Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
When using GSSAPI we need a valid service ticket to talk to the LDAP
server. If the ticket is expired the LDAP client returns with 'Can't
contact LDAP server'. Currently we set the backend offline if this error
occurs although the server is still available. This patch checks if the
TGT is expired and tries to renew the credentials before going offline.
|
|
Detect if the OS is Fedora, RHEL or SUSE and install the SUSE
start-script on SUSE systems.
|
|
Search the local db to find the local DN using the original DN as search key.
This way we do not have to rely on weak and faulty heuristicts based on DN
names.
Add a few helper functions in the process and change the way we pass members to
sysdb_store_group_send(), instead of passing users and groups list, just add
member DNs to the other sysdb attrs.
|
|
|
|
|
|
|
|
|
|
Level 3 was far too low for mostly-useless messages
|
|
|
|
Groups also need to honor the settable password field and use * by default.
|
|
This allows for correctly reporting nested group members, while at the same
time not paying a too high price for caluclating nested groups at runtime e
very time a search is made.
|
|
This patch adds a new generated attribute to every group that has
direct or indirect members.
This attribute is called memberuid and contains the name of the users
that are directo or indirect members of this group.
This is done to greatly speed up group enumerations when NSS reads groups
off the cache.
|
|
A loop was badly built and was skipping entries.
This left some memberof attributes in place that should have been removed.
|
|
|
|
Fixes: #241
|
|
Fixes: #296
|
|
Mainly typo fixes and grammar updates.
Application of RH doc styles where appropriate.
|
|
Fixes: #235
|
|
Fixes: #268
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To avoid blocking in a synchronous call, the TGT is saved in a separate
process
Fixes: #277
|
|
Moves several functions out of providers/krb5 hierarchy into a separate
module so it can be shared by the ldap child.
|
|
|
|
|
|
|
|
Unfortunately since we changed the defines to an enum the preprocessor test
stopped working.
Turn tests into runtime tests that will abort the process.
|
|
|
|
When I converted fill_grent to speed up enumerations I left out this check
by mistake.
|
|
|
|
Then name or IP adress of the KDC is written into the pubconf directory
into a file named kdcinfo.REALM. The locator plugin will then read this
file and pass the data to the kerberos libraries.
|
|
This adds a new boolean option to sss_dp_send_acct_req() called
fast_reply. If we make a request to the backends and we are
currently offline, this option will determine whether we should
immediately return from the cache (acceptable for NSS requests) or
potentially wait for an online check to complete (required for PAM
requests).
|
|
|
|
|
|
|
|
The retun values are still not directly used with ldap libraries that still do
their own name resolution, but this patch introduces a very basic framework to
have a multiple providers in one domain use and share a single failover
service if they want to.
|
|
When using high debug levels or valgrind the code maybe slow enough that these
timeouts were too strict.
|
|
This way we do not need to check for id ranges on every search.
|
|
This brings down the time needed to enumerate my group database
from 2.4 seconds to 0.15 seconds.
|
|
If you want to turn verbosity back on, just set the environment
variable CK_VERBOSITY=verbose
|
|
|
|
To support IPA DS to Kerberos password migration a seperate
authentication target is added. It calls the Kerberos authentication
target and in the case of a 'Preauthentication Error' the LDAP
authentication target. On success the Kerberos target is called again to
request the TGT.
|
|
Thanks to Marko Myllynen for spotting this.
|