| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Fixes https://fedorahosted.org/sssd/ticket/1694
|
|
This is used for the new calls back from the data provider.
|
|
This is needed in order to assure the memcache is properly and promptly
cleaned up if a user memberships change on login.
The list of the current groups for the user is sourced before it is
updated and sent to the NSS provider to verify if it has changed after
the update call has been made.
|
|
This set of functions enumerate the user's groups and invalidate them all
if the list does not matches what we get from the caller.
|
|
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches.
|
|
These functions can be called from the nss responder to invalidate
records that have ceased to exist or that need to be refreshed the
first time an application needs them.
|
|
There used to be an overlinked dependency that's gone now, so
to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS.
v2:
Fix sss_ssh_authorizedkeys linking as well.
|
|
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied.
|
|
In particular note that we merge ipa_account_info_netgroups_done()
and ipa_account_info_users_done() into a single fucntion called
ipa_account_info_done() that handles both cases
We also remove the auxiliary function ipa_account_info_complete() that
unnecessarily violates the tevent_req style and instead use a new function
named ipa_account_info_error_text() to generate error text.
|
|
Also do not intermix two tevent_req sequences
|
|
|
|
No functionality changes,
just make the code respect the tevent_req style and naming conventions
and enhance readability by adding some helper functions.
|
|
https://fedorahosted.org/sssd/ticket/1686
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1684
|
|
https://fedorahosted.org/sssd/ticket/1683
The result of the percent calculation was always 0 as it used plain
ints. The patch switches to using explicit floats to avoid reintroducing
the bug again even with brackets.
|
|
https://fedorahosted.org/sssd/ticket/1638
If pwd_exp_warning == 0, expiry warning should be printed if it is
returned by server.
If pwd_exp_warning > 0, expiry warning should be printed only if
the password will expire in time <= pwd_exp_warning.
ppolicy->expiry contains period in seconds after which the password
expires. Not the exact timestamp. Thus we should not add 'now' to
pwd_exp_warning.
|
|
In some situations, the c-ares lookup can return NULL instead of
a list of addresses. In this situation, we need to avoid
dereferencing NULL.
This patch adds a log message and sets the count to zero so it is
handled appropriately below.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1669
|
|
https://fedorahosted.org/sssd/ticket/1674
|
|
In some case we allocate and assign data to a const pointer.
When we then try to free it we would get a const warning because talloc_free
accepts a void, not a const void pointer. Use discard_const to avoid the
warning, it is safe in this case.
|
|
This macro is already available in util/util.h which is expicitly included
in this file.
|
|
This reverts commit ff57c6aeb80a52b1f52bd1dac9308a69dc7a4774.
This commit doesn't really make sense, we are never accessing freed
memory as all we are dealing with is a pointer which is never itsef
part of the memory we are freeing (if it were, it would be an error
in the caller and we shouldn't mask it in this macro).
|
|
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
|
|
https://fedorahosted.org/sssd/ticket/1673
|
|
The logic that checks if sssd_nss is running and then
sends SIGHUP to monitor or removes the caches was moved
to a function sss_memcache_clear_all() and made public in
tools_util.h.
|
|
|
|
When a nested group with ghost users is added, its ghost attribute should
propagate within the nested group structure much like the memberuid
attribute. Unlike the memberuid attribute, the ghost attribute is only
semi-managed by the memberof plugin and added manually to the original
entry.
This bug caused LDB errors saying that attribute or value already exists
when a group with a ghost user was added to the hierarchy as groups were
updated with an attribute they already had.
|
|
If global variable debug_level has value SSSDBG_UNRESOLVED, we should
print at least fatal and critical errors.
https://fedorahosted.org/sssd/ticket/1345
|
|
The DEBUG() macro may, at any time, change and start calling functions that
touch errno. Save errno before logging and then return the saved error.
|
|
fixes https://fedorahosted.org/sssd/ticket/1628
When user's alias is same as it's name, don't use it for searching in
sysdb, and for deleting.
|
|
initialized variable, was causing build warning
|
|
https://fedorahosted.org/sssd/ticket/1661
|
|
|
|
https://fedorahosted.org/sssd/ticket/1437
|
|
We need to allocate num_services+2 - one extra space for the new service
and one for NULL.
|
|
https://fedorahosted.org/sssd/ticket/1657
IPA_HOSTNAME is not stored in ipa_opts->id options so it the option
was always NULL here. This caused SIGSEGV when accessed by strchr()
in subsequent function.
|
|
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
|
attribute
Using the convenience function instead of low-level ldb calls makes the
code more compact and more readable.
|
|
This patch extends the Kerberos version check to support Kerberos
version 1.11 alpha and later. It is a temporary measure until we
can redesign the configure checks for better granularity.
|
|
If canonicalization is enabled Active Directory KDCs return
'krbtgt/AD.DOMAIN' as service name instead of the expected
'kadmin/changepw' which causes a 'KDC reply did not match expectations'
error.
Additionally the forwardable and proxiable flags are disabled, the
renewable lifetime is set to 0 and the lifetime of the ticket is set to
5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405
and also done by the kpasswd utility.
Fixes: https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615
|
|
In case of a short UPN compare_principal_realm() erroneously returns an
error.
|
|
Currently we add the realm name to change password principal but
according to the MIT Kerberos docs and the upstream usage the realm name
is just ignored.
Dropping the realm name also does not lead to confusion if the change
password request was received for a user of a trusted domain.
|
|
|
|
The check is too restrictive as the select_principal_from_keytab can
return something else than user requested right now.
Consider that user query for host/myserver@EXAMPLE.COM, then the
select_principal_from_keytab function will return "myserver" in primary and
"EXAMPLE.COM" in realm. So the caller needs to add logic to also break
down the principal to get rid of the host/ part. The heuristics would
simply get too complex.
select_principal_from_keytab will error out anyway if there's no
suitable principal at all.
|
|
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
|
The option was completely undocumented.
|
