Age | Commit message (Collapse) | Author | Files | Lines |
|
- return PAM_AUTHTOK_ERR instead of PAM_SYSTEM_ERR if the password
change operation fails
- send a message to the user if the system is offline and the password
cannot be changed
|
|
|
|
Older versions of openLDAP do not provide a connection callback. This
patch adds a configure check to see if the callback is available and
activates the old way of handling the file description of the LDAP
connection. This also means that it is not possible to follow referrals.
|
|
|
|
It can be overridden in the sssd.conf or on the commandline with
--debug-timestamps=0
|
|
|
|
|
|
|
|
The timeout handler was not a child of the request so it could fire even though
the request was already freed.
The code wouldn't use async writes to the children so it could incur in a short
write with no way to detect or recover from it.
Also fixed style of some helper functions to pass explicit paramters instead of
a general structure.
Add common code to do async writes to pipes.
Fixed async write issue for the krb5_child as well.
Fix also sdap_kinit_done(), a return statement was missing and we were mixing
SDAP_AUTH and errno return codes in state->result
Remove usless helper function that just replicates talloc_strndup()
|
|
If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we
generate a separate call to the sssd to validate the old password before
asking for a new password and sending the change password request.
|
|
The DEBUG level of the result should not be lower than the DEBUG
level of the request. It generates too much noise when enumerate
is enabled or initgroups deals with groups with large numbers of
users.
|
|
There were two problems with the code. We were using
fo_set_server_status() instead of fo_set_port_status() when we failed to
connect to a service. This is a problem because if two services use the
same server, or we want to use one server with two different ports,
marking the whole server as bad is incorrect. The other problem was that
be_resolve_server_done() was comparing the hostent structures -- these
are, however, equal across multiple server:port pairs with the same
server addresses.
Fixes: #321
|
|
There were two functions for parsing strings by a separator. This patch
consolidates on the one previously used in confdb. This also allows
stripping the tokens of whitespace.
Fixes: #319
|
|
Fixes: #294
|
|
|
|
When using GSSAPI we need a valid service ticket to talk to the LDAP
server. If the ticket is expired the LDAP client returns with 'Can't
contact LDAP server'. Currently we set the backend offline if this error
occurs although the server is still available. This patch checks if the
TGT is expired and tries to renew the credentials before going offline.
|
|
Search the local db to find the local DN using the original DN as search key.
This way we do not have to rely on weak and faulty heuristicts based on DN
names.
Add a few helper functions in the process and change the way we pass members to
sysdb_store_group_send(), instead of passing users and groups list, just add
member DNs to the other sysdb attrs.
|
|
|
|
|
|
Fixes: #296
|
|
To avoid blocking in a synchronous call, the TGT is saved in a separate
process
Fixes: #277
|
|
|
|
|
|
The retun values are still not directly used with ldap libraries that still do
their own name resolution, but this patch introduces a very basic framework to
have a multiple providers in one domain use and share a single failover
service if they want to.
|
|
When using high debug levels or valgrind the code maybe slow enough that these
timeouts were too strict.
|
|
This way we do not need to check for id ranges on every search.
|
|
With the previous code in domains with many users and enumeration enable we
would eventually end up making thousands of individual searches for entries in
the clean-up process.
Change the code to do a full enumeration before a cleanup so we do one single
big search to update all entries and only then search for entries to purge.
This also fixes the fact that the cleanup task was running at every enumeration
instead of running every "ldap_purge_cache_timeout" seconds.
|
|
|
|
|
|
|
|
|
|
When possible using a macro that correctly deals with tstate
|
|
The counter was not set so we were storing only the first user for each
anumeration.
|
|
The size of sdap_async.c was unmanageable.
This patch splits it into a generic file with common infrastructure calls,
a file that handles connection calls and a file for id related calls.
|
|
Split enum task in a separate file.
|
|
This code removes redundancies in the code.
both users and groups enumeration code use the same search generic search
function now.
Also the code to save users and groups have been unified across all callers.
|
|
This call was failing and was defective because it didn't properly handle the
various different schemas we support.
Now the function does 2 things:
- Updates the user entry to make sure it is still valid
- Retrieves every group the user is member of
|
|
This remove redundant code and also allows the generic search to be used to use
maps to convert attributes.
|
|
Also change the interface of sdap_save_user_send() so that it can be more
easily reused like it was done for sdap_save_group_send().
|
|
|
|
|
|
Also start adding some infrastructure to use the USN counter when available.
In particular add a place to add generic attrs mapping, ie attributes that are
neither user nor group specific.
|
|
|
|
Also fic sdap_get_generic_send() to be a bit more "generic" :-)
Also figs bugs within it.
This patch allow us 2 good things.
A) we check that the server effectively supports GSSAPI auth before we try to
use it.
B) against IPA it substantially cuts delays when the server is offline because
it uses a 5 second async timeout on the connection and doesn't try to do a
slow synchronous kinit+sasl_bind if the server is not even available.
|
|
Do not replicate every and each option we may want to set in ipa.
Just read out ldap and krb provider options (added reference in the manual too,
and removed mention of ipa specific timeout values, use ldap options for that)
Avoid calling auth module initialization twice, just pass the auth context to
the chpass module too.
Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be
used for both users and groups. the user and group search bases can still be set
separately if necessary but they are now optional and set to be identical to
SDAP_SEARCH_BASE if not explicitly specified in the configuration.
|
|
This patch uses a wrapper to kill the ldap connection when we are marked
offline. This also makes sure we do not try to reuse a bad connection handler
after a fatal error.
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
|
Nested groups weren't properly handled.
Add 2 pass strategy to update groups memberships
Stuff work as expected when enumeration is enabled now.
|
|
|
|
Go offline in case of hard errors too. It makes no sense to keep trying too
often when you have bad credentials for example.
Also delay starting the enumeration thread so that we finish initializations
first (bind to ldap is still a blocking operation and this may interfere with
clients/monitor registrations).
|