| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Per the discussion on sssd-devel list, nss_sss should not return a
hardcoded value but this should rather be configurable to allow whatever
the OS or distribution thinks is the best for the particular case.
Fixes: #266
|
|
|
|
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
|
This adds a new option (offline_credentials_expiration) to the
[PAM] section of the sssd.conf
If the user does not perform an online authentication within the
timeout (in days), they will be denied auth once the timeout
passes.
|
|
Create and populate user directories on useradd, delete them on userdel
Fixes: #212
|
|
In sssd only local is a native mpg domain, and it is forced.
All other providers will have to unroll mpg users into a user/group pair of
entries in the db. This allows the provider to automatically establish if
the remote server provides mpg users w/o possibily conflicting manual
configurations on the client trying to force an mpg behavior where none
is provided.
|
|
We have converted to using dhash in place of btreemap everywhere
in the code.
|
|
|
|
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
|
This converts a great many configuration options to the new
standard format.
|
|
The code was still dependent on it for the ldap driver.
Changed the driver code to depend on the schema type.
Fix defaults for user and groups trees.
ATM if you use the rfc2307bis schema you have to put users and groups
in 2 separate trees (what people does by default anyway.
If this limitation will turn to be too hard, we will change this later.
|
|
Because the confdb always operates synchronously, it maintains its
own private event context internally. The event context argument
passed to it is never used, so we'll remove it to avoid confusion.
|
|
The special persistent local database retains the original name.
All other backends now have their own cache-NAME.ldb file.
|
|
|
|
This patch updates the monitor_config_file() functions so that
they can monitor any number of files and invoke a specified
callback whenever they are modified.
When inotify is available, we will add an additional watch
descriptor to the inotify file descriptor.
When inotify is not available, the polling function will simply
loop to check each file in the monitor list.
When changes are discovered in resolv.conf, the monitor will send
a "resInit" signal to all of its known children. They are only
required to handle this function if they need updated DNS
information. Services that do not implement resInit should return
DBUS_ERROR_UNKNOWN_METHOD (rather than timing out) with no ill
effects.
|
|
1) Some text editors will create a new file and move it into place
on top of the existing file. When this happens, the kernel issues
an IN_IGNORE inotify event and automatically removes the watch
descriptor for that file. We'll handle the event and create a new
watch descriptor for the new file. We will attempt to rewatch the
file six times at five-second intervals.
2) Some scripts may append new data to the config file in several
steps (such as calling echo "foo" >> sssd.conf several times). In
order to handle these scripts safely, we'll defer processing of
inotify events for one second after the first is detected. This
should be ample time for the remainder of the script to complete.
|
|
Refactoring the confdb so that the setup code can be linked
separately from the access API. This is being done so that our
plugins do not need to link against the collection and ini_config
libraries.
|
|
|
|
Also convert all places where we were using custom code to parse
config arguments.
And fix a copy&paste error in nss_get_config
|
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
Change sysdb to always passwd sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
|
The SSSD now links with the ini_config and collection libraries
in the common directory.
The monitor will track changes to the /etc/sssd/sssd.conf file
using inotify on platforms that support it, or polled every 5
seconds on platforms that do not.
At startup or modification of the conf file, the monitor will
purge the existing confdb and reread it completely from the conf
file, to ensure that there are no lingering entries. It does this
in a transaction, so there should be no race condition with the
client services.
A new option has been added to the startup options for the SSSD.
It is now possible to specify an alternate config file with the
-c <file> at the command line.
|
|
To be able to correctly filter out duplicate names when multiple non-fully
qualified domains are in use we need to be able to specify the domains order.
This is now accomplished by the configuration paramets 'domains' in the
config/domains entry. 'domains' is a comma separated list of domain names.
This paramter allows also to have disbaled domains in the configuration without
requiring to completely delete them.
The domains list is now kept in a linked list of sss_domain_info objects.
The first domain is also the "default" domain.
|
|
Make confdb load a base ldif like sysdb to initialize the db,
makes it simpler to understand at first sight what is the default
configuration.
Make the parameter "command" optional. Derive the default command
from available information.
Make the debug level a global by default so that enabling debug for
all components is as easy as passing just -d X to the sssd binary.
|
|
|
|
Retrieve minID and maxID from domain configuration so that lower
and upper bounds can be set per domain.
Add function that keeps track of the next available id, increments
and returns it on requests, avoiding collisions with existing ids.
|
|
Avoid uninitialized memory messages in valgrind (in _btreemap_get_keys).
Do not free memory we just stored in the btree (in confdb_get_domains_list).
Streamline confdb_get_domains() and remove extra calls when we already have
all the information handy.
Do not store basedn in domain info, the base dn is always calculated out of
the domain name.
Remove the "provider" attribute, it was really used only to distinguish between
LOCAL and other domains, directly check for LOCAL as a special case instead.
|
|
The NSS provider, the Data Provider backends and the InfoPipe all
need access to the domain map provided by the confdb. Instead of
reimplimenting it in multiple places, it is now provided in a pair
of helper functions from the confdb.
confdb_get_domains() returns a domain map by reference. Always
returns the most up-to-date set of domains from the confdb.
confdb_get_domains_list() returns an array of strings of all the
domain names. Always returns the most up-to-date set of domains
from the confdb.
This patch also modifies the btreemap_get_keys() function to
better handle memory and report allocation failures.
|
|
dependencies based on the latest samba code.
Convert all references to the old events library to use the
renamed tevent library.
|
|
|
|
types of domains: modern and legacy
modern uses member/meberof, legacy uses memberUid for group
memberships.
Rework the proxy backend to use the legacy style as that's the
format the data comes in (trying to convert would require too
many transformations and increased the number of queries).
Add support for fetching groups in nss.
Add support for enumerating users and groups (requires to enable enumeration
in config) both in nss and in the proxy provider.
Remove confdb_get_domain_basedn() and substitute with generic calls in
the nss init function.
Store a domain structure in the btree not the basedn so that we can add
enumeration flags.
Also make sure NSS understand how to make multiple calls on
enumerations, also make passing the domian parameter always
mandatory, passing in domain=* is not valid anymore.
This work fixes also a few memory, degfault, and logic bugs
found while testing all nss functions (there are still some to
fix that are less critical and much harder to find yet).
|
|
throw away databases
Check version and init main db if empty
|
|
Changed the "section" feature of confdb.c to use '/'
as a delimiter instead of '.', because this conflicted
with the ability to use dots in domain names.
|
|
|
|
Add utility function in confdb
Make all component fetch the dbus socket from the confdb
|
|
Convert nss responder to use the confdb
|
