Age | Commit message (Collapse) | Author | Files | Lines |
|
With this call it can be checked if for a given domain algorithmic
mapping is available or if the ID must be read from an external source.
The default if an error occurs or no matching range was found is false,
i.e external mapping, to meet the requirements for simple LDAP based
domains where only external mapping is available.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
When ID are mapped externally it must be checked if the extern ID falls
into the right configured range to avoid ID conflicts.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
Since it is planned that the LDAP based ID providers (LDAP, AD, IPA)
will always use libsss_idmap to map ID or get information about how to
map it, it must be possible to add domains to libsss_idmap which do not
have a SID or where is SID is not known when external mapping is used.
Algorithmic mapping always requires a domain SID.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
The idea is that ranges for IDs from AD can be used in libsss_idmap as
well, but whenever a mapping is requested for this range a specific
error code IDMAP_EXTERNAL is returned to tell SSSD to do
an AD lookup. This way SSSD does not need to inspect the ranges itself
but all is done inside if libsss_idmap.
Fixes https://fedorahosted.org/sssd/ticket/1960
|
|
To be able to detect configuration changes in idranges managed by
FreeIPA an identifier should be stored on the client together with the
other idrange related data.
Fixes https://fedorahosted.org/sssd/ticket/1979
|
|
Currently libss_idmap implicitly assumes that the RID 0 is always mapped
to the first ID of the given range. This is not the case anymore when
multiple ranges are used e.g. for trusted domains in FreeIPA.
A new call sss_idmap_add_domain_ex() was added which can take the first
RID as an argument. This new call will get more options with other
patches hence I didn't change the library version with this patch.
Fixes https://fedorahosted.org/sssd/ticket/1938
|
|
|
|
Before the recent changes, the variable was set to 0 too because it used
to be part of a structure allocated with talloc_zero.
|
|
Calculation of range for domains is moved from
sdap_idmap code to sss_idmap code. Some refactoring
have been done to allow this move.
https://fedorahosted.org/sssd/ticket/1844
|
|
https://fedorahosted.org/sssd/ticket/1861
|
|
https://fedorahosted.org/sssd/ticket/1819
|
|
To avoid a conversion on the caller side a new call is added to
libsss_idmap which converts a Samba dom_sid structure to a Posix ID.
|
|
https://fedorahosted.org/sssd/ticket/1684
|
|
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
|
|
A test to cover this is added as well.
|
|
The samba ndr libraries use struct dom_sid to handle SIDs. Since there
is no public samba library which offers conversion from other
representations, e.g. as string, this is added to libsss_idmap.
To avoid compile-time or run-time dependency to any samba library or
header file the definition of the struct is copied here.
|
|
To avoid conflicts with struct dom_sid used by samba the sss_ prefix is
added to the struct used by libsss_idmap.
|
|
Since the byte-order is only important when dealing with the binary SID
the sub-auth values are stored in host order and are only converted
while reading or writing the binary SID.
|
|
Also makes the domain prefix macros from sss_idmap public.
|
|
Besides as strings it is now possible to use binary SIDs or a struct
containing all SID information. Functions to convert between these
formats are added as well.
|
|
https://fedorahosted.org/sssd/ticket/1271
|
|
|