| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
|
|
This option describes the time between refreshes of the HBAC rules
on the IPA server.
|
|
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799
|
|
https://fedorahosted.org/sssd/ticket/742
|
|
https://fedorahosted.org/sssd/ticket/551
|
|
https://fedorahosted.org/sssd/ticket/742
|
|
https://fedorahosted.org/sssd/ticket/850
|
|
|
|
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
|
|
These changes are all related to following ticket:
https://fedorahosted.org/sssd/ticket/763
Changes in SSSDConfig.py merge old and new domain record instead of just
deleting the old and inserting the new one. The old approach let to loss
of some information like comments and blank lines in the config file.
Changes in API config were performed so our Python scripts (like
sss_obfuscate) don't add extra config options to the config file.
|
|
https://fedorahosted.org/sssd/ticket/746
|
|
|
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
|
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
|
|
|
|
|
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
|
|
https://fedorahosted.org/sssd/ticket/670
|
|
Over the time a couple of new config options didn't made it into the
config API files. This patch updates the files and removes some
duplications.
|
|
This patch adds simple_allow_groups and simple_deny_groups options
to the simple access provider. It makes it possible to grant or
deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now
all deny rules will supersede allow rules. Previously, if both
simple_allow_users and simple_deny_users were set with the same
value, the allow would win.
https://fedorahosted.org/sssd/ticket/440
|
|
Otherwise fallback to the default modifyTimestamp indicator
|
|
|
|
|
|
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
|
|
|
|
|
|
|
|
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
|
|
|
|
|
|
For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in config file,
krb5_server has a higher priority.
Fixes: #543
|
|
|
|
Previously, we were just copying the script into the libexec dir
during installation. However, this causes problems for packaging
multilib on several distributions.
https://fedorahosted.org/sssd/ticket/641
|
|
|
|
There is no longer a need to have nested Makefiles and configure
scripts. This patch combines the src/ Makefile and configure.ac
into the root.
|
|
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows to set
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479
|
|
|
|
We will now eliminate any unknown options and providers to
guarantee that the domain is safe for use.
|
|
Fixes: #531
|
|
Also update manpage for min_id/max_id to be more clear about how
it relates to primary GID.
|
|
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
|
|
* add forgotten ldap_dns_service option
* sync IPA and LDAP options (ldap_pwd_policy and ldap_tls_cacertdir)
* ldap_uri is no longer mandatory for LDAP provider - the default is to
use service discovery with no address set now. Ditto for krb5_kdcip
and ipa_server
|
