Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2010-06-09 | Fix potential NULL dereference in fail_over.c | Jakub Hrozek | 1 | -2/+5 | |
Fixes: #505 | |||||
2010-06-09 | Fix realm_str dereference | Jakub Hrozek | 1 | -1/+1 | |
Fixes: #508 | |||||
2010-06-09 | Fix typo in Makefile.am | Stephen Gallagher | 1 | -1/+1 | |
We weren't properly linking libsss_krb5.so against libkeyutils | |||||
2010-06-09 | Skip empty attributes with warning | Jakub Hrozek | 1 | -0/+4 | |
Fixes: #488 | |||||
2010-06-06 | Don't return uninitialized value in proxy provider | Jakub Hrozek | 1 | -1/+4 | |
Fixes: #498 | |||||
2010-06-06 | Fix broken build against older versions of OpenLDAP | Stephen Gallagher | 2 | -2/+12 | |
OpenLDAP < 2.4 used LDAP_OPT_ERROR_STRING. It was changed to LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4. This patch will allow the TLS error messages to be displayed on either version. | |||||
2010-06-06 | Initialize pam_data in Kerberos child. | Sumit Bose | 1 | -1/+1 | |
2010-06-06 | Man page fixes | Jakub Hrozek | 2 | -2/+6 | |
Fixes: #496 | |||||
2010-06-06 | Remove dead code from the PAM responder | Jakub Hrozek | 2 | -13/+0 | |
2010-06-02 | Unify sdap and sysdb data handling | Sumit Bose | 1 | -85/+104 | |
2010-06-02 | Compare full service name | Sumit Bose | 1 | -1/+2 | |
2010-06-02 | Remove service groups | Sumit Bose | 2 | -193/+7 | |
Because the memberOf attribute is now set for the service objects we do not need to fetch the service groups separately anymore. | |||||
2010-06-02 | Use new schema for HBAC service checks | Sumit Bose | 2 | -21/+641 | |
2010-06-02 | Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el() | Sumit Bose | 1 | -23/+12 | |
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs structure if the requested element does not exist. Recent versions of libldb do not accept empty elements when writing new objects to disk. sysdb_attrs_get_string_array() does not create an empty element but returns ENOENT. | |||||
2010-06-02 | Add sysdb_attrs_get_string_array() | Sumit Bose | 2 | -0/+35 | |
2010-06-02 | Fix typo in Makefile | Stephen Gallagher | 1 | -1/+1 | |
Caused the kerberos provider to not use the kernel keyring | |||||
2010-05-27 | Check ipaEnabledFlag | Sumit Bose | 1 | -5/+23 | |
2010-05-27 | Remove signal event if child was terminated by a signal | Sumit Bose | 2 | -6/+29 | |
2010-05-27 | Fix check if LDAP id provider is already initialized | Sumit Bose | 1 | -1/+1 | |
2010-05-27 | Reset run_online_cb flag even if there are no callbacks | Sumit Bose | 1 | -8/+10 | |
2010-05-27 | Add ldap_access_filter option | Stephen Gallagher | 15 | -4/+621 | |
This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com | |||||
2010-05-27 | Add offline callback to disconnect global SDAP handle | Sumit Bose | 4 | -1/+24 | |
2010-05-27 | Add krb5 SIGTERM handler to ipa auth provider | Sumit Bose | 1 | -0/+6 | |
2010-05-27 | Refactor krb5 SIGTERM handler installation | Sumit Bose | 3 | -14/+39 | |
2010-05-27 | Krb5 locator plugin returns KRB5_PLUGIN_NO_HANDLE | Sumit Bose | 1 | -6/+6 | |
To allow a fallback to the setting in krb5.conf the locator plugin returns KRB5_PLUGIN_NO_HANDLE in nearly all error conditions. Only if the call back fails the error code of the callback is returned. | |||||
2010-05-27 | Add callback to remove krb5 info files when going offline | Sumit Bose | 6 | -40/+163 | |
2010-05-27 | Add run_callbacks flag | Sumit Bose | 2 | -2/+25 | |
2010-05-27 | Refactor krb5_finalize() | Sumit Bose | 1 | -12/+27 | |
2010-05-27 | Add offline callbacks | Sumit Bose | 3 | -1/+32 | |
2010-05-27 | Refactor data provider callbacks | Sumit Bose | 4 | -142/+188 | |
2010-05-27 | Revert "Create kdcinfo and kpasswdinfo file at startup" | Sumit Bose | 3 | -50/+1 | |
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7. | |||||
2010-05-27 | Support password changes in chpass_provider = proxy | Stephen Gallagher | 1 | -5/+73 | |
We were not passing the old authtok to the pam_chauthtok() function, causing it to return PAM_AUTH_ERR. | |||||
2010-05-27 | Proxy provider PAM handling in child process | Stephen Gallagher | 4 | -138/+1539 | |
This patch adds a new tevent_req to the proxy provider, which will spawn short-lived child processes to handle PAM requests. These processes then call the proxied PAM stack and return the results via SBUS method reply. Once it is returned, the parent process kills the child. There is a maximum of ten child processes running simultaneously, after which requests will be queued for sending once a child slot frees up. The maximum processes will be made configurable at a later date (as this would violate string freeze). | |||||
2010-05-27 | Copy pam data from DBus message | Sumit Bose | 3 | -54/+75 | |
Instead of just using references to the pam data inside of the DBus message the data is copied. New the DBus message can be freed at any time and the pam data is part of the memory hierarchy. Additionally it is possible to overwrite the authentication tokens in the DBus message, because it is not used elsewhere. | |||||
2010-05-27 | Fix error reporting for be_pam_handler | Stephen Gallagher | 1 | -1/+1 | |
2010-05-27 | Make data provider id_callback public | Stephen Gallagher | 2 | -2/+3 | |
2010-05-27 | Move parse_args() to util | Sumit Bose | 3 | -100/+101 | |
2010-05-26 | Fix handling of ccache file when going offline | Sumit Bose | 2 | -32/+76 | |
The ccache file was removed too early if system is offline but the backend was not already marked offline. Now we remove the ccache file only if the successfully got a new one and it is not the same as the old one. | |||||
2010-05-26 | Add support for delayed kinit if offline | Sumit Bose | 23 | -34/+593 | |
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used. | |||||
2010-05-26 | Handle Krb5 password expiration warning | Sumit Bose | 4 | -176/+213 | |
2010-05-26 | Try all servers during Kerberos auth | Jakub Hrozek | 1 | -23/+104 | |
The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline. | |||||
2010-05-24 | Display name of PAM action in pam_print_data() | Stephen Gallagher | 1 | -1/+23 | |
2010-05-23 | Do not modify IPA_DOMAIN when setting Kerberos realm | Sumit Bose | 1 | -6/+20 | |
2010-05-21 | Remove bash-isms from configure macros | Petter Reinholdtsen | 3 | -14/+14 | |
2010-05-21 | Copy-edit and format review sssd.conf | David O'Brien | 1 | -18/+27 | |
Updated EntryCache*Timeout to the correct values. Fixed one missed EntryCacheTimeout Added notes about perf hit of using enumeration. | |||||
2010-05-20 | Revert "Copy pam data from DBus message" | Stephen Gallagher | 3 | -75/+54 | |
This reverts commit 2faf73eef14d66aeb345ffa38d0f53670fa8a9a1. | |||||
2010-05-20 | Add enumerate details to the manpage and examples | Stephen Gallagher | 2 | -3/+21 | |
2010-05-20 | Copy pam data from DBus message | Sumit Bose | 3 | -54/+75 | |
Instead of just using references to the pam data inside of the DBus message the data is copied. New the DBus message can be freed at any time and the pam data is part of the memory hierarchy. Additionally it is possible to overwrite the authentication tokens in the DBus message, because it is not used elsewhere. | |||||
2010-05-20 | Defer sbus_dispatch() for 30ms during reconnect | Sumit Bose | 1 | -1/+2 | |
2010-05-20 | Add a better error message for TLS failures | Stephen Gallagher | 1 | -3/+32 | |