summaryrefslogtreecommitdiff
path: root/server/responder
AgeCommit message (Collapse)AuthorFilesLines
2010-02-10Make return values more specific during password changeSumit Bose1-34/+52
- return PAM_AUTHTOK_ERR instead of PAM_SYSTEM_ERR if the password change operation fails - send a message to the user if the system is offline and the password cannot be changed
2010-02-10Send a message to the user if the login is delayedSumit Bose1-3/+24
2010-02-05Added option to use libcrypto instead of NSS.George McCollister1-1/+1
crypto_sha512crypt.c is a clone of nss_sha512crypt.c with the exception that all usage of NSS and related libraries has been switched to libcrypto. I renamed nss_sha512crypt.h to sha512crypt.h since it is common to both crypto_sha512crypt.c and nss_sha512crypt.c. Note that the random number generator is not seeded manually and thus relies on seeding done automatically by libcrypto. On some systems without /dev/urandom seeding may not be performed. See http://www.openssl.org/docs/crypto/RAND_add.html. Signed-off-by: George McCollister <georgem@novatech-llc.com>
2010-02-02Warn the user if authentication happens offlineSumit Bose1-1/+19
2010-02-02Add offline failed login counterSumit Bose1-6/+7
2010-02-01Avoid 'PAM' at the beginning of define and enum namesSumit Bose2-17/+17
2010-01-25Fix size error on 64-bit systemsStephen Gallagher1-1/+1
2010-01-22Pointers to non 32 bit aligned data were being cast to uint32_t *George McCollister2-9/+11
uint32_t pointers must point to 32 bit aligned data on ARM. Instead of padding the data to force it into alignment I altered the code to memcpy the data to an aligned location. I'd appreciate any and all feedback especially on whether I took the best approach. pam_test_client auth and pam_test_client acct now work on my armeb-xscale-linux-gnueabi target. Signed-off-by: George McCollister <georgem@opteron.novatech-llc.com>
2010-01-20Fix a double free bugSumit Bose1-3/+0
2010-01-20Add sysdb request to authenticate against a cached passwordSumit Bose4-216/+59
The code for authentication against a cached password is moved from the pam responder to a generic sysdb tevent request. The new code can be used by other components of sssd to verify passwords on their own. Tests for the sysdb_cache_password and sysdb_cache_auth request are added and some unneeded or unused code and variables are removed.
2010-01-05Don't free timer events within the handler.Simo Sorce1-16/+12
Tevent frees timer handlers once done, so freeing the timer within the event is going to cause double frees. Just attach the timer event to the request it depends on and make sure to steal it on NULL if we are going to free the request from within the handler.
2009-12-18Fix broken password changes for local usersStephen Gallagher1-1/+6
2009-12-18Handle chauthtok with PAM_PRELIM_CHECK separatelySumit Bose1-0/+6
If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request.
2009-12-17Add DEBUG messages to getpwnam_callback and getpwuid_callbackStephen Gallagher1-0/+4
This matches the DEBUG logging available for groups.
2009-12-08dhash: Add private pointer for delete callbackSimo Sorce1-1/+1
Also pass a flag to the delete callback to tell it if this is a normal entry removal or we are cleaning up the tbale definitively.
2009-12-08Fix potential uninitialized value error in responder_dp.cStephen Gallagher1-1/+1
If we fell into the default case of the switch statement, we would attempt to talloc_free() a random memory location. This patch guarantees that sdp_req is NULL if it has not been initialized.
2009-12-08Fix potential uninitialized value errors in nsssrv_cmd.cStephen Gallagher1-1/+2
2009-12-03Use the custom password field in groups too.Simo Sorce1-3/+5
Groups also need to honor the settable password field and use * by default.
2009-12-03Use memberuid and not member in group enumerationsSimo Sorce1-53/+8
This allows for correctly reporting nested group members, while at the same time not paying a too high price for caluclating nested groups at runtime e very time a search is made.
2009-11-23Fix ticket #289Simo Sorce1-0/+18
When I converted fill_grent to speed up enumerations I left out this check by mistake.
2009-11-23Speed up user requests while offlineStephen Gallagher4-15/+25
This adds a new boolean option to sss_dp_send_acct_req() called fast_reply. If we make a request to the backends and we are currently offline, this option will determine whether we should immediately return from the cache (acceptable for NSS requests) or potentially wait for an online check to complete (required for PAM requests).
2009-11-20Filter by id range before actually storing entries.Simo Sorce1-16/+0
This way we do not need to check for id ranges on every search.
2009-11-20Optimize sysdb_enumgrentSimo Sorce1-172/+178
This brings down the time needed to enumerate my group database from 2.4 seconds to 0.15 seconds.
2009-11-18Make the password field configurable in NSSJakub Hrozek3-4/+14
Per the discussion on sssd-devel list, nss_sss should not return a hardcoded value but this should rather be configurable to allow whatever the OS or distribution thinks is the best for the particular case. Fixes: #266
2009-11-18Change the pam code to perform an initgroups callSimo Sorce1-1/+1
An initgroups call refreshes both the user and the user's groups, this is ideal for pam so that we don't need addiotnal initgroups calls (initgroups calls are cached too now) during the login process.
2009-11-18Change initgroups code to use and check the cacheSimo Sorce1-196/+98
We were previously always ending up contacting the backend because we had no way to know if an initgroups call for the same user had ever been called. Add attribute to hold this information and rely on backends to update it. If they don't we fallback to the previous behvior of asking the backend.
2009-11-12Change var name to make its use more clear.Simo Sorce2-7/+7
Change memctx to make clear it should be used only when a callback is being used.
2009-11-12Fix check_cache bug in dealing with the callbackSimo Sorce1-97/+104
Also rework check_cache so that the operations it makes are more explicit. Also add comments about why we are doing something. Should make the code easier to understand in future (took quite some time and discussion on IRC to understand exactly how this function was behaving and to find the callback passing bug).
2009-11-09Fix segfault on unknown user/domainStephen Gallagher1-2/+2
2009-11-09Fix tevent_req error checking.Simo Sorce1-6/+1
When possible using a macro that correctly deals with tstate
2009-11-05Update midpoint refresh logic to be relative to cache timeoutStephen Gallagher3-9/+24
2009-10-27Move responsibility for entry expiration timeoutSimo Sorce4-26/+12
The providers are now responsible for determining how long a cached entry is considered valid. The default is the same as before (600s)
2009-10-27Fix segfaultSimo Sorce1-1/+1
Fix copy/paste error that picked up the wrong request structure to pass down. This was causing the talloc code that checks for the right signature to fail and abort as the 2 request structures have different state structures attacched.
2009-10-26Use standard coding practice to set last loginSimo Sorce1-90/+128
This rewrite should also fix a segfault in the code that may happen when exiting in case of error conditions. The previous code was attaching the transaction handle to llreq structure and then calling prepare_reply() from within the request handlers which could ultimately free the preq and llreq and handle before the transaction request was actually completed by tevent.
2009-10-22Add support for offline auth cache timeoutStephen Gallagher4-3/+192
This adds a new option (offline_credentials_expiration) to the [PAM] section of the sssd.conf If the user does not perform an online authentication within the timeout (in days), they will be denied auth once the timeout passes.
2009-10-22Add pam_ctx (similar to nss_ctx) for storing global PAM configStephen Gallagher2-5/+25
2009-10-15Remove two unused functions.Stephen Gallagher2-18/+0
These functions were used when reconnecting to the DP after losing the connection. Since there is no DP any longer, there's no reason to have these functions.
2009-10-15Fix offline authenticationSimo Sorce1-16/+3
The way we were processing errors from the provider caused offline authentication to stop working. Previously the problem was masked by a bug in the data provider that always returned "Success" for any operation no matter what the actual return code was. when DP got removed the bug became evident.
2009-10-09Remove DP processSimo Sorce6-72/+121
Turn the backend process into data provider servers Make Frontends (pam, nss) directly attach to the backends
2009-10-06Remove unused btreemap codeStephen Gallagher4-4/+0
We have converted to using dhash in place of btreemap everywhere in the code.
2009-10-05Make dp requests more robustSimo Sorce1-36/+109
This should fix #218 It should also prevent us from leaking memory in case the original request times out and should prevent races with the callbacks beeing freed after sdp_req is freed and thus dereferencing freed memory in the callbacks detructors.
2009-09-29Fix infinite loop with empty group enumerationStephen Gallagher1-13/+15
Loop control variable was not being incremented. I also converted a goto loop into a do...while loop to make it easier to follow the logic.
2009-09-25Send debug messages to logfileJakub Hrozek2-2/+6
Introduces a new option --debug-to-files which makes SSSD output its debug information to a file instead of stderr, which is still the default. Also introduces a new confdb option debug_to_files which does the same, but can be specified per-service in the config file. The logfiles are stored in /var/log/sssd by default. Changes the initscript to log to files by default.
2009-09-25Upgrade confdb to version 2Stephen Gallagher4-30/+47
This converts a great many configuration options to the new standard format.
2009-09-23Revert "Use syslog for logging error conditions in SSSD"Stephen Gallagher9-104/+88
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d. Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made use of the SYSLOG_ERROR() macro, so those portions of that code also needed to be reverted.
2009-09-21Use syslog for logging error conditions in SSSDJakub Hrozek9-88/+104
This is just a band-aid until ELAPI is fully functional and ready to use.
2009-09-14make cli_pid mandatory and increase version number of pam protocolSumit Bose1-1/+25
2009-09-14Let the PAM client send its PIDSumit Bose1-0/+19
- the client sends the PID as uint32_t and sssd will use uint32_t too - fix a possible type issue where a uint32_t is sent as int32 in internal dbus communication
2009-09-11Fix getgrnam and getgrgid callsSimo Sorce1-7/+9
The patch that added check_cache() broke them, no results returned for any group with actual members ...
2009-09-11Add copyright noticesJakub Hrozek2-0/+42
Fixes: #138