summaryrefslogtreecommitdiff
path: root/server/responder
AgeCommit message (Collapse)AuthorFilesLines
2009-08-12Eliminate unnecessary explicit timeout for DP account requestsStephen Gallagher1-33/+19
D-BUS handles timeouts itself and reports DBUS_ERROR_NO_REPLY if a timeout fires, so we can rely on this instead of having an explicit timeout ourselves. Furthermore, the two timeouts present a potential race condition.
2009-08-11Change the why DP clients identifySimo Sorce9-143/+69
Mirrors what we have done with the monitor.
2009-08-11Change services identification mechanismSimo Sorce4-150/+24
Let services identify themselves voiluntarily as the first operation instead of polling from the monitor. Also consolidate some common functions and make them available as monitor helpers.
2009-08-11Make child processes exit when parent diesJakub Hrozek2-0/+12
The child processes call prctl() and when their parent process is killed, they are sent SIGTERM using prctl. This is currently Linux-specific, for non-Linuxes, a similar effect is achieved by catching a set of common termination signals and sending SIGTERM to the process group.
2009-08-11Make socket paths a compile-time optionStephen Gallagher2-2/+0
Previously, we had hardcoded the paths for the NSS, PAM and private PAM sockets to /var/lib/sss/pipes. With this patch, we will specify the sockets with --with-pipe-path.
2009-08-10Simplify interfaces initializationSimo Sorce9-100/+86
Make as much as possible static, and remove use of talloc_reference and allocation/deallocation of memory when not necessary. Fix also responder use of rctx->conn, was mistakenly used for both monitor and dp connections.
2009-08-10merge server and connection structuresSimo Sorce2-4/+4
This reduce code duplication as it allows to use one set of watch and timeout functions, and at the same time also allow not to use a secondary structure just to unify these functions.
2009-08-10Cosmetic changesSimo Sorce7-51/+51
Rationalize and rename connection names in preparatoin for merging of server and connection structures.
2009-08-10Remove redundant memory contextsSimo Sorce6-30/+36
Simplify code by removing stuff that is never used or redundant.
2009-08-05Move parsing of names and domains into util/Jakub Hrozek2-120/+1
2009-07-29Address CVE-2009-2410Stephen Gallagher1-1/+1
Fix incorrect error code return in local_handler_callback
2009-07-20Raise debug level for version negotiationSimo Sorce1-2/+2
2009-07-20Implement resInit for monitor, NSS, PAM, DP and the backendsStephen Gallagher2-0/+40
2009-07-03Rework transaction code to use tevent_reqSimo Sorce1-31/+84
This is part of a set of patches to rewrite sysdb to a hopefully better API, that will also let use use tevent_req async style calls to manipulate our cache.
2009-07-03Rename sysdb_req to sysdb_handle.Simo Sorce2-12/+6
This sysdb_req has always really been a transaction handle and not a request. This is part of a set of patches to rewrite transaction support in sysdb to a hopefully better API, that will also let use use tevent_req async style to manipulate our cache.
2009-07-02check pending_return after dbus_connection_send_with_replySumit Bose2-2/+2
2009-07-02added kerberos backend with tevent_req event handlingSumit Bose1-1/+19
2009-06-08fix detection of authentication against LOCAL domainSumit Bose1-3/+9
2009-05-28Fix user enumeration bugSimo Sorce1-4/+0
The previous patch to fix an enumeration bug found with group enumeration inadvertently introduced a bug with user enumeration. Yeah, almost funny!
2009-05-28special-case NSS calls in PAM codeJakub Hrozek1-2/+2
2009-05-27Fix enumerations (bug #42)Simo Sorce1-12/+76
If a backend had all its results filtered in fill_pwent or fill_grent then we would return an empty result, which means "end of results" to the client. Now we return ENOENT and let callers decide what to do. Also make sure we do not grow packets unless we are going to fill them as that's a recipe for killing the client as the size passed to sss_packet_grow is used to determine the size of the final packet.
2009-05-26fix a wrong timeoutSumit Bose1-3/+4
The timeout of the data provider call (in ms) got overwritten by a cache timeout (in s).
2009-05-26Silence warningsSimo Sorce3-6/+10
2009-05-26Do not fire up backend search when the data provider is localJakub Hrozek2-14/+18
2009-05-18Move actual password caching into sysdbSimo Sorce4-126/+2
Convert auth modules to do the caching themselves
2009-05-18Prevent accepting blank passwordsSimo Sorce1-0/+7
2009-05-18Fix crypt functions to not use static buffers.Simo Sorce2-18/+16
Also fix style, clarify, and simplify some logic.
2009-05-15added new pam client protocolSumit Bose1-1/+132
2009-05-15added more flexible handling of client protocolSumit Bose4-2/+63
- allow different protocol versions for PAM and NSS - support more than one protocol version in the responder
2009-05-14added check for NULL valuesSumit Bose2-9/+1
- allow unspecified value in struct pam_data to be NULL - check if domain structure is initialized in pam_reply
2009-05-06Fix some more return paths using uninitalized retSimo Sorce1-3/+3
2009-04-29Fix use of uninitialized return variableSimo Sorce1-5/+5
2009-04-28handle other pam calls when offlineSumit Bose1-0/+10
2009-04-28Use different attribute for cached passwords change timeSumit Bose1-2/+2
2009-04-28change PAM timeout the match NSS timeSumit Bose2-3/+1
2009-04-27Use different attribute for cached passwordsSimo Sorce1-3/+3
This fixes a bug with legacy backends where the cached password would be cleared on a user update. Using a different attribute we make sure a userPassword coming from the remote backend does not interfere with a cachedPassword (and vice versa).
2009-04-27Eliminate segfault on NSS and PAM responder startup.Stephen Gallagher1-0/+4
If the data provider is not yet available when NSS and PAM start, they will generate a segmentation fault when trying to configure their automatic reconnection to the Data Provider. I've now added code in sss_dp_init() to detect whether the dp_ctx is NULL and return EIO.
2009-04-27fix for pam proxy chauthtokSumit Bose1-0/+1
When a user from a domain served by the proxy backend changes his password with passwd the passwd command asks for the old password, but it is not validated by the pam_chauthtok call in the proxy backend, because it is running as root. If the request is coming the unpriviledged socket we now call pam_authenticate explicitly before pam_chauthtok.
2009-04-23removed length of unused element from packet size calculationSumit Bose1-1/+1
The domain name is no longer send as an element on its own, but if set as a member of the response array. If the user was not found pd->domain is NULL and strlen will seg-fault.
2009-04-22fix for a seq fault when pam_reply_delay is called.Sumit Bose1-2/+2
see https://fedorahosted.org/sssd/ticket/25
2009-04-17Force user check and discover user's domainSimo Sorce6-297/+593
Force a user lookup against the users domain provider. If a user domain is not specified search though all non fully qualifying domains. Perform authentication against the corrent domain auth backend, based on the user's domain found in the lookup if one was not specified. Also move the NSS-DP functions in COMMON-DP as they are reused by the PAM responder too now.
2009-04-16Fix by_id enumeration with multiple domainsSimo Sorce1-0/+10
We need to stop parsing domains as soon as a caaandidate is found and let the callback search additional domains if the id is not found. Should fix ticket #21
2009-04-14Add common function to retrieve comma sep. listsSimo Sorce1-11/+13
Also convert all places where we were using custom code to parse config arguments. And fix a copy&paste error in nss_get_config
2009-04-14Make reconnection to the Data Provider a global settingStephen Gallagher2-7/+4
Previously, every DP client was allowed to set its own "retries" option. This option was ambiguous, and useless. All DP clients will now use a global option set in the services config called "reconnection_retries"
2009-04-14Add reconnection code between the NSS responder and the Data providerStephen Gallagher1-1/+52
2009-04-13Fix a couple of segfaults and timeout checksSimo Sorce2-31/+14
2009-04-13Fix segfaults when passing an unknown domainSimo Sorce1-9/+20
Also setting dctx->domain to NULL is a recipe for segfaults :-) Assign dctx->domain only when dom actually holds a domain pointer.
2009-04-13Implement credentials caching in pam responder.Simo Sorce8-373/+494
Implement credentials caching in pam responder. Currently works only for the proxy backend. Also cleanup pam responder code and mode common code in data provider. (the data provider should never include responder private headers)
2009-04-13Always pass full domain infoSimo Sorce1-1/+1
Change sysdb to always passwd sss_domain_info, not just the domain name. This way domain specific options can always be honored at the db level.
2009-04-09Serialize requests vs backends.Simo Sorce1-544/+702
This way we do not waste resources starting searching for users/groups in multiple backends when the first one has the answer. Also prevents possible race conditions where a user named the same way is found in multiple backends and the wrong one is returned.