summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2012-05-11Bumping version to 1.8.91 for 1.9.0 beta 1 releaseStephen Gallagher1-1/+1
2012-05-11Updating translations for 1.9.0 beta 1 releaseStephen Gallagher28-11714/+22049
2012-05-11build: resolve link failureJan Engelhardt1-0/+1
libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,--version-script -Wl,./src/providers/sssd_be.exports -o sssd_be src/providers/data_provider_be.o src/providers/data_provider_fo.o src/providers/data_provider_opts.o src/providers/data_provider_callbacks.o src/providers/fail_over.o src/resolv/async_resolv.o -Wl,--export-dynamic -lpam -lcares ./.libs/libsss_util.a -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lcollection -ldhash -llber -lldap -ltdb -lunistring -lcrypto /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: src/providers/data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5' /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line /lib64/libdl.so.2: could not read symbols: Invalid operation collect2: error: ld returned 1 exit status make[2]: *** [sssd_be] Error 1 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2012-05-11SYSDB: Handle user and group renames betterJakub Hrozek2-7/+182
Fixes a regression in the local domain tools where sss_groupadd no longer detected a GID duplicate. The check for EEXIST is moved one level up into more high level function. The patch also adds the same rename support for users. I found it odd that we allowed a rename of groups but not users. There is a catch when storing a user -- his cached password would be gone. I think that renaming a user is such a rare operation that it's not severe, plus there is a warning in the logs.
2012-05-11Bad check for id_provider=local and access_provider=permitAriel Barria2-2/+2
documentation-access_provider Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2012-05-10sysdb: return proper error code from sysdb_sudo_purge_allJakub Hrozek1-1/+1
2012-05-10Filter out IP addresses inappropriate for DNS forward recordsJakub Hrozek1-1/+57
https://fedorahosted.org/sssd/ticket/949
2012-05-10subdomains: Fix error handling in Data ProviderJakub Hrozek1-19/+37
The subdomains back end request was sending replies in a format the responder did not understand in case the request failed.
2012-05-10Send the correct enumeration requestJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1329
2012-05-10LDAP: Handle very large Active Directory groupsStephen Gallagher6-45/+273
Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783
2012-05-10LDAP: Add attr_count return value to build_attrs_from_map()Stephen Gallagher17-39/+62
This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
2012-05-10SYSDB: Add better error logging to sysdb_set_entry_attr()Stephen Gallagher1-2/+8
2012-05-09NSS: Add default_shell optionStephen Gallagher7-1/+33
This option will allow administrators to set a default shell to be used if a user does not have one set in the identity provider. https://fedorahosted.org/sssd/ticket/1289
2012-05-09NSS: Add fallback_homedir optionStephen Gallagher9-6/+68
This option is similar to override_homedir, except that it will take effect only for users that do not have an explicit home directory specified in LDAP. https://fedorahosted.org/sssd/ticket/1250
2012-05-09Try all KDCs when getting TGT for LDAPJakub Hrozek1-15/+18
When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
2012-05-09Clearer documentation for use_fully_qualified_namesStef Walter1-0/+5
* Previously only the side effect was described.
2012-05-07Only reset kpasswd server status when performing a chpass operationJakub Hrozek1-2/+3
https://fedorahosted.org/sssd/ticket/1316
2012-05-07krb5 locator: Do not leak addrinfoJakub Hrozek1-0/+2
2012-05-07Special-case LDAP_SIZELIMIT_EXCEEDEDJakub Hrozek1-4/+9
Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322
2012-05-07Kerberos locator: Include the correct krb5.h header fileJakub Hrozek2-2/+14
https://fedorahosted.org/sssd/ticket/1325
2012-05-07Fix typo in debug messagePavel Březina1-1/+1
2012-05-07Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter4-0/+181
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-07Remove erroneous failure message in find_principal_in_keytabStef Walter2-2/+4
* When it's actually a failure, then the callers will print a message. Fine tune this.
2012-05-04If canon'ing principals, write ccache with updated default principalStef Walter2-3/+8
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
2012-05-04SSSDConfigAPI: Fix missing option in testsStephen Gallagher1-0/+2
2012-05-04Modify behavior of pam_pwd_expiration_warningJan Zeleny9-52/+119
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
2012-05-04Fix endian issue in SID conversionSumit Bose3-10/+18
Since the byte-order is only important when dealing with the binary SID the sub-auth values are stored in host order and are only converted while reading or writing the binary SID.
2012-05-03LDAP: Add support for enumeration of ID-mapped users and groupsStephen Gallagher1-31/+102
2012-05-03MAN: Add manpage for ID mappingStephen Gallagher3-0/+214
2012-05-03LDAP: Treat groups with unmappable SIDs as non-POSIX groupsStephen Gallagher1-9/+12
2012-05-03LDAP: Add helper function to map IDsStephen Gallagher5-119/+81
This function will also auto-create a new ID map if the domain has not been seen previously.
2012-05-03LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped ↵Stephen Gallagher2-0/+16
entries
2012-05-03LDAP: Add helper routine to convert LDAP blob to SID stringStephen Gallagher5-68/+195
2012-05-03LDAP: Map the user's primaryGroupIDStephen Gallagher8-12/+73
2012-05-03LDAP: Enable looking up id-mapped groups by GIDStephen Gallagher1-2/+45
2012-05-03LDAP: Allow looking up ID-mapped groups by nameStephen Gallagher2-29/+125
2012-05-03LDAP: Enable looking up id-mapped users by UIDStephen Gallagher1-6/+43
2012-05-03LDAP: Allow automatically-provisioning a domain and rangeStephen Gallagher1-3/+43
If we get a user who is a member of a domain we haven't seen before, add a domain entry (auto-assigning its slice). Since we don't know the domain's real name, we'll just save the domain SID string as the name as well.
2012-05-03LDAP: Add routine to extract domain SID from an object SIDStephen Gallagher4-2/+52
Also makes the domain prefix macros from sss_idmap public.
2012-05-03LDAP: Allow setting a default domain for id-mapping slice 0Stephen Gallagher7-0/+48
2012-05-03LDAP: Add autorid compatibility modeStephen Gallagher7-8/+20
2012-05-03LDAP: Enable looking up ID-mapped users by nameStephen Gallagher3-9/+56
2012-05-03LDAP: Initialize ID mapping when configuredStephen Gallagher2-0/+10
2012-05-03LDAP: Add ID mapping range settingsStephen Gallagher6-0/+19
2012-05-03LDAP: Add helper routines for ID-mappingStephen Gallagher3-2/+340
2012-05-03SYSDB: Add sysdb routines for ID-mappingStephen Gallagher3-0/+347
2012-05-03LDAP: Add id-mapping optionStephen Gallagher6-0/+6
2012-05-03LDAP: Add objectSID config optionStephen Gallagher8-0/+47
2012-05-03Read sysdb attribute name, not LDAP attribute map nameJakub Hrozek1-2/+2
https://fedorahosted.org/sssd/ticket/1320
2012-05-03SSH: Add dp_get_host_send to common responder codeJakub Hrozek9-52/+211
Instead of using account_info request, creates a new ssh specific request. This improves code readability and will make the code more flexible in the future. https://fedorahosted.org/sssd/ticket/1176