Age | Commit message (Collapse) | Author | Files | Lines |
|
The local provider needs no backend, so we'll create a special
provider entry for it called "local" that will not attempt to
retrieve provider configuration but will remain in the service
list so it can be updated when the config file changes.
|
|
|
|
- allow different protocol versions for PAM and NSS
- support more than one protocol version in the responder
|
|
Provides a set of make rules for generating UNIX manual pages from
DocBook 4.5 source as well as sample manpage for sss_useradd.
Automatic generation of manual pages during "make" process is
tunable with config parameter "--with-manpages". To rebuild the man
pages separately, use the "make doc" target. Before building, the
manpages are validated using a DTD schema.
|
|
We need to ensure that configure fails with an error if the popt
development libraries are not present or if ldb module support is
not available.
|
|
Fixes: RHBZ #498462
|
|
|
|
- allow unspecified value in struct pam_data to be NULL
- check if domain structure is initialized in pam_reply
|
|
|
|
Refactoring the confdb so that the setup code can be linked
separately from the access API. This is being done so that our
plugins do not need to link against the collection and ini_config
libraries.
|
|
|
|
Use tevent signal handling facilities for handlong SIGTERM and SIGINT in the monitor.
Remove pidfile on SIGTERM and SIGINT.
Make sssd single-instance by checking if we suceeded in signaling the process in the pidfile.
|
|
|
|
|
|
|
|
In the event that the configuration was corrupt the first time the
SSSD is started, it would write in the special data for attributes
and indexes, but it would fail before writing the version.
Subsequent reloads (even with correct configuration files) would
fail, since they would try again to write the attributes and
indexes and fail since they were already present.
|
|
|
|
|
|
Make shadow-utils base path configurable
Use default values for params, allow configuring them
|
|
|
|
|
|
|
|
|
|
This fixes a bug with legacy backends where the cached password would be cleared
on a user update.
Using a different attribute we make sure a userPassword coming from the remote
backend does not interfere with a cachedPassword (and vice versa).
|
|
|
|
If the data provider is not yet available when NSS and PAM start,
they will generate a segmentation fault when trying to configure
their automatic reconnection to the Data Provider. I've now added
code in sss_dp_init() to detect whether the dp_ctx is NULL and
return EIO.
|
|
|
|
|
|
ldap backend
|
|
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
|
|
The domain name is no longer send as an element on its own, but
if set as a member of the response array. If the user was not found
pd->domain is NULL and strlen will seg-fault.
|
|
- added range check for supplied UIDs and GIDs
- initialize pc_gid to 0 to trigger gid generation
|
|
see https://fedorahosted.org/sssd/ticket/25
|
|
|
|
Force a user lookup against the users domain provider.
If a user domain is not specified search though all non fully qualifying
domains.
Perform authentication against the corrent domain auth backend, based on the
user's domain found in the lookup if one was not
specified.
Also move the NSS-DP functions in COMMON-DP as they are reused by the PAM
responder too now.
|
|
Add code to check if the file has changed since the last update was performed.
Avoid dumping and reloading the config ldb if the modification time of the
configuration file has not changed at all.
|
|
We need to stop parsing domains as soon as a caaandidate is found and let the
callback search additional domains if the id is not found.
Should fix ticket #21
|
|
Also convert all places where we were using custom code to parse
config arguments.
And fix a copy&paste error in nss_get_config
|
|
Previously, every DP client was allowed to set its own "retries"
option. This option was ambiguous, and useless. All DP clients
will now use a global option set in the services config called
"reconnection_retries"
|
|
Also remove the [services/infopipe] section, since we're not
shipping InfoPipe yet, and that would be confusing.
|
|
|
|
|
|
|
|
|
|
|
|
Also setting dctx->domain to NULL is a recipe for segfaults :-)
Assign dctx->domain only when dom actually holds a domain pointer.
|
|
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also cleanup pam responder code and mode common code in data provider.
(the data provider should never include responder private headers)
|
|
Change sysdb to always passwd sss_domain_info, not just the domain name.
This way domain specific options can always be honored at the db level.
|
|
The SSSD now links with the ini_config and collection libraries
in the common directory.
The monitor will track changes to the /etc/sssd/sssd.conf file
using inotify on platforms that support it, or polled every 5
seconds on platforms that do not.
At startup or modification of the conf file, the monitor will
purge the existing confdb and reread it completely from the conf
file, to ensure that there are no lingering entries. It does this
in a transaction, so there should be no race condition with the
client services.
A new option has been added to the startup options for the SSSD.
It is now possible to specify an alternate config file with the
-c <file> at the command line.
|
|
Fixes requested during code review
|