| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
Also rename it to sysdb_attrs_get_el_ext()
|
|
https://fedorahosted.org/sssd/ticket/1455
In case there are no rules on the IPA server, we must simply avoid generating
the login file. That would make us fall back to the system-wide default
defined in /etc/selinux/targeted/seusers.
The IPA default must be only used if there *are* rules on the server,
but none matches.
|
|
It is not an attribute.
|
|
It does not contain name of the object class attribute but the value
itself. I renamed it to avoid confusion.
|
|
|
|
|
|
|
|
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allows us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often.
|
|
This will be used later for setting domain_realm mappings in krb5.conf
|
|
The debuf message was trying to print the number of returned entries, but no
integer was provided.
Return ENOENT as the error for when there are no entries, not EINVAL.
|
|
|
|
|
|
|
|
|
|
Rename the structure to use a standard name prefix so it is properly
name-spaced, in preparation for changing the structure itself.
|
|
|
|
There was a logic bug in sysdb_search_selinux_usermap_by_username that
resulted in returning the value the variable "ret" had after the last
call to sysdb_attrs_get_uint32_t, which in cases the last rule processed
did not have the requested attributes led to using the default user
context.
|
|
https://fedorahosted.org/sssd/ticket/1379
|
|
|
|
The functionality now is following:
When rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and sum of both priorities is user to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395
|
|
This function copies all values from one sysdb_attrs structure to
another
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain.
|
|
The block that upgraded the version was at a wrong indentation level, so
it never ran if there were no fake users to convert
|
|
It is remotely possible to have sysdb in an inconsistent state that
might need upgrade. Consider scenario when user asks for group
information. Some fake users are added as a part of this operation.
Before users can be fully resolved and stored properly, SSSD is shut
down and upgrade is performed.
In this case we need to go over all fake user records (uidNumber=0) and
replace each of them with ghost record in all group objects that are stated in
its memberof attribute.
|
|
Deleted sysdb_add_fake_user():
This function is no longer used.
Modified sysdb_add_user():
When user object is added to sysdb, it is important to iterate over all
groups that might have its name or any of its aliases as ghost member
and replace this ghost membership by a real one. This will eliminate
duplicite memberships.
|
|
|
|
Fixes a regression in the local domain tools where sss_groupadd no longer
detected a GID duplicate. The check for EEXIST is moved one level up into
more high level function.
The patch also adds the same rename support for users. I found it odd that
we allowed a rename of groups but not users. There is a catch when storing
a user -- his cached password would be gone. I think that renaming a user
is such a rare operation that it's not severe, plus there is a warning in
the logs.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There was a bug in finish_upgrade() where it would return EOK if
it succeeded in canceling the transaction due to an error. We
should instead be returning the original error.
|
|
In addition to testing the number of elements, also check the return
value of sysdb_attrs_get_el.
|
|
If the code never entered the loop in get_rm_message, we would return
arbitrary return value.
|
|
This patch fixes bad refactoring - the function used to return value
directly on error and EOK as the last statement. If was then converted
into using goto label, but the last statement was still returning EOK
instead of the value it should.
|
|
|
|
|
