summaryrefslogtreecommitdiff
path: root/src/providers/ipa
AgeCommit message (Collapse)AuthorFilesLines
2012-08-06IPA: Securely set umask for mkstemp in subdomain providerStephen Gallagher1-0/+3
https://fedorahosted.org/sssd/ticket/1457
2012-08-06IPA: Do not attempt to close the same file twiceStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/1456
2012-08-01Create a domain-realm mapping for krb5.conf to be includedJakub Hrozek1-0/+135
When new subdomains are discovered, the SSSD creates a file that includes the domain-realm mappings. This file can in turn be included in the krb5.conf using the includedir directive, such as: includedir /var/lib/sss/pubconf/realm_mappings
2012-08-01Add automatic periodic retrieval of subdomainsSimo Sorce1-1/+44
2012-08-01Add online callback to enumerate subdomainsSimo Sorce1-24/+49
2012-08-01Limit refreshes keeping track of last refresh timeSimo Sorce1-26/+46
2012-08-01Change refreshing of subdomainsSimo Sorce1-65/+156
This patch keeps a local copy of the subdomains in the ipa subdomains plugin context. This has 2 advantages: 1. allows to check if anything changed w/o always hitting the sysdb. 2. later will allows us to dump this information w/o having to retrieve it again. The timestamp also allows to avoid refreshing too often.
2012-08-01Expose an initializer function from subdomainSimo Sorce3-32/+46
Instead of exporting internal structures, expose an initilizer function like the autofs code and initialize everything inside the ipa_subdomains.c file.
2012-08-01Add realm paramter to subdomain listSimo Sorce1-0/+27
This will be used later for setting domain_realm mappings in krb5.conf
2012-08-01Use a more tractable name for subdomain requestSimo Sorce1-7/+5
I am all for readable names, but there is a tradeof between expressing purpose and compactness.
2012-08-0180 col and style fixesSimo Sorce1-20/+48
Something like this: sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb; really is not readable, and we always discourage using obfuscated C, please refrain in future.
2012-08-01Make structure initializer more readableSimo Sorce1-7/+15
2012-08-01Fix wrong elements used in comparisonSimo Sorce1-1/+1
2012-08-01Change subdomain_infoSimo Sorce1-6/+6
Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.
2012-08-01Primary server support: new option in IPA providerJan Zeleny3-4/+6
This patch adds support for new config option ipa_backup_server. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: new options in krb5 providerJan Zeleny1-0/+3
This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: new option in ldap providerJan Zeleny1-0/+2
This patch adds support for new config option ldap_backup_uri. The description of this option's functionality is included in man page in previous patch.
2012-08-01Primary server support: IPA adaptationJan Zeleny3-35/+77
This patch adds support for the primary server functionality into IPA provider. No backup servers are added at the moment, just the basic support is in place.
2012-08-01Primary server support: basic support in failover codeJan Zeleny1-1/+1
Now there are two list of servers for each service. If currently selected server is only backup, then an event will be scheduled which tries to get connection to one of primary servers and if it succeeds, it starts using this server instead of the one which is currently connected to.
2012-07-31Support fetching of host from sysdb in SELinux codeJan Zeleny1-11/+55
The host record will be fetched if HBAC is used as access provider since the record is already downloaded and it can be trusted to be valid.
2012-07-31Support fetching of HBAC rules from sysdb in SELinux codeJan Zeleny1-14/+47
If HBAC is active, SELinux code will reuse them instead of downloading them from the server again.
2012-07-31Modify hbac_get_cached_rules() so it can be used outside of HBAC codeJan Zeleny2-14/+22
2012-07-27Renamed session provider to selinux providerJan Zeleny4-47/+47
2012-07-25Provide counter of possible matches in SELinux IPA providerJan Zeleny1-6/+6
The counter is important so the for cycle doesn't depend on the first NULL pointer. That would cause potential errors if more records are following after this first NULL pointer.
2012-07-25Fix linking of HBAC rules and SELinux user mapsJan Zeleny1-0/+13
Translate manually memberHost and memberUser to originalMemberUser and originalMemberHost. Without this, the HBAC rule won't be matched against current user and/or host, meaning that no SELinux user map connected to it will be matched againts any user on the system.
2012-07-25Remove ipa_selinux_map_merge()Jan Zeleny3-55/+0
This function is no longer necessary since sysdb interface for copying elements has been implemented.
2012-07-23Added some DEBUG statements into SELinux related codeJan Zeleny1-4/+14
2012-07-18Fix uninitialized valuesNick Guay1-4/+4
https://fedorahosted.org/sssd/ticket/1379
2012-07-18IPA: Return and save all SELinux rules in the providerJakub Hrozek1-47/+27
https://fedorahosted.org/sssd/ticket/1421
2012-07-18IPA: Download defaults even if there are no SELinux mappingsJakub Hrozek1-60/+59
We should always download the defaults because even if there are no rules, we might want to use (or update) the defaults.
2012-07-18Modify priority evaluation in SELinux user mapsJan Zeleny1-2/+34
The functionality now is following: When rule is being matched, its priority is determined as a combination of user and host specificity (host taking preference). After the rule is matched in provider, only its host priority is stored in sysdb for later usage. When rules are matched in the responder, their user priority is determined. After that their host priority is retrieved directly from sysdb and sum of both priorities is user to determine whether to use that rule or not. If more rules have the same priority, the order given in IPA config is used. https://fedorahosted.org/sssd/ticket/1360 https://fedorahosted.org/sssd/ticket/1395
2012-07-10Remove dead code in ipa_subdomains_handler_done()Sumit Bose1-1/+1
Fixes https://fedorahosted.org/sssd/ticket/1410
2012-07-06KRB5: Create a common init routine for krb5_child optionsStephen Gallagher1-45/+6
This will reduce code duplication between the krb5, ipa and ad providers
2012-07-06KRB5: Drop memctx parameter of krb5_try_kdcipStephen Gallagher1-1/+1
This function is not supposed to return any newly-allocated memory directly. It was actually leaking the memory for krb5_servers if krb5_kdcip was being used, though it was undetectable because it was allocated on the provided memctx. This patch removes the memctx parameter and allocates krb5_servers temporarily on NULL and ensures that it is freed on all exit conditions. It is not necessary to retain this memory, as dp_opt_set_string() performs a talloc_strdup onto the appropriate context internally. It also updates the DEBUG messages for this function to the appropriate new macro levels.
2012-07-02IPA: Don't hang onto memory longer than necessaryStephen Gallagher1-0/+1
This request and attached memory would be freed at the end of access-check processing, but it's a waste to keep it around.
2012-06-29sudo: add host info optionsPavel Březina1-0/+5
Adds some option that allows to manually configure a host filter. ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost
2012-06-29sudo provider: add ldap_sudo_smart_refresh_intervalPavel Březina1-0/+1
2012-06-29sudo provider: remove old timerPavel Březina1-2/+0
2012-06-29sudo provider: add ldap_sudo_full_refresh_intervalPavel Březina1-0/+1
2012-06-21Add support for ID rangesSumit Bose6-10/+197
2012-06-14Make krb5_ccname_template and krb5_ccachedir configurableJakub Hrozek1-2/+2
2012-06-13LDAP: Add ldap_*_use_matching_rule_in_chain optionsStephen Gallagher1-0/+2
2012-06-10IPA subdomains - ask for information about master domainJan Zeleny6-17/+164
The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.
2012-05-31Add support for filtering atributesJan Zeleny5-7/+12
This patch adds support for filtering attributes when constructing attribute list from a map for LDAP query.
2012-05-22Fixed issue in SELinux user mapsJan Zeleny1-0/+2
There was an issue when IPA provider didn't set PAM_SUCCESS when successfully finished loading SELinux user maps. This lead to the map not being read in the responder.
2012-05-10Filter out IP addresses inappropriate for DNS forward recordsJakub Hrozek1-1/+57
https://fedorahosted.org/sssd/ticket/949
2012-05-10LDAP: Add attr_count return value to build_attrs_from_map()Stephen Gallagher5-7/+8
This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
2012-05-03LDAP: Map the user's primaryGroupIDStephen Gallagher1-0/+1
2012-05-03LDAP: Allow setting a default domain for id-mapping slice 0Stephen Gallagher1-0/+2
2012-05-03LDAP: Add autorid compatibility modeStephen Gallagher1-0/+1