summaryrefslogtreecommitdiff
path: root/server/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2009-10-16Always list inputs before outputsSimo Sorce1-8/+11
2009-10-16Move all ldap provider init functionsSimo Sorce5-145/+202
Put all init functions in their own file so that the other files can be reused in other providers w/o having them in the way.
2009-10-15Check for expired passwords in LDAP providerSumit Bose4-23/+425
2009-10-15Return the dp error from the providersSimo Sorce2-26/+47
2009-10-14Move ldap provider configuration into its own fileSimo Sorce6-189/+252
2009-10-14Make options parser available to all providersSimo Sorce6-294/+99
2009-10-14make sdap_id_connect_* independent of sdap_id_ctxSumit Bose3-180/+188
The sdap_id_connect_* request tries to bind to an LDAP server with the default credentials. Only the opts component of the sdap_id_ctx context is used. A new request sdap_cli_connect_* is created which expects only the opts pointer as parameter and not the whole context. This makes it reusable by other providers.
2009-10-13add a replacement if ldap_control_create is missingSumit Bose3-8/+7
2009-10-09Differentiate between search and network timeoutsSimo Sorce3-5/+7
Network timeouts are used in quick operations like bind. Search timeout is used for operations that can "legally" require more time. Change defaults to 6 and 60 seconds respectively.
2009-10-08add support for server side LDAP password policiesSumit Bose3-11/+125
- password policy request controls are send during bind and change password extended operation - the response control is evaluated to see if the password is expired or will expire, soon
2009-10-05remove redundant talloc_freeSumit Bose1-3/+0
- this patch should fix bug #213, a double free in the sdap timeout handler
2009-10-01Fix long timeout on ldap operationSimo Sorce2-5/+14
Always use the network timeout defined in the options. But raise defaults to 60 seconds or enumerations can easily fail.
2009-10-01Initial implementation of sasl bind supportSimo Sorce6-59/+488
Inits krb5 credentials, if sasl mech is GSSAPI. Tested with GSSAPI and host keytab as well as user credentials. Updates also manpages with the new options.
2009-09-25Let backend respond while fetching large resultsSimo Sorce1-2/+11
Timers always come before fd events, wait 5 microseconds between processing operations so that tevent has a chance of cactching an fd event in between. This allows the backend to reply to pings even while processing very large ldap results (importanty especially during the first enumeration).
2009-09-25add new config options ldap_tls_cacert and ldap_tls_cacertdirSumit Bose4-67/+72
2009-09-25Upgrade confdb to version 2Stephen Gallagher1-58/+58
This converts a great many configuration options to the new standard format.
2009-09-23Fix copy&paste of wrong structureSimo Sorce1-2/+2
2009-09-23Revert "Use syslog for logging error conditions in SSSD"Stephen Gallagher3-38/+38
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d. Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made use of the SYSLOG_ERROR() macro, so those portions of that code also needed to be reverted.
2009-09-21Use syslog for logging error conditions in SSSDJakub Hrozek3-38/+38
This is just a band-aid until ELAPI is fully functional and ready to use.
2009-09-16Check if SSL/TLS handler is already in placeSumit Bose1-1/+8
Authentication against a LDAP server should always use an encrypted connection. To acchive this the LDAP provider calls ldap_start_tls which will fail if the connection is already encrypted, e.g. if an ldaps tunnel is already established. Because the error message from ldap_start_tls is not specific we check the status with ldap_tls_inplace before calling ldap_start_tls.
2009-09-14Turn ldap driver options into multitypeSimo Sorce6-194/+376
This patch makes basic options multiype, the init function assigns a type from the initialization array, and processes values fetched from confdb accordingly. 4 types are supported so far: string, number, blob and boolean Also convert defines into enums where appropriate. Add fetch functions that check the requested type.
2009-09-14Make the offline status backend-globalSimo Sorce2-55/+29
Add helpers functions to query/set the offline status per backend. Now all providers share the same offline status.
2009-09-11Complete the removal of "legacy" option.Simo Sorce3-24/+192
The code was still dependent on it for the ldap driver. Changed the driver code to depend on the schema type. Fix defaults for user and groups trees. ATM if you use the rfc2307bis schema you have to put users and groups in 2 separate trees (what people does by default anyway. If this limitation will turn to be too hard, we will change this later.
2009-09-11Fix ldap enumeration async taskSimo Sorce1-12/+16
The request was being freed, instead of marking it done and let the callback free it when done. This was causing us to access freed memory, when trying to set the next run. Let the callback add new runs and free the request instead as normally we would do with any other tevent_req async call. Courtesy of valgrind again.
2009-09-11Fix memory mishandling.Simo Sorce1-10/+7
By attaching the reply to a subreq, we ended up freeing the operations list element before we used it to skip to the next one. Do not steal the context and let the unlocking code free the old reply, when it moves onto processing the next one. Got this one with valgrind.
2009-09-10Fix Ldap id backend offline codeSimo Sorce2-14/+83
After the recent changes we lost the capability to actually go offline. Put back code that would mark the backend as offline when timeouts happen. Make sure the enumeration code also obbeys the offline timeout, and contributes in determining if we are offline or not.
2009-09-08Fix two possible uninitialized valuesSimo Sorce1-1/+1
Make counter for used messages explicit.
2009-09-03Avoid crash when timestamp is NULLRalf Haferkamp1-1/+3
Check if the timestamp argument of sdap_save_group_recv is NULL before using it.
2009-09-03Fix initgroups search filter when using rfc2307bisRalf Haferkamp1-2/+2
sdap_get_initgr_process() was using the wrong sdap_id_map struct when creating the searchfilter for the initgroups() call.
2009-09-02Honor enumerate option in ldap_idSimo Sorce1-6/+9
If enumerations are disabled for this domain, then do not start the enumeration task.
2009-08-28check if gid attribute is emptySumit Bose1-0/+6
2009-08-28fix internal order of ldap user mapping optionsSumit Bose1-4/+4
2009-08-27Make enumeration an independent taskSimo Sorce5-68/+693
Always immediately return to DP, and update users/groups in the background. Also implements an optimization to retrieve only changed/new users/groups by filtering using the modifyTimestamp after the first query.
2009-08-27Always save using member/memberOfSimo Sorce1-0/+5
First pass to remove the legacy option and make it just a property of the provider
2009-08-27Initial support for multiple schema typesSimo Sorce1-7/+39
2009-08-27Use the correct structure.Simo Sorce1-2/+2
2009-08-24Do not fail enumerations if a single store failsSimo Sorce1-40/+45
Try as hard as possible to store as much data as we can.
2009-08-24some UPN handling fixesSumit Bose3-5/+37
- making the realm part upper case is now optional and done in the LDAP backend - using a username@realm UPN is now optional
2009-08-21store additional LDAP attributesSumit Bose1-4/+45
If available the original DN and the user principle will be stored in sysdb.
2009-08-19enable usage of defaultBindDnSumit Bose5-9/+48
2009-08-10Do not fail enumerations because of range checksSimo Sorce1-3/+15
2009-08-05Consolidate tevent helpersJakub Hrozek1-17/+0
2009-08-04Fix race condition in sdap codeSimo Sorce2-83/+172
Retrieving ldap results and storing users could sometimes results in race conditions where the final ldap result was retrieved before the store operations where finished resulting in the operations to be aborted before termination. Implement a serialization mechanism per operation.
2009-08-03Fix search replies getting ignoredSimo Sorce1-14/+12
2009-07-24Fix race condition that was causing segfaultsSimo Sorce1-80/+136
The sdap_handle might be freed when processing a message. Rearrange data flow so that the sdap_handle is never used after a message is processed but a new event (dependent on the handle) is instead scheduled. If the sdap_handle is freed, the scheduled event is also removed and not fired
2009-07-21added LDAP change password backend targetSumit Bose3-2/+301
2009-07-20Rework the engine that deals with openldap librariesSimo Sorce3-497/+403
The way openldap libraries work, require to have a single engine per connection as all replies are read at the same time. So we need to always read anything that comes in from the wire and then loop to dispatch results to the requests that are waiting.
2009-07-20add infrastructure to handle new backend targetsSumit Bose2-9/+10
2009-07-10fixed the default value for tls_reqcertSumit Bose1-1/+1
2009-07-08Implement the ldap identity module.Simo Sorce5-709/+1173
This uses and exapands the async helpers.