summaryrefslogtreecommitdiff
path: root/src/providers/ipa
AgeCommit message (Collapse)AuthorFilesLines
2011-10-17Add a missing breakJakub Hrozek1-0/+1
2011-10-14HBAC: Use originalMember for identifying hostgroupsStephen Gallagher3-45/+165
2011-10-14HBAC: Use originalMember for identifying servicegroupsStephen Gallagher3-41/+169
2011-10-14HBAC: Do not save member/memberOf linksStephen Gallagher1-120/+0
We can just trust the values from the FreeIPA server
2011-09-28HBAC: fix typos preventing proper hostgroup evaluationStephen Gallagher1-3/+3
2011-09-28IPA access: hostname comparison should be case-insensitiveJakub Hrozek1-1/+1
2011-09-28Multiline macro cleanupJakub Hrozek2-2/+2
This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.
2011-09-08Improve documentation of libipa_hbacStephen Gallagher2-21/+1697
2011-09-07Do not access memory out of boundsSumit Bose1-2/+2
2011-08-29HBAC: Properly skip all non-group memberOf entriesStephen Gallagher1-1/+2
2011-08-26HBAC: Use of hostgroups for targethost or sourcehost was brokenStephen Gallagher1-4/+4
We were trying to look up the wrong attribute for the name of the hostgroup.
2011-08-26HBAC: Handle saving groups that have no membersStephen Gallagher1-7/+21
2011-08-26Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANONJakub Hrozek2-2/+3
https://fedorahosted.org/sssd/ticket/978
2011-08-25IPA dyndns: do not segfault if the server cannot be resolvedJakub Hrozek1-4/+2
https://fedorahosted.org/sssd/ticket/963
2011-08-15sysdb refactoring: memory context deletedJan Zeleny2-3/+3
This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
2011-08-15sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny6-17/+12
The patch also updates code using modified functions. Tests have also been adjusted.
2011-08-01Change the default value of ldap_tls_cacert in IPA providerJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/944
2011-08-01Add rule validator to libipa_hbacStephen Gallagher2-0/+74
https://fedorahosted.org/sssd/ticket/943
2011-08-01Remove incorrect private variableStephen Gallagher1-1/+1
This caused no ill effects, since it wasn't used in the callback. However, it is a layering violation (especially since req is freed in the callback)
2011-07-29Fix incorrect NULL check in ipa_hbac_common.cStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/936
2011-07-29Fix memory leak in ipa_hbac_evaluate_rulesStephen Gallagher1-0/+1
https://fedorahosted.org/sssd/ticket/933
2011-07-29libipa_hbac: Support case-insensitive comparisons with UTF8Stephen Gallagher1-16/+98
2011-07-21fo_get_server_name() getter for a server nameJakub Hrozek1-1/+9
Allows to be more concise in tests and more defensive in resolve callbacks
2011-07-21Rename fo_get_server_name to fo_get_server_str_nameJakub Hrozek1-2/+2
2011-07-13Remove unused krb5_service structure memberJakub Hrozek1-2/+0
2011-07-11Check DNS records before updatingJakub Hrozek4-25/+470
https://fedorahosted.org/sssd/ticket/802
2011-07-11Escape IP address in kdcinfoJakub Hrozek1-10/+10
https://fedorahosted.org/sssd/ticket/909
2011-07-11Move IP adress escaping from the LDAP namespaceJakub Hrozek1-3/+3
2011-07-08Add LDAP access control based on NDS attributesSumit Bose1-1/+4
2011-07-08Treat NULL or empty rhost as unknownStephen Gallagher2-11/+25
Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts.
2011-07-08Add ipa_hbac_treat_deny_as optionStephen Gallagher3-2/+13
By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.
2011-07-08Add ipa_hbac_refresh optionStephen Gallagher4-1/+21
This option describes the time between refreshes of the HBAC rules on the IPA server.
2011-07-08Add new HBAC lookup and evaluation routinesStephen Gallagher2-124/+398
2011-07-08Remove old HBAC implementationStephen Gallagher2-1595/+1
2011-07-08Add helper functions for looking up HBAC rule componentsStephen Gallagher6-0/+2616
2011-07-08Add HBAC evaluator and testsStephen Gallagher3-0/+386
2011-07-05ipa_dyndns: Use sockaddr_storage for storing IP addressesJakub Hrozek1-12/+17
https://fedorahosted.org/sssd/ticket/915
2011-06-30Use name based URI instead of IP address based URIsSumit Bose1-1/+1
2011-06-30Add sockaddr_storage to sdap_serviceSumit Bose1-0/+10
2011-06-21Log nsupdate messageJakub Hrozek1-0/+3
https://fedorahosted.org/sssd/ticket/893
2011-06-15Switch resolver to using resolv_hostent and honor TTLJakub Hrozek1-2/+2
2011-06-02Escape IPv6 IP addresses in the IPA providerJakub Hrozek1-4/+26
https://fedorahosted.org/sssd/ticket/880
2011-06-02Add utility function to return IP address as stringJakub Hrozek1-8/+2
2011-05-20Use dereference when processing RFC2307bis nested groupsJakub Hrozek2-2/+3
Instead of issuing N LDAP requests when processing a group with N users, utilize the dereference functionality to pull down all the members in a single LDAP request. https://fedorahosted.org/sssd/ticket/799
2011-04-29Fix order of arguments in select_principal_from_keytab() callJakub Hrozek1-1/+1
2011-04-29Fix segfault in IPA providerStephen Gallagher1-2/+2
We were trying to request the krb5 keytab from the auth provider configuration, but it hasn't yet been set up. Much better to use the value in the ID provider.
2011-04-28Fix IPA config bug with SDAP_KRB5_REALMStephen Gallagher1-1/+1
2011-04-27Add ldap_page_size configuration optionStephen Gallagher2-2/+3
2011-04-25Modify principal selection for keytab authenticationJan Zeleny2-22/+54
Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
2011-04-25Allow new option to specify principal for FASTJan Zeleny2-2/+3
https://fedorahosted.org/sssd/ticket/700