summaryrefslogtreecommitdiff
path: root/src/providers/ipa/ipa_common.h
AgeCommit message (Collapse)AuthorFilesLines
2013-08-28IPA: Enable AD sites when in server modeJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1964 Currently the AD sites are enabled unconditionally
2013-06-28IPA: Look up AD users directly if IPA server mode is onJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1962 If the ipa_server_mode is selected IPA subdomain user and group lookups are not done with the help of the extdom plugin but directly against AD using the AD ID code.
2013-06-28IPA: Initialize server mode ctx if server mode is onJakub Hrozek1-0/+5
This patch introduces a new structure that holds information about a subdomain and its ad_id_ctx. This structure will be used only in server mode to make it possible to search subdomains with a particular ad_id_ctx. Subtask of: https://fedorahosted.org/sssd/ticket/1962
2013-06-28IPA: Add a server mode optionJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1993 SSSD needs to know that it is running on an IPA server and should not look up trusted users and groups with the help of the extdom plugin but do the lookups on its own. For this a new boolean configuration option, is introduced which defaults to false but is set to true during ipa-server-install or during updates of the FreeIPA server if it is not already set.
2013-06-28Add support for new ipaRangeType attributeSumit Bose1-0/+4
Recent versions of FreeIPA support a range type attribute to allow different type of ranges for sub/trusted-domains. If the attribute is available it will be used, if not the right value is determined with the help of the other idrange attributes. Fixes https://fedorahosted.org/sssd/ticket/1961
2013-06-28Add ipa_idmap_init()Sumit Bose1-0/+3
Use the sdap_idmap context for the IPA provider as well. https://fedorahosted.org/sssd/ticket/1961
2013-06-24IPA: Do not download or store the member attribute of host groupsJakub Hrozek1-1/+0
https://fedorahosted.org/sssd/ticket/1806 The IPA provider attempted to store the original value of member attribute to the cache. That caused the memberof plugin to process the values which was really CPU intensive.
2013-06-07Move domain_to_basedn outside IPA subtreeJakub Hrozek1-2/+0
The utility function will be reused to guess search base from the base DN of AD trusted domains.
2013-05-03Convert IPA-specific options to be back-end agnosticJakub Hrozek1-3/+4
This patch introduces new options for dynamic DNS updates that are not specific to any back end. The current ipa dyndns options are still usable, just with a deprecation warning.
2013-05-03Refactor dynamic DNS updatesJakub Hrozek1-1/+1
Provides two new layers instead of the previous IPA specific layer: 1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its purpose it to make it possible for any back end to use dynamic DNS updates. 2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some LDAP-specific features like autodetecting the address from the LDAP connection. Also converts the dyndns code to new specific error codes.
2013-05-03SUDO: IPA providerLukas Slebodnik1-0/+5
This patch added auto configuration SUDO with ipa provider and compat tree. https://fedorahosted.org/sssd/ticket/1733
2013-04-10DNS sites support - add IPA SRV pluginPavel Březina1-0/+1
https://fedorahosted.org/sssd/ticket/1032
2013-03-19Make the SELinux refresh time configurable.Michal Zidek1-0/+1
Option ipa_selinux_refresh is added to basic ipa options.
2012-10-16Make TTL configurable for dynamic dns updatesJames Hogarth1-0/+1
2012-08-01Primary server support: new option in IPA providerJan Zeleny1-0/+1
This patch adds support for new config option ipa_backup_server. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: IPA adaptationJan Zeleny1-1/+2
This patch adds support for the primary server functionality into IPA provider. No backup servers are added at the moment, just the basic support is in place.
2012-06-21Add support for ID rangesSumit Bose1-0/+2
2012-06-10IPA subdomains - ask for information about master domainJan Zeleny1-0/+2
The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.
2012-04-24IPA: Add get-domains targetSumit Bose1-0/+2
2012-03-28Remove old compatibility testsStephen Gallagher1-15/+0
These are now replaced by the more accurate tests. This patch also drops the runtime option-count check, since we are always performing the more complete check at build-time.
2012-02-24IPA hosts refactoringJan Zeleny1-0/+17
2012-02-07AUTOFS: IPA providerJakub Hrozek1-0/+14
2012-02-07IPA: Add host info handlerJan Cholasta1-0/+1
2012-02-06Update shadowLastChanged attribute during LDAP password changeJan Zeleny1-1/+1
https://fedorahosted.org/sssd/ticket/1019
2012-02-06Session target in IPA providerJan Zeleny1-0/+17
2012-02-06Implemented support for multiple search bases in HBAC rules and servicesJan Zeleny1-0/+1
2012-02-05AUTOFS: LDAP providerJakub Hrozek1-1/+1
2012-02-04NSS: Add individual timeouts for entry typesStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/1016
2012-01-31IPA: Add support for services lookups (non-enum)Stephen Gallagher1-1/+3
2012-01-18LDAP: Add option to disable paging controlStephen Gallagher1-1/+1
Fixes https://fedorahosted.org/sssd/ticket/967
2012-01-17SUDO Integration - periodical update of rules in data providerPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1110 Adds new configuration options: - ldap_sudo_refresh_enabled - enable/disable periodical updates - ldap_sudo_refresh_timeout - rules timeout (refresh period)
2011-12-16SUDO Integration - LDAP configuration optionsPavel Březina1-1/+1
2011-12-12Add sdap_connection_expire_timeout optionStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/1036
2011-12-09Fixed IPA netgroup processingJan Zeleny1-0/+1
In case IPA netgroup had indirect member hosts, they wouldn't be detected. This patch also modifies debug messages for easier debugging in the future.
2011-12-08Add ldap_sasl_minssf optionJan Zeleny1-1/+1
https://fedorahosted.org/sssd/ticket/1075
2011-11-29Add ipa_hbac_support_srchost option to IPA providerJan Zeleny1-0/+1
don't fetch all host groups if this option is false https://fedorahosted.org/sssd/ticket/1078
2011-11-29IPA migration fixesJakub Hrozek1-0/+1
* use the id connection for looking up the migration flag * force TLS on the password based authentication connection https://fedorahosted.org/sssd/ticket/924
2011-11-23New IPA ID contextJan Zeleny1-1/+6
2011-11-23Added and modified options for IPA netgroupsJan Zeleny1-0/+23
2011-11-02Support to request canonicalization in LDAP/IPA providerJan Zeleny1-1/+1
https://fedorahosted.org/sssd/ticket/957
2011-11-02Add support to request canonicalization on krb AS requestsJan Zeleny1-1/+1
https://fedorahosted.org/sssd/ticket/957
2011-08-26Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANONJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/978
2011-07-11Check DNS records before updatingJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/802
2011-07-08Add ipa_hbac_treat_deny_as optionStephen Gallagher1-0/+1
By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.
2011-07-08Add ipa_hbac_refresh optionStephen Gallagher1-0/+1
This option describes the time between refreshes of the HBAC rules on the IPA server.
2011-05-20Use dereference when processing RFC2307bis nested groupsJakub Hrozek1-1/+1
Instead of issuing N LDAP requests when processing a group with N users, utilize the dereference functionality to pull down all the members in a single LDAP request. https://fedorahosted.org/sssd/ticket/799
2011-04-27Add ldap_page_size configuration optionStephen Gallagher1-1/+1
2011-04-25Modify principal selection for keytab authenticationJan Zeleny1-1/+1
Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
2011-04-25Allow new option to specify principal for FASTJan Zeleny1-1/+1
https://fedorahosted.org/sssd/ticket/700
2011-02-22Add krb5_realm to the basic IPA optionsStephen Gallagher1-0/+1
Previously, this was only handled by the internal LDAP and Kerberos providers, but this wasn't available early enough to properly handle setting up the krb5_service for failover and creating the krb5info files.