summaryrefslogtreecommitdiff
path: root/src/providers/ipa/ipa_common.h
AgeCommit message (Collapse)AuthorFilesLines
2010-10-22Add ldap_deref optionSumit Bose1-1/+1
2010-10-18Add option to limit nested groupsSimo Sorce1-1/+1
2010-10-13Add infrastructure to LDAP provider for netgroup supportSumit Bose1-1/+1
2010-10-13Add KDC to the list of LDAP optionsJakub Hrozek1-1/+1
2010-06-14Remove krb5_changepw_principal optionJakub Hrozek1-1/+1
Fixes: #531
2010-05-27Add ldap_access_filter optionStephen Gallagher1-1/+1
This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
2010-05-26Add support for delayed kinit if offlineSumit Bose1-1/+1
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
2010-05-16Add ldap_krb5_ticket_lifetime optionSumit Bose1-1/+1
2010-05-16Add dynamic DNS updates to FreeIPAStephen Gallagher1-0/+2
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-16New version of IPA auth and password migrationSumit Bose1-1/+7
The current version modified some global structures to be able to use Kerberos and LDAP authentication during the IPA password migration. This new version only uses tevent requests. Additionally the ipaMigrationEnabled attribute is read from the IPA server to see if password migration is allowed or not.
2010-05-07Revert "Add dynamic DNS updates to FreeIPA"Stephen Gallagher1-2/+0
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7. While this patch applied cleanly, it was uncompilable. Reverting until it can be properly merged.
2010-05-07Add dynamic DNS updates to FreeIPAStephen Gallagher1-0/+2
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-07Use service discovery in backendsJakub Hrozek1-1/+1
Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
2010-03-25Fix LDAP search paths for IPA HBACSumit Bose1-1/+3
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC - move domain_to_basedn() to a separate file to simplify the build of a test
2010-03-25Add krb5_kpasswd to IPA providerEugene Indenbom1-1/+1
The krb5 options were out of sync, causing a runtime abort.
2010-03-25Regression test against RHBZ #576856Jakub Hrozek1-0/+5
2010-02-23Better cleanup task handlingJakub Hrozek1-1/+1
Implements a different mechanism for cleanup task. Instead of just deleting expired entries, this patch adds a new option account_cache_expiration for domains. If an entry is expired and the last login was more days in the past that account_cache_expiration, the entry is deleted. Groups are deleted if they are expired and and no user references them (no user has memberof: attribute pointing at that group). The parameter account_cache_expiration is not LDAP-specific, so that other future backends might use the same timeout setting. Fixes: #391
2010-02-18Rename server/ directory to src/Stephen Gallagher1-0/+83
Also update BUILD.txt