Age | Commit message (Collapse) | Author | Files | Lines |
|
Previously, the PAM responses could contain an arbitrary number of
arguments. This is not acceptable by the D-BUS protocol, as there
is no way to introspect it. This patch converts the response
objects to be an array of D-BUS structs.
It also fixes two potential memory leaks by not unref'ing the
reply object if we get an error.
|
|
Previously it was a string being passed and converted into an
integer. It will be more efficient this way (and simpler for other
implementers)
|
|
|
|
If the monitor receives SIGUSR1, it will instruct all providers to
enter offline operation. If any individual provider receives
SIGUSR1, it alone will enter offline operation.
|
|
|
|
|
|
Fixes: #378
|
|
|
|
If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we
generate a separate call to the sssd to validate the old password before
asking for a new password and sending the change password request.
|
|
This adds a new boolean option to sss_dp_send_acct_req() called
fast_reply. If we make a request to the backends and we are
currently offline, this option will determine whether we should
immediately return from the cache (acceptable for NSS requests) or
potentially wait for an online check to complete (required for PAM
requests).
|
|
The retun values are still not directly used with ldap libraries that still do
their own name resolution, but this patch introduces a very basic framework to
have a multiple providers in one domain use and share a single failover
service if they want to.
|
|
|
|
The 'Unable to load' debug message is now only shown when the backend
target is given explicitly in the config file. I the other case we
let the caller decided how to handle this error condition.
|
|
|
|
If auth_provider or access_provider is ont set explicitly id_provider is
used if it can handle auth or access control requests respectively. If
not auth defaults to 'none' and the access_provider is set to 'permit'.
The option 'deny' is added for the access_provider to explicitly deny
access.
|
|
- if chpass_provider is not given in the configuration file but an
auth_provider and the auth_provider can also handle change password
requests it is used as chpass_provider.
|
|
|
|
If a backend target is not configured the return code is changed
from PAM_SYSTEM_ERR to PAM_MODULE_UNKNOWN and an error message is
sent back to the client.
|
|
Turn the backend process into data provider servers
Make Frontends (pam, nss) directly attach to the backends
|
|
We have converted to using dhash in place of btreemap everywhere
in the code.
|
|
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
|
This converts a great many configuration options to the new
standard format.
|
|
Remove this provider type, as well as any references in the docs and
examples to the "LEGACYLOCAL" migration domain.
Fixes: #165
|
|
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
|
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
|
Add helpers functions to query/set the offline status per backend.
Now all providers share the same offline status.
|
|
The special persistent local database retains the original name.
All other backends now have their own cache-NAME.ldb file.
|
|
The data provider backends stored a name value besides the domain
name to identify themselves to the data provider. This was the name
of the id provider. Currently the backends can have different
providers for id, authentication etc. So the name may be missleading.
Also when there are more domains with the same id provider the name
is not enough to identify the backend but the domain name is. As a
consequence the backend name is removed completely and only the
domain name is used for identification.
|
|
Remove redundant reconnection code that was interfeering with the sbus
reconnection code.
Consolidate include files for sbus relates operations.
Make pamsrv code similar to nsssrv code.
|
|
This patch introduces provider=files as a valid provider.
Upon loading the backend, its properties in confdb are overwritten to
those that represent legacy local domain.
Also document this in sssd.conf(5) and example config
|
|
Mirrors what we have done with the monitor.
|
|
Let services identify themselves voiluntarily as the first operation
instead of polling from the monitor.
Also consolidate some common functions and make them available as monitor
helpers.
|
|
The child processes call prctl() and when their parent process is
killed, they are sent SIGTERM using prctl. This is currently
Linux-specific, for non-Linuxes, a similar effect is achieved by
catching a set of common termination signals and sending SIGTERM to the
process group.
|
|
Previously, we had hardcoded the paths for the NSS, PAM and
private PAM sockets to /var/lib/sss/pipes. With this patch, we
will specify the sockets with --with-pipe-path.
|
|
Make as much as possible static, and remove use of talloc_reference and
allocation/deallocation of memory when not necessary.
Fix also responder use of rctx->conn, was mistakenly used for both
monitor and dp connections.
|
|
This reduce code duplication as it allows to use one set of watch and timeout
functions, and at the same time also allow not to use a secondary structure just
to unify these functions.
|
|
Rationalize and rename connection names in preparatoin for merging of server and
connection structures.
|
|
Simplify code by removing stuff that is never used or redundant.
|
|
|
|
|
|
|
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
|
|
Change sysdb to always passwd sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
|
The same module may implement both types, but initializatrion will be
nonetheless performed separately, once for the identity module and once for the
authenticator module.
Also change the proxy module to retireve the pam target name from the domain
configuration so that it is possibile to create per-domain pam stacks.
With this modification it is actually possibile to use normal nss and pam
modules to perform a successful authentication (tested only with sudo so far)
Update exmples.
|
|
|
|
Now it can load from scratch default configuration that is valid for all
daemons.
First thing, make it possible for each daemon/provider to set its own debug
level in its configuration entry.
|
|
|
|
|
|
dependencies based on the latest samba code.
Convert all references to the old events library to use the
renamed tevent library.
|