summaryrefslogtreecommitdiff
path: root/server/providers/ipa
AgeCommit message (Collapse)AuthorFilesLines
2010-02-16Add test for number of options in IPA and LDAP backendsJakub Hrozek2-5/+5
2010-02-16Synchronize IPA and LDAP optionsJakub Hrozek1-2/+4
2010-02-12Don't pass a variable as format to talloc_asprintf()Martin Nagy1-1/+1
This practice is not recommended and can also be dangerous.
2009-12-17disable password migration codeSumit Bose1-2/+2
2009-12-10Consolidate code for splitting strings by separatorJakub Hrozek1-3/+2
There were two functions for parsing strings by a separator. This patch consolidates on the one previously used in confdb. This also allows stripping the tokens of whitespace. Fixes: #319
2009-12-07Add offline support for ipa_accessSumit Bose2-17/+134
2009-12-03Setup ldap child logging from IPA backendJakub Hrozek1-0/+7
Fixes: #296
2009-11-25Split helpers for child processesJakub Hrozek1-1/+2
Moves several functions out of providers/krb5 hierarchy into a separate module so it can be shared by the ldap child.
2009-11-25In IPA, the realm is always the domain uppercased.Simo Sorce1-2/+7
2009-11-25Fix internal options numbers testSimo Sorce1-12/+24
Unfortunately since we changed the defines to an enum the preprocessor test stopped working. Turn tests into runtime tests that will abort the process.
2009-11-23Read KDC info from file instead from environmentSumit Bose3-14/+34
Then name or IP adress of the KDC is written into the pubconf directory into a file named kdcinfo.REALM. The locator plugin will then read this file and pass the data to the kerberos libraries.
2009-11-20Add initial failover support for ldap and ipaSimo Sorce4-48/+183
The retun values are still not directly used with ldap libraries that still do their own name resolution, but this patch introduces a very basic framework to have a multiple providers in one domain use and share a single failover service if they want to.
2009-11-20Enhance check for remote hostsSumit Bose2-55/+97
2009-11-20Add ipa_authSumit Bose3-1/+347
To support IPA DS to Kerberos password migration a seperate authentication target is added. It calls the Kerberos authentication target and in the case of a 'Preauthentication Error' the LDAP authentication target. On success the Kerberos target is called again to request the TGT.
2009-11-20Validate Kerberos credentials with local keytabSumit Bose1-0/+2
2009-11-13Fix option name krb5_changepw_principalSumit Bose1-1/+1
2009-11-12Fix inconsistent use of krb5_ccname_templateSumit Bose1-1/+1
2009-11-12Add support for host, source host and user categorySumit Bose1-8/+54
This patch add support for the host, source host and user category 'all'. All other category values are ignored so far. With the patch the interpretation of an empty memberUser and empty sourceHost and externalHost is changed to 'not applicable'.
2009-11-10Add cleanup taskSimo Sorce1-1/+2
2009-11-10Add check for access-time rules to ipa_access.Sumit Bose3-0/+73
2009-11-09Fix tevent_req error checking.Simo Sorce1-18/+3
When possible using a macro that correctly deals with tstate
2009-11-09IPA time rules parsing routinesJakub Hrozek2-0/+1242
2009-11-07Fix buildSimo Sorce1-4/+8
2009-11-07added access module of IPA providerSumit Bose3-2/+1681
2009-11-03Rename sdap_id_map to sdap_attr_mapSimo Sorce1-2/+15
Also start adding some infrastructure to use the USN counter when available. In particular add a place to add generic attrs mapping, ie attributes that are neither user nor group specific.
2009-11-02set ipa_hostname if not given in config fileSumit Bose1-0/+20
2009-10-29Tidy up ipa optionsSimo Sorce3-149/+169
Do not replicate every and each option we may want to set in ipa. Just read out ldap and krb provider options (added reference in the manual too, and removed mention of ipa specific timeout values, use ldap options for that) Avoid calling auth module initialization twice, just pass the auth context to the chpass module too. Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be used for both users and groups. the user and group search bases can still be set separately if necessary but they are now optional and set to be identical to SDAP_SEARCH_BASE if not explicitly specified in the configuration.
2009-10-27Move responsibility for entry expiration timeoutSimo Sorce2-5/+5
The providers are now responsible for determining how long a cached entry is considered valid. The default is the same as before (600s)
2009-10-26Copy option overrides.Simo Sorce1-0/+26
We were not copying IPA named options to the ldap id options list. So the ldap_id provider was always using just the default settings.
2009-10-22Fix setting the schema in the ipa providerSimo Sorce1-0/+3
2009-10-22update ipa auth options to new option schemeSumit Bose3-110/+133
2009-10-20Start implementing ipa specific options.Simo Sorce3-5/+398
First step generate ldap options from ipa options. Add sssd-ipa man page too.
2009-10-16Add first basic IPA providerSimo Sorce1-0/+233