Age | Commit message (Collapse) | Author | Files | Lines |
|
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when and known domain name is encountered I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of a LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes
https://fedorahosted.org/sssd/ticket/1468
|
|
https://fedorahosted.org/sssd/ticket/1504
Implements dynamic DNS updates for the AD provider. By default, the
updates also update the reverse zone and run periodically every 24
hours.
|
|
This new options adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records.
|
|
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning.
|
|
Provides two new layers instead of the previous IPA specific layer:
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its
purpose it to make it possible for any back end to use dynamic DNS
updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
connection.
Also converts the dyndns code to new specific error codes.
|
|
To allow to use libsss_nss_idmap from python applications, e.g. the
FreeIPA server, the patch adds pythin bindings to libsss_nss_idmap. The
contributed spec file will place the python bindings in a new package
called libsss_nss_idmap-python.
Alexander Bokovoy <abokovoy@redhat.com> kindly provided the code to
check the type of the python objects and loop over the list entries.
|
|
This patch add a library for client side lookups for a SID or with a
SID through the calls:
- sss_nss_getsidbyname
- sss_nss_getsidbyid
- sss_nss_getnamebysid
- sss_nss_getidbysid
The library is called libsss_nss_idmap and the contributed spec file
will create two new packages libsss_nss_idmap and
libsss_nss_idmap-devel.
|
|
The patch adds 4 new calls to the NSS responder:
- SSS_NSS_GETSIDBYNAME
- SSS_NSS_GETSIDBYID
- SSS_NSS_GETNAMEBYSID
- SSS_NSS_GETIDBYSID
to either return the SIDs of the requested object or map the SID to the
name or the POSIX ID of the related object.
|
|
This patch added auto configuration SUDO with ipa provider and compat tree.
https://fedorahosted.org/sssd/ticket/1733
|
|
tests_set_cwd is used and relativepath calculation method is changed and is made general based on
basedir.
|
|
This allows the nss responder to use libsss_idmap to convert between
different SID representations.
|
|
https://fedorahosted.org/sssd/ticket/1032
|
|
Calculation of range for domains is moved from
sdap_idmap code to sss_idmap code. Some refactoring
have been done to allow this move.
https://fedorahosted.org/sssd/ticket/1844
|
|
https://fedorahosted.org/sssd/ticket/1786
Since we need to support the old interface as well, the configure scritp
is modified and correct ini interface is chosen.
|
|
In SSSD, we use dlopen() and dlsym() in two files
src/providers/data_provider_be.c and src/providers/proxy/proxy_init.c.
Hence we should explicitly link with -ldl also in simple_access-tests.
SSSD can be compiled with two crypto libraries nss or libcrypto. NSS has
dependency nspr which depends on "libdl and libpthread" This is a reason why
compilation of test did not fail even if -ldl was not explicitly added to
simple_access_tests_LDADD. But libcrypto doesn't depend on libdl, so in
this case compilation of tests will not be successful.
Upstream nspr 4.9 has two ways have to obtain metainformation about
libraries
pkg-config and own script nspr-config. First one doesn't list "-ldl"
"-lpthread" but second one lists both "-ldl" "-lpthread"
That's also why the Ubuntu maintainer found this bug -- Fedora has got
patched version of nspr, but Debian (Ubuntu) doesn't
|
|
* Remove check-specific failure reporting from common_check.c
* Check-specific abstraction over memleak checks
* Rename common_check.c to leak_check.c
|
|
https://fedorahosted.org/sssd/ticket/1032
|
|
https://fedorahosted.org/sssd/ticket/1032
This plugin mimics the current behaviour.
If discovery_domain is set it is the only domain that is tried.
If discovery_domain is not set, we try to autodetect domain first
and if that fails or SRV lookup on this domain fails, we fallback
to SSSD domain name.
|
|
https://fedorahosted.org/sssd/ticket/1032
Introduces two new error codes:
- ERR_SRV_NOT_FOUND
- ERR_SRV_LOOKUP_ERROR
Since id_provider is authoritative in case of SRV plugin choise,
ability to override the selected pluging during runtime is not
desirable. We rely on the fact that id_provider is initialized
before all other providers, thus the plugin is set correctly.
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1784
|
|
Some of the tests (such as the sysdb tests) are highly I/O limited.
By running them on a ramdisk, we can significantly speed up the
test runs when doing a distcheck or RPM build.
https://fedorahosted.org/sssd/ticket/1840
|
|
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX
|
|
Adding missing dependencies for linker. Missing dependency was
introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a
in changed file src/sss_client/nss_mc_common.c
All function declaration for io.c was moved from util.h to separate file io.h,
https://fedorahosted.org/sssd/ticket/1838
|
|
Header file "providers.h" is not included in any other
file and function "dp_process_init" declared in this header file
has no implementation.
Header file protos.h is not also included in any other file and even
hole content is commented out.
|
|
Functions open_cloexec and openat_cloexec were renamed with prefix
"sss_" and moved to separete file. Replacing duplicated code of
function sss_open_cloexec everywhere in the source code.
https://fedorahosted.org/sssd/ticket/1794
|
|
|
|
We were not properly detecting that cmocka was unavailable. It was
expecting an empty value and getting "no" instead. This patch
corrects the expectation, so we will now skip building and running
cmocka tests on platforms that do not have it available.
Also, we were missing the cmocka header files in the distribution
tarball, so 'make distcheck' was failing.
|
|
|
|
|
|
This code adds a new range of error codes specific to SSSD,
It also provides helper functions to print out error defintions
like you can do with system error messages and the strerror() function.
The sss_strerror() function can accept both the new sssd errors and
system errno_t errors falling back to the system strerror() if the error
code provide is not a valid SSSD error code.
|
|
There is a large amount of duplicated code being linked into multiple
SSSD binaries. Instead of statically linking this code throughout the
SSSD, we should instead create private shared libraries for them and
drop this code on the system only once.
|
|
Fixes build with automake 1.13 or newer.
|
|
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque.
|
|
Need to split out the function or new additions to the handler funtion will not
allow simple access tests to compile anymore.
|
|
It was confusing to see the ldap provider own handler mixed with the generic
ldap access code used also by the ipa and ad providers.
So move the ldap provider handler code in its own file.
|
|
|
|
The tools query the responder in order to sync the memcache after
performing changes to the local database. The functions will be reused
by other tools so I split them into a separate functions.
|
|
The upcoming patches will link only users of this file with client libs,
so it's better to have it separate.
There is no functional change in this patch
|
|
Use the new authtok abstraction and interfaces throught the code.
|
|
These functions allow handling of auth tokens in a completely opaque way,
with clear semantics and accessor fucntions that guarantee consistency,
proper access to data and error conditions.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1659
|
|
There used to be an overlinked dependency that's gone now, so
to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS.
v2:
Fix sss_ssh_authorizedkeys linking as well.
|
|
|