Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allows us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often.
|
|
Instead of exporting internal structures, expose an initilizer function
like the autofs code and initialize everything inside the
ipa_subdomains.c file.
|
|
This will be used later for setting domain_realm mappings in krb5.conf
|
|
I am all for readable names, but there is a tradeof between expressing purpose
and compactness.
|
|
Something like this:
sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb;
really is not readable, and we always discourage using obfuscated C, please
refrain in future.
|
|
|
|
The debuf message was trying to print the number of returned entries, but no
integer was provided.
Return ENOENT as the error for when there are no entries, not EINVAL.
|
|
|
|
|
|
|
|
|
|
Declaring a bunch of structures as const and then wrapping all uses in
discard_const_p() is a bit silly. Remove all these useless decorations.
|
|
Rename the structure to use a standard name prefix so it is properly
name-spaced, in preparation for changing the structure itself.
|
|
|
|
|
|
The SSSD subpackages were not calling ldconfig even though they contain
shared libraries.
|
|
|
|
This patch adds support for new config option ad_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
|
This patch adds support for new config option ipa_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
|
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches.
|
|
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch.
|
|
|
|
This patch adds support for the primary server functionality into AD
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
This patch adds support for the primary server functionality into LDAP
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
This patch adds support for the primary server functionality
into krb5 provider. No backup servers are added at the moment,
just the basic support is in place.
|
|
This patch adds support for the primary server functionality into IPA
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
This patch adds support for marking existing connections as being
disconnected. Each such connection can't be used for new queries and a
new one has to be created instead if necessary. This will ensure that
pending operations will end gracefully during reconnection. Also all new
queries to the server we are reconnecting to will use another (probably
newly created) connection.
|
|
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
|
This patch adds two support functions for adding reconnection callbacks
and invoking such callbacks. The concept of reconnection is simple: stop
using current connection for for new queries to the server without
actually going offline.
|
|
Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data
type of sasl_minssf from int to ber_len_t. Unfortunately, default
value of ldap_sasl_minssf is -1 but ber_len_t is defined as
unsigned long. This made SASL mechanism inoperative.
|
|
The host record will be fetched if HBAC is used as access provider since
the record is already downloaded and it can be trusted to be valid.
|
|
If HBAC is active, SELinux code will reuse them instead of downloading
them from the server again.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1420
sudoHost attribute may contain hostname or fqdn of the machine.
Sudo itself supports only one hostname and its fqdn - the one that
is returned by gethostbyname().
This patch implements autoconfiguration of hostname and fqdn if
it has not been set manually by ldap_sudo_hostnames option.
|
|
https://fedorahosted.org/sssd/ticket/1418
|
|
|
|
|
|
|
|
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.
|
|
|
|
In case of error the request wasn't freed and the callback just ended.
|
|
The counter is important so the for cycle doesn't depend on the first
NULL pointer. That would cause potential errors if more records are
following after this first NULL pointer.
|
|
Translate manually memberHost and memberUser to originalMemberUser and
originalMemberHost. Without this, the HBAC rule won't be matched against
current user and/or host, meaning that no SELinux user map connected to
it will be matched againts any user on the system.
|
|
This function is no longer necessary since sysdb interface for copying
elements has been implemented.
|
|
|
|
SSH utilities were included in see also section even if SSSD is
built without SSH support.
|
|
https://fedorahosted.org/sssd/ticket/1368
|
|
This patch adds the possibility for user/host category attributes to
have more than one value. It also fixes semantically wrong evaluation of
SELinux map priority.
|
|
|