| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The function itself was very long (more than 300 lines) and hard to
read, this patch splits it to three logical blocks.
|
|
https://fedorahosted.org/sssd/ticket/1714
The attempt to delete all ghosts for users name and aliases was failing,
resulting into failure of whole user-add operation. In permissive mode,
the attempts to delete non-existent entries are not interpreted as
error.
|
|
We had 2 defines for the same class.
Consolidate and remove confusion.
|
|
|
|
This sysdb API will be used later to invalidate the autofs maps
|
|
|
|
https://fedorahosted.org/sssd/ticket/1712
The timestamp doesn't have to be in the form yyyymmddHHMMSSZ any
more. It can be in any form of generalized time format.
|
|
https://fedorahosted.org/sssd/ticket/1677
|
|
|
|
We've been hitting situations where the sysdb conversion failed.
Unfortunately, the current code doesn't include enough debugging info to
pinpoint the failing entries. This patch adds more DEBUG statements for
each processed entry.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1674
|
|
https://fedorahosted.org/sssd/ticket/1673
|
|
fixes https://fedorahosted.org/sssd/ticket/1628
When user's alias is same as it's name, don't use it for searching in
sysdb, and for deleting.
|
|
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
|
attribute
Using the convenience function instead of low-level ldb calls makes the
code more compact and more readable.
|
|
In subdomains we have to use fully qualified usernames.
Unfortunately we have no other good option than simply removing
caches for users of subdomains.
This is because the memberof plugin does not support the rename operation.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
Add functions to automate setting versions numbers in the db, also
decrease chances of error in copying and pasting code, by setting
the version number only once when we commence the upgrade.
|
|
https://fedorahosted.org/sssd/ticket/1589
Added check for determining, whether database version is higher or
lower than expected. To distinguish it from other errors it uses
following retun values (further used for appropriate error message):
EMEDIUMTYPE for lower version than expected
EUCLEAN for higher version than expected
When SSSD or one of it's tools fails on DB version mismatch, new error
message is showed suggesting how to proceed.
|
|
|
|
We attempted to delete the member attributes of groups that contained a
particular user during the sysdb upgrade, but obviously, this cannot
work for nested groups as the member attribute is present for direct
parents only. As a result, we were getting failures during the upgrade.
https://fedorahosted.org/sssd/ticket/1631
|
|
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.
Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on it is added to
the list of requested attributes
|
|
Add a help function which returns the ldb_dn object for the base dn of
the cache.
|
|
Make sure the right sub-tree in the cache is used to search for ranges.
Sub-domain trees do not have range objects only the tree of the parent
domain.
|
|
https://fedorahosted.org/sssd/ticket/1574
|
|
|
|
|
|
|
|
A couple of sysdb functions used "void *" in place of a TALLOC_CTX.
|
|
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
|
|
|
This patch switches from using just key in the RDN to using both key and
value. That is neccessary to allow multiple direct mounts in a single
map.
|
|
https://fedorahosted.org/sssd/ticket/1506
Changes how the new autofs entry objects are handled. Instead of
creating the entry on the cn=autofs,cn=custom level, the entry is
created below the map it belongs to.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (aka empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether
|
|
There's no point in checking if the object already exists because we always
wipe the whole sysdb subtree. We were also immediatelly cancelling the
transaction because we'd jump to goto, even though it was with EOK.
|
|
|
|
|
|
|
|
Also rename it to sysdb_attrs_get_el_ext()
|
|
https://fedorahosted.org/sssd/ticket/1455
In case there are no rules on the IPA server, we must simply avoid generating
the login file. That would make us fall back to the system-wide default
defined in /etc/selinux/targeted/seusers.
The IPA default must be only used if there *are* rules on the server,
but none matches.
|
|
It is not an attribute.
|
|
It does not contain name of the object class attribute but the value
itself. I renamed it to avoid confusion.
|
|
|
|
|
|
|
|
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allows us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often.
|
|
This will be used later for setting domain_realm mappings in krb5.conf
|
