| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The patch adds support for BE_REQ_BY_SECID and BE_REQ_USER_AND_GROUP to
the LDAP provider. Since the AD and the IPA provider use the same code
they support those request now as well.
Besides allowing that users and groups can be searched by the SID as
well the new request allows to search users and groups in one run, i.e.
if there is not user matching the search criteria groups are searched as
well.
|
|
To allow mapping of SIDs to names or POSIX IDs and back the related
attributes must be read from the FreeIPA directory server.
|
|
This patch add a basic check if the SID returned by the LDAP server is
in a string representation. If not it is assumed that a binary SID was
returned by the LDAP server which is converted into a string
representation which is returned to the caller.
|
|
Because we now always want to store SIDs in the IPA provider, we also need
to always initialize the ID mapping context.
|
|
realmd needs to be able to tag various domains with basic info
when it configures a domain.
|
|
It was mentioned in the manpages, but not accepted by the API
|
|
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
|
This patch remove unused functions sdap_parse_user and sdap_parse_group
|
|
The current PySequence_Check() also catches single strings with the
effect that the string is split into characters which are send as
arguments to SSSD individually.
With this patch only tuples and lists are treated as sequences.
|
|
SSSD 1.10 and later will no longer support RHEL 5, so we should be
using the native hash algorithm on the newer versions of RPM by
default.
|
|
Recommended way to create SRPM is to run make (prerelease-)srpm.
But in previous case make file have to be generated, therefore
configure script should not fail. (all sssd required dependencies have to be
installed)
Script make_srpm.sh can be runned without running configure, script can be
runned only from git repository.
https://fedorahosted.org/sssd/ticket/1927
|
|
|
|
https://fedorahosted.org/sssd/ticket/1785
nscd.conf file is now checked for the presence of caching settings for
databases controlled by SSSD. Syslog warning is now written only if NSCD
is running with interfering configuration or if configuration file
couldn't be loaded.
New configure option added to support non-standard locations
--with-nscd-conf=PATH (defaultly set to /etc/nscd.conf)
This is just a workaround until the following bugzilla is resolved:
https://bugzilla.redhat.com/show_bug.cgi?id=963908
|
|
Preparation for the following patch which will include the nscd.c in the
monitor code due to newly introduced function for checking the nscd
configuration file.
|
|
https://fedorahosted.org/sssd/ticket/1934
|
|
setup_child() was accepting a parameter it didn't use. Also the function
name was too generic, so I added a sdap prefix.
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
In function ad_subdomains_get_netlogon_done:
If variable "reply_count" is zero then variable "reply" will not be
initialized. Therefore we should not continue.
|
|
https://fedorahosted.org/sssd/ticket/1772
SAFEALIGN macros have been renamed in this patch to
make it easy to pick the right macro when data is copied
from byte buffer to a variable or vice versa.
The renamed macros are placed in new header file to
avoid code duplication (the old ones were defined in
two files, one for the client code and one for the rest
of sssd).
|
|
|
|
https://fedorahosted.org/sssd/ticket/1909
|
|
Added missing variable in DEBUG macro call.
|
|
Instead of continuing to use the initial upn if enterprise principals
are used if should always be replaced. The enterprise principal
is stored in the credential cache and without knowing it the
ccache_for_princ() calls to determine the location of the credential
cache will fail.
Fixes https://fedorahosted.org/sssd/ticket/1921
|
|
Header file selinux/selinux.h was removed in commit 245cc346 from file
ipa_selinux.c, because it breaks build without selinux. But new
error was introduced. This patch fixes compilation with selinux and include
header file selinux/selinux.h only if both macros
exist HAVE_SELINUX and HAVE_SELINUX_LOGIN_DIR.
Now ipa_selinux.c should be correctly built with and without selinux.
|
|
In commit 46222e5191473f9a46aec581273eb2eef22e23be we removed a very
similar DEBUG message while moving the whole piece of code to the idmap
library. But it turned out that the DEBUG message was useful while
testing the functionality, so this patch adds it back.
|
|
Compilation fail if ./configure is called with arguments
--with-selinux --with-semanage and selinux header files are not
installed. We didn't not catch this in fedora, because krb5-devel depends on
libselinux-devel, but other distribution can package it differently.
And API from selinux.h is not used in file ipa_selinux.c
|
|
https://fedorahosted.org/sssd/ticket/1905
https://fedorahosted.org/sssd/ticket/1914
This patch allows tuples as well as lists as input and adds support for
Unicode objects as input and always returns the results as Unicode
objects.
|
|
https://fedorahosted.org/sssd/ticket/1922
Since we always store the SID now, we need to always initialize the ID
mapping object in LDAP provider as well. Some users might want to
configure the LDAP provider with ID mapping, not the AD provider itself.
|
|
https://fedorahosted.org/sssd/ticket/1910
|
|
https://fedorahosted.org/sssd/ticket/1915
|
|
The tests_set_cwd() function was called twice in the dyndns unit test.
|
|
s/IPA/AD/
|
|
https://fedorahosted.org/sssd/ticket/1912
SUDO rules are stored under cn=ipa.domain,cn=sysdb tree but sobdomains
users are in cn=sub.domain,cn=sysdb. When we search for rules for
subdomain users we have to switch domain context to parent.
|
|
If sss_nss_getsidbyid() fails free() will try to work on an
uninitialized value.
|
|
|
|
|
|
Instead of appending @domain to names when the --domain option of sss_ssh_* is
used, put domain name in a separate field in client requests.
|
|
Try to parse names in the form user@domain first, as that's what sss_ssh_*
send in requests when the --domain option is used. Do not parse host names
using domain-specific regular expression.
|
|
This function allows initializing sss_names_ctx using a regular expression and
fully qualified format string specified in its arguments.
|
|
|
|
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when and known domain name is encountered I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of a LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes
https://fedorahosted.org/sssd/ticket/1468
|
|
|
|
|
|
|
|
If enterprise principals are enabled (which is the default in the AD
provider), then the returned UPN might be slightly different from
the one SSSD constructs before attempting the login. This patch makes
SSSD only check if the principal is the same when the enterprise
principals are disabled.
|
|
Because we now always store SIDs in the LDAP provider, we also need to
always initialize the ID mapping context even if ID mapping itself is
off.
|
|
https://fedorahosted.org/sssd/ticket/1504
Implements dynamic DNS updates for the AD provider. By default, the
updates also update the reverse zone and run periodically every 24
hours.
|
|
|
|
This options is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none.
|
|
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server.
|
