summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2010-06-02Unify sdap and sysdb data handlingSumit Bose1-85/+104
2010-06-02Compare full service nameSumit Bose1-1/+2
2010-06-02Remove service groupsSumit Bose2-193/+7
Because the memberOf attribute is now set for the service objects we do not need to fetch the service groups separately anymore.
2010-06-02Use new schema for HBAC service checksSumit Bose2-21/+641
2010-06-02Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()Sumit Bose1-23/+12
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs structure if the requested element does not exist. Recent versions of libldb do not accept empty elements when writing new objects to disk. sysdb_attrs_get_string_array() does not create an empty element but returns ENOENT.
2010-06-02Add sysdb_attrs_get_string_array()Sumit Bose2-0/+35
2010-06-02Fix typo in MakefileStephen Gallagher1-1/+1
Caused the kerberos provider to not use the kernel keyring
2010-05-27Check ipaEnabledFlagSumit Bose1-5/+23
2010-05-27Remove signal event if child was terminated by a signalSumit Bose2-6/+29
2010-05-27Fix check if LDAP id provider is already initializedSumit Bose1-1/+1
2010-05-27Reset run_online_cb flag even if there are no callbacksSumit Bose1-8/+10
2010-05-27Add ldap_access_filter optionStephen Gallagher15-4/+621
This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
2010-05-27Add offline callback to disconnect global SDAP handleSumit Bose4-1/+24
2010-05-27Add krb5 SIGTERM handler to ipa auth providerSumit Bose1-0/+6
2010-05-27Refactor krb5 SIGTERM handler installationSumit Bose3-14/+39
2010-05-27Krb5 locator plugin returns KRB5_PLUGIN_NO_HANDLESumit Bose1-6/+6
To allow a fallback to the setting in krb5.conf the locator plugin returns KRB5_PLUGIN_NO_HANDLE in nearly all error conditions. Only if the call back fails the error code of the callback is returned.
2010-05-27Add callback to remove krb5 info files when going offlineSumit Bose6-40/+163
2010-05-27Add run_callbacks flagSumit Bose2-2/+25
2010-05-27Refactor krb5_finalize()Sumit Bose1-12/+27
2010-05-27Add offline callbacksSumit Bose3-1/+32
2010-05-27Refactor data provider callbacksSumit Bose4-142/+188
2010-05-27Revert "Create kdcinfo and kpasswdinfo file at startup"Sumit Bose3-50/+1
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
2010-05-27Support password changes in chpass_provider = proxyStephen Gallagher1-5/+73
We were not passing the old authtok to the pam_chauthtok() function, causing it to return PAM_AUTH_ERR.
2010-05-27Proxy provider PAM handling in child processStephen Gallagher4-138/+1539
This patch adds a new tevent_req to the proxy provider, which will spawn short-lived child processes to handle PAM requests. These processes then call the proxied PAM stack and return the results via SBUS method reply. Once it is returned, the parent process kills the child. There is a maximum of ten child processes running simultaneously, after which requests will be queued for sending once a child slot frees up. The maximum processes will be made configurable at a later date (as this would violate string freeze).
2010-05-27Copy pam data from DBus messageSumit Bose3-54/+75
Instead of just using references to the pam data inside of the DBus message the data is copied. New the DBus message can be freed at any time and the pam data is part of the memory hierarchy. Additionally it is possible to overwrite the authentication tokens in the DBus message, because it is not used elsewhere.
2010-05-27Fix error reporting for be_pam_handlerStephen Gallagher1-1/+1
2010-05-27Make data provider id_callback publicStephen Gallagher2-2/+3
2010-05-27Move parse_args() to utilSumit Bose3-100/+101
2010-05-26Fix handling of ccache file when going offlineSumit Bose2-32/+76
The ccache file was removed too early if system is offline but the backend was not already marked offline. Now we remove the ccache file only if the successfully got a new one and it is not the same as the old one.
2010-05-26Add support for delayed kinit if offlineSumit Bose23-34/+593
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
2010-05-26Handle Krb5 password expiration warningSumit Bose4-176/+213
2010-05-26Try all servers during Kerberos authJakub Hrozek1-23/+104
The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline.
2010-05-24Display name of PAM action in pam_print_data()Stephen Gallagher1-1/+23
2010-05-23Do not modify IPA_DOMAIN when setting Kerberos realmSumit Bose1-6/+20
2010-05-21Remove bash-isms from configure macrosPetter Reinholdtsen3-14/+14
2010-05-21Copy-edit and format review sssd.confDavid O'Brien1-18/+27
Updated EntryCache*Timeout to the correct values. Fixed one missed EntryCacheTimeout Added notes about perf hit of using enumeration.
2010-05-20Revert "Copy pam data from DBus message"Stephen Gallagher3-75/+54
This reverts commit 2faf73eef14d66aeb345ffa38d0f53670fa8a9a1.
2010-05-20Add enumerate details to the manpage and examplesStephen Gallagher2-3/+21
2010-05-20Copy pam data from DBus messageSumit Bose3-54/+75
Instead of just using references to the pam data inside of the DBus message the data is copied. New the DBus message can be freed at any time and the pam data is part of the memory hierarchy. Additionally it is possible to overwrite the authentication tokens in the DBus message, because it is not used elsewhere.
2010-05-20Defer sbus_dispatch() for 30ms during reconnectSumit Bose1-1/+2
2010-05-20Add a better error message for TLS failuresStephen Gallagher1-3/+32
2010-05-18Update pt translationRui Gouveia1-8/+8
2010-05-17Adding support for explicit 32/64 types (attempt 2).Dmitri Pal5-5/+400
This is a reworked patch to add support for explicit 32 and 64 bit values in the config files.
2010-05-16Add ldap_krb5_ticket_lifetime optionSumit Bose12-13/+57
2010-05-16Allow Debian/Ubuntu build to pass --install-layout=deb to setup.pyPetter Reinholdtsen2-4/+13
2010-05-16Don't report a fatal error for an HBAC denialStephen Gallagher1-1/+1
2010-05-16Add dynamic DNS updates to FreeIPAStephen Gallagher14-14/+716
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-16Properly set up SIGCHLD handlersStephen Gallagher6-46/+116
Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
2010-05-16New version of IPA auth and password migrationSumit Bose4-199/+400
The current version modified some global structures to be able to use Kerberos and LDAP authentication during the IPA password migration. This new version only uses tevent requests. Additionally the ipaMigrationEnabled attribute is read from the IPA server to see if password migration is allowed or not.
2010-05-16Make Kerberos authentication a tevent_reqSumit Bose2-215/+345
To allow other providers to include Kerberos authentication the main part is put into a tevent request.
generated by cgit (git 2.34.1) at 2024-11-17 08:01:35 +0000