Age | Commit message (Collapse) | Author | Files | Lines |
|
|
We have converted to using dhash in place of btreemap everywhere
in the code.
|
|
This should fix #218
It should also prevent us from leaking memory in case the original request times
out and should prevent races with the callbacks being freed after sdp_req is
freed and thus dereferencing freed memory in the callbacks destructors.
|
|
- this patch should fix bug #213, a double free in the sdap timeout handler
|
|
Similar to Simo's patch that fixed the tools, this one converts the
python bindings to the start_transaction/end_transaction functions.
Also fixes memory hierarchy so that tools_ctx is allocated in every
operation and used as memory context for the operation instead of
self->mem_ctx which simplifies cleanup.
|
|
- add a hint to the man page about permissions on sssd.conf
- add a test if a symbolic link can be opened
|
|
Use this new utility call to ensure that the config file is safe
to read from.
|
|
Always use the network timeout defined in the options.
But raise defaults to 60 seconds or enumerations can easily fail.
|
|
Tools were using nested loops that are illegal.
(and enforced in latest tevent with a nice abort())
Fix them by creating appropriate synchronous transaction calls.
Also fix tools_ctx mem hierarchy setup.
|
|
Inits krb5 credentials, if sasl mech is GSSAPI.
Tested with GSSAPI and host keytab as well as user credentials.
Updates also manpages with the new options.
|
|
Loop control variable was not being incremented.
I also converted a goto loop into a do...while loop to make it
easier to follow the logic.
|
|
SSSD may contain passwords and other sensitive data, make sure we always keep its
permission tight. Also make /etc/sssd permission very strict, just in case,
admins may inadvertently copy an sssd.conf file without checking its
permissions.
|
|
Update gettext strings
|
|
- this fixes a compiler warning about the redefinition of
SIZEOF_OFF_T in the python bindings, because python is
compiled with large file support.
|
|
Timers always come before fd events, wait 5 microseconds between processing
operations so that tevent has a chance of catching an fd event in between.
This allows the backend to reply to pings even while processing very large ldap
results (important especially during the first enumeration).
|
|
Introduces a new option --debug-to-files which makes SSSD output its
debug information to a file instead of stderr, which is still the
default.
Also introduces a new confdb option debug_to_files which does the same,
but can be specified per-service in the config file.
The logfiles are stored in /var/log/sssd by default.
Changes the initscript to log to files by default.
|
|
This converts a great many configuration options to the new
standard format.
|
|
The backends do not honor the reloadConfig SBUS message right now,
so if an admin changes the sssd.conf file, it will update only the
monitor, potentially leaving the SSSD as a whole in a bad state.
This patch will simply comment out monitor_config_file() for the
time being until https://fedorahosted.org/sssd/ticket/91 is fixed.
|
|
- make the build of the locator plugin optional
- added a man page for the locator plugin
- use krb5.h if krb5/krb5.h cannot be found
- added alternatives for missing functions
- set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version
is lower than 1.0.0
|
|
When a laptop is suspended it may be dormant for hours.
Do not check just the last time a ping was successful, keep a counter with the
failed pings instead.
|
|
Remove this provider type, as well as any references in the docs and
examples to the "LEGACYLOCAL" migration domain.
Fixes: #165
|
|
Fixes a segfault seen in the wild with providers=files
|
|
Allow entering parent groups for groupadd,useradd,usermod as FQDN. Since
members and parents must be from the same domain, error out if we can't
determine the domain of member.
Fixes: #121
|
|
This reverts commit 8c50bd085c0efe5fde354deee2c8118887aae29d.
Amended: commit 1016af2b1b97ad4290ccce8fa462cc7e3c191b2e also made
use of the SYSLOG_ERROR() macro, so those portions of that code
also needed to be reverted.
|
|
Older python versions (such as that used in RHEL5) do not have a
python-config executable to report CFLAGS and LIBS. In order to
support such versions of python, we will duplicate the logic that
python-config would have performed directly in our configure
script
|
|
1) Add get_entry_as_bool function
2) Make all parameters in confdb_get_domain_internal() use macro
names for the attributes. This will make it easier to convert
them to the version 2 config file.
|
|
This is just a band-aid until ELAPI is fully functional and ready to
use.
|
|
Implement a set of python bindings for the sysdb with feature set
similar to what is available in the tools. The primary
consumers would be applications like system-config-users.
Resolves: Ticket #102
|
|
Instead of working directly with async code in tools, create synchronous
wrappers that could be used by tools and python bindings.
Also resolves many issues with code duplication in tools and thus fixes
ticket #87
|
|
Move parameter parsing in tools before attempting to do anything that
might fail - so that we have debug_level set correctly for potential
error messages. That allows printing the --help and --usage messages
without being root.
Fix code duplicates in tools and refactor its code a little to lay
ground for decoupling the synchronous interfaces.
Remove some legacy tools leftovers, re-add sensible error message on
removing nonexistent users/groups which was removed by accident.
Fixes: Trac ticket #75
Fix typo in groupdel: fixes ticket #136
|
|
There was a chance that groups w/o members could end up causing a failure to
store the group. This would happen in case the structure used by glibc to fill
up the group data was "dirty". Always memset structures before passing them to
the libc and also check if there are any members, before calling the async
function.
Finally add some tracing at level 7 so that it is easier to follow what is going
on in case of trouble.
|
|
Authentication against an LDAP server should always use an
encrypted connection. To achieve this the LDAP provider calls
ldap_start_tls which will fail if the connection is already
encrypted, e.g. if an ldaps tunnel is already established.
Because the error message from ldap_start_tls is not specific we
check the status with ldap_tls_inplace before calling ldap_start_tls.
|