Age | Commit message (Collapse) | Author | Files | Lines |
|
This adds a new option (offline_credentials_expiration) to the
[PAM] section of the sssd.conf
If the user does not perform an online authentication within the
timeout (in days), they will be denied auth once the timeout
passes.
|
|
First step generate ldap options from ipa options.
Add sssd-ipa man page too.
|
|
|
|
Turn the backend process into data provider servers
Make Frontends (pam, nss) directly attach to the backends
|
|
This converts a great many configuration options to the new
standard format.
|
|
- the client sends the PID as uint32_t and sssd will use uint32_t too
- fix a possible type issue where a uint32_t is sent as int32 in internal
dbus communication
|
|
|
|
Remove redundant reconnection code that was interfeering with the sbus
reconnection code.
Consolidate include files for sbus relates operations.
Make pamsrv code similar to nsssrv code.
|
|
Mirrors what we have done with the monitor.
|
|
|
|
|
|
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and mode common code in data provider.
(the data provider should never include responder private headers)
|
|
Per discussion with the desktop team, using the org.freedesktop
interface name will simplify adoption, as potential users won't
feel like they're pulling in a FreeIPA dependency.
|
|
Also move responders under server/responder with shared code
in server/responder/common
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
types of domains: modern and legacy
modern uses member/meberof, legacy uses memberUid for group
memberships.
Rework the proxy backend to use the legacy style as that's the
format the data comes in (trying to convert would require too
many transformations and increased the number of queries).
Add support for fetching groups in nss.
Add support for enumerating users and groups (requires to enable enumeration
in config) both in nss and in the proxy provider.
Remove confdb_get_domain_basedn() and substitute with generic calls in
the nss init function.
Store a domain structure in the btree not the basedn so that we can add
enumeration flags.
Also make sure NSS understand how to make multiple calls on
enumerations, also make passing the domian parameter always
mandatory, passing in domain=* is not valid anymore.
This work fixes also a few memory, degfault, and logic bugs
found while testing all nss functions (there are still some to
fix that are less critical and much harder to find yet).
|
|
|
|
|
|
is not available immediately or drops the dbus connection.
First step is the nss connection to the data provider.
|
|
Add helper functions to connect to the data provider.
Add some plumbing to the ldap provider (still untested).
|
|
events.h -> tevent.h
|
|
:-)
|
|
and frontends (pam, nss, ... modules) can connect to.
|
|
same config option can be used for the nss service
|
|
Changing the default SBUS locations to be configure script parameters
|
|
|
|
initial connection to the monitor service within the child services. It will create the D-BUS connection to the monitor and configure the service to handle the mandatory getIdentity and ping methods.
|
|
|
|
To start the dameon now you need to pass the option -s monitor
Still have some problems communicating with children.
|
|
This currently breacks the dameon because of a problem with
destroying the monitor dbus server in the children after
fork()
|