Age | Commit message | Author | Files | Lines |
|
The child processes call prctl() and when their parent process is
killed, they are sent SIGTERM using prctl. This is currently
Linux-specific, for non-Linuxes, a similar effect is achieved by
catching a set of common termination signals and sending SIGTERM to the
process group.
|
|
Previously, we had hardcoded the paths for the NSS, PAM and
private PAM sockets to /var/lib/sss/pipes. With this patch, we
will specify the sockets with --with-pipe-path.
|
|
|
|
Make as much as possible static, and remove use of talloc_reference and
allocation/deallocation of memory when not necessary.
Fix also responder use of rctx->conn, was mistakenly used for both
monitor and dp connections.
|
|
This reduces code duplication as it allows to use one set of watch and timeout
functions, and at the same time also allows not to use a secondary structure just
to unify these functions.
|
|
Rationalize and rename connection names in preparation for merging of server and
connection structures.
|
|
Simplify code by removing stuff that is never used or redundant.
|
|
|
|
Retrieving ldap results and storing users could sometimes result in race
conditions where the final ldap result was retrieved before the store operations
were finished, resulting in the operations being aborted before termination.
Implement a serialization mechanism per operation.
|
|
|
|
Also add tests
|
|
The sdap_handle might be freed when processing a message.
Rearrange data flow so that the sdap_handle is never used after
a message is processed but a new event (dependent on the handle) is
instead scheduled. If the sdap_handle is freed, the scheduled event
is also removed and not fired
|
|
|
|
|
|
The way openldap libraries work requires having a single engine per
connection, as all replies are read at the same time. So we need to
always read anything that comes in from the wire and then loop to
dispatch results to the requests that are waiting.
|
|
|
|
|
|
|
|
|
|
This uses and expands the async helpers.
|
|
|
|
This changes the style quite a lot, but the tevent_req style
is much more clear and much less error-prone than the giant
loop we had previously.
|
|
These functions use the tevent_req async model, where a pair
of _send/_recv functions pilot requests, with additional helpers
like _done functions, and where needed multiple stage helpers.
|
|
|
|
|
|
|
|
|
|
This is part of a set of patches to rewrite sysdb to a hopefully better
API, that will also let us use tevent_req async style calls to manipulate
our cache.
|
|
This sysdb_req has always really been a transaction handle and not
a request.
This is part of a set of patches to rewrite transaction support in sysdb to a
hopefully better API, that will also let us use tevent_req async style to
manipulate our cache.
|
|
|
|
|
|
The libPath should be constructed from the libName. There is no
benefit to specifying it separately.
|
|
|
|
|
|
The old function was not used anywhere, and this function uses better
semantics, including not using void ** which gives strict aliasing problems.
Also add a generic password destroy function
|
|
In order to allow to access LDAP servers which do not provide SSL/TLS
encryption the option tls_reqcert is added to the native LDAP backend. It
accepts the same arguments as the corresponding OpenLDAP option documented in
ldap.conf(5) and should perform accordingly.
|
|
|
|
|
|
This will blackout any request to the backend for 15 seconds, then
will allow again to retry.
|
|
Convert auth modules to do the caching themselves
|
|
|
|
|
|
- allow unspecified value in struct pam_data to be NULL
- check if domain structure is initialized in pam_reply
|
|
|
|
|
|
ldap backend
|
|
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming from the unprivileged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
|
|
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and move common code in data provider.
(the data provider should never include responder private headers)
|