| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This patch adds a utility called sss_groupshow that allows user to
print properties of a group in the local domain.
Fixes: #306
|
|
Some reformatting to stay within 79 char line length.
Better definition of server vs. machine usage in failover section.
|
|
We support installed access providers as well as permit and deny
|
|
|
|
If the domain heartbeat time was explicitly set in the
configuration to 0, we would enter a tight loop in the heartbeat
check and never answer requests from the child processes.
|
|
Fixes: #309
|
|
Mainly typo fixes and grammar updates.
Application of RH doc styles where appropriate.
|
|
To avoid blocking in a synchronous call, the TGT is saved in a separate
process
Fixes: #277
|
|
|
|
Thanks to Marko Myllynen for spotting this.
|
|
|
|
|
|
|
|
- use the correct private data for each PAM task
- make proxy_pam_target a mandatory option for auth, chpass and access
|
|
* do not mention the sbus_timeout parameter at all
* document the config_file_version parameter
* different wording for negative cache
|
|
|
|
Do not replicate every and each option we may want to set in ipa.
Just read out ldap and krb provider options (added reference in the manual too,
and removed mention of ipa specific timeout values, use ldap options for that)
Avoid calling auth module initialization twice, just pass the auth context to
the chpass module too.
Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be
used for both users and groups. the user and group search bases can still be set
separately if necessary but they are now optional and set to be identical to
SDAP_SEARCH_BASE if not explicitly specified in the configuration.
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
|
Also remove references to the DP service from the sssd.conf
manpages.
|
|
This adds a new option (offline_credentials_expiration) to the
[PAM] section of the sssd.conf
If the user does not perform an online authentication within the
timeout (in days), they will be denied auth once the timeout
passes.
|
|
Create and populate user directories on useradd, delete them on userdel
Fixes: #212
|
|
First step generate ldap options from ipa options.
Add sssd-ipa man page too.
|
|
If auth_provider or access_provider is ont set explicitly id_provider is
used if it can handle auth or access control requests respectively. If
not auth defaults to 'none' and the access_provider is set to 'permit'.
The option 'deny' is added for the access_provider to explicitly deny
access.
|
|
- if chpass_provider is not given in the configuration file but an
auth_provider and the auth_provider can also handle change password
requests it is used as chpass_provider.
|
|
In sssd only local is a native mpg domain, and it is forced.
All other providers will have to unroll mpg users into a user/group pair of
entries in the db. This allows the provider to automatically establish if
the remote server provides mpg users w/o possibily conflicting manual
configurations on the client trying to force an mpg behavior where none
is provided.
|
|
|
|
- add a hint to the man page about permissions on sssd.conf
- add a test if a symbolic link can be opened
|
|
Inits krb5 credentials, if sasl mech is GSSAPI.
Tested with GSSAPI and host keytab as well as user credentials.
Updates also manpages with the new options.
|
|
|
|
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
|
|
|
|
|
- make the build of the locator plugin optional
- added a man page for the locator plugin
- use krb5.h if krb5/krb5.h cannot be found
- added alternatives for missing functions
- set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version
is lesser than 1.0.0
|
|
|
|
Remove this provider type, as well as any references in the docs and
examples to the "LEGACYLOCAL" migration domain.
Fixes: #165
|
|
|
|
|
|
|
|
The configuration options krb5ccache_dir and krb5ccname_template
are added to the Kerberos provider to create the user's credential
caches the same way as pam_krb5 does. Due to the design of the sssd
and the supported ccache types of MIT Kerberos only files are
allowed.
|
|
|
|
Remove the "legacy" option from examples and man pages.
Legacy is is finally R.I.P
Add docs for ldapSchema in sssd-ldap man page.
|
|
Remove magicPrivateGroups since it's set automatically, use bool values
for enumerate.
Also add a notice about krb5 auth-module with a link to specialized
manpage to sssd.conf(5) similar to what we have for ldap auth-module.
Move both outside proxy domain description.
|
|
|
|
This timeout specifies the lifetime of a cache entry before it is
updated out-of-band. When this timeout is hit, the request will
still complete from cache, but the SSSD will also go and update
the cached entry in the background to extend the life of the
cache entry and reduce the wait time of a future request.
|
|
- older version of libpcre only support the Python syntax (?P<name>)
for named subpatterns
|
|
PCRE_DUPNAMES is a new feature of libpcre 7. It is used in sssd to
make the splitting of fully qualified user names more flexible.
|
|
- making the realm part upper case is now optional and done in the
LDAP backend
- using a username@realm UPN is now optional
|
|
Added man pages sections about user and group attribute mapping.
Added an example configuration to access an AD server.
|
|
- with the boolean option filterUsersInGroups it can be controlled
wether filtered users appear in groups or not.
- fixed an error which prevented the display of groups with filtered
members
- removed some tab indents
|
|
RHEL5 did not support Docbook 4.5, and we are not using
any 4.5 features.
|
