summaryrefslogtreecommitdiff
path: root/server/providers
AgeCommit message (Collapse)AuthorFilesLines
2009-12-15fail over: Change the first server pick logicMartin Nagy1-5/+26
The logic of selecting the server to fail over to was changed so that we start from the server next to the one that didn't work the last time. This is because the status of a server that failed last time might get reset before we try another one. This can cause that we try to use the nonworking server repeatedly, not giving a chance to other servers. Fixes: #321
2009-12-15Don't consider one address with different port numbers as the sameMartin Nagy6-21/+38
There were two problems with the code. We were using fo_set_server_status() instead of fo_set_port_status() when we failed to connect to a service. This is a problem because if two services use the same server, or we want to use one server with two different ports, marking the whole server as bad is incorrect. The other problem was that be_resolve_server_done() was comparing the hostent structures -- these are, however, equal across multiple server:port pairs with the same server addresses. Fixes: #321
2009-12-10Consolidate code for splitting strings by separatorJakub Hrozek3-11/+7
There were two functions for parsing strings by a separator. This patch consolidates on the one previously used in confdb. This also allows stripping the tokens of whitespace. Fixes: #319
2009-12-09Correctly restart server status after the timeoutMartin Nagy1-1/+1
The macro STATUS_DIFF() was wrong causing the result to always be lower than 0, therefore the timeout was never reached. Fixes: #302
2009-12-09Add some debugging statements to fail_over and resolverMartin Nagy1-2/+60
These were very useful for debugging and hopefully still will be in the future.
2009-12-09Reduce code duplication between LDAP child and Kerberos childJakub Hrozek4-234/+160
Fixes: #294
2009-12-08Add dummy credentials to an empty ccache fileSumit Bose1-2/+54
Application like krb5-auth-dialog might get confused if there is a credential cache file without any credentials in it. This patch adds an expired credential where only the client and the server principal are set. The client principal is the user's principal and the server principal corresponds to a TGT principal of the realm the user belongs to.
2009-12-07Fix bug #311, properly set callback attributeSimo Sorce1-0/+1
2009-12-07Allow nesting to fix #310Simo Sorce1-0/+1
2009-12-07Add offline support for ipa_accessSumit Bose2-17/+134
2009-12-07Try to renew Kerberos credentialsSumit Bose5-2/+189
When using GSSAPI we need a valid service ticket to talk to the LDAP server. If the ticket is expired the LDAP client returns with 'Can't contact LDAP server'. Currently we set the backend offline if this error occurs although the server is still available. This patch checks if the TGT is expired and tries to renew the credentials before going offline.
2009-12-07Fix nested group membershipsSimo Sorce2-154/+189
Search the local db to find the local DN using the original DN as search key. This way we do not have to rely on weak and faulty heuristicts based on DN names. Add a few helper functions in the process and change the way we pass members to sysdb_store_group_send(), instead of passing users and groups list, just add member DNs to the other sysdb attrs.
2009-12-07Resolve nested groups also when rfc2307bis is usedSimo Sorce1-68/+2
2009-12-03Check LDAP structure before calling ldap_unbind_ext()Sumit Bose1-1/+3
2009-12-03Setup ldap child logging from IPA backendJakub Hrozek4-45/+54
Fixes: #296
2009-12-01Immediately return a krb5 change password request when offlineSumit Bose1-0/+7
2009-11-25Remove unneeded debugging codeSumit Bose1-9/+0
2009-11-25Fix an internal error when cache_credentials=FALSESumit Bose1-1/+4
2009-11-25Get TGT in a child process.Jakub Hrozek8-164/+1060
To avoid blocking in a synchronous call, the TGT is saved in a separate process Fixes: #277
2009-11-25Split helpers for child processesJakub Hrozek7-174/+261
Moves several functions out of providers/krb5 hierarchy into a separate module so it can be shared by the ldap child.
2009-11-25In IPA, the realm is always the domain uppercased.Simo Sorce1-2/+7
2009-11-25Fix internal options numbers testSimo Sorce1-12/+24
Unfortunately since we changed the defines to an enum the preprocessor test stopped working. Turn tests into runtime tests that will abort the process.
2009-11-23Really check return value from pam_set_itemSumit Bose1-3/+3
2009-11-23Read KDC info from file instead from environmentSumit Bose8-44/+357
Then name or IP adress of the KDC is written into the pubconf directory into a file named kdcinfo.REALM. The locator plugin will then read this file and pass the data to the kerberos libraries.
2009-11-23Speed up user requests while offlineStephen Gallagher2-37/+77
This adds a new boolean option to sss_dp_send_acct_req() called fast_reply. If we make a request to the backends and we are currently offline, this option will determine whether we should immediately return from the cache (acceptable for NSS requests) or potentially wait for an online check to complete (required for PAM requests).
2009-11-23Make backend request type a bitfieldStephen Gallagher3-5/+5
2009-11-23Add ldap_pwd_policy optionSumit Bose4-45/+92
2009-11-20Add initial failover support for ldap and ipaSimo Sorce19-68/+845
The retun values are still not directly used with ldap libraries that still do their own name resolution, but this patch introduces a very basic framework to have a multiple providers in one domain use and share a single failover service if they want to.
2009-11-20Raise some timeoutsSimo Sorce1-2/+2
When using high debug levels or valgrind the code maybe slow enough that these timeouts were too strict.
2009-11-20Filter by id range before actually storing entries.Simo Sorce2-15/+86
This way we do not need to check for id ranges on every search.
2009-11-20Enhance check for remote hostsSumit Bose2-55/+97
2009-11-20Add ipa_authSumit Bose4-1/+350
To support IPA DS to Kerberos password migration a seperate authentication target is added. It calls the Kerberos authentication target and in the case of a 'Preauthentication Error' the LDAP authentication target. On success the Kerberos target is called again to request the TGT.
2009-11-20Improve handling of ccache filesSumit Bose3-202/+597
- save current ccache file to sysdb - use the saved ccache file if the user has running processes - create an empty ccache if offline - return enviroment variables if offline
2009-11-20Better behavior on cleanupSimo Sorce4-20/+44
With the previous code in domains with many users and enumeration enable we would eventually end up making thousands of individual searches for entries in the clean-up process. Change the code to do a full enumeration before a cleanup so we do one single big search to update all entries and only then search for entries to purge. This also fixes the fact that the cleanup task was running at every enumeration instead of running every "ldap_purge_cache_timeout" seconds.
2009-11-20Validate Kerberos credentials with local keytabSumit Bose7-39/+252
2009-11-18Failover fixes and additionsSimo Sorce2-6/+24
2009-11-18Store initgr expire time on initgr callSimo Sorce1-6/+17
2009-11-13Fix option name krb5_changepw_principalSumit Bose2-2/+2
2009-11-12Make 'permit' the default for the access targetSumit Bose1-13/+4
2009-11-12Fix double free case.Simo Sorce1-1/+3
2009-11-12Fixes for proxy providerSumit Bose1-6/+23
- use the correct private data for each PAM task - make proxy_pam_target a mandatory option for auth, chpass and access
2009-11-12Fix inconsistent use of krb5_ccname_templateSumit Bose2-2/+2
2009-11-12Try to fix offline loginsSimo Sorce1-12/+6
2009-11-12Add support for host, source host and user categorySumit Bose1-8/+54
This patch add support for the host, source host and user category 'all'. All other category values are ignored so far. With the patch the interpretation of an empty memberUser and empty sourceHost and externalHost is changed to 'not applicable'.
2009-11-10Add cleanup taskSimo Sorce7-156/+912
2009-11-10Refactor delete functions and add a fewSimo Sorce1-20/+17
Refactor user/group delete functions so that they can be used without a transaction (they autostart an operation). Add user and group search function where a subfilter can be specified.
2009-11-10Add check for access-time rules to ipa_access.Sumit Bose3-0/+73
2009-11-10Simplify krb5 child handlerSumit Bose1-17/+18
Currently the Kerberos child handler evaluates the siginfo_t structure to wait for a specific child. This scheme is prone to error, especially when there are more than one child process active, and can produce missleading debug message. This patch simplifies the scheme as it waits for any child.
2009-11-09Fix tevent_req error checking.Simo Sorce10-183/+72
When possible using a macro that correctly deals with tstate
2009-11-09Fix enumerationsSimo Sorce1-2/+6
The counter was not set so we were storing only the first user for each anumeration.