Age | Commit message (Collapse) | Author | Files | Lines |
|
Move parameter parsing in tools before attempting to do anything that
might fail - so that we have debug_level set correctly for potential
error messages. That allows printing the --help and --usage messages
without being root.
Fix code duplicates in tools and refactor its code a little to lay
ground for decoupling the synchronous interfaces.
Remove some legacy tools leftovers, re-add sensible error message on
removing nonexistent users/groups which was removed by accident.
Fixes: Trac ticket #75
Fix typo in groupdel: fixes ticket #136
|
|
|
|
|
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
There was a chance that groups w/o members could end up causing a failure to
store the group. This would happen in case the structure used by glibc to fill
up the group data was "dirty". Always memset structures before passing them to
te libc and also check if there are any members, before calling the async
function.
Finally add some tracing at level 7 so that it is easier to follow what is going
on in case of touble.
|
|
|
|
|
|
|
|
|
|
Authentication against a LDAP server should always use an
encrypted connection. To acchive this the LDAP provider calls
ldap_start_tls which will fail if the connection is already
encrypted, e.g. if an ldaps tunnel is already established.
Because the error message from ldap_start_tls is not specific we
check the status with ldap_tls_inplace before calling ldap_start_tls.
|
|
This will add a second, optional line to the VERSION file that
will be used by the automated build scripts to create snapshot
versions.
|
|
We were missing two files from the tarball distribution that
prevented autoreconf from running successfully: VERSION and
replace/autoconf-2.60.m4
|
|
Necessary for RPM builds on RHEL5
|
|
Inspired by issue #173 I reviewed the
other function of the interface and
found a lot of problems with its
error handling.
Also made INI use collection public interfaces.
|
|
|
|
|
|
The configuration options krb5ccache_dir and krb5ccname_template
are added to the Kerberos provider to create the user's credential
caches the same way as pam_krb5 does. Due to the design of the sssd
and the supported ccache types of MIT Kerberos only files are
allowed.
|
|
|
|
|
|
- the client sends the PID as uint32_t and sssd will use uint32_t too
- fix a possible type issue where a uint32_t is sent as int32 in internal
dbus communication
|
|
This patch makes basic options multiype, the init function assigns
a type from the initialization array, and processes values fetched
from confdb accordingly.
4 types are supported so far: string, number, blob and boolean
Also convert defines into enums where appropriate.
Add fetch functions that check the requested type.
|
|
Add helpers functions to query/set the offline status per backend.
Now all providers share the same offline status.
|
|
|
|
|
|
|
|
|
|
Remove the "legacy" option from examples and man pages.
Legacy is is finally R.I.P
Add docs for ldapSchema in sssd-ldap man page.
|
|
The code was still dependent on it for the ldap driver.
Changed the driver code to depend on the schema type.
Fix defaults for user and groups trees.
ATM if you use the rfc2307bis schema you have to put users and groups
in 2 separate trees (what people does by default anyway.
If this limitation will turn to be too hard, we will change this later.
|
|
The patch that added check_cache() broke them, no results returned for any group
with actual members ...
|
|
|
|
|
|
The request was being freed, instead of marking it done and let the callback
free it when done. This was causing us to access freed memory, when trying to
set the next run.
Let the callback add new runs and free the request instead as normally we would
do with any other tevent_req async call.
Courtesy of valgrind again.
|
|
By attaching the reply to a subreq, we ended up freeing the operations list
element before we used it to skip to the next one.
Do not steal the context and let the unlocking code free the old reply, when it
moves onto processing the next one.
Got this one with valgrind.
|
|
We were talloc_free()-ing the cdb_file string too early.
|
|
This patch eliminates the need to include
collection's private header and uses only
public interface.
|
|
The hashing logic was internal to the collection item.
But if someone wants to effectively deal with
the items and compare the property to a string
he should compare hashes first. But it was not possible
without the provided functions. As a result some
of the ELAPI modules had to take advantage of
knowledge of the item structure. This is bad.
So this patch lays foundation for refactoring
of the ELAPI code that was using internals of the item
directly (file_util.c mostly).
Also patch adds a unit test that was required for
testing new functionality and for ticket #83
|
|
Fixes: #138
|
|
Remove magicPrivateGroups since it's set automatically, use bool values
for enumerate.
Also add a notice about krb5 auth-module with a link to specialized
manpage to sssd.conf(5) similar to what we have for ldap auth-module.
Move both outside proxy domain description.
|
|
We will now parse the config file and validate the confdb contents
before processing the rest of the monitor startup. This will allow
us to return an appropriate error code to the shell if the
configuration is invalid.
|
|
Because the confdb always operates synchronously, it maintains its
own private event context internally. The event context argument
passed to it is never used, so we'll remove it to avoid confusion.
|
|
|
|
|
|
After the recent changes we lost the capability to actually go offline.
Put back code that would mark the backend as offline when timeouts happen.
Make sure the enumeration code also obbeys the offline timeout, and
contributes in determining if we are offline or not.
|
|
This patch adds better options for
copying collections in flat mode.
It allows caller of the interface
to control prefixing of the fields
when one collection is appended to another.
It also avoids creating prefixes when the
collection is simply copied in flat mode.
Also for ELAPI I realized that the most efficient
way to deal with the "resolved" event
(event where all templeted values are actually replaced
with the real values) is to add a callback
capability to a copy collection function
so that the callback can be used to modify
the data (resolve it) while the copy operation
is in progress. This approach eliminates the need
for separate set of lookups after the event
is already copied.
|
|
|
|
|
|
This timeout specifies the lifetime of a cache entry before it is
updated out-of-band. When this timeout is hit, the request will
still complete from cache, but the SSSD will also go and update
the cached entry in the background to extend the life of the
cache entry and reduce the wait time of a future request.
|
|
getpwnam, getpwuid, getgrnam and getgrgid will now use a common
function, check_cache, for determining whether to return a cached
value or to go to the provider.
|
|
- remove unused PAM_LIBS from LDAP and Kerberos provider
- add OPENLDAP_LIBS to LDAP provider
|