Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/944
|
|
https://fedorahosted.org/sssd/ticket/943
|
|
This caused no ill effects, since it wasn't used in the callback.
However, it is a layering violation (especially since req is freed
in the callback)
|
|
https://fedorahosted.org/sssd/ticket/936
|
|
https://fedorahosted.org/sssd/ticket/933
|
|
|
|
Allows to be more concise in tests and more defensive in resolve
callbacks
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/802
|
|
https://fedorahosted.org/sssd/ticket/909
|
|
|
|
|
|
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
|
|
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
|
|
This option describes the time between refreshes of the HBAC rules
on the IPA server.
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/915
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/893
|
|
|
|
https://fedorahosted.org/sssd/ticket/880
|
|
|
|
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799
|
|
|
|
We were trying to request the krb5 keytab from the auth provider
configuration, but it hasn't yet been set up. Much better to use
the value in the ID provider.
|
|
|
|
|
|
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
|
|
https://fedorahosted.org/sssd/ticket/700
|
|
https://fedorahosted.org/sssd/ticket/746
|
|
The current code assumed that only one server is given in the ipa_server
config option and fails if multiple servers were given. To fix this
nsupdate is first called without a server name assuming that nsupdate is
able to find the name of the master DNS server of the zone by reading
the SOA record. If this fails the IP address of the currently active
LDAP server is used and nsupdate is called again.
If there is no default realm given in /etc/krb5.conf nsupdate start
trying to find a realm based on the DNS domain which might lead to wrong
results. To be on the safe side the realm was added to the message send
to nsupdate.
|
|
https://fedorahosted.org/sssd/ticket/807
|
|
Previously, we were only constructing the basedn variable if the
ldap_search_base was not specified (which is unlikely to be in use
when using the IPA provier). However, if it did happen,
constrcuction of the compat search base for netgroups would be
using an uninitialized value.
Fixes https://fedorahosted.org/sssd/ticket/806
|
|
Previously, this was only handled by the internal LDAP and Kerberos
providers, but this wasn't available early enough to properly
handle setting up the krb5_service for failover and creating the
krb5info files.
|
|
It is possible to set up FreeIPA servers where the Kerberos realm
differs from the IPA domain name. We need to allow setting the
krb5_realm explicitly to handle this.
|
|
We don't yet have support for IPA's internal representation of
netgroups, so we need to use its compatibility mode for the time
being.
|
|
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API.
|
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
|
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/670
|
|
https://fedorahosted.org/sssd/ticket/725
|