Age | Commit message (Collapse) | Author | Files | Lines |
|
- return PAM_AUTHTOK_ERR instead of PAM_SYSTEM_ERR if the password
change operation fails
- send a message to the user if the system is offline and the password
cannot be changed
|
|
|
|
crypto_sha512crypt.c is a clone of nss_sha512crypt.c with the exception that
all usage of NSS and related libraries has been switched to libcrypto.
I renamed nss_sha512crypt.h to sha512crypt.h since it is common to both
crypto_sha512crypt.c and nss_sha512crypt.c. Note that the random number
generator is not seeded manually and thus relies on seeding done
automatically by libcrypto. On some systems without /dev/urandom
seeding may not be performed.
See http://www.openssl.org/docs/crypto/RAND_add.html.
Signed-off-by: George McCollister <georgem@novatech-llc.com>
|
|
|
|
|
|
|
|
|
|
uint32_t pointers must point to 32 bit aligned data on ARM. Instead of padding the data to force it into alignment I altered the code to memcpy the data to an aligned location. I'd appreciate any and all feedback especially on whether I took the best approach.
pam_test_client auth and pam_test_client acct now work on my armeb-xscale-linux-gnueabi target.
Signed-off-by: George McCollister <georgem@opteron.novatech-llc.com>
|
|
|
|
The code for authentication against a cached password is moved from the
pam responder to a generic sysdb tevent request. The new code can be
used by other components of sssd to verify passwords on their own.
Tests for the sysdb_cache_password and sysdb_cache_auth request are
added and some unneeded or unused code and variables are removed.
|
|
Tevent frees timer handlers once done, so freeing the timer within the event is
going to cause double frees. Just attach the timer event to the request it
depends on and make sure to steal it on NULL if we are going to free the
request from within the handler.
|
|
|
|
If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we
generate a separate call to the sssd to validate the old password before
asking for a new password and sending the change password request.
|
|
This matches the DEBUG logging available for groups.
|
|
Also pass a flag to the delete callback to tell it if this is a normal
entry removal or we are cleaning up the tbale definitively.
|
|
If we fell into the default case of the switch statement, we would
attempt to talloc_free() a random memory location. This patch
guarantees that sdp_req is NULL if it has not been initialized.
|
|
|
|
Groups also need to honor the settable password field and use * by default.
|
|
This allows for correctly reporting nested group members, while at the same
time not paying a too high price for caluclating nested groups at runtime e
very time a search is made.
|
|
When I converted fill_grent to speed up enumerations I left out this check
by mistake.
|
|
This adds a new boolean option to sss_dp_send_acct_req() called
fast_reply. If we make a request to the backends and we are
currently offline, this option will determine whether we should
immediately return from the cache (acceptable for NSS requests) or
potentially wait for an online check to complete (required for PAM
requests).
|
|
This way we do not need to check for id ranges on every search.
|
|
This brings down the time needed to enumerate my group database
from 2.4 seconds to 0.15 seconds.
|
|
Per the discussion on sssd-devel list, nss_sss should not return a
hardcoded value but this should rather be configurable to allow whatever
the OS or distribution thinks is the best for the particular case.
Fixes: #266
|
|
An initgroups call refreshes both the user and the user's groups, this is ideal
for pam so that we don't need addiotnal initgroups calls (initgroups calls are
cached too now) during the login process.
|
|
We were previously always ending up contacting the backend because we had no
way to know if an initgroups call for the same user had ever been called.
Add attribute to hold this information and rely on backends to update it.
If they don't we fallback to the previous behvior of asking the backend.
|
|
Change memctx to make clear it should be used only when a callback is being
used.
|
|
Also rework check_cache so that the operations it makes are more explicit.
Also add comments about why we are doing something.
Should make the code easier to understand in future (took quite some time and
discussion on IRC to understand exactly how this function was behaving and to
find the callback passing bug).
|
|
|
|
When possible using a macro that correctly deals with tstate
|
|
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
|
Fix copy/paste error that picked up the wrong request structure to pass down.
This was causing the talloc code that checks for the right signature to fail and
abort as the 2 request structures have different state structures attacched.
|
|
This rewrite should also fix a segfault in the code that may happen when
exiting in case of error conditions. The previous code was attaching the
transaction handle to llreq structure and then calling prepare_reply() from
within the request handlers which could ultimately free the preq and
llreq and handle before the transaction request was actually completed
by tevent.
|
|
This adds a new option (offline_credentials_expiration) to the
[PAM] section of the sssd.conf
If the user does not perform an online authentication within the
timeout (in days), they will be denied auth once the timeout
passes.
|
|
|
|
These functions were used when reconnecting to the DP after losing
the connection. Since there is no DP any longer, there's no reason
to have these functions.
|
|
The way we were processing errors from the provider caused offline
authentication to stop working. Previously the problem was masked
by a bug in the data provider that always returned "Success" for any
operation no matter what the actual return code was. when DP got
removed the bug became evident.
|
|
Turn the backend process into data provider servers
Make Frontends (pam, nss) directly attach to the backends
|
|
We have converted to using dhash in place of btreemap everywhere
in the code.
|
|
This should fix #218
It should also prevent us from leaking memory in case the original request times
out and should prevent races with the callbacks beeing freed after sdp_req is
freed and thus dereferencing freed memory in the callbacks detructors.
|
|
Loop control variable was not being incremented.
I also converted a goto loop into a do...while loop to make it
easier to follow the logic.
|
|
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
|
This converts a great many configuration options to the new
standard format.
|
|
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
|
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
|
|
|
- the client sends the PID as uint32_t and sssd will use uint32_t too
- fix a possible type issue where a uint32_t is sent as int32 in internal
dbus communication
|
|
The patch that added check_cache() broke them, no results returned for any group
with actual members ...
|
|
Fixes: #138
|