| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
The previous patch to fix an enumeration bug found with group enumeration
inadvertently introduced a bug with user enumeration.
Yeah, almost funny!
|
|
If a backend had all its results filtered in fill_pwent or fill_grent
then we would return an empty result, which means "end of results" to
the client.
Now we return ENOENT and let callers decide what to do.
Also make sure we do not grow packets unless we are going to fill them
as that's a recipe for killing the client as the size passed to
sss_packet_grow is used to determine the size of the final packet.
|
|
|
|
|
|
- allow different protocol versions for PAM and NSS
- support more than one protocol version in the responder
|
|
|
|
|
|
Force a user lookup against the users domain provider.
If a user domain is not specified search though all non fully qualifying
domains.
Perform authentication against the corrent domain auth backend, based on the
user's domain found in the lookup if one was not
specified.
Also move the NSS-DP functions in COMMON-DP as they are reused by the PAM
responder too now.
|
|
We need to stop parsing domains as soon as a caaandidate is found and let the
callback search additional domains if the id is not found.
Should fix ticket #21
|
|
Also convert all places where we were using custom code to parse
config arguments.
And fix a copy&paste error in nss_get_config
|
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
|
|
|
|
Also setting dctx->domain to NULL is a recipe for segfaults :-)
Assign dctx->domain only when dom actually holds a domain pointer.
|
|
This way we do not waste resources starting searching for users/groups in
multiple backends when the first one has the answer.
Also prevents possible race conditions where a user named the same way is found
in multiple backends and the wrong one is returned.
|
|
To be able to correctly filter out duplicate names when multiple non-fully
qualified domains are in use we need to be able to specify the domains order.
This is now accomplished by the configuration paramets 'domains' in the
config/domains entry. 'domains' is a comma separated list of domain names.
This paramter allows also to have disbaled domains in the configuration without
requiring to completely delete them.
The domains list is now kept in a linked list of sss_domain_info objects.
The first domain is also the "default" domain.
|
|
|
|
Use common sss_parse_name function in all responders
Simplify responder headers by combining common,cmd,dp in one header and
add name parse structure as part of the common responder context.
|
|
Makes LOCAL a normal backend removing some special handling.
Fix/Add id range filtering and name filtering
Filters uid=0 and gid=0 in the proxy backend as 0 is invalid within
sysdb and was causing getxxent calls to fail completely.
Fix nss_ncache_check_xxx calls to avoid dirtying the 'ret' variable and
causing some unwanted failures.
Change sysdb to always return the uid number when searching member entries so
that id range filtering can be perfomed also in group searhes (does not work
with legacy backends)
|
|
A new nss_parse_name function uses pcre to parse names, this makes
it possible, in future, to make the filter user configurable.
Add a new filter mechanism to filter out users that uses the negative cache by
setting a permanet negative entry.
Rework the entry points where the negative cache is checked for.
|
|
May happen at startup if, for some reason dp is very slow to start and we
receive a request before a reconnection is rescheduled in the responder dp
reconnection code.
This shouldn't happen normally so make it clear with a debug statement.
|
|
Make nss_ctx a private pointer of the common resp_ctx
Use sss_process_init and remove all duplicate functions from nsssrv.c
|
|
The structure we copy the domain pointerr on is not zero when allocated.
We need to zero it ourselves or we get segfaults later on.
A cut&paste error caused us to call the wrong getpw function.
|
|
forgot to commit a few changes
|
|
This fixes some old 'Fixme's :)
|
|
Now it can load from scratch default configuration that is valid for all
daemons.
First thing, make it possible for each daemon/provider to set its own debug
level in its configuration entry.
|
|
When I converted from using just the domain name to passing down the info
structure I goofed how to test if we were willing to attach the local domain to
the user/group names or not.
|
|
As for positive caches, negative caches are implement for all queries
except enumerations.
Also set the correct requires in sssd.spec as we now depend directly on tdb as
well.
|
|
Gecos, homedir and shell are optional, fix the responder not to refuse to return
the user completely if they are missing, replace an empty homedir with "/".
Also fix fullname vs gecos, and always return gecos for NSS data.
On user creation set gecos to the same value as the user Full Name, to help
populate the gecos field with data that makes sense.
|
|
In the nss communication protocol we were treating uids and gids as 64 bit
values, but uids and gids are really u32 values, change the protocol to reflect
the real size.
|
|
|
|
|
|
We need to add the domain when users are not part of the default
domain, otherwise name conflicts may happen.
|
|
Also unify SYSDB_PW_NAME and SYSDB_GR_NAME in SYSDB_NAME and make it "name"
|
|
This function allows a caller to retrieve a list of users who have
logged in on the system, specifying an optional minimum last login
time to trim the list.
I modified sysdb_enumpwent to accept an optional search argument.
GetCachedUsers takes advantage of this argument to limit the search
by the last login time.
I also found and fixed a few additional low-memory conditions
around D-BUS message replies.
|
|
If an enumeration has been requested recently enough, force the
nss responder to read from the cache and not go out to each backend
and do slow network operations. This greatly improves performances
if enumerations are used often.
Currently the balcout period is harcoded to 2 min, we will need to make
it a configurable option.
|
|
Avoid uninitialized memory messages in valgrind (in _btreemap_get_keys).
Do not free memory we just stored in the btree (in confdb_get_domains_list).
Streamline confdb_get_domains() and remove extra calls when we already have
all the information handy.
Do not store basedn in domain info, the base dn is always calculated out of
the domain name.
Remove the "provider" attribute, it was really used only to distinguish between
LOCAL and other domains, directly check for LOCAL as a special case instead.
|
|
The NSS provider, the Data Provider backends and the InfoPipe all
need access to the domain map provided by the confdb. Instead of
reimplimenting it in multiple places, it is now provided in a pair
of helper functions from the confdb.
confdb_get_domains() returns a domain map by reference. Always
returns the most up-to-date set of domains from the confdb.
confdb_get_domains_list() returns an array of strings of all the
domain names. Always returns the most up-to-date set of domains
from the confdb.
This patch also modifies the btreemap_get_keys() function to
better handle memory and report allocation failures.
|
|
This is necessary because in ldb only 1 transaction per context is possible
and all operations (or new transactions) are nested within it.
Will revisit this later when ldb will addresses the problem.
|
|
dependencies based on the latest samba code.
Convert all references to the old events library to use the
renamed tevent library.
|
|
Also move responders under server/responder with shared code
in server/responder/common
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
