Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1657
IPA_HOSTNAME is not stored in ipa_opts->id options so it the option
was always NULL here. This caused SIGSEGV when accessed by strchr()
in subsequent function.
|
|
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
|
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
|
Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.
Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
To make configuration easier the IPA subdomain provider should be always
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used the IPA
subdomain provider should behave differently if configured explicit or
implicit.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf subdomain request are always send to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will be only send to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch save the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613
|
|
The check is now held only in ipa_get_subdomain_account_info_send().
|
|
The initgroups request is not handled by the IPA provider for
subdomain users on purpose because the group membership information is
not available on the IPA server but will be directly written to the
cache when the PAC of the user is processed. The old generic debug
message "Invalid sub-domain request type" might be misleading.
This patch adds a specific message for the initgroups case "Initgroups
requests are not handled by the IPA provider but are resolved by the
responder directly from the cache." and increase the debug level so
that typically this message is not shown anymore because it is expected
behaviour.
Fixes https://fedorahosted.org/sssd/ticket/1610
|
|
Currently the only type of supported sub-domains are AD domains which
are not case-sensitive. To make it easier for Windows user we make
sub-domains case-insensitive as well which allows to write the username
in any case at the login prompt.
If support for other types of sub-domains is added it might be necessary
to set the case-sensitive flag based on the domain type.
|
|
If there is an authentication request for a user from a sub-domain a
temporary sysdb context is generated to allow lookups in the
corresponding sub-tree in the cache.
|
|
|
|
|
|
There are case where the extdom extended operation will return the flat
or NetBIOS name of a domain instead of the DNS domain name. If this name
is available for the current domain we accept it as well.
Related to https://fedorahosted.org/sssd/ticket/1561
|
|
|
|
https://fedorahosted.org/sssd/ticket/1537
changes upper limit of slices to 2000200000 in providers code and
manpage.
|
|
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
|
https://fedorahosted.org/sssd/ticket/1521
|
|
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (aka empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether
|
|
https://fedorahosted.org/sssd/ticket/1519
IPA host refactoring changed mapping of memberOf attribute
which caused SSSD being unable to retrieve membership of
hostgroup when being interpreted as netgroup.
|
|
https://fedorahosted.org/sssd/ticket/1365
|
|
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c).
|
|
|
|
https://fedorahosted.org/sssd/ticket/1472
|
|
https://fedorahosted.org/sssd/ticket/1463
|
|
https://fedorahosted.org/sssd/ticket/1462
|
|
https://fedorahosted.org/sssd/ticket/1457
|
|
https://fedorahosted.org/sssd/ticket/1456
|
|
When new subdomains are discovered, the SSSD creates a file that
includes the domain-realm mappings. This file can in turn be included in
the krb5.conf using the includedir directive, such as:
includedir /var/lib/sss/pubconf/realm_mappings
|
|
|
|
|
|
|
|
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allows us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often.
|
|
Instead of exporting internal structures, expose an initilizer function
like the autofs code and initialize everything inside the
ipa_subdomains.c file.
|
|
This will be used later for setting domain_realm mappings in krb5.conf
|
|
I am all for readable names, but there is a tradeof between expressing purpose
and compactness.
|
|
Something like this:
sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb;
really is not readable, and we always discourage using obfuscated C, please
refrain in future.
|
|
|
|
|
|
Rename the structure to use a standard name prefix so it is properly
name-spaced, in preparation for changing the structure itself.
|
|
This patch adds support for new config option ipa_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
|
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches.
|
|
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch.
|
|
This patch adds support for the primary server functionality into IPA
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
|
The host record will be fetched if HBAC is used as access provider since
the record is already downloaded and it can be trusted to be valid.
|
|
If HBAC is active, SELinux code will reuse them instead of downloading
them from the server again.
|
|
|
|
|
|
The counter is important so the for cycle doesn't depend on the first
NULL pointer. That would cause potential errors if more records are
following after this first NULL pointer.
|
|
Translate manually memberHost and memberUser to originalMemberUser and
originalMemberHost. Without this, the HBAC rule won't be matched against
current user and/or host, meaning that no SELinux user map connected to
it will be matched againts any user on the system.
|