Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
To avoid blocking in a synchronous call, the TGT is saved in a separate
process
Fixes: #277
|
|
Moves several functions out of providers/krb5 hierarchy into a separate
module so it can be shared by the ldap child.
|
|
|
|
|
|
|
|
Unfortunately since we changed the defines to an enum the preprocessor test
stopped working.
Turn tests into runtime tests that will abort the process.
|
|
|
|
When I converted fill_grent to speed up enumerations I left out this check
by mistake.
|
|
|
|
Then name or IP adress of the KDC is written into the pubconf directory
into a file named kdcinfo.REALM. The locator plugin will then read this
file and pass the data to the kerberos libraries.
|
|
This adds a new boolean option to sss_dp_send_acct_req() called
fast_reply. If we make a request to the backends and we are
currently offline, this option will determine whether we should
immediately return from the cache (acceptable for NSS requests) or
potentially wait for an online check to complete (required for PAM
requests).
|
|
|
|
|
|
|
|
|
|
The retun values are still not directly used with ldap libraries that still do
their own name resolution, but this patch introduces a very basic framework to
have a multiple providers in one domain use and share a single failover
service if they want to.
|
|
When using high debug levels or valgrind the code maybe slow enough that these
timeouts were too strict.
|
|
This way we do not need to check for id ranges on every search.
|
|
This brings down the time needed to enumerate my group database
from 2.4 seconds to 0.15 seconds.
|
|
If you want to turn verbosity back on, just set the environment
variable CK_VERBOSITY=verbose
|
|
|
|
To support IPA DS to Kerberos password migration a seperate
authentication target is added. It calls the Kerberos authentication
target and in the case of a 'Preauthentication Error' the LDAP
authentication target. On success the Kerberos target is called again to
request the TGT.
|
|
Thanks to Marko Myllynen for spotting this.
|
|
- save current ccache file to sysdb
- use the saved ccache file if the user has running processes
- create an empty ccache if offline
- return enviroment variables if offline
|
|
In building the DN string we weren't correctly escaping the value of the RDN
component. This patches fixes that.
|
|
With the previous code in domains with many users and enumeration enable we
would eventually end up making thousands of individual searches for entries in
the clean-up process.
Change the code to do a full enumeration before a cleanup so we do one single
big search to update all entries and only then search for entries to purge.
This also fixes the fact that the cleanup task was running at every enumeration
instead of running every "ldap_purge_cache_timeout" seconds.
|
|
|
|
|
|
Incorporates changes we made to v2 after 0.6, or that were missed by the
original upgrade script:
* removes magic_private_groups option
* removes libPath option
* changes provider=files to provider=proxy proxy_lib_name=files
* changes store-legacy-passwords to store_legacy_passwords
|
|
* splitlist is a function
* shared SSSDConfigObject to reduce code duplication
* added missing exception class
* fixed some typos
* remove extra 'pass' in unittests
* use assertRaises in unittests
|
|
With this patch, SSSDConfigAPI is able to keep comments and ordering of
sections.
Fixes: #226
|
|
With this patch, the upgrade script we use for changing the config files
is able to keep ordering and comments.
Fixes: #249
|
|
Provides a convenient wrapper around ipachangeconf that is closer
API-wise to ConfigParser
|
|
|
|
After completing an upgrade successfully, we were still falling
into the "version not found" case. We should be exiting the
function after performing the upgrade.
|
|
Per the discussion on sssd-devel list, nss_sss should not return a
hardcoded value but this should rather be configurable to allow whatever
the OS or distribution thinks is the best for the particular case.
Fixes: #266
|
|
|
|
|
|
|
|
|
|
|
|
|
|
An initgroups call refreshes both the user and the user's groups, this is ideal
for pam so that we don't need addiotnal initgroups calls (initgroups calls are
cached too now) during the login process.
|
|
We were previously always ending up contacting the backend because we had no
way to know if an initgroups call for the same user had ever been called.
Add attribute to hold this information and rely on backends to update it.
If they don't we fallback to the previous behvior of asking the backend.
|
|
This slipped through in previous patches.
Fixes #283
|