Age | Commit message | Author | Files | Lines
2012-11-20 | BUILD: Temporary workaround for Kerberos build | Stephen Gallagher | 1 | -2/+3
This patch extends the Kerberos version check to support Kerberos version 1.11 alpha and later. It is a temporary measure until we can redesign the configure checks for better granularity.
2012-11-19 | Disable canonicalization during password changes | Sumit Bose | 1 | -2/+43
If canonicalization is enabled, Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw', which causes a 'KDC reply did not match expectations' error. Additionally, the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes, as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility.
Fixes:
https://fedorahosted.org/sssd/ticket/1405
https://fedorahosted.org/sssd/ticket/1615
2012-11-19 | Fix compare_principal_realm() check | Sumit Bose | 2 | -9/+9
In case of a short UPN compare_principal_realm() erroneously returns an error.
2012-11-19 | Just use the service name with krb5_get_init_creds_password() | Sumit Bose | 1 | -24/+2
Currently we add the realm name to the change password principal, but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
2012-11-19 | LDAP: Make it possible to use full principal in ldap_sasl_authid again | Jakub Hrozek | 2 | -4/+21
2012-11-19 | LDAP: Checking the principal should not be considered fatal | Jakub Hrozek | 1 | -6/+10
The check is too restrictive, as select_principal_from_keytab can currently return something other than what the user requested. Consider that a user queries for host/myserver@EXAMPLE.COM; then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
2012-11-19 | LDAP: Provide a common sdap_set_sasl_options init function | Jakub Hrozek | 4 | -91/+95
The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
2012-11-19 | MAN: document the ldap_sasl_realm option | Jakub Hrozek | 1 | -0/+13
The option was completely undocumented.
2012-11-19 | Restart services with a delay in case they are restarted too often | Jakub Hrozek | 1 | -14/+59
In case a service is restarted while the DP is not ready yet, it gets restarted again immediately, which means the DP might still not be ready. The allowed number of restarts is then depleted quickly. This patch changes the restart mechanism such that the first restart happens immediately, the second is scheduled after 2 seconds, then 4 etc.
https://fedorahosted.org/sssd/ticket/1528
2012-11-19 | Handle conversion to fully qualified usernames | Simo Sorce | 3 | -1/+98
In subdomains we have to use fully qualified usernames. Unfortunately we have no other good option than simply removing caches for users of subdomains. This is because the memberof plugin does not support the rename operation.
2012-11-19 | Do not save HBAC rules in subdomain subtree | Sumit Bose | 3 | -16/+32
Currently the sysdb context is pointed to the subdomain subtree containing the user to be checked at the beginning of a HBAC request. As a result, all HBAC rules and related data are saved in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users, it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data, this patch does not change the default sysdb context but only creates a special context to look up subdomain users.
2012-11-19 | Refactor the way subdomain accounts are saved | Simo Sorce | 10 | -35/+167
The original sysdb code had a strong assumption that only users from one domain are saved in the database. With the subdomain feature we have changed reality, but have not adjusted all the code around the sysdb calls to not rely on the original assumption. One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should. In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and having group memberships or other name-based matching code mistake a domain user for a subdomain user or vice versa.
2012-11-19 | Simplify writing db update functions | Simo Sorce | 1 | -421/+192
Add functions to automate setting version numbers in the db, and also decrease chances of error in copying and pasting code, by setting the version number only once when we commence the upgrade.
2012-11-19 | LDAP: Refactor saving ghost users | Jakub Hrozek | 1 | -88/+99
2012-11-19 | LDAP: use the correct memory context | Jakub Hrozek | 1 | -1/+1
The element being reallocated is part of the "group_attrs" array, not attrs.
2012-11-19 | LDAP: Fix saving empty groups | Jakub Hrozek | 1 | -2/+4
https://fedorahosted.org/sssd/ticket/1647
A logic bug in the LDAP provider causes an attempt to allocate a zero-length array for group members while processing an empty group. The allocation would return NULL and saving the empty group would fail.
2012-11-19 | LDAP: Allocate the temporary context on NULL, not memctx | Jakub Hrozek | 1 | -1/+1
Allocating the temporary context on NULL helps find memory leaks with valgrind and avoids growing memory over time by allocating on a long-lived context.
2012-11-19 | SERVER: Check the return value of waitpid | Jakub Hrozek | 1 | -11/+27
We should at least print an error message and error out if waitpid() fails. https://fedorahosted.org/sssd/ticket/1651
2012-11-19 | Display more information on DB version mismatch | Ondrej Kos | 7 | -2/+70
https://fedorahosted.org/sssd/ticket/1589
Added a check for determining whether the database version is higher or lower than expected. To distinguish it from other errors it uses the following return values (further used for the appropriate error message):
EMEDIUMTYPE for a lower version than expected
EUCLEAN for a higher version than expected
When SSSD or one of its tools fails on a DB version mismatch, a new error message is shown suggesting how to proceed.
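As an added illustration of the check this commit describes (example code written for this page, not SSSD's own sysdb code): a comparison that maps a database version lower than expected to EMEDIUMTYPE and a higher one to EUCLEAN, so the caller can print a matching hint. It assumes the version string has the form MAJOR.MINOR, which is why the two parts are compared numerically rather than with strcmp(): "0.9" must sort below "0.10". The names sysdb_check_version() and sysdb_version_error_msg() and the two errno fallbacks are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux errno values used as distinct "version too low/high" codes;
   the fallbacks are only for platforms that lack them (assumption). */
#ifndef EMEDIUMTYPE
#define EMEDIUMTYPE 124
#endif
#ifndef EUCLEAN
#define EUCLEAN 117
#endif

/* Parse "MAJOR.MINOR" (e.g. "0.10") into two non-negative integers.
   Returns 0 on success, EINVAL on anything else (NULL, "1", "0.x", "1.2.3", "-1.0"). */
static int parse_version(const char *ver, long *major, long *minor)
{
    char *end;
    const char *minor_start;

    if (ver == NULL || *ver == '\0') return EINVAL;

    errno = 0;
    *major = strtol(ver, &end, 10);
    if (errno != 0 || end == ver || *end != '.' || *major < 0) return EINVAL;

    minor_start = end + 1;
    *minor = strtol(minor_start, &end, 10);
    if (errno != 0 || end == minor_start || *end != '\0' || *minor < 0) return EINVAL;

    return 0;
}

/* 0 when `found` equals `expected`, EMEDIUMTYPE when it is lower,
   EUCLEAN when it is higher, EINVAL when either string is malformed. */
int sysdb_check_version(const char *found, const char *expected)
{
    long fmaj, fmin, emaj, emin;

    if (parse_version(found, &fmaj, &fmin) != 0) return EINVAL;
    if (parse_version(expected, &emaj, &emin) != 0) return EINVAL;

    if (fmaj < emaj || (fmaj == emaj && fmin < emin)) return EMEDIUMTYPE;
    if (fmaj > emaj || (fmaj == emaj && fmin > emin)) return EUCLEAN;
    return 0;
}

/* Human-readable hint for the code returned by sysdb_check_version(). */
const char *sysdb_version_error_msg(int ret)
{
    switch (ret) {
    case 0:
        return "database version matches";
    case EMEDIUMTYPE:
        return "database version is lower than expected; "
               "the cache must be upgraded (by the service itself) before this tool can use it";
    case EUCLEAN:
        return "database version is higher than expected; "
               "the cache was written by a newer version, downgrade is not supported";
    default:
        return "database version string is malformed";
    }
}

int main(void)
{
    /* constructed sample: cache written by an older SSSD than the running one */
    int ret = sysdb_check_version("0.9", "0.10");
    printf("%d: %s\n", ret, sysdb_version_error_msg(ret));
    return 0;
}
```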
2012-11-19 | SUDO: Fix wrong variable check | Jakub Hrozek | 1 | -1/+1
https://fedorahosted.org/sssd/ticket/1650
2012-11-19 | LDAP: Remove double break | Jakub Hrozek | 1 | -1/+0
2012-11-19 | SYSDB: Remove unused macros | Jakub Hrozek | 1 | -15/+0
2012-11-18 | LDAP: Expire even non authenticated connections | Jakub Hrozek | 1 | -8/+11
The connection request was terminated before setting the expiry timeout in case no authentication was set.
https://fedorahosted.org/sssd/ticket/1649
2012-11-16 | Provide AM_COND_IF-compatible implementation for old automake systems | Jakub Hrozek | 1 | -0/+15
AM_COND_IF is a very handy construct that is not present on old automake systems such as the one in RHEL5. The original author of the code is Ralf Corsepius <rc040203 -at- freenet.de>
2012-11-16 | fix -O3 variable may be uninitialized warnings | Pavel Březina | 2 | -6/+6
2012-11-16 | MAN: quotation fix | Ondrej Kos | 1 | -1/+1
I noticed that the proxy in auth_provider section of sssd.conf manpage isn't quoted when all others are.
2012-11-15 | sudo: store rules with no sudoHost attribute | Pavel Březina | 1 | -0/+7
https://fedorahosted.org/sssd/ticket/1640
Normal rules require that the sudoHost attribute is present. But this attribute is not mandatory for a special rule named cn=defaults. This patch modifies the filter so that we store even rules that don't have the sudoHost attribute specified. SUDO will then decide whether it is allowed or not.
2012-11-15 | Add ignore_group_members option. | Paul B. Henson | 9 | -18/+64
https://fedorahosted.org/sssd/ticket/1376
2012-11-15 | SUDO: Remove unused variable | Stephen Gallagher | 1 | -1/+0
Eliminates a compiler warning
2012-11-14 | sudo: print how many rules we are refreshing or returning | Pavel Březina | 1 | -3/+4
2012-11-14 | sudo: do not send domain name with username | Pavel Březina | 5 | -22/+11
This caused troubles with subdomain users and it is not really necessary. This patch does not change the protocol itself, that should be done on the earliest possible occasion. Part of https://fedorahosted.org/sssd/ticket/1616
2012-11-14 | sudo: support users from subdomains | Pavel Březina | 4 | -60/+214
https://fedorahosted.org/sssd/ticket/1616
2012-11-14 | use tmp_ctx in sudosrv_get_sudorules_from_cache() | Pavel Březina | 1 | -8/+20
2012-11-14 | sudo: fix missing parameter in two debug messages | Pavel Březina | 1 | -3/+3
2012-11-14 | Run IPA subdomain provider if IPA ID provider is configured | Sumit Bose | 4 | -7/+101
To make configuration easier, the IPA subdomain provider should always be loaded if the IPA ID provider is configured and the subdomain provider is not explicitly disabled. But to avoid the overhead of regular subdomain requests in setups where no subdomains are used, the IPA subdomain provider should behave differently depending on whether it is configured explicitly or implicitly. If the IPA subdomain provider is configured explicitly, i.e. 'subdomains_provider = ipa' can be found in the domain section of sssd.conf, subdomain requests are always sent to the server if needed. If it is configured implicitly and a request to the server fails with an indication that the server currently does not support subdomains at all, e.g. is not configured to handle trust relationships, a new request will only be sent to the server after a long timeout or after a going-online event. To be able to make this distinction, this patch saves the configuration status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613
2012-11-14 | Always start PAC responder if IPA ID provider is configured | Sumit Bose | 3 | -0/+84
Since the PAC responder is used during the authentication of users from trusted realms it is started automatically if the IPA ID provider is configured for a domain to simplify the configuration. Fixes https://fedorahosted.org/sssd/ticket/1613
2012-11-14 | Add string_in_list() and add_string_to_list() with tests | Sumit Bose | 3 | -0/+152
string_in_list() and add_string_to_list() are two utilities for NULL-terminated string arrays. add_string_to_list() adds a new string to an existing list or creates a new one with the string as the only item if there is no list. string_in_list() checks if a given string is in the list. It can be used case-sensitively or case-insensitively.
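An added, self-contained version of the two utilities this commit describes, written for this page and not taken from SSSD: the real implementation allocates on a talloc context, while this one uses plain malloc() so it can be compiled on its own. The signatures, the helpers string_list_len(), free_string_list() and build_unique_list(), and the local case-insensitive compare are assumptions of the example; build_unique_list() shows the typical use, collecting names without storing "Admins" and "ADMINS" twice.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of entries in a NULL-terminated string array (0 for a NULL list). */
size_t string_list_len(char **list)
{
    size_t n = 0;
    if (list != NULL) while (list[n] != NULL) n++;
    return n;
}

/* Case-insensitive compare done locally so the example does not depend on
   POSIX strcasecmp() feature-test macros. */
static int compare_ci(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d != 0) return d;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) memcpy(copy, s, len);
    return copy;
}

/* True if `string` occurs in `list`, compared case-sensitively or not.
   A NULL list (or NULL string) never matches. */
bool string_in_list(const char *string, char **list, bool case_sensitive)
{
    if (string == NULL || list == NULL) return false;
    for (size_t i = 0; list[i] != NULL; i++) {
        int cmp = case_sensitive ? strcmp(string, list[i]) : compare_ci(string, list[i]);
        if (cmp == 0) return true;
    }
    return false;
}

/* Append a copy of `string` to *list, creating a one-element list when *list is
   NULL. Returns 0, EINVAL for NULL arguments, or ENOMEM. On ENOMEM the caller's
   list is still valid and NULL-terminated. */
int add_string_to_list(char ***list, const char *string)
{
    if (list == NULL || string == NULL) return EINVAL;
    size_t n = string_list_len(*list);
    char **grown = realloc(*list, (n + 2) * sizeof(char *));   /* realloc(NULL, ..) acts as malloc */
    if (grown == NULL) return ENOMEM;
    grown[n] = NULL;                  /* keep the array terminated while we fill it */
    *list = grown;
    grown[n] = dup_string(string);
    if (grown[n] == NULL) return ENOMEM;
    grown[n + 1] = NULL;
    return 0;
}

void free_string_list(char **list)
{
    if (list == NULL) return;
    for (size_t i = 0; list[i] != NULL; i++) free(list[i]);
    free(list);
}

/* Collect the distinct strings of `in` into a new list, where "distinct" is
   decided case-sensitively or case-insensitively. */
int build_unique_list(const char *const *in, size_t n, bool case_sensitive, char ***out)
{
    char **list = NULL;
    for (size_t i = 0; i < n; i++) {
        if (string_in_list(in[i], list, case_sensitive)) continue;
        int ret = add_string_to_list(&list, in[i]);
        if (ret != 0) { free_string_list(list); return ret; }
    }
    *out = list;
    return 0;
}

int main(void)
{
    /* constructed sample input: group names as a directory might return them */
    const char *const names[] = { "Admins", "users", "ADMINS", "Users", "wheel" };
    char **list = NULL;
    if (build_unique_list(names, 5, false, &list) != 0) return 1;
    for (size_t i = 0; list[i] != NULL; i++) printf("%s\n", list[i]);
    free_string_list(list);
    return 0;
}
```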
2012-11-13 | SYSDB: Do not touch the member attribute during conversion to ghost users | Jakub Hrozek | 1 | -11/+0
We attempted to delete the member attributes of groups that contained a particular user during the sysdb upgrade, but obviously, this cannot work for nested groups as the member attribute is present for direct parents only. As a result, we were getting failures during the upgrade. https://fedorahosted.org/sssd/ticket/1631
2012-11-13 | TESTS: Fix a couple of debug-level setters | Jakub Hrozek | 3 | -3/+3
2012-11-12 | Include the auth_utils.h header in the distribution | Jakub Hrozek | 1 | -0/+1
2012-11-12 | Only build extract_and_send_pac on platforms that support it | Jakub Hrozek | 4 | -104/+138
2012-11-12 | KRB5: Rename variable to avoid shadowing a global declaration | Jakub Hrozek | 1 | -4/+4
src/providers/krb5/krb5_utils.c: In function ‘cc_dir_create’:
src/providers/krb5/krb5_utils.c:824: warning: declaration of ‘dirname’ shadows a global declaration
/usr/include/libgen.h:27: warning: shadowed declaration is here
2012-11-12 | backend: add PAC to the list of known clients | Pavel Březina | 1 | -0/+2
2012-11-12 | subdomains: check request type in one place only | Pavel Březina | 1 | -6/+0
The check is now held only in ipa_get_subdomain_account_info_send().
2012-11-12 | Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails | Jakub Hrozek | 3 | -18/+56
2012-11-10 | Store the original group DN in the subdomain user object | Sumit Bose | 1 | -26/+58
For users of the local domain, the server-side DN of the groups the user is a member of is stored with the user object in the cache and used to improve performance, e.g. by the HBAC code. Since subdomain users should be handled by HBAC as well, the group DN is stored in the same way as for users of the local domain. This patch also adds code to remove the attribute from the user object if the user is removed from the group.
2012-11-10 | Get lists of GIDs to be added and deleted and use them | Sumit Bose | 1 | -3/+89
Currently the user was just added to all local groups which are given in the PAC. With this patch the user is added only to groups he is currently not a member of and deleted from groups which are not found in the PAC anymore.
2012-11-10 | Add pac_user_get_grp_info() to read current group memberships | Sumit Bose | 2 | -0/+107
To be able to efficiently store group memberships we need to know the current memberships of a user. sysdb_initgroups() is used to read the user entry together with all groups the user is a member of. Some of the group attributes are kept to avoid additional lookups and speed up further processing. Currently sysdb_initgroups() does not return the original DN of the group. Since it is needed to remove memberships later on, it is added to the list of requested attributes.
2012-11-10 | Add diff_gid_lists() with test | Sumit Bose | 3 | -2/+279
This patch adds a new call which compares a list of current GIDs with a list of new GIDs and returns a list of GIDs which are currently missing and must be added and another list of GIDs which are not used anymore and must be deleted. The method is the same as used by diff_string_lists().
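An added worked example for the two related commits above, the list diff itself and its use to add the user only to groups it is not yet in and to drop it from groups the PAC no longer lists. This is example code written for this page, not SSSD's diff_gid_lists(): it returns malloc()ed arrays instead of talloc ones, sorts copies of both inputs and merges them, which also collapses duplicate GIDs, and it treats a NULL current list with zero length (a user seen for the first time) as "add everything". The function names and the apply_group_changes() caller are assumptions of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

static int gid_cmp(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Sorted, de-duplicated copy of `in`. The +1 keeps malloc() away from a
   zero-size request, so an empty input still yields a non-NULL buffer. */
static gid_t *sorted_unique(const gid_t *in, size_t n, size_t *out_n)
{
    gid_t *copy = malloc((n + 1) * sizeof(gid_t));
    if (copy == NULL) return NULL;
    if (n > 0) memcpy(copy, in, n * sizeof(gid_t));
    qsort(copy, n, sizeof(gid_t), gid_cmp);
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (k == 0 || copy[k - 1] != copy[i]) copy[k++] = copy[i];
    *out_n = k;
    return copy;
}

/* Compare the user's current GIDs with the GIDs taken from the PAC.
   *add receives GIDs present only in `pac` (memberships to create),
   *del receives GIDs present only in `cur` (memberships to remove).
   Both outputs are malloc()ed and owned by the caller; returns 0 or ENOMEM. */
int diff_gid_lists(const gid_t *cur, size_t cur_n, const gid_t *pac, size_t pac_n,
                   gid_t **add, size_t *add_n, gid_t **del, size_t *del_n)
{
    size_t cn = 0, pn = 0;
    gid_t *c = sorted_unique(cur, cur_n, &cn);
    gid_t *p = sorted_unique(pac, pac_n, &pn);
    gid_t *a = malloc((pn + 1) * sizeof(gid_t));
    gid_t *d = malloc((cn + 1) * sizeof(gid_t));
    if (c == NULL || p == NULL || a == NULL || d == NULL) {
        free(c); free(p); free(a); free(d);
        return ENOMEM;
    }

    /* Single merge pass over the two sorted lists. */
    size_t i = 0, j = 0, na = 0, nd = 0;
    while (i < cn || j < pn) {
        if (j >= pn || (i < cn && c[i] < p[j]))   d[nd++] = c[i++];   /* only current: delete */
        else if (i >= cn || p[j] < c[i])           a[na++] = p[j++];   /* only in PAC: add */
        else                                       { i++; j++; }       /* in both: unchanged */
    }

    free(c); free(p);
    *add = a; *add_n = na;
    *del = d; *del_n = nd;
    return 0;
}

/* Caller pattern: touch only the memberships that actually changed.
   Returns the number of membership writes performed (adds + deletes). */
int apply_group_changes(const gid_t *cur, size_t cur_n, const gid_t *pac, size_t pac_n)
{
    gid_t *add, *del;
    size_t na, nd;
    if (diff_gid_lists(cur, cur_n, pac, pac_n, &add, &na, &del, &nd) != 0) return -1;
    for (size_t i = 0; i < na; i++) printf("add membership in gid %lu\n", (unsigned long)add[i]);
    for (size_t i = 0; i < nd; i++) printf("remove membership in gid %lu\n", (unsigned long)del[i]);
    free(add); free(del);
    return (int)(na + nd);
}

int main(void)
{
    /* constructed sample: cached memberships vs. the GIDs carried in a fresh PAC */
    gid_t cur[] = { 100, 200, 300 };
    gid_t pac[] = { 200, 400, 300, 400 };
    apply_group_changes(cur, 3, pac, 4);   /* add 400, remove 100 */
    return 0;
}
```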
2012-11-10 | Do not remove a group if it has members from subdomains | Sumit Bose | 1 | -4/+15
Currently it is only checked if an expired group still has members of the local domain. If not, the group is deleted from the cache. With this patch the whole cache, i.e. including subdomains, is searched for members.