summaryrefslogtreecommitdiff
path: root/src/providers/ipa
AgeCommit message (Collapse)AuthorFilesLines
2010-06-10Avoid potential NULL dereferenceStephen Gallagher1-3/+5
https://fedorahosted.org/sssd/ticket/506
2010-06-02Unify sdap and sysdb data handlingSumit Bose1-85/+104
2010-06-02Compare full service nameSumit Bose1-1/+2
2010-06-02Remove service groupsSumit Bose2-193/+7
Because the memberOf attribute is now set for the service objects we do not need to fetch the service groups separately anymore.
2010-06-02Use new schema for HBAC service checksSumit Bose2-21/+641
2010-06-02Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()Sumit Bose1-23/+12
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs structure if the requested element does not exist. Recent versions of libldb do not accept empty elements when writing new objects to disk. sysdb_attrs_get_string_array() does not create an empty element but returns ENOENT.
2010-05-27Check ipaEnabledFlagSumit Bose1-5/+23
2010-05-27Remove signal event if child was terminated by a signalSumit Bose1-1/+8
2010-05-27Add ldap_access_filter optionStephen Gallagher2-2/+3
This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
2010-05-27Add offline callback to disconnect global SDAP handleSumit Bose1-0/+7
2010-05-27Add krb5 SIGTERM handler to ipa auth providerSumit Bose1-0/+6
2010-05-27Add callback to remove krb5 info files when going offlineSumit Bose1-0/+6
2010-05-27Revert "Create kdcinfo and kpasswdinfo file at startup"Sumit Bose1-9/+0
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
2010-05-26Add support for delayed kinit if offlineSumit Bose3-2/+12
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
2010-05-23Do not modify IPA_DOMAIN when setting Kerberos realmSumit Bose1-6/+20
2010-05-16Add ldap_krb5_ticket_lifetime optionSumit Bose2-2/+3
2010-05-16Don't report a fatal error for an HBAC denialStephen Gallagher1-1/+1
2010-05-16Add dynamic DNS updates to FreeIPAStephen Gallagher5-0/+656
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-16Properly set up SIGCHLD handlersStephen Gallagher1-15/+0
Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
2010-05-16New version of IPA auth and password migrationSumit Bose3-197/+398
The current version modified some global structures to be able to use Kerberos and LDAP authentication during the IPA password migration. This new version only uses tevent requests. Additionally the ipaMigrationEnabled attribute is read from the IPA server to see if password migration is allowed or not.
2010-05-07Revert "Add dynamic DNS updates to FreeIPA"Stephen Gallagher5-656/+0
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7. While this patch applied cleanly, it was uncompilable. Reverting until it can be properly merged.
2010-05-07Add dynamic DNS updates to FreeIPAStephen Gallagher5-0/+656
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-07Use service discovery in backendsJakub Hrozek3-8/+21
Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
2010-05-07Compare the full service nameSumit Bose1-1/+2
2010-05-07Create kdcinfo and kpasswdinfo file at startupSumit Bose1-0/+9
2010-05-07Fix memory hierarchy in the ipa timerulesJakub Hrozek1-4/+4
2010-05-03Fix a wrong return value in IPA HBACSumit Bose1-2/+2
2010-05-03Better handle sdap_handle memory from callers.Simo Sorce1-8/+0
Always just mark the sdap_handle as not connected and let later _send() functions to take care of freeing the handle before reconnecting. Introduce restart functions to avoid calling _send() functions in _done() functions error paths as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release() By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.
2010-04-16Make ID provider init functions clearerStephen Gallagher1-5/+5
Using sssm_*_init() as the name of the initialization function for identity providers was a holdover from earlier development when we thought we would only have a single "provider" entry in the config file. As we have now separated out the initialization functions for auth, chpass and access, we should rename sssm_*_init() to sssm_*_id_init() for a cleaner interface.
2010-04-12sysdb: remove remaining traces of sysdb_handleSimo Sorce1-4/+0
2010-04-12Remove remaining use of sysdb_transaction_sendSimo Sorce1-69/+25
2010-04-12sysdb: convert sysdb_asq_searchSimo Sorce1-150/+69
2010-04-12sysdb: convert sysdb_store_customSimo Sorce1-113/+35
2010-04-12sysdb: convert sysdb_search_customSimo Sorce1-42/+60
2010-04-12sysdb: convert sysdb_search_user_by_name/uidSimo Sorce1-61/+14
2010-04-12sysdb: convert sysdb_search_entry and sysdb_delete_recursiveSimo Sorce1-25/+5
2010-03-25Fix LDAP search paths for IPA HBACSumit Bose5-43/+81
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC - move domain_to_basedn() to a separate file to simplify the build of a test
2010-03-25Add krb5_kpasswd to IPA providerEugene Indenbom2-2/+3
The krb5 options were out of sync, causing a runtime abort.
2010-03-25Regression test against RHBZ #576856Jakub Hrozek2-5/+5
2010-03-12Add krb5_kpasswd optionSumit Bose1-2/+3
2010-03-11Write the IP address of the KDC to the kdcinfo fileSumit Bose1-3/+11
2010-02-23Better cleanup task handlingJakub Hrozek2-2/+3
Implements a different mechanism for cleanup task. Instead of just deleting expired entries, this patch adds a new option account_cache_expiration for domains. If an entry is expired and the last login was more days in the past that account_cache_expiration, the entry is deleted. Groups are deleted if they are expired and and no user references them (no user has memberof: attribute pointing at that group). The parameter account_cache_expiration is not LDAP-specific, so that other future backends might use the same timeout setting. Fixes: #391
2010-02-18Rename server/ directory to src/Stephen Gallagher9-0/+4449
Also update BUILD.txt