Age | Commit message | Author | Files | Lines |
|
The code for authentication against a cached password is moved from the
pam responder to a generic sysdb tevent request. The new code can be
used by other components of sssd to verify passwords on their own.
Tests for the sysdb_cache_password and sysdb_cache_auth request are
added and some unneeded or unused code and variables are removed.
|
|
Move the upgrade function first and check explicitly for the old ldb name.
Perform upgrades up to v02 first if necessary.
Then proceed as normal letting the normal init functions perform further
upgrades if necessary.
This now works also if there is no "local" provider in the current
configuration.
|
|
|
|
|
|
We were never filling the group attrs because of an inverse return check.
Plus fix a crash bug for using a pointer that is not a memory context.
|
|
|
|
This task allows us to rebuild memberuid and memberof attributes throughout the
database. This way we can upgrade from version 0.4 databases that didn't
generate and store memberuid.
The task can be invoked by adding a specially named entry to the ldb file.
The entry dn to use is: @MEMBEROF-REBUILD, the entry has no attributes and any
attribute is ignored at present.
The entry will not be stored in the database but will just trigger the task to
execute a rebuild of the memberof and memberuid attributes.
|
|
|
|
Search the local db to find the local DN using the original DN as search key.
This way we do not have to rely on weak and faulty heuristics based on DN
names.
Add a few helper functions in the process and change the way we pass members to
sysdb_store_group_send(), instead of passing users and groups list, just add
member DNs to the other sysdb attrs.
|
|
|
|
|
|
This allows for correctly reporting nested group members, while at the same
time not paying too high a price for calculating nested groups at runtime
every time a search is made.
|
|
|
|
This brings down the time needed to enumerate my group database
from 2.4 seconds to 0.15 seconds.
|
|
- save current ccache file to sysdb
- use the saved ccache file if the user has running processes
- create an empty ccache if offline
- return environment variables if offline
|
|
In building the DN string we weren't correctly escaping the value of the RDN
component. This patch fixes that.
|
|
After completing an upgrade successfully, we were still falling
into the "version not found" case. We should be exiting the
function after performing the upgrade.
|
|
We were previously always ending up contacting the backend because we had no
way to know if an initgroups call for the same user had ever been called.
Add attribute to hold this information and rely on backends to update it.
If they don't, we fall back to the previous behavior of asking the backend.
|
|
This slipped through in previous patches.
Fixes #283
|
|
|
|
|
|
Refactor user/group delete functions so that they can be used without a
transaction (they autostart an operation).
Add user and group search function where a subfilter can be specified.
|
|
When possible, use a macro that correctly deals with tstate.
|
|
|
|
Modifications to existing users/groups were setting metadata, but creation was
not. Fixes #259
|
|
sysdb_attrs has a lot of methods to add them but very little to get information
out. Start adding a way to retrieve a single valued attribute as a string.
|
|
|
|
|
|
Also start adding some infrastructure to use the USN counter when available.
In particular, add a place to add generic attrs mapping, i.e. attributes that are
neither user nor group specific.
|
|
|
|
|
|
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s).
|
|
If the pointer stays around, zero it when it is freed, so we do not risk
access to released memory in case of bugs.
|
|
Also fix some debug message levels
|
|
This adds a new option (offline_credentials_expiration) to the
[PAM] section of the sssd.conf
If the user does not perform an online authentication within the
timeout (in days), they will be denied auth once the timeout
passes.
|
|
|
|
In sssd only local is a native mpg domain, and it is forced.
All other providers will have to unroll mpg users into a user/group pair of
entries in the db. This allows the provider to automatically establish if
the remote server provides mpg users w/o possibly conflicting manual
configurations on the client trying to force an mpg behavior where none
is provided.
|
|
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
|
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
|
The code was still dependent on it for the ldap driver.
Changed the driver code to depend on the schema type.
Fix defaults for user and groups trees.
ATM if you use the rfc2307bis schema you have to put users and groups
in 2 separate trees (which people do by default anyway).
If this limitation turns out to be too hard, we will change this later.
|
|
The special persistent local database retains the original name.
All other backends now have their own cache-NAME.ldb file.
|
|
This patch reduces the time needed to enumerate groups of a midsized
domain from 12 seconds to 4.4 seconds.
Optimizes enumerations by doing only 2 ldb searches and some ordering
instead of a number of searches proportional to the number of groups.
|
|
|
|
Provides also an upgrade function.
|
|
First pass to remove the legacy option and make it just a property of the
provider
|
|
|
|
If available, the original DN and the user principal will be stored
in sysdb.
|
|
If there was no maxID set for a domain, the search filter to check
whether the UID was available would always return empty (because
no UIDs can be <= 0).
This patch changes the search filter if the maxID is unset so that
it has no upper limit.
|
|
|