| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
|
|
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
|
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
|
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
Add the option to the manual page and the configAPI
https://fedorahosted.org/sssd/ticket/1494
|
|
https://fedorahosted.org/sssd/ticket/1478
|
|
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch.
|
|
Adds some option that allows to manually configure a host filter.
ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute
ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces
ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces
ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost
ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Adds the new service map options to the SSSDConfig API and the
manpages.
|
|
Fixes https://fedorahosted.org/sssd/ticket/967
|
|
https://fedorahosted.org/sssd/ticket/1110
Adds new configuration options:
- ldap_sudo_refresh_enabled - enable/disable periodical updates
- ldap_sudo_refresh_timeout - rules timeout (refresh period)
|
|
|
|
https://fedorahosted.org/sssd/ticket/1036
|
|
https://fedorahosted.org/sssd/ticket/1075
|
|
https://fedorahosted.org/sssd/ticket/957
|
|
https://fedorahosted.org/sssd/ticket/978
|
|
|
|
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799
|
|
|
|
These changes are all related to following ticket:
https://fedorahosted.org/sssd/ticket/763
Changes in SSSDConfig.py merge old and new domain record instead of just
deleting the old and inserting the new one. The old approach let to loss
of some information like comments and blank lines in the config file.
Changes in API config were performed so our Python scripts (like
sss_obfuscate) don't add extra config options to the config file.
|
|
https://fedorahosted.org/sssd/ticket/746
|
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
|
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
|
|
|
https://fedorahosted.org/sssd/ticket/670
|
|
Over the time a couple of new config options didn't made it into the
config API files. This patch updates the files and removes some
duplications.
|
|
Otherwise fallback to the default modifyTimestamp indicator
|
|
|
|
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
|
|
|
|
|
|
For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in config file,
krb5_server has a higher priority.
Fixes: #543
|
|
|
|
|
|
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
|
* add forgotten ldap_dns_service option
* sync IPA and LDAP options (ldap_pwd_policy and ldap_tls_cacertdir)
* ldap_uri is no longer mandatory for LDAP provider - the default is to
use service discovery with no address set now. Ditto for krb5_kdcip
and ipa_server
|
|
|
