summaryrefslogtreecommitdiff
path: root/src/providers/ipa
AgeCommit message (Collapse)AuthorFilesLines
2013-09-05Fix warning missing argumentsLukas Slebodnik1-1/+1
2013-09-02Fix czech specific character in my namePavel Březina2-2/+2
2013-08-28IPA_HBAC: Explicitelly include header file time.hLukas Slebodnik1-0/+1
struct hbac_eval_req is defined in header file and it has attribute request_time with type time_t, but header file "time.h" was not included. It was not problem, because time.h was indirectly included by stdlib.h (stdlib.h -> sys/types.h -> time.h) in implementation files, but other platforms can have other dependencies among header files.
2013-08-28IPA: Add forgotten declarationJakub Hrozek1-0/+1
A conflict between two patches was not resolved correctly
2013-08-28IPA: enable enumeration if parent domain enumerates in server modeJakub Hrozek1-12/+58
https://fedorahosted.org/sssd/ticket/1963
2013-08-28SYSDB: Store enumerate flag for subdomainJakub Hrozek1-1/+2
2013-08-28LDAP: Make sdap_id_setup_tasks reusable for subdomainsJakub Hrozek1-1/+1
Instead of always performing the setup for the main domain, the setup can now be performed for subdomains as well.
2013-08-28DB: remove unused realm parameter from sysdb_master_domain_add_infoJakub Hrozek1-1/+1
The parameter was not used at all.
2013-08-28ipa-server-mode: add IPA group memberships to AD usersSumit Bose3-8/+1004
When IPA trusts an AD domain the AD user or groups can be placed into IPA groups e.g. to put AD users under the control of HBAC. Since IPA group can only have members from the IPA directory tree and the AD users and groups are not stored there a special IPA object called external group was introduced. SIDs of users and groups can be added to the external group and since the external groups are in the IPA directory tree they can be member of IPA groups. To speed things up and to remove some load from the IPA servers SSSD reads all external groups and stores them in memory for some time before rereading the data. Enhances https://fedorahosted.org/sssd/ticket/1962
2013-08-28IPA: Enable AD sites when in server modeJakub Hrozek3-2/+70
https://fedorahosted.org/sssd/ticket/1964 Currently the AD sites are enabled unconditionally
2013-08-28krb5: Fetch ccname template from krb5.confStephen Gallagher1-1/+1
In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
2013-08-19ipa_s2n_get_user_done: make sure ALIAS name is lower caseSumit Bose1-2/+18
Fixes https://fedorahosted.org/sssd/ticket/1630
2013-08-19ipa_s2n_get_user_done: free group_attrs as wellSumit Bose1-0/+1
2013-08-19Check whether servername is not empty string.Lukas Slebodnik1-1/+1
Previous check was wrong, servername cannot be NULL.
2013-07-29Use GID if subdomain is not MPGJakub Hrozek1-1/+8
https://fedorahosted.org/sssd/ticket/2032 In non-MPG subdomains (such as those that manage their IDs manually with POSIX attributes), we need to set the GID ourself.
2013-07-23Fix possible dereference of a NULL pointer.Lukas Slebodnik1-1/+1
We check if function ipa_get_ad_id_ctx returns NULL, but function ipa_get_ad_id_ctx could never return NULL. This issue was found by scan-build.
2013-07-23KRB5: Do not send PAC in server modeJakub Hrozek1-1/+7
The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
2013-07-19Fix the default FQDN formatJakub Hrozek1-1/+1
Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN format by accident to the one we only ever user internally. This commit fixes the mistake.
2013-07-19IPA: warn if full_name_format is customized in server modeJakub Hrozek1-0/+17
https://fedorahosted.org/sssd/ticket/2009 If the IPA server mode is on and the SSSD is running on the IPA server, then the server's extdom plugin calls getpwnam_r to read info about trusted users from the AD server and return them to the clients that called the extended operation. The SSSD returns the subdomain users fully-qualified, ie "user@domain" by default. The format of the fully qualified name is configurable. However, the extdom plugin returns the user name without the domain component. With this patch, when ipa_server_mode is on, warn if the full_name_format is set to a non-default value. That would prompt the admin to change the format if he changed it to something exotic.
2013-06-28IPA: Look up AD users directly if IPA server mode is onJakub Hrozek4-4/+155
https://fedorahosted.org/sssd/ticket/1962 If the ipa_server_mode is selected IPA subdomain user and group lookups are not done with the help of the extdom plugin but directly against AD using the AD ID code.
2013-06-28IPA: Create and remove AD id_ctx for subdomains discovered in server modeJakub Hrozek1-0/+182
When IPA server mode is on, then this patch will create an ad_id_ctx for each subdomain discovered in IPA provider. The ID context is needed to perform direct lookups using the AD provider. Subtask of: https://fedorahosted.org/sssd/ticket/1962
2013-06-28IPA: Initialize server mode ctx if server mode is onJakub Hrozek4-0/+62
This patch introduces a new structure that holds information about a subdomain and its ad_id_ctx. This structure will be used only in server mode to make it possible to search subdomains with a particular ad_id_ctx. Subtask of: https://fedorahosted.org/sssd/ticket/1962
2013-06-28IPA: Add a server mode optionJakub Hrozek2-0/+2
https://fedorahosted.org/sssd/ticket/1993 SSSD needs to know that it is running on an IPA server and should not look up trusted users and groups with the help of the extdom plugin but do the lookups on its own. For this a new boolean configuration option, is introduced which defaults to false but is set to true during ipa-server-install or during updates of the FreeIPA server if it is not already set.
2013-06-28Save mpg state for subdomainsSumit Bose1-3/+10
The information of a subdomain will use magic private groups (mpg) or not will be stored together with other information about the domain in the cache.
2013-06-28IPA: read ranges before subdomainsSumit Bose1-29/+27
Since FreIPA will start to support external mapping for trusted domains as well the range type for the domain must be know before the domain object is created. The reason is that external mapping will not use magic private groups (mpg) while algorithmic mapping will use them.
2013-06-28Replace new_subdomain() with find_subdomain_by_name()Sumit Bose2-7/+5
new_subdomain() will create a new domain object and should not be used anymore in the priovder code directly. Instead a reference to the domain from the common domain object should be used.
2013-06-28Add support for new ipaRangeType attributeSumit Bose3-6/+36
Recent versions of FreeIPA support a range type attribute to allow different type of ranges for sub/trusted-domains. If the attribute is available it will be used, if not the right value is determined with the help of the other idrange attributes. Fixes https://fedorahosted.org/sssd/ticket/1961
2013-06-28Add ipa_idmap_init()Sumit Bose3-1/+275
Use the sdap_idmap context for the IPA provider as well. https://fedorahosted.org/sssd/ticket/1961
2013-06-28Add now options ldap_min_id and ldap_max_idSumit Bose1-0/+2
Currently the range for Posix IDs stored in an LDAP server is unbound. This might lead to conflicts in a setup with AD and trusts when the configured domain uses IDs from LDAP. With the two noe options this conflict can be avoided.
2013-06-27SSH: When host is removed from LDAP, remove it from the cache as wellJan Cholasta1-1/+8
https://fedorahosted.org/sssd/ticket/1949
2013-06-27AD: Write out domain-realm mappingsJakub Hrozek1-164/+3
This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
2013-06-25krb5: do not send pac for IPA users from the local domainSumit Bose1-0/+1
So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995
2013-06-24IPA: Do not download or store the member attribute of host groupsJakub Hrozek2-2/+0
https://fedorahosted.org/sssd/ticket/1806 The IPA provider attempted to store the original value of member attribute to the cache. That caused the memberof plugin to process the values which was really CPU intensive.
2013-06-17handle ERR_ACCOUNT_EXPIRED properlyPavel Březina1-0/+4
https://fedorahosted.org/sssd/ticket/1953
2013-06-16subdomains: touch krb5.conf when creating new domain-realm mappingsPavel Březina1-0/+8
https://fedorahosted.org/sssd/ticket/1815
2013-06-12Fix minor typosYuri Chornoivan1-1/+1
2013-06-10A new option krb5_use_kdcinfoJakub Hrozek2-12/+25
https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
2013-06-10providers: refresh expired netgroupsPavel Březina1-0/+10
https://fedorahosted.org/sssd/ticket/1713
2013-06-07Move domain_to_basedn outside IPA subtreeJakub Hrozek2-65/+0
The utility function will be reused to guess search base from the base DN of AD trusted domains.
2013-06-07LDAP: new SDAP domain structureJakub Hrozek2-12/+19
Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
2013-06-07LDAP: Pass in a connection to ID functionsJakub Hrozek1-1/+1
Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.
2013-06-07LDAP: sdap_id_ctx might contain several connectionsJakub Hrozek8-15/+11
With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
2013-06-07Do not obfuscate calls with booleansJakub Hrozek1-7/+21
Instead of using boolean variables to denote whether the call is adding a primary or a secondary server, use a function wrapper that tells what it's doing by its name.
2013-05-30Add utility functions for formatting fully-qualified namesJakub Hrozek1-4/+4
Instead of using printf-like functions directly, provide two wrappers that would encapsulate formatting the fully-qualified names. No functional change is present in this patch.
2013-05-28IPA: Check for ENOMEMJakub Hrozek1-0/+3
2013-05-27Fix dyndns timer initializationJakub Hrozek2-2/+8
The dyndns init function was starting the timer even if the updates were set to False. This patch splits the init of dynamic updates and the timer into two functions so that the back end can start the updates separately from reading the options.
2013-05-27IPA: read user and group SIDSumit Bose1-2/+2
To allow mapping of SIDs to names or POSIX IDs and back the related attributes must be read from the FreeIPA directory server.
2013-05-27IPA: Always initialize ID mappingSumit Bose1-4/+10
Because we now always want to store SIDs in the IPA provider, we also need to always initialize the ID mapping context.
2013-05-23Adding option to disable retrieving large AD groups.Lukas Slebodnik1-0/+1
This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups(>1500) will not be retrieved and behaviour will be similar like was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823
2013-05-20Remove unneeded parameter of setup_child and namespace itJakub Hrozek1-1/+1
setup_child() was accepting a parameter it didn't use. Also the function name was too generic, so I added a sdap prefix.