| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
- password policy request controls are send during bind and change
password extended operation
- the response control is evaluated to see if the password is expired
or will expire, soon
|
|
- this patch should fix bug #213, a double free in the sdap timeout handler
|
|
Always use the network timeout defined in the options.
But raise defaults to 60 seconds or enumerations can easily fail.
|
|
Inits krb5 credentials, if sasl mech is GSSAPI.
Tested with GSSAPI and host keytab as well as user credentials.
Updates also manpages with the new options.
|
|
Timers always come before fd events, wait 5 microseconds between processing
operations so that tevent has a chance of cactching an fd event in between.
This allows the backend to reply to pings even while processing very large ldap
results (importanty especially during the first enumeration).
|
|
|
|
This converts a great many configuration options to the new
standard format.
|
|
|
|
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
|
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
|
Authentication against a LDAP server should always use an
encrypted connection. To acchive this the LDAP provider calls
ldap_start_tls which will fail if the connection is already
encrypted, e.g. if an ldaps tunnel is already established.
Because the error message from ldap_start_tls is not specific we
check the status with ldap_tls_inplace before calling ldap_start_tls.
|
|
This patch makes basic options multiype, the init function assigns
a type from the initialization array, and processes values fetched
from confdb accordingly.
4 types are supported so far: string, number, blob and boolean
Also convert defines into enums where appropriate.
Add fetch functions that check the requested type.
|
|
Add helpers functions to query/set the offline status per backend.
Now all providers share the same offline status.
|
|
The code was still dependent on it for the ldap driver.
Changed the driver code to depend on the schema type.
Fix defaults for user and groups trees.
ATM if you use the rfc2307bis schema you have to put users and groups
in 2 separate trees (what people does by default anyway.
If this limitation will turn to be too hard, we will change this later.
|
|
The request was being freed, instead of marking it done and let the callback
free it when done. This was causing us to access freed memory, when trying to
set the next run.
Let the callback add new runs and free the request instead as normally we would
do with any other tevent_req async call.
Courtesy of valgrind again.
|
|
By attaching the reply to a subreq, we ended up freeing the operations list
element before we used it to skip to the next one.
Do not steal the context and let the unlocking code free the old reply, when it
moves onto processing the next one.
Got this one with valgrind.
|
|
After the recent changes we lost the capability to actually go offline.
Put back code that would mark the backend as offline when timeouts happen.
Make sure the enumeration code also obbeys the offline timeout, and
contributes in determining if we are offline or not.
|
|
Make counter for used messages explicit.
|
|
Check if the timestamp argument of sdap_save_group_recv is NULL before
using it.
|
|
sdap_get_initgr_process() was using the wrong sdap_id_map struct
when creating the searchfilter for the initgroups() call.
|
|
If enumerations are disabled for this domain, then do not start the
enumeration task.
|
|
|
|
|
|
Always immediately return to DP, and update users/groups in the background.
Also implements an optimization to retrieve only changed/new users/groups
by filtering using the modifyTimestamp after the first query.
|
|
First pass to remove the legacy option and make it just a property of the
provider
|
|
|
|
|
|
Try as hard as possible to store as much data as we can.
|
|
- making the realm part upper case is now optional and done in the
LDAP backend
- using a username@realm UPN is now optional
|
|
If available the original DN and the user principle will be stored
in sysdb.
|
|
|
|
|
|
|
|
Retrieving ldap results and storing users could sometimes results in race
conditions where the final ldap result was retrieved before the store operations
where finished resulting in the operations to be aborted before termination.
Implement a serialization mechanism per operation.
|
|
|
|
The sdap_handle might be freed when processing a message.
Rearrange data flow so that the sdap_handle is never used after
a message is processed but a new event (dependent on the handle) is
instead scheduled. If the sdap_handle is freed, the scheduled event
is also removed and not fired
|
|
|
|
The way openldap libraries work, require to have a single engine per
connection as all replies are read at the same time. So we need to
always read anything that comes in from the wire and then loop to
dispatch results to the requests that are waiting.
|
|
|
|
|
|
This uses and exapands the async helpers.
|
|
|
|
This changes the style quite a lot, but the tevent_req style
is much more clear and much less error-prone than the giant
loop we had previously.
|
|
These functions use the tevent_req async model, where a pair
of _send/_recv functions pilot requests, with additional helpers
like _done functions, and where needed multiple stage helpers.
|
|
This is part of a set of patches to rewrite sysdb to a hopefully better
API, that will also let use use tevent_req async style calls to manipulate
our cache.
|
|
This sysdb_req has always really been a transaction handle and not
a request.
This is part of a set of patches to rewrite transaction support in sysdb to a
hopefully better API, that will also let use use tevent_req async style to
manipulate our cache.
|
|
|
|
In order to allow to access LDAP servers which do not provide SSL/TLS
encryption the option tls_reqcert is added to the native LDAP backend. It
accepts the same arguments as the corresponding OpenLDAP option documented in
ldap.conf(5) and should preform accordingly.
|
|
|
|
|
