Age | Commit message (Collapse) | Author | Files | Lines |
|
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
Change sysdb to always passwd sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
|
The same module may implement both types, but initializatrion will be
nonetheless performed separately, once for the identity module and once for the
authenticator module.
Also change the proxy module to retireve the pam target name from the domain
configuration so that it is possibile to create per-domain pam stacks.
With this modification it is actually possibile to use normal nss and pam
modules to perform a successful authentication (tested only with sudo so far)
Update exmples.
|
|
Makes LOCAL a normal backend removing some special handling.
Fix/Add id range filtering and name filtering
Filters uid=0 and gid=0 in the proxy backend as 0 is invalid within
sysdb and was causing getxxent calls to fail completely.
Fix nss_ncache_check_xxx calls to avoid dirtying the 'ret' variable and
causing some unwanted failures.
Change sysdb to always return the uid number when searching member entries so
that id range filtering can be perfomed also in group searhes (does not work
with legacy backends)
|
|
|
|
|
|
|
|
dependencies based on the latest samba code.
Convert all references to the old events library to use the
renamed tevent library.
|
|
Also move responders under server/responder with shared code
in server/responder/common
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
types of domains: modern and legacy
modern uses member/meberof, legacy uses memberUid for group
memberships.
Rework the proxy backend to use the legacy style as that's the
format the data comes in (trying to convert would require too
many transformations and increased the number of queries).
Add support for fetching groups in nss.
Add support for enumerating users and groups (requires to enable enumeration
in config) both in nss and in the proxy provider.
Remove confdb_get_domain_basedn() and substitute with generic calls in
the nss init function.
Store a domain structure in the btree not the basedn so that we can add
enumeration flags.
Also make sure NSS understand how to make multiple calls on
enumerations, also make passing the domian parameter always
mandatory, passing in domain=* is not valid anymore.
This work fixes also a few memory, degfault, and logic bugs
found while testing all nss functions (there are still some to
fix that are less critical and much harder to find yet).
|
|
|
|
use the same namespace (sysdb_posix_)
- no need to explicitly start a transaction if only one
operation is performed using a synchronous interface
- split _add_remove_ functions into separate functions,
don't let ldap madness creep into out interfaces
|
|
rename everything with the sysdb suffix.
|
|
|
|
libnss library through config directives on the domain object
|