path: root/src/providers/ad
Age | Commit message | Author | Files | Lines
2013-10-04 | AD: properly initialize GC from ad_server option | Sumit Bose | 1 | -1/+1
2013-09-27 | AD: talk to GC first even for local domain objects | Jakub Hrozek | 2 | -7/+18
Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matched in the GC, there is a possibility to fall back to LDAP.
2013-09-27 | ipa_server_mode: write capaths to krb5 include file | Sumit Bose | 1 | -1/+1
If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this work requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093
2013-09-27 | IPA: store forest name for forest member domains | Sumit Bose | 1 | -1/+1
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.
2013-09-24 | Include header file in implementation module. | Lukas Slebodnik | 2 | -0/+2
Declarations of public functions were in header files, but the header files were not included in the implementation file.
2013-09-20 | AD: Failure to get flat name is not fatal | Jakub Hrozek | 3 | -68/+86
https://fedorahosted.org/sssd/ticket/2067 Some AD or AD-like servers do not contain the netlogon attribute in the master domain name. Instead of failing completely, we should just abort the master domain request and carry on. The only functionality we miss would be getting users by domain flat name.
2013-09-18 | AD: Download master domain info when enumerating | Jakub Hrozek | 3 | -1/+200
https://fedorahosted.org/sssd/ticket/2068 With the current design, downloading master domain data was tied to subdomains refresh, triggered by responders. But because enumeration is a background task that can't be triggered on its own, we can't rely on responders to download the master domain data and we need to check the master domain on each enumeration request.
2013-09-18 | AD: async request to retrieve master domain info | Jakub Hrozek | 4 | -214/+414
Adds a reusable async request to download the master domain info.
2013-09-17 | util: add sss_idmap_talloc[_free] | Pavel Březina | 1 | -11/+3
Remove code duplication.
2013-09-11 | Fix formatting of variables with type: size_t | Lukas Slebodnik | 1 | -2/+2
2013-09-05 | AD: Rename parametrized #define | Jakub Hrozek | 1 | -3/+3
2013-09-05 | ad srv: prefer servers that are in the same domain as client | Pavel Březina | 1 | -0/+89
https://fedorahosted.org/sssd/ticket/2001
2013-09-02 | Fix Czech specific character in my name | Pavel Březina | 2 | -2/+2
2013-08-28 | SYSDB: Store enumerate flag for subdomain | Jakub Hrozek | 1 | -2/+2
2013-08-28 | LDAP: Make sdap_id_setup_tasks reusable for subdomains | Jakub Hrozek | 1 | -1/+1
Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.
2013-08-28 | DB: remove unused realm parameter from sysdb_master_domain_add_info | Jakub Hrozek | 1 | -1/+1
The parameter was not used at all.
2013-08-28 | krb5: Fetch ccname template from krb5.conf | Stephen Gallagher | 1 | -1/+1
In order to use the same defaults in all system daemons that need to know how to generate or search for ccaches we introduce code here to take advantage of the new option called default_ccache_name provided by libkrb5. If this variable is set we establish the same default for all programs that source it out of krb5.conf, therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
2013-08-19 | AD: Use the correct include guard | Jakub Hrozek | 1 | -3/+3
2013-08-09 | AD: Cast SASL callbacks to proper type | Ondrej Kos | 1 | -1/+3
The initialization of ad_sasl_callbacks raised an incompatible pointer type warning. This was caused because the cyrus-sasl API has changed. The callback function list needs to be cast now.
2013-08-06 | sssd_ad: Add hackish workaround for sasl ad_compat | Simo Sorce | 1 | -0/+41
This tries to set the ad_compat option for sasl, by working around the openldap/sasl initialization as openldap does not allow us to pass down to sasl our own getopt callback. Resolves: https://fedorahosted.org/sssd/ticket/2040
2013-07-23 | KRB5: Do not send PAC in server mode | Jakub Hrozek | 1 | -0/+1
The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
2013-07-19 | AD: Set the bool value same as default value in opts | Jakub Hrozek | 1 | -4/+4
https://fedorahosted.org/sssd/ticket/2023 When the option values are copied using dp_opt_copy_map, the .val member is used if it's not NULL. At the same time, the bool options are never NULL, unlike integers or strings that can have special NULL-like values such as NULL_STRING. This effectively means that when copying a bool option, the .val member is always used. But in the AD maps, some .val fields were set differently from the .def_val fields. The effect was that when the AD subdomain provider was initialized from IPA subdomain provider using only the defaults, some options (notably referral chasing) were set to a value that didn't make sense for the AD provider. This patch makes sure that for all boolean option, the .val is always the same as .def_val.
2013-06-28 | IPA: Look up AD users directly if IPA server mode is on | Jakub Hrozek | 2 | -2/+13
https://fedorahosted.org/sssd/ticket/1962 If the ipa_server_mode is selected IPA subdomain user and group lookups are not done with the help of the extdom plugin but directly against AD using the AD ID code.
2013-06-28 | AD: Move storing sdap_domain for subdomain to generic LDAP code | Jakub Hrozek | 1 | -65/+1
Makes creating the sdap_domain structure for a subdomain reusable outside AD subdomain code where it was created initially. Subtask of: https://fedorahosted.org/sssd/ticket/1962
2013-06-28 | AD: initialize failover with custom realm, domain and failover service | Jakub Hrozek | 3 | -28/+41
This is needed so we can initialize failover using IPA realm and on-the-fly discovered DNS domain. The subdomains discovered on-the-fly will use the subdomain name for realm, domain and failover service to avoid conflicts. Subtask of: https://fedorahosted.org/sssd/ticket/1962
2013-06-28 | AD: decouple ad_id_ctx initialization | Jakub Hrozek | 3 | -102/+285
The IPA subdomain code will perform lookups on its own in the server mode. For this, the AD provider must offer a way to initialize the ad_id_ctx for external consumers. Subtask of: https://fedorahosted.org/sssd/ticket/1962
2013-06-28 | Save mpg state for subdomains | Sumit Bose | 1 | -1/+3
The information whether a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.
2013-06-28 | Replace new_subdomain() with find_subdomain_by_name() | Sumit Bose | 1 | -3/+2
new_subdomain() will create a new domain object and should not be used anymore in the provider code directly. Instead a reference to the domain from the common domain object should be used.
2013-06-28 | Add new options ldap_min_id and ldap_max_id | Sumit Bose | 1 | -0/+2
Currently the range for Posix IDs stored in an LDAP server is unbound. This might lead to conflicts in a setup with AD and trusts when the configured domain uses IDs from LDAP. With the two new options this conflict can be avoided.
2013-06-27 | AD: Write out domain-realm mappings | Jakub Hrozek | 1 | -0/+7
This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
2013-06-26 | AD: kinit with the local DC even when talking to a GC | Jakub Hrozek | 2 | -4/+21
We tried to use the GC address even for kinit which gave us errors like: "Realm not local to KDC while getting initial credentials". This patch adds a new AD_GC service that is only used for ID lookups, any sort of Kerberos operations are done against the local servers.
2013-06-26 | Use forest for GC SRV lookups | Sumit Bose | 1 | -12/+40
https://fedorahosted.org/sssd/ticket/1973
2013-06-17 | handle ERR_ACCOUNT_EXPIRED properly | Pavel Březina | 1 | -0/+4
https://fedorahosted.org/sssd/ticket/1953
2013-06-17 | Fix allocation check | Jakub Hrozek | 1 | -1/+1
2013-06-14 | AD: Remove ad_options->auth options reference | Jakub Hrozek | 1 | -1/+0
The options are stored in ad_options->auth_ctx->opts, this member was completely unused and confusing.
2013-06-14 | AD: Fix segfault in DEBUG message | Jakub Hrozek | 1 | -1/+1
2013-06-12 | Use the correct talloc context when creating AD subdomains | Jakub Hrozek | 1 | -1/+1
sdom was only ever guaranteed to be set when a new domain was being created. sditer is a valid pointer in both cases, so just use that.
2013-06-11 | Fix allocation check in the AD provider | Jakub Hrozek | 1 | -1/+1
https://fedorahosted.org/sssd/ticket/1976
2013-06-10 | A new option krb5_use_kdcinfo | Jakub Hrozek | 2 | -14/+27
https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
2013-06-10 | providers: refresh expired netgroups | Pavel Březina | 1 | -0/+10
https://fedorahosted.org/sssd/ticket/1713
2013-06-07 | AD: Store trusted AD domains as subdomains | Jakub Hrozek | 1 | -2/+364
https://fedorahosted.org/sssd/ticket/364 Looks up trusted domain objects in the LDAP and stores them as AD subdomains. Currently only trusted domains that run NT5 or newer from the same forest are looked up and stored.
2013-06-07 | AD ID lookups - choose GC or LDAP as appropriate | Jakub Hrozek | 1 | -1/+262
https://fedorahosted.org/sssd/ticket/1557 Some lookups should be performed from GC only -- for example trusted users are only present in the Global Catalog, while some lookups should be performed from LDAP only as not all objects or attributes are replicated to Global Catalog. This patch adds a generic failover mechanism for identity lookups in the AD provider that allows to choose the appropriate source and even fail over to the other source if available.
2013-06-07 | AD: Add additional service to support Global Catalog lookups | Jakub Hrozek | 3 | -33/+178
When fixed host names of AD servers are configured in the config file, we can't know (unlike when service discovery is at play) if the servers are Global Catalogs or not. This patch adds a private data to servers read from the config file that denote whether the server can be tried for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs are generated based on contents of this private data structure. Because SSSD sticks to a working server, we don't have to disable or remove the faulty GC servers from the list.
2013-06-07 | LDAP: new SDAP domain structure | Jakub Hrozek | 2 | -6/+15
Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
2013-06-07 | LDAP: Pass in a connection to ID functions | Jakub Hrozek | 1 | -1/+1
Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.
2013-06-07 | LDAP: sdap_id_ctx might contain several connections | Jakub Hrozek | 2 | -27/+22
With some LDAP server implementations, one server might provide different "views" of the identities on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
2013-06-07 | Do not obfuscate calls with booleans | Jakub Hrozek | 1 | -7/+21
Instead of using boolean variables to denote whether the call is adding a primary or a secondary server, use a function wrapper that tells what it's doing by its name.
2013-05-28 | AD dyndns: extract the host name from URI | Jakub Hrozek | 1 | -9/+31
2013-05-27 | Fix dyndns timer initialization | Jakub Hrozek | 2 | -2/+9
The dyndns init function was starting the timer even if the updates were set to False. This patch splits the init of dynamic updates and the timer into two functions so that the back end can start the updates separately from reading the options.
2013-05-23 | Adding option to disable retrieving large AD groups. | Lukas Slebodnik | 1 | -0/+1
This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups (>1500) will not be retrieved and behaviour will be similar to what it was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823