Age | Commit message (Collapse) | Author | Files | Lines |
|
We were not properly detecting that cmocka was unavailable. It was
expecting an empty value and getting "no" instead. This patch
corrects the expectation, so we will now skip building and running
cmocka tests on platforms that do not have it available.
Also, we were missing the cmocka header files in the distribution
tarball, so 'make distcheck' was failing.
|
|
|
|
|
|
This code adds a new range of error codes specific to SSSD,
It also provides helper functions to print out error defintions
like you can do with system error messages and the strerror() function.
The sss_strerror() function can accept both the new sssd errors and
system errno_t errors falling back to the system strerror() if the error
code provide is not a valid SSSD error code.
|
|
There is a large amount of duplicated code being linked into multiple
SSSD binaries. Instead of statically linking this code throughout the
SSSD, we should instead create private shared libraries for them and
drop this code on the system only once.
|
|
Fixes build with automake 1.13 or newer.
|
|
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque.
|
|
Need to split out the function or new additions to the handler funtion will not
allow simple access tests to compile anymore.
|
|
It was confusing to see the ldap provider own handler mixed with the generic
ldap access code used also by the ipa and ad providers.
So move the ldap provider handler code in its own file.
|
|
|
|
The tools query the responder in order to sync the memcache after
performing changes to the local database. The functions will be reused
by other tools so I split them into a separate functions.
|
|
The upcoming patches will link only users of this file with client libs,
so it's better to have it separate.
There is no functional change in this patch
|
|
Use the new authtok abstraction and interfaces throught the code.
|
|
These functions allow handling of auth tokens in a completely opaque way,
with clear semantics and accessor fucntions that guarantee consistency,
proper access to data and error conditions.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1659
|
|
There used to be an overlinked dependency that's gone now, so
to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS.
v2:
Fix sss_ssh_authorizedkeys linking as well.
|
|
|
|
|
|
|
|
If the authenticated user comes from a different realm the service
ticket which was returned during the validation of the TGT is used to
extract the PAC which is send to the pac responder for evaluation.
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1500
|
|
https://fedorahosted.org/sssd/ticket/1460
|
|
https://fedorahosted.org/sssd/ticket/734
We successfully detect when the server is reinitialized by testing
the new lastUSN value. The maximum USN values are set to zero, but
the current cache content remains.
This patch removes records that were deleted from the server.
It uses the following approach:
1. remove entryUSN attribute from all entries
2. run enumeration
3. remove records that doesn't have entryUSN attribute updated
We don't need to do this for sudo rules, they will be refreshed
automatically during next smart/full refresh, or when an expired rule
is deleted.
|
|
|
|
|
|
When new subdomains are discovered, the SSSD creates a file that
includes the domain-realm mappings. This file can in turn be included in
the krb5.conf using the includedir directive, such as:
includedir /var/lib/sss/pubconf/realm_mappings
|
|
|
|
|
|
|
|
|
|
|
|
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
|
|
|
|
This patch adds support for checking whether a user is expired or
disabled in AD.
|
|
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.
|
|
This will reduce code duplication between the krb5, ipa and ad
providers
|
|
We need to load host information during provider initialization.
Currently it loads only values from configuration files, but it is
implemented as an asynchrounous request as it will later try to
autodetect these settings (which will need to contact DNS).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|