summaryrefslogtreecommitdiff
path: root/src/providers/ipa
AgeCommit message (Collapse)AuthorFilesLines
2011-03-24Add host access control supportPierre Ossman1-1/+2
https://fedorahosted.org/sssd/ticket/746
2011-03-03Fixes for dynamic DNS updateSumit Bose1-16/+87
The current code assumed that only one server is given in the ipa_server config option and fails if multiple servers were given. To fix this nsupdate is first called without a server name assuming that nsupdate is able to find the name of the master DNS server of the zone by reading the SOA record. If this fails the IP address of the currently active LDAP server is used and nsupdate is called again. If there is no default realm given in /etc/krb5.conf nsupdate start trying to find a realm based on the DNS domain which might lead to wrong results. To be on the safe side the realm was added to the message send to nsupdate.
2011-02-28Use realm for basedn instead of IPA domainJakub Hrozek4-48/+50
https://fedorahosted.org/sssd/ticket/807
2011-02-22Fix uninitialized value error in ipa_get_id_options()Stephen Gallagher1-7/+7
Previously, we were only constructing the basedn variable if the ldap_search_base was not specified (which is unlikely to be in use when using the IPA provier). However, if it did happen, constrcuction of the compat search base for netgroups would be using an uninitialized value. Fixes https://fedorahosted.org/sssd/ticket/806
2011-02-22Add krb5_realm to the basic IPA optionsStephen Gallagher2-2/+4
Previously, this was only handled by the internal LDAP and Kerberos providers, but this wasn't available early enough to properly handle setting up the krb5_service for failover and creating the krb5info files.
2011-02-22Allow krb5_realm to override ipa_domainStephen Gallagher3-18/+37
It is possible to set up FreeIPA servers where the Kerberos realm differs from the IPA domain name. We need to allow setting the krb5_realm explicitly to handle this.
2011-02-17Point the IPA provider at the compat tree for netgroupsStephen Gallagher1-0/+19
We don't yet have support for IPA's internal representation of netgroups, so we need to use its compatibility mode for the time being.
2011-01-27Add option to disable TLS for LDAP authStephen Gallagher2-2/+6
Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.
2011-01-20Add ldap_tls_{cert,key,cipher_suite} config optionsTyson Whitehead2-1/+4
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2011-01-19Add ipa_hbac_search_base config optionSumit Bose4-54/+43
2011-01-19Add LDAP expire policy base RHDS/IPA attributeSumit Bose1-1/+2
The attribute nsAccountLock is used by RHDS, IPA and other directory servers to indicate that the account is locked.
2011-01-19Add LDAP expire policy based on AD attributesSumit Bose1-1/+3
The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.
2011-01-17Add ldap_search_enumeration_timeout config optionSumit Bose3-6/+7
2011-01-17Add timeout parameter to sdap_get_generic_send()Sumit Bose2-23/+34
2010-12-21Add authorizedService supportStephen Gallagher1-1/+2
https://fedorahosted.org/sssd/ticket/670
2010-12-17Fix uninitialized value error in set_local_and_remote_host_infoStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/725
2010-12-17Fix unsafe return condition in ipa_access_handlerStephen Gallagher1-1/+6
https://fedorahosted.org/sssd/ticket/718
2010-12-08Remove IPA_ACCESS_TIME defineStephen Gallagher1-13/+11
2010-12-08Bye, bye, ipa_timerulesSumit Bose2-1243/+0
It was decided that IPA HBAC will move to a different format to specify time ranges in access control rules. The evaluation based on the old format is not needed anymore.
2010-12-08Remove check_access_time() from IPA access providerSumit Bose2-70/+0
It is planned to release IPA 2.0 without time range specifications in the access control rules. To avoid confusion the evaluation is removed from sssd, too.
2010-12-07Replace krb5_kdcip by krb5_server in LDAP providerSumit Bose1-2/+2
2010-12-07ldap: Use USN entries if available.Simo Sorce1-1/+3
Otherwise fallback to the default modifyTimestamp indicator
2010-12-07ldap: add checks to determine if USN features are available.Simo Sorce1-1/+1
2010-12-07Pass sdap_id_ctx in sdap_id_op functions.Simo Sorce1-3/+1
2010-12-07Add support for FAST in krb5 providerSumit Bose3-3/+5
2010-12-06Add ldap_chpass_uri config optionSumit Bose2-2/+4
2010-12-06Add new account expired rule to LDAP access providerSumit Bose2-2/+4
Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated. 'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'. 'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute.
2010-12-03Add support for automatic Kerberos ticket renewalSumit Bose2-2/+3
2010-12-03Add krb5_lifetime optionSumit Bose2-2/+3
2010-12-03Add krb5_renewable_lifetime optionSumit Bose2-2/+3
2010-12-01Add check_online method to LDAP ID providerSumit Bose1-1/+2
2010-12-01Allow protocol fallback for SRV queriesJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/691
2010-11-19Use a more efficient host search filterSumit Bose1-5/+6
2010-11-15Sanitize sysdb search filters in the IPA providerStephen Gallagher1-2/+17
2010-10-22Download only enabled IPA HBAC rulesSumit Bose1-1/+3
2010-10-22Add ldap_deref optionSumit Bose2-2/+13
2010-10-19Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.Jan Zeleny1-1/+9
For the time being, if krb5_server is not found, still falls back to krb5_kdcip with a warning. If both options are present in config file, krb5_server has a higher priority. Fixes: #543
2010-10-18Add option to limit nested groupsSimo Sorce2-2/+3
2010-10-13Add infrastructure to LDAP provider for netgroup supportSumit Bose2-2/+35
2010-10-13Initialize kerberos service for GSSAPIJakub Hrozek1-0/+1
2010-10-13Add KDC to the list of LDAP optionsJakub Hrozek2-1/+2
2010-10-13Rename index to idxSumit Bose1-4/+4
This patch suppresses a 'shadows a global declaration' warning.
2010-09-23Save all data to sysdb in one transactionSumit Bose1-222/+131
2010-09-23Handle host objects like other objectsSumit Bose2-129/+183
2010-09-15Store rootdse supported features in sdap_handlerSumit Bose1-2/+2
2010-09-07Cleaned some dead assignmentsJan Zeleny2-15/+13
Two needless assignments were deleted, two were complemented with code checking function results. Ticket: #582
2010-09-02Fix wrong return value in HBAC time rules evaluationJakub Hrozek1-0/+1
Fixes: #584
2010-08-03Fix check_time_rule() return value on failureJakub Hrozek1-1/+1
The value returned in the 'done:' label was always EOK which is wrong as any parsing errors are not returned to the caller. Fixes: #583
2010-07-23Fix IPA access backend handling of obsolete and missing HBAC entries:eindenbom1-9/+68
- Ticket #567: Fix removal of obsolete HBAC host, rules and service records from sysdb. - Ticket #565: When no HBAC host record is found return PAM_PERM_DENIED instead of PAM_SYSTEM_ERROR.
2010-07-23Do not treat missing HBAC rules as an errorSumit Bose1-0/+5