Age | Commit message | Author | Files | Lines |
|
|
The name or IP address of the KDC is written into the pubconf directory
into a file named kdcinfo.REALM. The locator plugin will then read this
file and pass the data to the kerberos libraries.
|
|
This adds a new boolean option to sss_dp_send_acct_req() called
fast_reply. If we make a request to the backends and we are
currently offline, this option will determine whether we should
immediately return from the cache (acceptable for NSS requests) or
potentially wait for an online check to complete (required for PAM
requests).
|
|
The return values are still not directly used with ldap libraries that still do
their own name resolution, but this patch introduces a very basic framework to
have multiple providers in one domain use and share a single failover
service if they want to.
|
|
When using high debug levels or valgrind the code may be slow enough that these
timeouts were too strict.
|
|
This way we do not need to check for id ranges on every search.
|
|
This brings down the time needed to enumerate my group database
from 2.4 seconds to 0.15 seconds.
|
|
If you want to turn verbosity back on, just set the environment
variable CK_VERBOSITY=verbose
|
|
To support IPA DS to Kerberos password migration a separate
authentication target is added. It calls the Kerberos authentication
target and in the case of a 'Preauthentication Error' the LDAP
authentication target. On success the Kerberos target is called again to
request the TGT.
|
|
Thanks to Marko Myllynen for spotting this.
|
|
- save current ccache file to sysdb
- use the saved ccache file if the user has running processes
- create an empty ccache if offline
- return environment variables if offline
|
|
In building the DN string we weren't correctly escaping the value of the RDN
component. This patch fixes that.
|
|
With the previous code in domains with many users and enumeration enabled we
would eventually end up making thousands of individual searches for entries in
the clean-up process.
Change the code to do a full enumeration before a cleanup so we do one single
big search to update all entries and only then search for entries to purge.
This also fixes the fact that the cleanup task was running at every enumeration
instead of running every "ldap_purge_cache_timeout" seconds.
|
|
Incorporates changes we made to v2 after 0.6, or that were missed by the
original upgrade script:
* removes magic_private_groups option
* removes libPath option
* changes provider=files to provider=proxy proxy_lib_name=files
* changes store-legacy-passwords to store_legacy_passwords
|
|
* splitlist is a function
* shared SSSDConfigObject to reduce code duplication
* added missing exception class
* fixed some typos
* remove extra 'pass' in unittests
* use assertRaises in unittests
|
|
With this patch, SSSDConfigAPI is able to keep comments and ordering of
sections.
Fixes: #226
|
|
With this patch, the upgrade script we use for changing the config files
is able to keep ordering and comments.
Fixes: #249
|
|
Provides a convenient wrapper around ipachangeconf that is closer
API-wise to ConfigParser
|
|
After completing an upgrade successfully, we were still falling
into the "version not found" case. We should be exiting the
function after performing the upgrade.
|
|
Per the discussion on sssd-devel list, nss_sss should not return a
hardcoded value but this should rather be configurable to allow whatever
the OS or distribution thinks is the best for the particular case.
Fixes: #266
|
|
An initgroups call refreshes both the user and the user's groups, this is ideal
for pam so that we don't need additional initgroups calls (initgroups calls are
cached too now) during the login process.
|
|
We were previously always ending up contacting the backend because we had no
way to know if an initgroups call for the same user had ever been called.
Add attribute to hold this information and rely on backends to update it.
If they don't we fall back to the previous behavior of asking the backend.
|
|
This slipped through in previous patches.
Fixes #283
|
|
Change memctx to make clear it should be used only when a callback is being
used.
|
|
Also rework check_cache so that the operations it makes are more explicit.
Also add comments about why we are doing something.
Should make the code easier to understand in future (took quite some time and
discussion on IRC to understand exactly how this function was behaving and to
find the callback passing bug).
|
|
- use the correct private data for each PAM task
- make proxy_pam_target a mandatory option for auth, chpass and access
|
|
This patch adds support for the host, source host and user category
'all'. All other category values are ignored so far. With the patch the
interpretation of an empty memberUser and empty sourceHost and
externalHost is changed to 'not applicable'.
|
|
Refactor user/group delete functions so that they can be used without a
transaction (they autostart an operation).
Add user and group search function where a subfilter can be specified.
|
|
Currently the Kerberos child handler evaluates the siginfo_t structure
to wait for a specific child. This scheme is prone to error, especially
when there is more than one child process active, and can produce
misleading debug messages. This patch simplifies the scheme as it waits
for any child.
|
|