| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Split enum task in a separate file.
|
|
This code removes redundancies in the code.
both users and groups enumeration code use the same search generic search
function now.
Also the code to save users and groups have been unified across all callers.
|
|
This call was failing and was defective because it didn't properly handle the
various different schemas we support.
Now the function does 2 things:
- Updates the user entry to make sure it is still valid
- Retrieves every group the user is member of
|
|
This remove redundant code and also allows the generic search to be used to use
maps to convert attributes.
|
|
Also change the interface of sdap_save_user_send() so that it can be more
easily reused like it was done for sdap_save_group_send().
|
|
|
|
|
|
Also start adding some infrastructure to use the USN counter when available.
In particular add a place to add generic attrs mapping, ie attributes that are
neither user nor group specific.
|
|
|
|
Also fic sdap_get_generic_send() to be a bit more "generic" :-)
Also figs bugs within it.
This patch allow us 2 good things.
A) we check that the server effectively supports GSSAPI auth before we try to
use it.
B) against IPA it substantially cuts delays when the server is offline because
it uses a 5 second async timeout on the connection and doesn't try to do a
slow synchronous kinit+sasl_bind if the server is not even available.
|
|
Do not replicate every and each option we may want to set in ipa.
Just read out ldap and krb provider options (added reference in the manual too,
and removed mention of ipa specific timeout values, use ldap options for that)
Avoid calling auth module initialization twice, just pass the auth context to
the chpass module too.
Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be
used for both users and groups. the user and group search bases can still be set
separately if necessary but they are now optional and set to be identical to
SDAP_SEARCH_BASE if not explicitly specified in the configuration.
|
|
This patch uses a wrapper to kill the ldap connection when we are marked
offline. This also makes sure we do not try to reuse a bad connection handler
after a fatal error.
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
|
Nested groups weren't properly handled.
Add 2 pass strategy to update groups memberships
Stuff work as expected when enumeration is enabled now.
|
|
|
|
Go offline in case of hard errors too. It makes no sense to keep trying too
often when you have bad credentials for example.
Also delay starting the enumeration thread so that we finish initializations
first (bind to ldap is still a blocking operation and this may interfere with
clients/monitor registrations).
|
|
|
|
|
|
Put all init functions in their own file so that the other files can be reused in
other providers w/o having them in the way.
|
|
|
|
|
|
|
|
|
|
The sdap_id_connect_* request tries to bind to an LDAP server with
the default credentials. Only the opts component of the sdap_id_ctx
context is used. A new request sdap_cli_connect_* is created which
expects only the opts pointer as parameter and not the whole context.
This makes it reusable by other providers.
|
|
|
|
Network timeouts are used in quick operations like bind.
Search timeout is used for operations that can "legally" require more time.
Change defaults to 6 and 60 seconds respectively.
|
|
- password policy request controls are send during bind and change
password extended operation
- the response control is evaluated to see if the password is expired
or will expire, soon
|
|
- this patch should fix bug #213, a double free in the sdap timeout handler
|
|
Always use the network timeout defined in the options.
But raise defaults to 60 seconds or enumerations can easily fail.
|
|
Inits krb5 credentials, if sasl mech is GSSAPI.
Tested with GSSAPI and host keytab as well as user credentials.
Updates also manpages with the new options.
|
|
Timers always come before fd events, wait 5 microseconds between processing
operations so that tevent has a chance of cactching an fd event in between.
This allows the backend to reply to pings even while processing very large ldap
results (importanty especially during the first enumeration).
|
|
|
|
This converts a great many configuration options to the new
standard format.
|
|
|
|
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
|
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
|
Authentication against a LDAP server should always use an
encrypted connection. To acchive this the LDAP provider calls
ldap_start_tls which will fail if the connection is already
encrypted, e.g. if an ldaps tunnel is already established.
Because the error message from ldap_start_tls is not specific we
check the status with ldap_tls_inplace before calling ldap_start_tls.
|
|
This patch makes basic options multiype, the init function assigns
a type from the initialization array, and processes values fetched
from confdb accordingly.
4 types are supported so far: string, number, blob and boolean
Also convert defines into enums where appropriate.
Add fetch functions that check the requested type.
|
|
Add helpers functions to query/set the offline status per backend.
Now all providers share the same offline status.
|
|
The code was still dependent on it for the ldap driver.
Changed the driver code to depend on the schema type.
Fix defaults for user and groups trees.
ATM if you use the rfc2307bis schema you have to put users and groups
in 2 separate trees (what people does by default anyway.
If this limitation will turn to be too hard, we will change this later.
|
|
The request was being freed, instead of marking it done and let the callback
free it when done. This was causing us to access freed memory, when trying to
set the next run.
Let the callback add new runs and free the request instead as normally we would
do with any other tevent_req async call.
Courtesy of valgrind again.
|
|
By attaching the reply to a subreq, we ended up freeing the operations list
element before we used it to skip to the next one.
Do not steal the context and let the unlocking code free the old reply, when it
moves onto processing the next one.
Got this one with valgrind.
|
|
After the recent changes we lost the capability to actually go offline.
Put back code that would mark the backend as offline when timeouts happen.
Make sure the enumeration code also obbeys the offline timeout, and
contributes in determining if we are offline or not.
|
|
Make counter for used messages explicit.
|
|
Check if the timestamp argument of sdap_save_group_recv is NULL before
using it.
|
|
sdap_get_initgr_process() was using the wrong sdap_id_map struct
when creating the searchfilter for the initgroups() call.
|
|
If enumerations are disabled for this domain, then do not start the
enumeration task.
|
|
|
|
|
|
Always immediately return to DP, and update users/groups in the background.
Also implements an optimization to retrieve only changed/new users/groups
by filtering using the modifyTimestamp after the first query.
|
