summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2013-01-15Make sysdb_domain_dn() require a domain.Simo Sorce6-7/+10
2013-01-15Make sysdb_netgroup_base_dn() require a domain.Simo Sorce3-5/+9
2013-01-15Make sysdb_netgroup_dn() require a domain explictly.Simo Sorce4-9/+11
2013-01-15Make sysdb_group_dn() require a domain explictly.Simo Sorce6-18/+20
2013-01-15Make sysdb_user_dn() require a domain explictly.Simo Sorce6-15/+17
2013-01-15Remove the sysdb_ctx_get_domain() function.Simo Sorce5-19/+16
We are deprecating sysdb->domain so kill the function that gives access to this member as we should stop relying on it being available (or correct).
2013-01-15Refactor single domain initializationSimo Sorce12-60/+60
Bring it out of sysdb, which will slowly remove internal dependencies on domains and instead will always require them to be passed by callers.
2013-01-15Refactor sysdb initializationSimo Sorce6-170/+25
Change the way sysdbs are initialized. Make callers responsible for providing the list of domains. Remove the returned array of sysdb contexts, it was used only by sss_cache and not really necessary there either as that tool can easily iterate the domains. Make sysdb ctx children of their respective domains. Neither sysdb context nor domains are ever freed until a program is done so there shouldn't be any memory hierarchy issue. As plus we simplify the code by removing a destructor and a setter function.
2013-01-15The Big sysdb/domain split-up!Simo Sorce1-1/+1
This commit is the first of a complex work of untangling domain and sysdb. It turns out the idea of keeping a reference to the domain within the sysdb was a poor one so we need to split the domain out and change all functions that needs one to get it explicitly from their callers.
2013-01-14Use new sysdb_search_service() in sss_cacheSimo Sorce1-35/+4
Also fixes https://fedorahosted.org/sssd/ticket/1754
2013-01-14let ldap_backup_chpass_uri workPavel Březina1-2/+4
https://fedorahosted.org/sssd/ticket/1760
2013-01-14Fix LDAP authentication - invalid password lengthPavel Březina1-1/+1
sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.
2013-01-10Change pam data auth tokens.Simo Sorce21-473/+533
Use the new authtok abstraction and interfaces throught the code.
2013-01-10Add authtok utility functions.Simo Sorce3-0/+384
These functions allow handling of auth tokens in a completely opaque way, with clear semantics and accessor fucntions that guarantee consistency, proper access to data and error conditions.
2013-01-10Add function to safely wipe memory.Simo Sorce2-0/+18
This is useful for wiping passwords, as it prevents the compiler from optimizing out a memset to zero before a free()
2013-01-10Code can only check for cached passwordsSimo Sorce5-36/+45
Make it clear to the API users that we can not take arbitrary auth tokens. We can only take a password for now so simplify and clarify the interface.
2013-01-10Fix sdap reinit.Simo Sorce1-82/+89
This set of functions had a few important issues: 1. the base_dn was always NULL, as the base array was never actually used to construct any DN. This means each function searched the whole database multiple times. It would try to remove SYSDB_USN from all database entries 3 times. Then it would try to find non updated entries another 3 times and delete them, arguably find empty results the last 2 times. 2. Remove use of sysdb_private.h, that header is *PRIVATE* which means it should not be used anywhere but within sysdb. Do this by using existing functions instead of using ldb calls directly. This is important to keep sysdb as conistent and self-contained as possible.
2013-01-10Use sysdb_search_service() for all svc queriesSimo Sorce2-78/+56
2013-01-10Add sysdb_search_service() helper functionSimo Sorce2-0/+63
2013-01-09AD: Add user as a direct member of his primary groupJakub Hrozek1-8/+109
In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. The downside of this approach is that the user is returned as a group member during getgrgid call as well.
2013-01-09AD: replace GID/UID, do not add another oneJakub Hrozek4-7/+41
The code would call sysdb_attrs_add_uint32 which added another UID or GID to the ID=0 we already downloaded from LDAP (0 is the default value) when ID-mapping an entry. This led to funky behaviour later on when we wanted to process the ID.
2013-01-09Revert "Add a default section to a switch-statement"Simo Sorce1-12/+8
This reverts commit d698499602461b98fd56f2d550f80c6cb25f12a9. And adds the correct fix. Also makes the function static,as it is used nowehere else.
2013-01-09Add a default section to a switch-statementSumit Bose1-0/+3
Besides adding the missing default this patch suppresses a compiler warning about ret being uninitialized.
2013-01-08Remove dead netgroup functionsSimo Sorce3-419/+0
2013-01-08Remove unhelpful vtable from sss_cacheSimo Sorce1-24/+30
Using a vtable like this has various drawacks, including the fact prototypes are not checked by the compiler so the code could silently break and still compile fine (in fact I found this out changing one of the prototypes). A switch statement is also better because it catches if the enum changed and won't risk allowing to access the table out of bounds.
2013-01-08IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAPJakub Hrozek3-4/+6
It is not a map, but a default context. The name should reflect that.
2013-01-08SELINUX: Process maps even when offlineJakub Hrozek1-226/+429
Changes the ipa_get_selinux{send,recv} request so that it only delivers data and moves processing to the IPA selinux handler.
2013-01-08SYSDB: Split a function to read all SELinux mapsJakub Hrozek2-23/+49
2013-01-08SYSDB: Remove duplicate selinux definesJakub Hrozek3-5/+2
2013-01-08Refactor gid handling in the PAC responderSumit Bose4-105/+238
Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain an store it with a pointer to the domain.
2013-01-08PAC responder: check if existing user differsSumit Bose3-13/+64
If some of the Posix attributes of an user existing in the cache differ from the data given in the current PAC the old user entry is drop and a new one is created with the data from the PAC.
2013-01-08Add tests for get_gids_from_pac()Sumit Bose2-0/+257
2013-01-08Use hash table to collect GIDs from PAC to avoid dupsSumit Bose1-18/+86
To avoid duplicated entries in the group list all gids are added to a hash table first. Fixes: https://fedorahosted.org/sssd/ticket/1672
2013-01-08Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXISTSumit Bose1-0/+1
Currently only the LDB error code indicating that an entry already exists is translated to EEXIST. To make debugging easier and return a better indication of the reason for an error in the logs this patch translates the LDB error code for an already existing attribute or value to EEXIST as well.
2013-01-08Read remote groups from PACSumit Bose1-3/+52
Read the group membership of the remote domain the user belongs to from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
2013-01-08Remote groups do not have an original DN attributeSumit Bose1-40/+34
Groups from subdomains will not have an attribute holding the original DN because in general it will not be available. This attribute is only used by IPA HABC to improve performance and remote groups cannot be used for access control.
2013-01-08Save domain and GID for groups from the configured domainSumit Bose3-17/+47
Currently users from subdomains can only be members of groups from the configured domain and to access those groups a pointer to the domain struct of the configured domain is used. This patch sets the dom_grp member of struct pac_grp to point to the domain struct of the configured for groups from this domain. This is a first step to allow group membership for groups from subdomains as well. For those groups a pointer to the related subdomain structure will be saved.
2013-01-08Always get user data from PACSumit Bose1-7/+7
Currently some user specific data from the PAC is only read when the user is not already in the cache. Since some of this information is needed later on, e.g. the domain SID the user belongs to, with this patch the data is read always from the PAC.
2013-01-08Update domain ID for local domain as wellSumit Bose1-2/+14
Currently only the flat name of the configured domain is updated if it is not already set. This patch updates the domain ID as well. This is typically the case when trust support is enabled on the server side while sssd is running.
2013-01-08IDMAP: add sss_idmap_smb_sid_to_unix()Sumit Bose2-0/+39
To avoid a conversion on the caller side a new call is added to libsss_idmap which converts a Samba dom_sid structure to a Posix ID.
2013-01-08Add find_domain_by_id()Sumit Bose3-0/+91
Currently domains can only be searched by name in the global domain list. To make it easier to find the domain for a given SID find_domain_by_id() which returns a pointer to the domain or subdomain entry in the global domain list if a matching id was found.
2013-01-08Use struct pac_grp instead of gid_t for groups from PACSumit Bose4-26/+36
To be able to handle groupmemberships from other domains more data than just the gid must be kept for groups given in the PAC.
2013-01-08Potential resource leak in sss_nss_mc_get_recordJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1748
2013-01-07sudo smart refresh: fix debug messagePavel Březina1-1/+1
2013-01-07sudo smart refresh: do not include usn in filter if no valid usn is knownPavel Březina1-5/+12
https://fedorahosted.org/sssd/ticket/1736 When there are no rules during first refresh, we don't have valid USN value. We use 0 in this case, but it turned out that OpenLDAP takes it as invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include USN/modifyTimestamp attribute in the filter if such situasion occurs.
2013-01-07memcache: make MC_PTR_TO_SLOT() more readablePavel Březina1-2/+1
2013-01-07explicit null dereferenced in sss_nss_mc_get_record()Pavel Březina1-0/+5
https://fedorahosted.org/sssd/ticket/1724
2013-01-07memcache: add macro that validates record lengthPavel Březina2-2/+7
2013-01-07sss_userdel and sss_groupdel with use_fully_qualified_namesMichal Zidek1-15/+50
If use_fully_qualified_names is used, we need to pass fqdn to sss_mmap_cache_*_invalidate.
2013-01-07SYSDB: split sysdb_add_userOndrej Kos1-125/+176
The function itself was very long (more than 300 lines) and hard to read, this patch splits it to three logical blocks.