Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request.
|
|
Adds a reusable async request to download the master domain info.
|
|
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.
|
|
The initialization of ad_sasl_callbacks raised an incompatible pointer
type warning. This was caused because the cyrus-sasl API hasa changed.
The callback function list needs to be cast now.
|
|
This tries to set the ad_compat option for sasl, by working around
the openldap/sasl initialization as openldap does not allow us to pass
down to sasl our own getopt callback.
Resolves:
https://fedorahosted.org/sssd/ticket/2040
|
|
The krb5 child contacts the PAC responder for any user except for the
IPA native users if the PAC is configured. This works fine for the
general case but the ipa_server_mode is a special one. The PAC responder
is there, but since in the server mode we should be operating as AD
provider default, the PAC shouldn't be analyzed either in this case.
|
|
This is needed so we can initialize failover using IPA realm and
on-the-fly discovered DNS domain. The subdomains discovered on-thefly
will use the subdomain name for realm, domain and failover service to
avoid conflicts.
Subtaks of:
https://fedorahosted.org/sssd/ticket/1962
|
|
The IPA subdomain code will perform lookups on its own in the server
mode. For this, the AD provider must offer a way to initialize the
ad_id_ctx for external consumers.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
|
|
https://fedorahosted.org/sssd/ticket/1976
|
|
https://fedorahosted.org/sssd/ticket/1713
|
|
When fixed host names of AD servers are configured in the config file,
we can't know (unlike when service discovery is at play) if the servers
are Global Catalogs or not. This patch adds a private data to servers
read from the config file that denote whether the server can be tried
for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs
are generated based on contents of this private data structure.
Because SSSD sticks to a working server, we don't have to disable or
remove the faulty GC servers from the list.
|
|
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.
|
|
setup_child() was accepting a parameter it didn't use. Also the function
name was too generic, so I added a sdap prefix.
|
|
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when and known domain name is encountered I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of a LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes
https://fedorahosted.org/sssd/ticket/1468
|
|
Because we now always store SIDs in the LDAP provider, we also need to
always initialize the ID mapping context even if ID mapping itself is
off.
|
|
https://fedorahosted.org/sssd/ticket/1504
Implements dynamic DNS updates for the AD provider. By default, the
updates also update the reverse zone and run periodically every 24
hours.
|
|
https://fedorahosted.org/sssd/ticket/1032
|
|
https://fedorahosted.org/sssd/ticket/1032
We set a plugin during an initialization of ID provider, which
is an authoritative provider for a plugin choice. The plugin is
set only once. When other provider is initalized (e.g. id = IPA,
sudo = LDAP), we do not overwrite the plugin.
Since sssm_*_id_init() is called from all module constructors,
this patch relies on the fact, that ID provider is initialized
before all other providers.
|
|
|
|
This patch adds support for new config option ad_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
|
This patch adds support for the primary server functionality into AD
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
This patch adds support for checking whether a user is expired or
disabled in AD.
|
|
These new providers take advantage of existing code for the KRB5
provider, providing sensible defaults for operating against an
Active Directory 2008 R2 or later server.
|
|
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.
|