Age | Commit message (Collapse) | Author | Files | Lines |
|
|
When a user from a domain served by the proxy backend changes his
password with passwd, the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming from the unprivileged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and move common code in data provider.
(the data provider should never include responder private headers)
|
|
Per discussion with the desktop team, using the org.freedesktop
interface name will simplify adoption, as potential users won't
feel like they're pulling in a FreeIPA dependency.
|
|
Also move responders under server/responder with shared code
in server/responder/common
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
types of domains: modern and legacy
modern uses member/memberof, legacy uses memberUid for group
memberships.
Rework the proxy backend to use the legacy style as that's the
format the data comes in (trying to convert would require too
many transformations and increased the number of queries).
Add support for fetching groups in nss.
Add support for enumerating users and groups (requires to enable enumeration
in config) both in nss and in the proxy provider.
Remove confdb_get_domain_basedn() and substitute with generic calls in
the nss init function.
Store a domain structure in the btree not the basedn so that we can add
enumeration flags.
Also make sure NSS understands how to make multiple calls on
enumerations, also make passing the domain parameter always
mandatory, passing in domain=* is not valid anymore.
This work fixes also a few memory, segfault, and logic bugs
found while testing all nss functions (there are still some to
fix that are less critical and much harder to find yet).
|
|
is not available immediately or drops the dbus connection.
First step is the nss connection to the data provider.
|
|
Add helper functions to connect to the data provider.
Add some plumbing to the ldap provider (still untested).
|
|
events.h -> tevent.h
|
|
:-)
|
|
and frontends (pam, nss, ... modules) can connect to.
|
|
same config option can be used for the nss service
|
|
Changing the default SBUS locations to be configure script parameters
|
|
|
initial connection to the monitor service within the child services. It will create the D-BUS connection to the monitor and configure the service to handle the mandatory getIdentity and ping methods.
|
|
To start the daemon now you need to pass the option -s monitor
Still have some problems communicating with children.
|
|
This currently breaks the daemon because of a problem with
destroying the monitor dbus server in the children after
fork()
|