Age | Commit message (Collapse) | Author | Files | Lines |
|
In order to allow to access LDAP servers which do not provide SSL/TLS
encryption the option tls_reqcert is added to the native LDAP backend. It
accepts the same arguments as the corresponding OpenLDAP option documented in
ldap.conf(5) and should perform accordingly.
|
|
This will blackout any request to the backend for 15 seconds, then
will allow again to retry.
|
|
Convert auth modules to do the caching themselves
|
|
- allow unspecified value in struct pam_data to be NULL
- check if domain structure is initialized in pam_reply
|
|
ldap backend
|
|
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming from the unprivileged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and move common code in data provider.
(the data provider should never include responder private headers)
|
|
Change sysdb to always pass sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
|
The same module may implement both types, but initialization will be
nonetheless performed separately, once for the identity module and once for the
authenticator module.
Also change the proxy module to retrieve the pam target name from the domain
configuration so that it is possible to create per-domain pam stacks.
With this modification it is actually possible to use normal nss and pam
modules to perform a successful authentication (tested only with sudo so far)
Update examples.
|
|
This became obsolete when we moved all functions to sysdb.
|
|
The ldap_ prefix should be considered reserved namespace for ldap libraries
Renaming all ldap_* internal stuff to sdap_, in some cases also move from
ldap_be_ to sdap_ as the reason for _be_ was just clearly a name space
conflict (ldap_be_init, etc..)
|
|
Makes LOCAL a normal backend removing some special handling.
Fix/Add id range filtering and name filtering
Filters uid=0 and gid=0 in the proxy backend as 0 is invalid within
sysdb and was causing getxxent calls to fail completely.
Fix nss_ncache_check_xxx calls to avoid dirtying the 'ret' variable and
causing some unwanted failures.
Change sysdb to always return the uid number when searching member entries so
that id range filtering can be performed also in group searches (does not work
with legacy backends)
|
|
Now it can load from scratch default configuration that is valid for all
daemons.
First thing, make it possible for each daemon/provider to set its own debug
level in its configuration entry.
|
|
Per discussion with the desktop team, using the org.freedesktop
interface name will simplify adoption, as potential users won't
feel like they're pulling in a FreeIPA dependency.
|
|
enable --without-tests
|
|
dependencies based on the latest samba code.
Convert all references to the old events library to use the
renamed tevent library.
|
|
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
Also move responders under server/responder with shared code
in server/responder/common
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
sbus_message_handler is not responsible anymore for sending
back data in any case.
Transfer this responsibility to the handler function called.
This way both synchronous and asynchronous functions use the
interface the same way and can properly free memory referenced
by the reply after the send buffer has been filled in and all
copies are done in sbus_conn_send_reply()
|
|
This reverts commit 13421cbe0af4343f9d110600755ffa756690b282.
Conflicts:
server/infopipe/infopipe.c
server/infopipe/infopipe.h
While this solution fixed the contingent memory problem it introduced
other problems in handling asynchronous replies.
Reverting in preparation for a different way to solve it.
Conflicts have been taken care of.
|
|
dbus_message_append_args() adds a reference to memory that is not
copied to the outgoing message until dbus_connection_send() is
called. Since we compile our reply messages in functions and then
return the reply, we need a mechanism for deleting allocated
memory after invoking dbus_connection_send. I have changed the
arguments to sbus_msg_handler_fn so that it takes a talloc ctx
containing the sbus_message_handler_ctx and a pointer to a reply
object. We can now allocate memory as a child of the reply context
and free it after calling dbus_connection_send.
|
|
types of domains: modern and legacy
modern uses member/memberof, legacy uses memberUid for group
memberships.
Rework the proxy backend to use the legacy style as that's the
format the data comes in (trying to convert would require too
many transformations and increased the number of queries).
Add support for fetching groups in nss.
Add support for enumerating users and groups (requires to enable enumeration
in config) both in nss and in the proxy provider.
Remove confdb_get_domain_basedn() and substitute with generic calls in
the nss init function.
Store a domain structure in the btree not the basedn so that we can add
enumeration flags.
Also make sure NSS understands how to make multiple calls on
enumerations, also make passing the domain parameter always
mandatory, passing in domain=* is not valid anymore.
This work fixes also a few memory, segfault, and logic bugs
found while testing all nss functions (there are still some to
fix that are less critical and much harder to find yet).
|
|
throw away databases
Check version and init main db if empty
|
|
use the same namespace (sysdb_posix_)
- no need to explicitly start a transaction if only one
operation is performed using a synchronous interface
- split _add_remove_ functions into separate functions,
don't let ldap madness creep into our interfaces
|
|
is not available immediately or drops the dbus connection.
First step is the nss connection to the data provider.
|
|
not pointers to values.
Check domain is never null (or dbus will abort).
|
|
able to call the reloadConfig DBUS method on any or all of its children to force them to reread their configuration from the confdb.
|
|
rename everything with the sysdb suffix.
|
|
It makes no sense to have internal attribute names user configurable,
remove that option and use macros internally.
Also now always pass the domain name to all nss_ldb_* calls.
|
|
libnss library through config directives on the domain object
|
|
I was finally able to get a getpwnam() request go through sssd,
hit the remote ldap server and get the answer back with
'getent passwd foo'
Yupiee!
|
|
and caches the result in LDAP.
Still chasing a bug that does not let NSS know that the BE was successful.
This makes NSS timeout the client and not return any results yet.
|
|
Add helper functions to connect to the data provider.
Add some plumbing to the ldap provider (still untested).
|
|