summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2012-12-04Dereference after null check in sss_idmap_sid_to_unixMichal Zidek1-1/+5
https://fedorahosted.org/sssd/ticket/1684
2012-12-04NSS: Fix netgroup midpoint cache refreshJakub Hrozek3-3/+3
https://fedorahosted.org/sssd/ticket/1683 The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
2012-12-02warn user if password is about to expirePavel Březina1-3/+4
https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
2012-12-02IPA: Handle bad results from c-ares lookupStephen Gallagher1-1/+11
In some situations, the c-ares lookup can return NULL instead of a list of addresses. In this situation, we need to avoid dereferencing NULL. This patch adds a log message and sets the count to zero so it is handled appropriately below.
2012-12-02sudo: print message if old protocol is usedPavel Březina1-3/+15
2012-12-02avoid versioning libsss_sudoPavel Březina1-3/+4
2012-11-28Monitor quit when not exists no process no stopsAriel O. Barria1-1/+3
https://fedorahosted.org/sssd/ticket/1669
2012-11-28Null pointer dereferenced.Michal Zidek1-96/+100
https://fedorahosted.org/sssd/ticket/1674
2012-11-28Avoid const warnings when deallocating memorySimo Sorce1-1/+1
In some case we allocate and assign data to a const pointer. When we then try to free it we would get a const warning because talloc_free accepts a void, not a const void pointer. Use discard_const to avoid the warning, it is safe in this case.
2012-11-28Avoid duplicating macrosSimo Sorce1-4/+0
This macro is already available in util/util.h which is expicitly included in this file.
2012-11-28Revert "Avoid accessing half-deallocated memory when using talloc_zfree macro."Simo Sorce1-5/+1
This reverts commit ff57c6aeb80a52b1f52bd1dac9308a69dc7a4774. This commit doesn't really make sense, we are never accessing freed memory as all we are dealing with is a pointer which is never itsef part of the memory we are freeing (if it were, it would be an error in the caller and we shouldn't mask it in this macro).
2012-11-28idmap: Silence DEBUG messages when dealing with built-in SIDs.Michal Zidek6-80/+125
When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
2012-11-28Uninitialized pointer readMichal Zidek1-1/+1
https://fedorahosted.org/sssd/ticket/1673
2012-11-28sss_cache: Small refactor.Michal Zidek3-58/+72
The logic that checks if sssd_nss is running and then sends SIGHUP to monitor or removes the caches was moved to a function sss_memcache_clear_all() and made public in tools_util.h.
2012-11-26TESTS: Test ghosts users in the RFC2307 schemaJakub Hrozek1-0/+248
2012-11-26MEMBEROF: Do not add the ghost attribute to selfJakub Hrozek2-13/+87
When a nested group with ghost users is added, its ghost attribute should propagate within the nested group structure much like the memberuid attribute. Unlike the memberuid attribute, the ghost attribute is only semi-managed by the memberof plugin and added manually to the original entry. This bug caused LDB errors saying that attribute or value already exists when a group with a ghost user was added to the hierarchy as groups were updated with an attribute they already had.
2012-11-26debug: print fatal and critical errors if debug level is unresolvedMichal Zidek2-7/+4
If global variable debug_level has value SSSDBG_UNRESOLVED, we should print at least fatal and critical errors. https://fedorahosted.org/sssd/ticket/1345
2012-11-26Save errno before it might be modified.Simo Sorce1-8/+16
The DEBUG() macro may, at any time, change and start calling functions that touch errno. Save errno before logging and then return the saved error.
2012-11-23SYSDB: Don't operate with aliases same as nameOndrej Kos1-0/+6
fixes https://fedorahosted.org/sssd/ticket/1628 When user's alias is same as it's name, don't use it for searching in sysdb, and for deleting.
2012-11-23LDAP: fix uninitialized variableOndrej Kos1-1/+1
initialized variable, was causing build warning
2012-11-22Handle compiling FQDN regular expression with old pcre gracefullyJakub Hrozek1-0/+9
https://fedorahosted.org/sssd/ticket/1661
2012-11-22Fix errors reported by rpmlintJan Cholasta10-29/+19
2012-11-22Use systemd by default on Fedora 16+Jan Cholasta1-2/+60
https://fedorahosted.org/sssd/ticket/1437
2012-11-21MONITOR: Fix off-by-one error in add_string_to_listJakub Hrozek1-1/+4
We need to allocate num_services+2 - one extra space for the new service and one for NULL.
2012-11-20fix SIGSEGV in IPA provider when ldap_sasl_authid is not setPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1657 IPA_HOSTNAME is not stored in ipa_opts->id options so it the option was always NULL here. This caused SIGSEGV when accessed by strchr() in subsequent function.
2012-11-20LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek11-27/+91
https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
2012-11-20SYSDB: Use the add_string convenience functions for managing ghost user ↵Jakub Hrozek1-24/+9
attribute Using the convenience function instead of low-level ldb calls makes the code more compact and more readable.
2012-11-20BUILD: Temporary workaround for Kerberos buildStephen Gallagher1-2/+3
This patch extends the Kerberos version check to support Kerberos version 1.11 alpha and later. It is a temporary measure until we can redesign the configure checks for better granularity.
2012-11-19Disable canonicalization during password changesSumit Bose1-2/+43
If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615
2012-11-19Fix compare_principal_realm() checkSumit Bose2-9/+9
In case of a short UPN compare_principal_realm() erroneously returns an error.
2012-11-19Just use the service name with krb5_get_init_creds_password()Sumit Bose1-24/+2
Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
2012-11-19LDAP: Make it possible to use full principal in ldap_sasl_authid againJakub Hrozek2-4/+21
2012-11-19LDAP: Checking the principal should not be considered fatalJakub Hrozek1-6/+10
The check is too restrictive as the select_principal_from_keytab can return something else than user requested right now. Consider that user query for host/myserver@EXAMPLE.COM, then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
2012-11-19LDAP: Provide a common sdap_set_sasl_options init functionJakub Hrozek4-91/+95
The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
2012-11-19MAN: document the ldap_sasl_realm optionJakub Hrozek1-0/+13
The option was completely undocumented.
2012-11-19Restart services with a delay in case they are restarted too oftenJakub Hrozek1-14/+59
In case a service is restarted while the DP is not ready yet, it gets restarted again immediatelly, which means the DP might still not be ready. The allowed number of restarts is then depleted quickly. This patch changes the restart mechanism such that the first restart happens immediatelly, the second is scheduled after 2 second, then 4 etc.. https://fedorahosted.org/sssd/ticket/1528
2012-11-19Handle conversion to fully qualified usernamesSimo Sorce3-1/+98
In subdomains we have to use fully qualified usernames. Unfortunately we have no other good option than simply removing caches for users of subdomains. This is because the memberof plugin does not support the rename operation.
2012-11-19Do not save HBAC rules in subdomain subtreeSumit Bose3-16/+32
Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
2012-11-19Refactor the way subdomain accounts are savedSimo Sorce10-35/+167
The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
2012-11-19Simplify writing db update functionsSimo Sorce1-421/+192
Add functions to automate setting versions numbers in the db, also decrease chances of error in copying and pasting code, by setting the version number only once when we commence the upgrade.
2012-11-19LDAP: Refactor saving ghost usersJakub Hrozek1-88/+99
2012-11-19LDAP: use the correct memory contextJakub Hrozek1-1/+1
The element being reallocated is part of the "group_attrs" array, not attrs.
2012-11-19LDAP: Fix saving empty groupsJakub Hrozek1-2/+4
https://fedorahosted.org/sssd/ticket/1647 A logic bug in the LDAP provider causes an attempt to allocate a zero-length array for group members while processing an empty group. The allocation would return NULL and saving the empty group would fail.
2012-11-19LDAP: Allocate the temporary context on NULL, not memctxJakub Hrozek1-1/+1
Allocating temporary context on NULL helps vind memory leaks with valgrind and avoid growing memory over time by allocating on a long-lived context.
2012-11-19SERVER: Check the return value of waitpidJakub Hrozek1-11/+27
We should at least print an error message and error out if waitpid() fails. https://fedorahosted.org/sssd/ticket/1651
2012-11-19Display more information on DB version mismatchOndrej Kos7-2/+70
https://fedorahosted.org/sssd/ticket/1589 Added check for determining, whether database version is higher or lower than expected. To distinguish it from other errors it uses following retun values (further used for appropriate error message): EMEDIUMTYPE for lower version than expected EUCLEAN for higher version than expected When SSSD or one of it's tools fails on DB version mismatch, new error message is showed suggesting how to proceed.
2012-11-19SUDO: Fix wrong variable checkJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1650
2012-11-19LDAP: Remove double breakJakub Hrozek1-1/+0
2012-11-19SYSDB: Remove unused macrosJakub Hrozek1-15/+0
2012-11-18LDAP: Expire even non authenticated connectionsJakub Hrozek1-8/+11
The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649