summaryrefslogtreecommitdiff
path: root/server/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2009-12-07Fix nested group membershipsSimo Sorce1-143/+129
Search the local db to find the local DN using the original DN as search key. This way we do not have to rely on weak and faulty heuristicts based on DN names. Add a few helper functions in the process and change the way we pass members to sysdb_store_group_send(), instead of passing users and groups list, just add member DNs to the other sysdb attrs.
2009-12-07Resolve nested groups also when rfc2307bis is usedSimo Sorce1-68/+2
2009-12-03Check LDAP structure before calling ldap_unbind_ext()Sumit Bose1-1/+3
2009-12-03Setup ldap child logging from IPA backendJakub Hrozek3-45/+47
Fixes: #296
2009-11-25Get TGT in a child process.Jakub Hrozek8-164/+1060
To avoid blocking in a synchronous call, the TGT is saved in a separate process Fixes: #277
2009-11-23Make backend request type a bitfieldStephen Gallagher1-1/+1
2009-11-23Add ldap_pwd_policy optionSumit Bose4-45/+92
2009-11-20Add initial failover support for ldap and ipaSimo Sorce9-17/+266
The retun values are still not directly used with ldap libraries that still do their own name resolution, but this patch introduces a very basic framework to have a multiple providers in one domain use and share a single failover service if they want to.
2009-11-20Raise some timeoutsSimo Sorce1-2/+2
When using high debug levels or valgrind the code maybe slow enough that these timeouts were too strict.
2009-11-20Filter by id range before actually storing entries.Simo Sorce1-0/+24
This way we do not need to check for id ranges on every search.
2009-11-20Better behavior on cleanupSimo Sorce4-20/+44
With the previous code in domains with many users and enumeration enable we would eventually end up making thousands of individual searches for entries in the clean-up process. Change the code to do a full enumeration before a cleanup so we do one single big search to update all entries and only then search for entries to purge. This also fixes the fact that the cleanup task was running at every enumeration instead of running every "ldap_purge_cache_timeout" seconds.
2009-11-18Store initgr expire time on initgr callSimo Sorce1-6/+17
2009-11-12Fix double free case.Simo Sorce1-1/+3
2009-11-12Try to fix offline loginsSimo Sorce1-12/+6
2009-11-10Add cleanup taskSimo Sorce6-155/+910
2009-11-09Fix tevent_req error checking.Simo Sorce6-117/+45
When possible using a macro that correctly deals with tstate
2009-11-09Fix enumerationsSimo Sorce1-2/+6
The counter was not set so we were storing only the first user for each anumeration.
2009-11-06Split async helpers in multiple filesSimo Sorce5-3285/+3383
The size of sdap_async.c was unmanageable. This patch splits it into a generic file with common infrastructure calls, a file that handles connection calls and a file for id related calls.
2009-11-06Reorganize ldap id provider filesSimo Sorce4-547/+583
Split enum task in a separate file.
2009-11-06Unify code to use the generic search interfaceSimo Sorce1-593/+473
This code removes redundancies in the code. both users and groups enumeration code use the same search generic search function now. Also the code to save users and groups have been unified across all callers.
2009-11-06Fix and enhance initgroups callSimo Sorce1-170/+637
This call was failing and was defective because it didn't properly handle the various different schemas we support. Now the function does 2 things: - Updates the user entry to make sure it is still valid - Retrieves every group the user is member of
2009-11-06Unify parse routines, use maps in generic searchesSimo Sorce4-130/+77
This remove redundant code and also allows the generic search to be used to use maps to convert attributes.
2009-11-06Store the original memberof attributes if anySimo Sorce1-7/+30
Also change the interface of sdap_save_user_send() so that it can be more easily reused like it was done for sdap_save_group_send().
2009-11-06Make useful function more broadly available.Simo Sorce3-30/+30
2009-11-05add replacements for missing Kerberos callsSumit Bose1-8/+8
2009-11-03Rename sdap_id_map to sdap_attr_mapSimo Sorce4-19/+55
Also start adding some infrastructure to use the USN counter when available. In particular add a place to add generic attrs mapping, ie attributes that are neither user nor group specific.
2009-10-30Fix segfault when SASL is not used at allSimo Sorce2-2/+4
2009-10-29Add support to get rootDSE from the LDAP server.Simo Sorce6-121/+398
Also fic sdap_get_generic_send() to be a bit more "generic" :-) Also figs bugs within it. This patch allow us 2 good things. A) we check that the server effectively supports GSSAPI auth before we try to use it. B) against IPA it substantially cuts delays when the server is offline because it uses a 5 second async timeout on the connection and doesn't try to do a slow synchronous kinit+sasl_bind if the server is not even available.
2009-10-29Tidy up ipa optionsSimo Sorce2-2/+29
Do not replicate every and each option we may want to set in ipa. Just read out ldap and krb provider options (added reference in the manual too, and removed mention of ipa specific timeout values, use ldap options for that) Avoid calling auth module initialization twice, just pass the auth context to the chpass module too. Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be used for both users and groups. the user and group search bases can still be set separately if necessary but they are now optional and set to be identical to SDAP_SEARCH_BASE if not explicitly specified in the configuration.
2009-10-28Kill the ldap connection when we go offlineSimo Sorce1-5/+16
This patch uses a wrapper to kill the ldap connection when we are marked offline. This also makes sure we do not try to reuse a bad connection handler after a fatal error.
2009-10-27Move responsibility for entry expiration timeoutSimo Sorce3-5/+11
The providers are now responsible for determining how long a cached entry is considered valid. The default is the same as before (600s)
2009-10-27Add proper support for IPA/AD schemasSimo Sorce4-202/+574
Nested groups weren't properly handled. Add 2 pass strategy to update groups memberships Stuff work as expected when enumeration is enabled now.
2009-10-27store original DN with cached group objects if availableSumit Bose1-0/+16
2009-10-22Better offline/enumeration behaviorSimo Sorce1-10/+12
Go offline in case of hard errors too. It makes no sense to keep trying too often when you have bad credentials for example. Also delay starting the enumeration thread so that we finish initializations first (bind to ldap is still a blocking operation and this may interfere with clients/monitor registrations).
2009-10-22added generic LDAP search sdap_get_generic_send/_recvSumit Bose4-0/+304
2009-10-16Always list inputs before outputsSimo Sorce1-8/+11
2009-10-16Move all ldap provider init functionsSimo Sorce5-145/+202
Put all init functions in their own file so that the other files can be reused in other providers w/o having them in the way.
2009-10-15Check for expired passwords in LDAP providerSumit Bose4-23/+425
2009-10-15Return the dp error from the providersSimo Sorce2-26/+47
2009-10-14Move ldap provider configuration into its own fileSimo Sorce6-189/+252
2009-10-14Make options parser available to all providersSimo Sorce6-294/+99
2009-10-14make sdap_id_connect_* independent of sdap_id_ctxSumit Bose3-180/+188
The sdap_id_connect_* request tries to bind to an LDAP server with the default credentials. Only the opts component of the sdap_id_ctx context is used. A new request sdap_cli_connect_* is created which expects only the opts pointer as parameter and not the whole context. This makes it reusable by other providers.
2009-10-13add a replacement if ldap_control_create is missingSumit Bose3-8/+7
2009-10-09Differentiate between search and network timeoutsSimo Sorce3-5/+7
Network timeouts are used in quick operations like bind. Search timeout is used for operations that can "legally" require more time. Change defaults to 6 and 60 seconds respectively.
2009-10-08add support for server side LDAP password policiesSumit Bose3-11/+125
- password policy request controls are send during bind and change password extended operation - the response control is evaluated to see if the password is expired or will expire, soon
2009-10-05remove redundant talloc_freeSumit Bose1-3/+0
- this patch should fix bug #213, a double free in the sdap timeout handler
2009-10-01Fix long timeout on ldap operationSimo Sorce2-5/+14
Always use the network timeout defined in the options. But raise defaults to 60 seconds or enumerations can easily fail.
2009-10-01Initial implementation of sasl bind supportSimo Sorce6-59/+488
Inits krb5 credentials, if sasl mech is GSSAPI. Tested with GSSAPI and host keytab as well as user credentials. Updates also manpages with the new options.
2009-09-25Let backend respond while fetching large resultsSimo Sorce1-2/+11
Timers always come before fd events, wait 5 microseconds between processing operations so that tevent has a chance of cactching an fd event in between. This allows the backend to reply to pings even while processing very large ldap results (importanty especially during the first enumeration).
2009-09-25add new config options ldap_tls_cacert and ldap_tls_cacertdirSumit Bose4-67/+72