pass --install-layout=deb to setup.pyPetter Reinholdtsen2-4/+13
2010-05-16Don't report a fatal error for an HBAC denialStephen Gallagher1-1/+1
2010-05-16Add dynamic DNS updates to FreeIPAStephen Gallagher14-14/+716
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-16Properly set up SIGCHLD handlersStephen Gallagher6-46/+116
Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
2010-05-16New version of IPA auth and password migrationSumit Bose4-199/+400
The current version modified some global structures to be able to use Kerberos and LDAP authentication during the IPA password migration. This new version only uses tevent requests. Additionally the ipaMigrationEnabled attribute is read from the IPA server to see if password migration is allowed or not.
2010-05-16Make Kerberos authentication a tevent_reqSumit Bose2-215/+345
To allow other providers to include Kerberos authentication the main part is put into a tevent request.
2010-05-16SSSDConfigAPI fixesJakub Hrozek4-6/+10
* add forgotten ldap_dns_service option * sync IPA and LDAP options (ldap_pwd_policy and ldap_tls_cacertdir) * ldap_uri is no longer mandatory for LDAP provider - the default is to use service discovery with no address set now. Ditto for krb5_kdcip and ipa_server
2010-05-10Updating pt translationRui Gouveia1-89/+35
2010-05-07Revert "Add dynamic DNS updates to FreeIPA"Stephen Gallagher14-716/+14
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7. While this patch applied cleanly, it was uncompilable. Reverting until it can be properly merged.
2010-05-07Add dynamic DNS updates to FreeIPAStephen Gallagher14-14/+716
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-07Use service discovery in backendsJakub Hrozek17-36/+224
Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
2010-05-07Add callback when the ID provider switches from offline to onlineStephen Gallagher4-0/+174
Allow backends to set a callback in the be_ctx that should be invoked when the ID provider goes online. This can be used to perform regular maintenance tasks that are valid only when going online.
2010-05-07Add more warnings about nearly expired passwordsSumit Bose1-5/+66
For the shadow and mit_kerberos password policy warnings are sent to the client if the password is about to expire.
2010-05-07Add retry option to pam_sssSumit Bose2-92/+164
2010-05-07Compare the full service nameSumit Bose1-1/+2
2010-05-07Create kdcinfo and kpasswdinfo file at startupSumit Bose3-1/+50
2010-05-07Clean up kdcinfo and kpasswdinfo files when exitingStephen Gallagher5-3/+59
2010-05-07Fix memory hierarchy in the ipa timerulesJakub Hrozek1-4/+4
2010-05-07Split pam_data utilities into a separate fileSumit Bose3-35/+62
2010-05-07Improve the offline authentication messageJakub Hrozek1-2/+2
2010-05-07Make krb5_kpasswd available for any krb5 providerStephen Gallagher3-1/+5
Previously, the option krb5_kpasswd was only available if 'chpass_provider = krb5' was specified explicitly. Now it will be available also if 'auth_provider = krb5'. This option was also missing from the IPA options, so I have added it there as well
2010-05-07Use all available servers in LDAP providerJakub Hrozek3-14/+91
2010-05-07Add a README fileJakub Hrozek1-0/+37
2010-05-07Fix segfault in GSSAPI reconnect codeStephen Gallagher2-57/+41
Also clean up some duplicated code into a single common routine sdap_account_info_common_done()
2010-05-03Fix a wrong return value in IPA HBACSumit Bose1-2/+2
2010-05-03Avoid freeing sdap_handle too earlySimo Sorce2-18/+46
Prevent freeing the sdap_handle by failing in the destructor if we are trying to recurse.
2010-05-03Better handle sdap_handle memory from callers.Simo Sorce7-42/+144
Always just mark the sdap_handle as not connected and let later _send() functions to take care of freeing the handle before reconnecting. Introduce restart functions to avoid calling _send() functions in _done() functions error paths as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release() By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.
2010-05-03Fix uninitialized variableJakub Hrozek1-0/+1
2010-04-30Add dns_resolver_timeout optionStephen Gallagher7-2/+34
We had a hard-coded timeout of five seconds for DNS lookups in the async resolver. This patch adds an option 'dns_resolver_timeout' to specify this value (Default: 5)
2010-04-30Introducing a comment objectDmitri Pal5-6/+804
Comment object will store the comments found in the INI file. It is based on the ref_array interface. Fixing review comments for comment obj.
2010-04-30Extending refarray interfaceDmitri Pal3-1/+563
Added functions to inert, delete, replace swap the array elements. Unit test and docs have been updated accordingly. Fixing review comments for refarray.
2010-04-30Fix wrong return valueSumit Bose1-15/+14
If there was a failure during a password change a wrong return value was send back to the PAM stack.
2010-04-30Remove the NSS_LIBS and KRB5_LIBS variables from sssd.specStephen Gallagher2-4/+0
Due to the way RPM processes the %configure macro, these variables were not actually being passed down to recursive configure invocations. In other words, they were useless. Futhermore, in more recent Fedora versions (13+), some of the dependencies have moved from -lnss to -lnspr4. As a result, it is safer to rely on the complete output of 'pkg-config nss --libs' instead of restricting to -lnss. The downside to this is that it may result in linking unnecessarily against other NSS components such as libsmime3 and libplc4 (among others). However, since these are already dependencies of libnss itself, there should be no risk of them being unavailable on the platform when installed.
2010-04-30Silence warnings with -O2Jakub Hrozek3-12/+26
2010-04-30Support SRV servers in failoverJakub Hrozek5-60/+551
Adds a new failover API call fo_add_srv_server that allows the caller to specify a server that is later resolved into a list of specific servers using SRV requests. Also adds a new failover option that specifies how often should the servers resolved from SRV query considered valid until we need a refresh. The "real" servers to connect to are returned to the user as usual, using the fo_resolve_service_{send,recv} calls. Make SRV resolution work with c-ares 1.6
2010-04-30Remove freed server_common entities from listJakub Hrozek1-1/+24