Age | Commit message (Collapse) | Author | Files | Lines |
|
The config_file_version should never be changed by the API, so we
will hide the option inside the SSSDConfig API and remove it from
the schema.
Guarantee that the config file is of the correct version
|
|
|
|
The 'Unable to load' debug message is now only shown when the backend
target is given explicitly in the config file. I the other case we
let the caller decided how to handle this error condition.
|
|
|
|
|
|
|
|
|
|
|
|
Also fic sdap_get_generic_send() to be a bit more "generic" :-)
Also figs bugs within it.
This patch allow us 2 good things.
A) we check that the server effectively supports GSSAPI auth before we try to
use it.
B) against IPA it substantially cuts delays when the server is offline because
it uses a 5 second async timeout on the connection and doesn't try to do a
slow synchronous kinit+sasl_bind if the server is not even available.
|
|
Do not replicate every and each option we may want to set in ipa.
Just read out ldap and krb provider options (added reference in the manual too,
and removed mention of ipa specific timeout values, use ldap options for that)
Avoid calling auth module initialization twice, just pass the auth context to
the chpass module too.
Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be
used for both users and groups. the user and group search bases can still be set
separately if necessary but they are now optional and set to be identical to
SDAP_SEARCH_BASE if not explicitly specified in the configuration.
|
|
|
|
|
|
This patch uses a wrapper to kill the ldap connection when we are marked
offline. This also makes sure we do not try to reuse a bad connection handler
after a fatal error.
|
|
Changeset 3a21103f61bf9b60256cc2d0da54b757b634319f moved the wrong
option to the domain list, and also didn't update the unit tests.
|
|
Add a way to make changes to the most recent format of config
files. Use it to remove all traces of Data Provider from the config file
which is being migrated.
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
|
Nested groups weren't properly handled.
Add 2 pass strategy to update groups memberships
Stuff work as expected when enumeration is enabled now.
|
|
Fix copy/paste error that picked up the wrong request structure to pass down.
This was causing the talloc code that checks for the right signature to fail and
abort as the 2 request structures have different state structures attacched.
|
|
Also remove references to the DP service from the sssd.conf
manpages.
|
|
|
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
This rewrite should also fix a segfault in the code that may happen when
exiting in case of error conditions. The previous code was attaching the
transaction handle to llreq structure and then calling prepare_reply() from
within the request handlers which could ultimately free the preq and
llreq and handle before the transaction request was actually completed
by tevent.
|
|
If the pointer stays around, zero it when it is freed, so we do not risk
access to released memory in case of bugs.
|
|
|
|
Also fix some debug message levels
|
|
We were not copying IPA named options to the ldap id options list.
So the ldap_id provider was always using just the default settings.
|
|
Configuration files before 0.5.0 did not enforce provider= in local
domains it did special-case by domain name (LOCAL). Our script was
relying on provider= value, this patch adds the special-casing in case
the domain was called LOCAL.
|
|
Update gettext strings
|
|
This adds a new option (offline_credentials_expiration) to the
[PAM] section of the sssd.conf
If the user does not perform an online authentication within the
timeout (in days), they will be denied auth once the timeout
passes.
|
|
|
|
Create and populate user directories on useradd, delete them on userdel
Fixes: #212
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Also include talloc.h, tevent.h and ldb.h as system headers in util.h.
|
|
* The resolv test case can now test for TXT and SRV resolving by
specifying -t host and -s host respectively. The -n flag must still be
passed in to enable network tests.
* Added test for the little complicated resolv_copy_hostent() function.
* Leak checking using the new tests common functions.
* Fix indentation for test_internet, since the whole function was
modified to be able to handle SRV and TXT replies.
* Initialize the debug variable in main().
Also removed one unused variable in krb5_utils-tests.c
|
|
The leak_check_setup() and leak_check_teardown() functions can be added
to a test case with tcase_add_checked_fixture(). They will make sure
that all tests are checked for memory leaks. However, since talloc is
hierarchical and automatically frees the children, this will not catch
all cases, but might still be helpful.
The check_leaks(ctx, bytes) function takes a talloc context as an
argument and the number of bytes it should be using up (children
included). The total byte size used up by the context is determined by
the talloc_total_size() function. If the size doesn't agree,
check_leaks() will print out a talloc report on the context and makes
the current test fail.
The check_leaks_push() and check_leaks_pop() both take a talloc context
as an argument. Every time push is called, the context is "pushed" onto
an internal stack and it's current size is noted. When the context is
later "poped", the pop function will make sure that the size is the same
as when it was pushed. It will also check that it's not called
out-of-order or if the stack isn't empty.
|
|
C-ares either returned a malloc-ed memory or it automatically freed the
memory after out callback has returned. This patch will make sure that
anything that the resolv_* function return is allocated by talloc and
can be safely freed by talloc_free().
This will break the resolv tests to the point they will not be
compilable. This will be addressed in a later patch with other
improvements to the tests.
|
|
|
|
|
|
|
|
Go offline in case of hard errors too. It makes no sense to keep trying too
often when you have bad credentials for example.
Also delay starting the enumeration thread so that we finish initializations
first (bind to ldap is still a blocking operation and this may interfere with
clients/monitor registrations).
|
|
|
|
First step generate ldap options from ipa options.
Add sssd-ipa man page too.
|
|
|
|
|