summaryrefslogtreecommitdiff
path: root/server/providers
AgeCommit message (Collapse)AuthorFilesLines
2009-10-14send a message if a backend target is not configuredSumit Bose1-12/+30
If a backend target is not configured the return code is changed from PAM_SYSTEM_ERR to PAM_MODULE_UNKNOWN and an error message is sent back to the client.
2009-10-14make sdap_id_connect_* independent of sdap_id_ctxSumit Bose3-180/+188
The sdap_id_connect_* request tries to bind to an LDAP server with the default credentials. Only the opts component of the sdap_id_ctx context is used. A new request sdap_cli_connect_* is created which expects only the opts pointer as parameter and not the whole context. This makes it reusable by other providers.
2009-10-13add a replacement if ldap_control_create is missingSumit Bose3-8/+7
2009-10-12fix a wrong argument to unpack_bufferSumit Bose1-18/+40
- the patch to handle short read introduced a new variable len to store the amount of data read. Instead of using this variable unpack_buffer was called with the old variable ret. Thanks to mnagy@redhat.com for finding this. - this patch also fixes a potential error when the message size is equal to the buffer size.
2009-10-09use the correct kerberos context for each targetSumit Bose1-4/+33
- when the kerberos provider was used as a chpass_provider but not as auth_provider the backend died
2009-10-09Remove DP processSimo Sorce7-1259/+241
Turn the backend process into data provider servers Make Frontends (pam, nss) directly attach to the backends
2009-10-09Differentiate between search and network timeoutsSimo Sorce3-5/+7
Network timeouts are used in quick operations like bind. Search timeout is used for operations that can "legally" require more time. Change defaults to 6 and 60 seconds respectively.
2009-10-08add support for server side LDAP password policiesSumit Bose3-11/+125
- password policy request controls are send during bind and change password extended operation - the response control is evaluated to see if the password is expired or will expire, soon
2009-10-06Remove unused btreemap codeStephen Gallagher2-2/+0
We have converted to using dhash in place of btreemap everywhere in the code.
2009-10-05remove redundant talloc_freeSumit Bose1-3/+0
- this patch should fix bug #213, a double free in the sdap timeout handler
2009-10-05handle expired password during authenticationSumit Bose1-2/+25
2009-10-01Fix long timeout on ldap operationSimo Sorce2-5/+14
Always use the network timeout defined in the options. But raise defaults to 60 seconds or enumerations can easily fail.
2009-10-01Initial implementation of sasl bind supportSimo Sorce6-59/+488
Inits krb5 credentials, if sasl mech is GSSAPI. Tested with GSSAPI and host keytab as well as user credentials. Updates also manpages with the new options.
2009-09-25Let backend respond while fetching large resultsSimo Sorce1-2/+11
Timers always come before fd events, wait 5 microseconds between processing operations so that tevent has a chance of cactching an fd event in between. This allows the backend to reply to pings even while processing very large ldap results (importanty especially during the first enumeration).
2009-09-25remove krb5_try_simple_upn option and make it a default fallbackSumit Bose2-9/+1
2009-09-25Send debug messages to logfileJakub Hrozek2-1/+7
Introduces a new option --debug-to-files which makes SSSD output its debug information to a file instead of stderr, which is still the default. Also introduces a new confdb option debug_to_files which does the same, but can be specified per-service in the config file. The logfiles are stored in /var/log/sssd by default. Changes the initscript to log to files by default.
2009-09-25fix possible short reads in kerberos providerSumit Bose2-15/+46
2009-09-25add new config options ldap_tls_cacert and ldap_tls_cacertdirSumit Bose4-67/+72
2009-09-25Upgrade confdb to version 2Stephen Gallagher7-120/+88
This converts a great many configuration options to the new standard format.
2009-09-24added support for older MIT kerberos versionssbose3-7/+37
- make the build of the locator plugin optional - added a man page for the locator plugin - use krb5.h if krb5/krb5.h cannot be found - added alternatives for missing functions - set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version is lesser than 1.0.0
2009-09-23Remove provider=filesJakub Hrozek1-56/+0
Remove this provider type, as well as any references in the docs and examples to the "LEGACYLOCAL" migration domain. Fixes: #165
2009-09-23Don't try to use initgroups_dyn if not availableSimo Sorce1-0/+3
Fixes a segfault seen in the wild with providers=files
2009-09-23Fix copy&paste of wrong structureSimo Sorce1-2/+2
2009-09-23Revert "Use syslog for logging error conditions in SSSD"Stephen Gallagher8-135/+121
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d. Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made use of the SYSLOG_ERROR() macro, so those portions of that code also needed to be reverted.
2009-09-21Use syslog for logging error conditions in SSSDJakub Hrozek8-121/+135
This is just a band-aid until ELAPI is fully functional and ready to use.
2009-09-17Better handle groups w/o membersSimo Sorce1-6/+122
There was a chance that groups w/o members could end up causing a failure to store the group. This would happen in case the structure used by glibc to fill up the group data was "dirty". Always memset structures before passing them to te libc and also check if there are any members, before calling the async function. Finally add some tracing at level 7 so that it is easier to follow what is going on in case of touble.
2009-09-17Fix copy&paste error.Simo Sorce1-4/+4
2009-09-16Check if SSL/TLS handler is already in placeSumit Bose1-1/+8
Authentication against a LDAP server should always use an encrypted connection. To acchive this the LDAP provider calls ldap_start_tls which will fail if the connection is already encrypted, e.g. if an ldaps tunnel is already established. Because the error message from ldap_start_tls is not specific we check the status with ldap_tls_inplace before calling ldap_start_tls.
2009-09-14added child timeout handlerSumit Bose2-6/+90
2009-09-14fix the wrong usage of an offsetSumit Bose1-1/+1
2009-09-14add krb5ccache_dir and krb5ccname_template optionSumit Bose5-50/+356
The configuration options krb5ccache_dir and krb5ccname_template are added to the Kerberos provider to create the user's credential caches the same way as pam_krb5 does. Due to the design of the sssd and the supported ccache types of MIT Kerberos only files are allowed.
2009-09-14Let the PAM client send its PIDSumit Bose2-4/+8
- the client sends the PID as uint32_t and sssd will use uint32_t too - fix a possible type issue where a uint32_t is sent as int32 in internal dbus communication
2009-09-14Turn ldap driver options into multitypeSimo Sorce6-194/+376
This patch makes basic options multiype, the init function assigns a type from the initialization array, and processes values fetched from confdb accordingly. 4 types are supported so far: string, number, blob and boolean Also convert defines into enums where appropriate. Add fetch functions that check the requested type.
2009-09-14Make the offline status backend-globalSimo Sorce6-215/+94
Add helpers functions to query/set the offline status per backend. Now all providers share the same offline status.
2009-09-11use fork+exec for kerberos helperSumit Bose4-193/+465
2009-09-11add change password target to krb5 backendSumit Bose4-207/+447
2009-09-11Complete the removal of "legacy" option.Simo Sorce4-28/+196
The code was still dependent on it for the ldap driver. Changed the driver code to depend on the schema type. Fix defaults for user and groups trees. ATM if you use the rfc2307bis schema you have to put users and groups in 2 separate trees (what people does by default anyway. If this limitation will turn to be too hard, we will change this later.
2009-09-11Fix ldap enumeration async taskSimo Sorce1-12/+16
The request was being freed, instead of marking it done and let the callback free it when done. This was causing us to access freed memory, when trying to set the next run. Let the callback add new runs and free the request instead as normally we would do with any other tevent_req async call. Courtesy of valgrind again.
2009-09-11Fix memory mishandling.Simo Sorce1-10/+7
By attaching the reply to a subreq, we ended up freeing the operations list element before we used it to skip to the next one. Do not steal the context and let the unlocking code free the old reply, when it moves onto processing the next one. Got this one with valgrind.
2009-09-10Fix Ldap id backend offline codeSimo Sorce2-14/+83
After the recent changes we lost the capability to actually go offline. Put back code that would mark the backend as offline when timeouts happen. Make sure the enumeration code also obbeys the offline timeout, and contributes in determining if we are offline or not.
2009-09-08Split database in multiple filesSimo Sorce1-2/+2
The special persistent local database retains the original name. All other backends now have their own cache-NAME.ldb file.
2009-09-08Fix two possible uninitialized valuesSimo Sorce1-1/+1
Make counter for used messages explicit.
2009-09-03Avoid crash when timestamp is NULLRalf Haferkamp1-1/+3
Check if the timestamp argument of sdap_save_group_recv is NULL before using it.
2009-09-03Fix initgroups search filter when using rfc2307bisRalf Haferkamp1-2/+2
sdap_get_initgr_process() was using the wrong sdap_id_map struct when creating the searchfilter for the initgroups() call.
2009-09-03Fix proxy enumerationSimo Sorce1-86/+123
New tevent library finally outlawed nested loops.
2009-09-02Honor enumerate option in ldap_idSimo Sorce1-6/+9
If enumerations are disabled for this domain, then do not start the enumeration task.
2009-09-02remove the concept of a backend nameSumit Bose3-29/+39
The data provider backends stored a name value besides the domain name to identify themselves to the data provider. This was the name of the id provider. Currently the backends can have different providers for id, authentication etc. So the name may be missleading. Also when there are more domains with the same id provider the name is not enough to identify the backend but the domain name is. As a consequence the backend name is removed completely and only the domain name is used for identification.
2009-08-28check if gid attribute is emptySumit Bose1-0/+6
2009-08-28send SSSD_REALM and SSSD_KDCIP environment to the clientSumit Bose1-2/+31
Currently the kerberos locator plugin needs these two variables to be set to find a KDC which is configured in sssd but not in /etc/krb5.conf.
2009-08-28fix internal order of ldap user mapping optionsSumit Bose1-4/+4