Age | Commit message | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1962
If the ipa_server_mode is selected, IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.
|
|
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
https://fedorahosted.org/sssd/ticket/1993
SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set.
|
|
Recent versions of FreeIPA support a range type attribute to allow
different types of ranges for sub/trusted-domains. If the attribute is
available it will be used; if not, the right value is determined with the
help of the other idrange attributes.
Fixes https://fedorahosted.org/sssd/ticket/1961
|
|
Use the sdap_idmap context for the IPA provider as well.
https://fedorahosted.org/sssd/ticket/1961
|
|
https://fedorahosted.org/sssd/ticket/1806
The IPA provider attempted to store the original value of the member
attribute to the cache. That caused the memberof plugin to process the
values, which was really CPU intensive.
|
|
The utility function will be reused to guess search base from the base
DN of AD trusted domains.
|
|
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning.
|
|
Provides two new layers instead of the previous IPA specific layer:
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its
purpose is to make it possible for any back end to use dynamic DNS
updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
connection.
Also converts the dyndns code to new specific error codes.
|
|
This patch adds auto-configuration of SUDO with the ipa provider and compat tree.
https://fedorahosted.org/sssd/ticket/1733
|
|
https://fedorahosted.org/sssd/ticket/1032
|
|
Option ipa_selinux_refresh is added to basic ipa options.
|
|
|
|
This patch adds support for the new config option ipa_backup_server. The
description of this option's functionality is included in the man page in
one of the previous patches.
|
|
This patch adds support for the primary server functionality into the IPA
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
|
|
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain.
|
|
|
|
These are now replaced by the more accurate tests.
This patch also drops the runtime option-count check, since we are
always performing the more complete check at build-time.
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1019
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1016
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/967
|
|
https://fedorahosted.org/sssd/ticket/1110
Adds new configuration options:
- ldap_sudo_refresh_enabled - enable/disable periodical updates
- ldap_sudo_refresh_timeout - rules timeout (refresh period)
|
|
|
|
https://fedorahosted.org/sssd/ticket/1036
|
|
In case IPA netgroup had indirect member hosts, they wouldn't be
detected.
This patch also modifies debug messages for easier debugging in the
future.
|
|
https://fedorahosted.org/sssd/ticket/1075
|
|
Don't fetch all host groups if this option is false.
https://fedorahosted.org/sssd/ticket/1078
|
|
* use the id connection for looking up the migration flag
* force TLS on the password based authentication connection
https://fedorahosted.org/sssd/ticket/924
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/957
|
|
https://fedorahosted.org/sssd/ticket/957
|
|
https://fedorahosted.org/sssd/ticket/978
|
|
https://fedorahosted.org/sssd/ticket/802
|
|
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
|
|
This option describes the time between refreshes of the HBAC rules
on the IPA server.
|
|
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799
|
|
|
|
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found should the backend fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
|
|
https://fedorahosted.org/sssd/ticket/700
|
|
Previously, this was only handled by the internal LDAP and Kerberos
providers, but this wasn't available early enough to properly
handle setting up the krb5_service for failover and creating the
krb5info files.
|
|
It is possible to set up FreeIPA servers where the Kerberos realm
differs from the IPA domain name. We need to allow setting the
krb5_realm explicitly to handle this.
|