summaryrefslogtreecommitdiff
path: root/server/responder
AgeCommit message (Collapse)AuthorFilesLines
2009-04-28handle other pam calls when offlineSumit Bose1-0/+10
2009-04-28Use different attribute for cached passwords change timeSumit Bose1-2/+2
2009-04-28change PAM timeout the match NSS timeSumit Bose2-3/+1
2009-04-27Use different attribute for cached passwordsSimo Sorce1-3/+3
This fixes a bug with legacy backends where the cached password would be cleared on a user update. Using a different attribute we make sure a userPassword coming from the remote backend does not interfere with a cachedPassword (and vice versa).
2009-04-27Eliminate segfault on NSS and PAM responder startup.Stephen Gallagher1-0/+4
If the data provider is not yet available when NSS and PAM start, they will generate a segmentation fault when trying to configure their automatic reconnection to the Data Provider. I've now added code in sss_dp_init() to detect whether the dp_ctx is NULL and return EIO.
2009-04-27fix for pam proxy chauthtokSumit Bose1-0/+1
When a user from a domain served by the proxy backend changes his password with passwd the passwd command asks for the old password, but it is not validated by the pam_chauthtok call in the proxy backend, because it is running as root. If the request is coming the unpriviledged socket we now call pam_authenticate explicitly before pam_chauthtok.
2009-04-23removed length of unused element from packet size calculationSumit Bose1-1/+1
The domain name is no longer send as an element on its own, but if set as a member of the response array. If the user was not found pd->domain is NULL and strlen will seg-fault.
2009-04-22fix for a seq fault when pam_reply_delay is called.Sumit Bose1-2/+2
see https://fedorahosted.org/sssd/ticket/25
2009-04-17Force user check and discover user's domainSimo Sorce6-297/+593
Force a user lookup against the users domain provider. If a user domain is not specified search though all non fully qualifying domains. Perform authentication against the corrent domain auth backend, based on the user's domain found in the lookup if one was not specified. Also move the NSS-DP functions in COMMON-DP as they are reused by the PAM responder too now.
2009-04-16Fix by_id enumeration with multiple domainsSimo Sorce1-0/+10
We need to stop parsing domains as soon as a caaandidate is found and let the callback search additional domains if the id is not found. Should fix ticket #21
2009-04-14Add common function to retrieve comma sep. listsSimo Sorce1-11/+13
Also convert all places where we were using custom code to parse config arguments. And fix a copy&paste error in nss_get_config
2009-04-14Make reconnection to the Data Provider a global settingStephen Gallagher2-7/+4
Previously, every DP client was allowed to set its own "retries" option. This option was ambiguous, and useless. All DP clients will now use a global option set in the services config called "reconnection_retries"
2009-04-14Add reconnection code between the NSS responder and the Data providerStephen Gallagher1-1/+52
2009-04-13Fix a couple of segfaults and timeout checksSimo Sorce2-31/+14
2009-04-13Fix segfaults when passing an unknown domainSimo Sorce1-9/+20
Also setting dctx->domain to NULL is a recipe for segfaults :-) Assign dctx->domain only when dom actually holds a domain pointer.
2009-04-13Implement credentials caching in pam responder.Simo Sorce8-373/+494
Implement credentials caching in pam responder. Currently works only for the proxy backend. Also cleanup pam responder code and mode common code in data provider. (the data provider should never include responder private headers)
2009-04-13Always pass full domain infoSimo Sorce1-1/+1
Change sysdb to always passwd sss_domain_info, not just the domain name. This way domain specific options can always be honored at the db level.
2009-04-09Serialize requests vs backends.Simo Sorce1-544/+702
This way we do not waste resources starting searching for users/groups in multiple backends when the first one has the answer. Also prevents possible race conditions where a user named the same way is found in multiple backends and the wrong one is returned.
2009-04-08Change the way we retrieve domainsSimo Sorce7-234/+105
To be able to correctly filter out duplicate names when multiple non-fully qualified domains are in use we need to be able to specify the domains order. This is now accomplished by the configuration paramets 'domains' in the config/domains entry. 'domains' is a comma separated list of domain names. This paramter allows also to have disbaled domains in the configuration without requiring to completely delete them. The domains list is now kept in a linked list of sss_domain_info objects. The first domain is also the "default" domain.
2009-04-07Clean up warnings in SSSDStephen Gallagher3-11/+10
2009-04-07Unify name parsing and reposnder headersSimo Sorce12-243/+328
Use common sss_parse_name function in all responders Simplify responder headers by combining common,cmd,dp in one header and add name parse structure as part of the common responder context.
2009-04-07Use info in the domain entry to determine action.Simo Sorce1-1/+12
This way LOCAL domains backed by files works as expected too. Tested with nss_files + pam_unix
2009-04-01Add way to use files as a proxy backend fro LOCALSimo Sorce1-28/+91
Makes LOCAL a normal backend removing some special handling. Fix/Add id range filtering and name filtering Filters uid=0 and gid=0 in the proxy backend as 0 is invalid within sysdb and was causing getxxent calls to fail completely. Fix nss_ncache_check_xxx calls to avoid dirtying the 'ret' variable and causing some unwanted failures. Change sysdb to always return the uid number when searching member entries so that id range filtering can be perfomed also in group searhes (does not work with legacy backends)
2009-04-01Add a more flexible way to parse and filter names.Simo Sorce5-280/+885
A new nss_parse_name function uses pcre to parse names, this makes it possible, in future, to make the filter user configurable. Add a new filter mechanism to filter out users that uses the negative cache by setting a permanet negative entry. Rework the entry points where the negative cache is checked for.
2009-03-27Fix copy&paste errorSimo Sorce1-1/+1
2009-03-27Fix potential segfault if dp_ctx is still NULL.Simo Sorce2-2/+18
May happen at startup if, for some reason dp is very slow to start and we receive a request before a reconnection is rescheduled in the responder dp reconnection code. This shouldn't happen normally so make it clear with a debug statement.
2009-03-27Make nsssrv use the common responder functionsSimo Sorce10-734/+221
Make nss_ctx a private pointer of the common resp_ctx Use sss_process_init and remove all duplicate functions from nsssrv.c
2009-03-27Fix uninitailized pointer and cut&paste errorSimo Sorce1-1/+5
The structure we copy the domain pointerr on is not zero when allocated. We need to zero it ourselves or we get segfaults later on. A cut&paste error caused us to call the wrong getpw function.
2009-03-26Enable autoreconnection to the Data Provider in PAMStephen Gallagher3-4/+67
2009-03-26Refactor nss_ctx to resp_ctx in respondersStephen Gallagher7-109/+109
2009-03-24Fix buildSimo Sorce2-1/+4
forgot to commit a few changes
2009-03-20Retrieve some options from confdbSimo Sorce3-11/+46
This fixes some old 'Fixme's :)
2009-03-20Enhance server_setupSimo Sorce3-2/+4
Now it can load from scratch default configuration that is valid for all daemons. First thing, make it possible for each daemon/provider to set its own debug level in its configuration entry.
2009-03-20added response type PAM_ENV_ITEM and integrated response data into dbus messagesSumit Bose2-19/+98
2009-03-19use pam_data as main data structure for dbus communicationSumit Bose3-27/+85
2009-03-18Fix getgrent and getpwent callsSimo Sorce1-2/+6
When I converted from using just the domain name to passing down the info structure I goofed how to test if we were willing to attach the local domain to the user/group names or not.
2009-03-13Implement Negative cache for NSSSimo Sorce5-3/+570
As for positive caches, negative caches are implement for all queries except enumerations. Also set the correct requires in sssd.spec as we now depend directly on tdb as well.
2009-03-11remove an unnecessary call to confdbSumit Bose1-8/+4
2009-03-10Fix returning user with missing optional attributes.Simo Sorce1-5/+8
Gecos, homedir and shell are optional, fix the responder not to refuse to return the user completely if they are missing, replace an empty homedir with "/". Also fix fullname vs gecos, and always return gecos for NSS data. On user creation set gecos to the same value as the user Full Name, to help populate the gecos field with data that makes sense.
2009-03-10added generic PAM return messages and a false login delaySumit Bose6-65/+151
2009-03-10Treat uids and gids as 32 bit numbers not 64Simo Sorce1-23/+21
In the nss communication protocol we were treating uids and gids as 64 bit values, but uids and gids are really u32 values, change the protocol to reflect the real size.
2009-03-09Always pass sss_domain_info to sysdb functions.Simo Sorce2-30/+18
2009-03-09Do not duplicate attribute names macros.Simo Sorce1-2/+2
Also shorten names oh other user attributes.
2009-03-09use fixed paths to sockets to make sure clients and server are using the sameSumit Bose6-59/+76
2009-03-06Fix reporting non-default users.Simo Sorce2-301/+314
We need to add the domain when users are not part of the default domain, otherwise name conflicts may happen.
2009-03-05Remove _PW_ and _GR_ from SYSDB_ definesSimo Sorce2-17/+17
Also unify SYSDB_PW_NAME and SYSDB_GR_NAME in SYSDB_NAME and make it "name"
2009-03-05Implement GetCachedUsers in the InfoPipeStephen Gallagher1-2/+2
This function allows a caller to retrieve a list of users who have logged in on the system, specifying an optional minimum last login time to trim the list. I modified sysdb_enumpwent to accept an optional search argument. GetCachedUsers takes advantage of this argument to limit the search by the last login time. I also found and fixed a few additional low-memory conditions around D-BUS message replies.
2009-03-05added password reset by rootSumit Bose1-0/+5
2009-03-05added a privileged pipeSumit Bose6-8/+137
2009-03-04Add enumeration backout period.Simo Sorce3-2/+39
If an enumeration has been requested recently enough, force the nss responder to read from the cache and not go out to each backend and do slow network operations. This greatly improves performances if enumerations are used often. Currently the balcout period is harcoded to 2 min, we will need to make it a configurable option.