Age | Commit message | Author | Files | Lines |
|
The LOCAL provider does not have a mechanism to load alternate
auth, access or chpass backends, nor does it make sense to do so.
This will throw a configuration error if these values are
specified (unless they are explicitly also set to 'local').
|
Put all init functions in their own file so that the other files can be
reused in other providers w/o having them in the way.
|
Put all init functions in their own file so that the other files can be reused in
other providers w/o having them in the way.
|
There was a double-free here. I removed the free()s within
setup_db, because upon returning to sss_init_tools(), if
ret != EOK, the context is freed as well.
|
These functions were used when reconnecting to the DP after losing
the connection. Since there is no DP any longer, there's no reason
to have these functions.
|
There were unused functions still being compiled. This will
suppress them until we turn live configuration updates back on.
|
On older versions of the python headers, some arguments used
'char *' instead of 'const char *', which means that assigning a
constant string such as "adduser" threw a warning about discarding
qualifiers.
This patch cleans up most of these warnings in this file. There
remain several warnings in the sss_local_methods initialization
that I do not know how to fix.
|
If auth_provider or access_provider is not set explicitly, id_provider is
used if it can handle auth or access control requests respectively. If
not, auth defaults to 'none' and the access_provider is set to 'permit'.
The option 'deny' is added for the access_provider to explicitly deny
access.
|
- If chpass_provider is not given in the configuration file but an
auth_provider is, and the auth_provider can also handle change-password
requests, it is used as chpass_provider.
|
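As an added example (not SSSD's own code), the provider-defaulting rules from the messages above (the LOCAL provider restriction, the auth/access fallbacks, and the chpass fallback) modelled as one resolution function. The capability sets, the function and class names, and the 'none' fallback for chpass are assumptions constructed for this example.

```python
# Which request types each backend is assumed able to serve. Constructed for
# this example; real SSSD discovers this from the backend module itself.
CAPABILITIES = {
    "local": {"id", "auth", "access", "chpass"},
    "ldap": {"id", "auth", "access", "chpass"},
    "krb5": {"auth", "chpass"},
    "proxy": {"id", "auth", "chpass"},
    "none": set(),
}

# Pseudo-providers that are valid only as an explicit access_provider.
ACCESS_PSEUDO = {"permit", "deny"}


class ConfigError(ValueError):
    """Raised when a domain section combines providers in a disallowed way."""


def _can(provider, request_type):
    return request_type in CAPABILITIES.get(provider, set())


def resolve_providers(domain):
    """Return (auth_provider, access_provider, chpass_provider) for a domain dict.

    Rules taken from the commit messages:
    * id_provider=local cannot load other auth/access/chpass backends; any such
      option must be absent or also 'local'.
    * Unset auth_provider/access_provider fall back to id_provider when it can
      serve that request type; otherwise auth -> 'none', access -> 'permit'.
    * 'deny' is accepted as an explicit access_provider.
    * Unset chpass_provider falls back to auth_provider when that backend can
      handle change-password requests (falling back to 'none' is an assumption).
    """
    id_prov = domain["id_provider"]
    auth = domain.get("auth_provider")
    access = domain.get("access_provider")
    chpass = domain.get("chpass_provider")

    if id_prov == "local":
        for name, value in (("auth_provider", auth), ("access_provider", access),
                            ("chpass_provider", chpass)):
            if value is not None and value != "local":
                raise ConfigError(f"{name}={value!r} is not allowed with id_provider=local")

    if access is not None and access not in ACCESS_PSEUDO and not _can(access, "access"):
        raise ConfigError(f"access_provider={access!r} cannot handle access requests")
    if auth is None:
        auth = id_prov if _can(id_prov, "auth") else "none"
    if access is None:
        access = id_prov if _can(id_prov, "access") else "permit"
    if chpass is None:
        chpass = auth if _can(auth, "chpass") else "none"
    return auth, access, chpass
```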
The way we were processing errors from the provider caused offline
authentication to stop working. Previously the problem was masked
by a bug in the data provider that always returned "Success" for any
operation no matter what the actual return code was. When the DP got
removed, the bug became evident.
|
If a backend target is not configured the return code is changed
from PAM_SYSTEM_ERR to PAM_MODULE_UNKNOWN and an error message is
sent back to the client.
|
The sdap_id_connect_* request tries to bind to an LDAP server with
the default credentials. Only the opts component of the sdap_id_ctx
context is used. A new request sdap_cli_connect_* is created which
expects only the opts pointer as parameter and not the whole context.
This makes it reusable by other providers.
|
Add getpwnam, getgrnam sync versions
Fix ticket #164: Groupnames in non-local domains
Fix ticket #100: Error Message Modifying a user that doesn't Exist
Fix ticket #214: incorrect error message when MPG already exists
Fix ticket #188: Deleting and modifying users in non-local domain
Fix ticket #120: Adding a user to a full domain gives unhelpful error message
|
Also adds unit tests for the SSSDConfig API
|
- the patch to handle short read introduced a new variable len to
store the amount of data read. Instead of using this variable
unpack_buffer was called with the old variable ret. Thanks to
mnagy@redhat.com for finding this.
- this patch also fixes a potential error when the message size is
equal to the buffer size.
|
- when the kerberos provider was used as a chpass_provider but
not as auth_provider the backend died
|
In sssd only local is a native mpg domain, and it is forced.
All other providers will have to unroll mpg users into a user/group pair of
entries in the db. This allows the provider to automatically establish if
the remote server provides mpg users w/o possibly conflicting manual
configurations on the client trying to force an mpg behavior where none
is provided.
|
Instead of waiting an arbitrary timeout, start all providers first, and wait for
all of them to reply to the monitor before starting other services.
Add a timeout handler so that services are started even if one of the providers
fails to actually register back to the monitor.
Also fixes service destructors.
delist_service was overriding the natural svc destructor.
remove the offending code and make the svc_destructor always try
to remove a service from the service list, if the service is not
listed it will just be a noop.
|
Turn the backend process into data provider servers
Make Frontends (pam, nss) directly attach to the backends
|
Network timeouts are used in quick operations like bind.
Search timeout is used for operations that can "legally" require more time.
Change defaults to 6 and 60 seconds respectively.
|
- password policy request controls are sent during bind and change
password extended operation
- the response control is evaluated to see if the password is expired
or will expire soon
|
We have converted to using dhash in place of btreemap everywhere
in the code.
|
This should fix #218
It should also prevent us from leaking memory in case the original request times
out and should prevent races with the callbacks being freed after sdp_req is
freed and thus dereferencing freed memory in the callbacks' destructors.
|
- this patch should fix bug #213, a double free in the sdap timeout handler
|
Similar to Simo's patch that fixed the tools, this one converts the
python bindings to the start_transaction/end_transaction functions.
Also fixes memory hierarchy so that tools_ctx is allocated in every
operation and used as memory context for the operation instead of
self->mem_ctx which simplifies cleanup.
|
- add a hint to the man page about permissions on sssd.conf
- add a test if a symbolic link can be opened
|
Use this new utility call to ensure that the config file is safe
to read from.
|
Always use the network timeout defined in the options.
But raise defaults to 60 seconds or enumerations can easily fail.
|
Tools were using nested loops that are illegal.
(and enforced in latest tevent with a nice abort())
Fix them by creating appropriate synchronous transaction calls.
Also fix tools_ctx mem hierarchy setup.
|
Inits krb5 credentials, if sasl mech is GSSAPI.
Tested with GSSAPI and host keytab as well as user credentials.
Updates also manpages with the new options.
|
Loop control variable was not being incremented.
I also converted a goto loop into a do...while loop to make it
easier to follow the logic.
|
SSSD may contain passwords and other sensitive data, make sure we always keep its
permissions tight. Also make /etc/sssd permissions very strict, just in case
admins inadvertently copy an sssd.conf file without checking its
permissions.
|
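The "is the config file safe to read" check that the symbolic-link and permissions messages above call for, written here as an added Python example rather than SSSD's own C utility; the function names, the expected owner/mode parameters and the constructed temporary files are assumptions for this example.

```python
import os
import stat
import tempfile


def config_file_is_safe(path, expected_uid, expected_gid=None, allowed_mode=0o600):
    """Return (ok, reason): is `path` safe to read as a secrets-bearing config?

    Checks mirror the commit messages: refuse symbolic links and non-regular
    files, require the expected owner (and group, when given), and refuse any
    permission bit beyond allowed_mode (default 0600, an assumption here).
    """
    try:
        st = os.lstat(path)  # lstat so a symlink is seen as a symlink, not followed
    except OSError as exc:
        return False, f"cannot stat {path}: {exc.strerror}"
    if stat.S_ISLNK(st.st_mode):
        return False, "is a symbolic link"
    if not stat.S_ISREG(st.st_mode):
        return False, "is not a regular file"
    if st.st_uid != expected_uid:
        return False, f"owned by uid {st.st_uid}, expected {expected_uid}"
    if expected_gid is not None and st.st_gid != expected_gid:
        return False, f"group is gid {st.st_gid}, expected {expected_gid}"
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~allowed_mode:
        return False, f"mode {mode:04o} grants more than {allowed_mode:04o}"
    return True, "ok"


def demo_in_tempdir():
    """Constructed scenario: a tight file, a world-readable file and a symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sssd.conf")
        loose = os.path.join(d, "sssd-loose.conf")
        link = os.path.join(d, "sssd-link.conf")
        for p, mode in ((good, 0o600), (loose, 0o644)):
            with open(p, "w") as fh:
                fh.write("[sssd]\nservices = nss, pam\n")  # constructed content
            os.chmod(p, mode)
        os.symlink(good, link)  # link to an otherwise-safe file must still fail
        for name, p in (("good", good), ("loose", loose), ("link", link)):
            results[name] = config_file_is_safe(p, os.getuid())[0]
    return results
```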