summaryrefslogtreecommitdiff
path: root/server/providers
AgeCommit message (Collapse)AuthorFilesLines
2009-11-12Fix double free case.Simo Sorce1-1/+3
2009-11-12Fixes for proxy providerSumit Bose1-6/+23
- use the correct private data for each PAM task - make proxy_pam_target a mandatory option for auth, chpass and access
2009-11-12Fix inconsistent use of krb5_ccname_templateSumit Bose2-2/+2
2009-11-12Try to fix offline loginsSimo Sorce1-12/+6
2009-11-12Add support for host, source host and user categorySumit Bose1-8/+54
This patch add support for the host, source host and user category 'all'. All other category values are ignored so far. With the patch the interpretation of an empty memberUser and empty sourceHost and externalHost is changed to 'not applicable'.
2009-11-10Add cleanup taskSimo Sorce7-156/+912
2009-11-10Refactor delete functions and add a fewSimo Sorce1-20/+17
Refactor user/group delete functions so that they can be used without a transaction (they autostart an operation). Add user and group search function where a subfilter can be specified.
2009-11-10Add check for access-time rules to ipa_access.Sumit Bose3-0/+73
2009-11-10Simplify krb5 child handlerSumit Bose1-17/+18
Currently the Kerberos child handler evaluates the siginfo_t structure to wait for a specific child. This scheme is prone to error, especially when there are more than one child process active, and can produce missleading debug message. This patch simplifies the scheme as it waits for any child.
2009-11-09Fix tevent_req error checking.Simo Sorce10-183/+72
When possible using a macro that correctly deals with tstate
2009-11-09Fix enumerationsSimo Sorce1-2/+6
The counter was not set so we were storing only the first user for each anumeration.
2009-11-09IPA time rules parsing routinesJakub Hrozek2-0/+1242
2009-11-09Check return, zero free hostent, adhere to styleSimo Sorce1-8/+11
2009-11-07Fix buildSimo Sorce1-4/+8
2009-11-07added access module of IPA providerSumit Bose3-2/+1681
2009-11-06Add fail over utility functionsMartin Nagy2-0/+649
These functions should be used by providers to centrally manage lists of servers. Servers are grouped into services and each service has it's own list of servers. If, however, you will try to add a same server into two different services, they will share a common structure. This means that a host will only be resolved once.
2009-11-06Check is ccache structure is initialized before calling krb5_cc_destroySumit Bose1-8/+16
2009-11-06Split async helpers in multiple filesSimo Sorce5-3285/+3383
The size of sdap_async.c was unmanageable. This patch splits it into a generic file with common infrastructure calls, a file that handles connection calls and a file for id related calls.
2009-11-06Reorganize ldap id provider filesSimo Sorce4-547/+583
Split enum task in a separate file.
2009-11-06Unify code to use the generic search interfaceSimo Sorce1-593/+473
This code removes redundancies in the code. both users and groups enumeration code use the same search generic search function now. Also the code to save users and groups have been unified across all callers.
2009-11-06Fix and enhance initgroups callSimo Sorce1-170/+637
This call was failing and was defective because it didn't properly handle the various different schemas we support. Now the function does 2 things: - Updates the user entry to make sure it is still valid - Retrieves every group the user is member of
2009-11-06Unify parse routines, use maps in generic searchesSimo Sorce4-130/+77
This remove redundant code and also allows the generic search to be used to use maps to convert attributes.
2009-11-06Store the original memberof attributes if anySimo Sorce1-7/+30
Also change the interface of sdap_save_user_send() so that it can be more easily reused like it was done for sdap_save_group_send().
2009-11-06Make useful function more broadly available.Simo Sorce3-30/+30
2009-11-05add replacements for missing Kerberos callsSumit Bose4-46/+17
2009-11-03Rename sdap_id_map to sdap_attr_mapSimo Sorce5-21/+70
Also start adding some infrastructure to use the USN counter when available. In particular add a place to add generic attrs mapping, ie attributes that are neither user nor group specific.
2009-11-02Make debug message less irritating.Sumit Bose1-2/+2
The 'Unable to load' debug message is now only shown when the backend target is given explicitly in the config file. I the other case we let the caller decided how to handle this error condition.
2009-11-02set ipa_hostname if not given in config fileSumit Bose1-0/+20
2009-10-30Fix segfault when SASL is not used at allSimo Sorce2-2/+4
2009-10-29Add support to get rootDSE from the LDAP server.Simo Sorce6-121/+398
Also fic sdap_get_generic_send() to be a bit more "generic" :-) Also figs bugs within it. This patch allow us 2 good things. A) we check that the server effectively supports GSSAPI auth before we try to use it. B) against IPA it substantially cuts delays when the server is offline because it uses a 5 second async timeout on the connection and doesn't try to do a slow synchronous kinit+sasl_bind if the server is not even available.
2009-10-29Tidy up ipa optionsSimo Sorce5-151/+198
Do not replicate every and each option we may want to set in ipa. Just read out ldap and krb provider options (added reference in the manual too, and removed mention of ipa specific timeout values, use ldap options for that) Avoid calling auth module initialization twice, just pass the auth context to the chpass module too. Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be used for both users and groups. the user and group search bases can still be set separately if necessary but they are now optional and set to be identical to SDAP_SEARCH_BASE if not explicitly specified in the configuration.
2009-10-28Kill the ldap connection when we go offlineSimo Sorce1-5/+16
This patch uses a wrapper to kill the ldap connection when we are marked offline. This also makes sure we do not try to reuse a bad connection handler after a fatal error.
2009-10-27Move responsibility for entry expiration timeoutSimo Sorce6-18/+38
The providers are now responsible for determining how long a cached entry is considered valid. The default is the same as before (600s)
2009-10-27Add proper support for IPA/AD schemasSimo Sorce4-202/+574
Nested groups weren't properly handled. Add 2 pass strategy to update groups memberships Stuff work as expected when enumeration is enabled now.
2009-10-27store original DN with cached group objects if availableSumit Bose1-0/+16
2009-10-26Copy option overrides.Simo Sorce1-0/+26
We were not copying IPA named options to the ldap id options list. So the ldap_id provider was always using just the default settings.
2009-10-22Add support for offline auth cache timeoutStephen Gallagher1-0/+1
This adds a new option (offline_credentials_expiration) to the [PAM] section of the sssd.conf If the user does not perform an online authentication within the timeout (in days), they will be denied auth once the timeout passes.
2009-10-22Fix setting the schema in the ipa providerSimo Sorce1-0/+3
2009-10-22update ipa auth options to new option schemeSumit Bose3-110/+133
2009-10-22update krb5 option handling to new option schemeSumit Bose7-125/+273
2009-10-22Fix potential memory leaks in the data providerMartin Nagy1-2/+4
2009-10-22Better offline/enumeration behaviorSimo Sorce1-10/+12
Go offline in case of hard errors too. It makes no sense to keep trying too often when you have bad credentials for example. Also delay starting the enumeration thread so that we finish initializations first (bind to ldap is still a blocking operation and this may interfere with clients/monitor registrations).
2009-10-22added generic LDAP search sdap_get_generic_send/_recvSumit Bose4-0/+304
2009-10-20Start implementing ipa specific options.Simo Sorce5-7/+593
First step generate ldap options from ipa options. Add sssd-ipa man page too.
2009-10-16Always list inputs before outputsSimo Sorce1-8/+11
2009-10-16Add first basic IPA providerSimo Sorce1-0/+233
2009-10-16Move all krb5 provider init functionsSimo Sorce4-193/+261
Put all init functions in their own file so that the other files can be reused in other providers w/o having them in the way.
2009-10-16Move all ldap provider init functionsSimo Sorce5-145/+202
Put all init functions in their own file so that the other files can be reused in other providers w/o having them in the way.
2009-10-15Check for expired passwords in LDAP providerSumit Bose4-23/+425
2009-10-15enable debugging of krb5_childSumit Bose3-4/+142