| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
When possible using a macro that correctly deals with tstate
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
|
Fix copy/paste error that picked up the wrong request structure to pass down.
This was causing the talloc code that checks for the right signature to fail and
abort as the 2 request structures have different state structures attacched.
|
|
This rewrite should also fix a segfault in the code that may happen when
exiting in case of error conditions. The previous code was attaching the
transaction handle to llreq structure and then calling prepare_reply() from
within the request handlers which could ultimately free the preq and
llreq and handle before the transaction request was actually completed
by tevent.
|
|
This adds a new option (offline_credentials_expiration) to the
[PAM] section of the sssd.conf
If the user does not perform an online authentication within the
timeout (in days), they will be denied auth once the timeout
passes.
|
|
|
|
These functions were used when reconnecting to the DP after losing
the connection. Since there is no DP any longer, there's no reason
to have these functions.
|
|
The way we were processing errors from the provider caused offline
authentication to stop working. Previously the problem was masked
by a bug in the data provider that always returned "Success" for any
operation no matter what the actual return code was. when DP got
removed the bug became evident.
|
|
Turn the backend process into data provider servers
Make Frontends (pam, nss) directly attach to the backends
|
|
We have converted to using dhash in place of btreemap everywhere
in the code.
|
|
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
|
This converts a great many configuration options to the new
standard format.
|
|
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
|
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
|
|
|
- the client sends the PID as uint32_t and sssd will use uint32_t too
- fix a possible type issue where a uint32_t is sent as int32 in internal
dbus communication
|
|
Fixes: #138
|
|
The special persistent local database retains the original name.
All other backends now have their own cache-NAME.ldb file.
|
|
Remove redundant reconnection code that was interfeering with the sbus
reconnection code.
Consolidate include files for sbus relates operations.
Make pamsrv code similar to nsssrv code.
|
|
Many of the functions in responder_dp.c were originally NSS-
specific and were moved there from the NSS responder code. Since
they are now generic to any responder, rename them to sss_dp_*
|
|
Mirrors what we have done with the monitor.
|
|
Let services identify themselves voiluntarily as the first operation
instead of polling from the monitor.
Also consolidate some common functions and make them available as monitor
helpers.
|
|
The child processes call prctl() and when their parent process is
killed, they are sent SIGTERM using prctl. This is currently
Linux-specific, for non-Linuxes, a similar effect is achieved by
catching a set of common termination signals and sending SIGTERM to the
process group.
|
|
Previously, we had hardcoded the paths for the NSS, PAM and
private PAM sockets to /var/lib/sss/pipes. With this patch, we
will specify the sockets with --with-pipe-path.
|
|
Make as much as possible static, and remove use of talloc_reference and
allocation/deallocation of memory when not necessary.
Fix also responder use of rctx->conn, was mistakenly used for both
monitor and dp connections.
|
|
Rationalize and rename connection names in preparatoin for merging of server and
connection structures.
|
|
Simplify code by removing stuff that is never used or redundant.
|
|
Fix incorrect error code return in local_handler_callback
|
|
|
|
This is part of a set of patches to rewrite sysdb to a hopefully better
API, that will also let use use tevent_req async style calls to manipulate
our cache.
|
|
This sysdb_req has always really been a transaction handle and not
a request.
This is part of a set of patches to rewrite transaction support in sysdb to a
hopefully better API, that will also let use use tevent_req async style to
manipulate our cache.
|
|
|
|
|
|
|
|
|
|
The timeout of the data provider call (in ms) got overwritten by a cache
timeout (in s).
|
|
Convert auth modules to do the caching themselves
|
|
|
|
Also fix style, clarify, and simplify some logic.
|
|
|
|
- allow different protocol versions for PAM and NSS
- support more than one protocol version in the responder
|
|
- allow unspecified value in struct pam_data to be NULL
- check if domain structure is initialized in pam_reply
|
|
|
|
|
|
|
|
This fixes a bug with legacy backends where the cached password would be cleared
on a user update.
Using a different attribute we make sure a userPassword coming from the remote
backend does not interfere with a cachedPassword (and vice versa).
|
|
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
The domain name is no longer send as an element on its own, but
if set as a member of the response array. If the user was not found
pd->domain is NULL and strlen will seg-fault.
|
|
see https://fedorahosted.org/sssd/ticket/25
|
