Age | Commit message (Collapse) | Author | Files | Lines |
|
Also add tests
|
|
The sdap_handle might be freed when processing a message.
Rearrange data flow so that the sdap_handle is never used after
a message is processed but a new event (dependent on the handle) is
instead scheduled. If the sdap_handle is freed, the scheduled event
is also removed and not fired
|
|
|
|
|
|
The way openldap libraries work, require to have a single engine per
connection as all replies are read at the same time. So we need to
always read anything that comes in from the wire and then loop to
dispatch results to the requests that are waiting.
|
|
|
|
|
|
|
|
|
|
This uses and exapands the async helpers.
|
|
|
|
This changes the style quite a lot, but the tevent_req style
is much more clear and much less error-prone than the giant
loop we had previously.
|
|
These functions use the tevent_req async model, where a pair
of _send/_recv functions pilot requests, with additional helpers
like _done functions, and where needed multiple stage helpers.
|
|
|
|
|
|
|
|
|
|
This is part of a set of patches to rewrite sysdb to a hopefully better
API, that will also let use use tevent_req async style calls to manipulate
our cache.
|
|
This sysdb_req has always really been a transaction handle and not
a request.
This is part of a set of patches to rewrite transaction support in sysdb to a
hopefully better API, that will also let use use tevent_req async style to
manipulate our cache.
|
|
|
|
|
|
The libPath should be constructed from the libName. There is no
benefit to specifying it separately.
|
|
|
|
|
|
The old function was not used anywhere, and this function uses better
semantics, including not using void ** which gives strict aliasing problems.
Also add a generic password destroy function
|
|
In order to allow to access LDAP servers which do not provide SSL/TLS
encryption the option tls_reqcert is added to the native LDAP backend. It
accepts the same arguments as the corresponding OpenLDAP option documented in
ldap.conf(5) and should preform accordingly.
|
|
|
|
|
|
This will blackout any request to the backend for 15 seconds, then
will allow again to retry.
|
|
Convert auth modules to do the caching themselves
|
|
|
|
|
|
- allow unspecified value in struct pam_data to be NULL
- check if domain structure is initialized in pam_reply
|
|
|
|
|
|
ldap backend
|
|
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
|
|
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and mode common code in data provider.
(the data provider should never include responder private headers)
|
|
Change sysdb to always passwd sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
|
The same module may implement both types, but initializatrion will be
nonetheless performed separately, once for the identity module and once for the
authenticator module.
Also change the proxy module to retireve the pam target name from the domain
configuration so that it is possibile to create per-domain pam stacks.
With this modification it is actually possibile to use normal nss and pam
modules to perform a successful authentication (tested only with sudo so far)
Update exmples.
|
|
This became obsolete when we moved all functions to sysdb.
|
|
The ldap_ prefix should be considered reserved namespace for ldap librraies
Renaming all ldap_* internal stuff to sdap_, in some cases also move from
ldap_be_ to sdap_ as the reason for _be_ was just clearly a name space
conflict (ldap_be_init, etc..)
|
|
Makes LOCAL a normal backend removing some special handling.
Fix/Add id range filtering and name filtering
Filters uid=0 and gid=0 in the proxy backend as 0 is invalid within
sysdb and was causing getxxent calls to fail completely.
Fix nss_ncache_check_xxx calls to avoid dirtying the 'ret' variable and
causing some unwanted failures.
Change sysdb to always return the uid number when searching member entries so
that id range filtering can be perfomed also in group searhes (does not work
with legacy backends)
|
|
|
|
Now it can load from scratch default configuration that is valid for all
daemons.
First thing, make it possible for each daemon/provider to set its own debug
level in its configuration entry.
|
|
|
|
Per discussion with the desktop team, using the org.freedesktop
interface name will simplify adoption, as potential users won't
feel like they're pulling in a FreeIPA dependency.
|
|
|