Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1032
|
|
https://fedorahosted.org/sssd/ticket/1786
Since we need to support the old interface as well, the configure scritp
is modified and correct ini interface is chosen.
|
|
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.
If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.
To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.
Fixes https://fedorahosted.org/sssd/ticket/1842
|
|
https://fedorahosted.org/sssd/ticket/812
Update the monitor code to be using the new libnl3 API.
Changed configure option
--with-libnl
By default, it tries to build with libnl3, if not found, then with
libnl1, if this isn't found either, build proceeds without libnl, just
with warning.
Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given
version, if not found, configure ends with error.
|
|
|
|
It is possible to enable/disable checking in LDB memberof plugin
whether it was built against the same version of LDB that is present
on the system. This feature is turned off by default
and enabled in Fedora/RHEL spec file.
https://fedorahosted.org/sssd/ticket/1813
|
|
|
|
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
|
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".
Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
|
|
This patch extends the Kerberos version check to support Kerberos
version 1.11 alpha and later. It is a temporary measure until we
can redesign the configure checks for better granularity.
|
|
|
|
krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher.
To allow sssd to be compiled on platform with lower version of MIT
Kerberos a replacement call is added. Please note that on those
platform the replacement call will only return an error. If the
krb5_find_authdata functionality is really needed on those platform it
must be implemented by a different patch.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1317
|
|
|
|
https://fedorahosted.org/sssd/ticket/1492
|
|
|
|
|
|
This adds only the basic outline of the PAC responder, it won't support
any operations, it will just start and initialize itself.
|
|
We can't support the DIR cache features in systems with kerberos
libraries older than 1.10. Make sure we don't build it on those
systems.
|
|
https://fedorahosted.org/sssd/ticket/1325
|
|
We will now use the autodetected location if available, or else
fall back to a value provided by --with-nscd in configure and
finally resort to a hard-coded default of /usr/sbin/nscd.
|
|
|
|
For older platforms, do not add the 'realm' line in
the update message
|
|
|
|
|
|
|
|
|
|
|
|
Several parts of the HBAC python bindings did not work with old Python
versions, such as the one shipped in RHEL5.
The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char
arguments where they have "const char *" in recent versions.
This caused compilation warnings this patch mitigates by using
the discard_const hack on python 2.4
|
|
|
|
https://fedorahosted.org/sssd/ticket/898
In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
ares_addrttl/ares_addr6ttl so they are in the ares_ namespace.
Because they are committed to stable ABI, the contents are the same, just
the name changed -- so it is safe to just #define the new name for older
c-ares version in case the new one is not detected in configure time.
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/837
|
|
Netlink 1.0 and older is buggy and unreliable, occasionally
causing tight-loops. We're no longer going to try to support it.
https://fedorahosted.org/sssd/ticket/755
|
|
|
|
libdhash version 0.4.2 is required because older versions cannot update
hash entries.
|
|
|
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
There is no longer a need to have nested Makefiles and configure
scripts. This patch combines the src/ Makefile and configure.ac
into the root.
|
|
|
|
Integrates libnl to detect adding routes. When a route is added, the
offline status of all back ends is reset. This patch adds no heuristics
to detect whether back end went offline.
Fixes: #456
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
|
|
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
|