Age | Commit message (Collapse) | Author | Files | Lines |
|
We will allow 5s per DNS server, no retries.
|
|
Fixes: #378
|
|
Fixes CVE-2010-0014
|
|
|
|
|
|
The timeout handler was not a child of the request so it could fire even though
the request was already freed.
The code wouldn't use async writes to the children so it could incur in a short
write with no way to detect or recover from it.
Also fixed style of some helper functions to pass explicit paramters instead of
a general structure.
Add common code to do async writes to pipes.
Fixed async write issue for the krb5_child as well.
Fix also sdap_kinit_done(), a return statement was missing and we were mixing
SDAP_AUTH and errno return codes in state->result
Remove usless helper function that just replicates talloc_strndup()
|
|
Do not handle a missing ccache file as inactive by default, check if
there are still active processes of the user.
|
|
|
|
If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we
generate a separate call to the sssd to validate the old password before
asking for a new password and sending the change password request.
|
|
|
|
The DEBUG level of the result should not be lower than the DEBUG
level of the request. It generates too much noise when enumerate
is enabled or initgroups deals with groups with large numbers of
users.
|
|
The logic of selecting the server to fail over to was changed so
that we start from the server next to the one that didn't work the last
time. This is because the status of a server that failed last time might
get reset before we try another one. This can cause that we try to use
the nonworking server repeatedly, not giving a chance to other servers.
Fixes: #321
|
|
There were two problems with the code. We were using
fo_set_server_status() instead of fo_set_port_status() when we failed to
connect to a service. This is a problem because if two services use the
same server, or we want to use one server with two different ports,
marking the whole server as bad is incorrect. The other problem was that
be_resolve_server_done() was comparing the hostent structures -- these
are, however, equal across multiple server:port pairs with the same
server addresses.
Fixes: #321
|
|
There were two functions for parsing strings by a separator. This patch
consolidates on the one previously used in confdb. This also allows
stripping the tokens of whitespace.
Fixes: #319
|
|
The macro STATUS_DIFF() was wrong causing the result to always be lower
than 0, therefore the timeout was never reached.
Fixes: #302
|
|
These were very useful for debugging and hopefully still will be in the
future.
|
|
Fixes: #294
|
|
Application like krb5-auth-dialog might get confused if there is a
credential cache file without any credentials in it. This patch adds an
expired credential where only the client and the server principal are
set. The client principal is the user's principal and the server
principal corresponds to a TGT principal of the realm the user belongs
to.
|
|
|
|
|
|
|
|
When using GSSAPI we need a valid service ticket to talk to the LDAP
server. If the ticket is expired the LDAP client returns with 'Can't
contact LDAP server'. Currently we set the backend offline if this error
occurs although the server is still available. This patch checks if the
TGT is expired and tries to renew the credentials before going offline.
|
|
Search the local db to find the local DN using the original DN as search key.
This way we do not have to rely on weak and faulty heuristicts based on DN
names.
Add a few helper functions in the process and change the way we pass members to
sysdb_store_group_send(), instead of passing users and groups list, just add
member DNs to the other sysdb attrs.
|
|
|
|
|
|
Fixes: #296
|
|
|
|
|
|
|
|
To avoid blocking in a synchronous call, the TGT is saved in a separate
process
Fixes: #277
|
|
Moves several functions out of providers/krb5 hierarchy into a separate
module so it can be shared by the ldap child.
|
|
|
|
Unfortunately since we changed the defines to an enum the preprocessor test
stopped working.
Turn tests into runtime tests that will abort the process.
|
|
|
|
Then name or IP adress of the KDC is written into the pubconf directory
into a file named kdcinfo.REALM. The locator plugin will then read this
file and pass the data to the kerberos libraries.
|
|
This adds a new boolean option to sss_dp_send_acct_req() called
fast_reply. If we make a request to the backends and we are
currently offline, this option will determine whether we should
immediately return from the cache (acceptable for NSS requests) or
potentially wait for an online check to complete (required for PAM
requests).
|
|
|
|
|
|
The retun values are still not directly used with ldap libraries that still do
their own name resolution, but this patch introduces a very basic framework to
have a multiple providers in one domain use and share a single failover
service if they want to.
|
|
When using high debug levels or valgrind the code maybe slow enough that these
timeouts were too strict.
|
|
This way we do not need to check for id ranges on every search.
|
|
|
|
To support IPA DS to Kerberos password migration a seperate
authentication target is added. It calls the Kerberos authentication
target and in the case of a 'Preauthentication Error' the LDAP
authentication target. On success the Kerberos target is called again to
request the TGT.
|
|
- save current ccache file to sysdb
- use the saved ccache file if the user has running processes
- create an empty ccache if offline
- return enviroment variables if offline
|
|
With the previous code in domains with many users and enumeration enable we
would eventually end up making thousands of individual searches for entries in
the clean-up process.
Change the code to do a full enumeration before a cleanup so we do one single
big search to update all entries and only then search for entries to purge.
This also fixes the fact that the cleanup task was running at every enumeration
instead of running every "ldap_purge_cache_timeout" seconds.
|
|
|
|
|
|
|
|
|
|
|