Age | Commit message (Collapse) | Author | Files | Lines |
|
Added new parameter to split_on_separator that allows to skip
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484
|
|
In case of a short UPN compare_principal_realm() erroneously returns an
error.
|
|
With the current approach the upn was either a pointer to a const string
in a ldb_message or a string created with the help of talloc. This new
function always makes it a talloc'ed value.
Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as
well.
|
|
Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
|
|
https://fedorahosted.org/sssd/ticket/1521
|
|
https://fedorahosted.org/sssd/ticket/1365
|
|
https://fedorahosted.org/sssd/ticket/1472
|
|
https://fedorahosted.org/sssd/ticket/1463
|
|
This patch adds support for the primary server functionality
into krb5 provider. No backup servers are added at the moment,
just the basic support is in place.
|
|
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
|
This function is not supposed to return any newly-allocated memory
directly. It was actually leaking the memory for krb5_servers if
krb5_kdcip was being used, though it was undetectable because it
was allocated on the provided memctx.
This patch removes the memctx parameter and allocates krb5_servers
temporarily on NULL and ensures that it is freed on all exit
conditions. It is not necessary to retain this memory, as
dp_opt_set_string() performs a talloc_strdup onto the appropriate
context internally.
It also updates the DEBUG messages for this function to the
appropriate new macro levels.
|
|
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113
|
|
We can't support the DIR cache features in systems with kerberos
libraries older than 1.10. Make sure we don't build it on those
systems.
|
|
https://fedorahosted.org/sssd/ticket/974
|
|
To be able to add support for new credential cache types easily, this
patch creates a new structure sss_krb5_cc_be that defines common
operations with a credential cache, such as create, check if used or remove.
|
|
https://fedorahosted.org/sssd/ticket/1209
|
|
There is no functional change due to this patch.
|
|
https://fedorahosted.org/sssd/ticket/1217
|
|
Coverity 12394, 12395, 12396, 12397 and 12398
|
|
https://fedorahosted.org/sssd/ticket/1080
|
|
https://fedorahosted.org/sssd/ticket/957
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/909
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/700
|
|
https://fedorahosted.org/sssd/ticket/722
|
|
|
|
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/691
|
|
|
|
For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in config file,
krb5_server has a higher priority.
Fixes: #543
|
|
|
|
Additionally the handling of errno and the errno_t return value of
functions is fixed in krb5_common.c.
|
|
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows to set
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479
|
|
Fixes: #531
|
|
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output.
|
|
|
|
|
|
|
|
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
The current version modified some global structures to be able to use
Kerberos and LDAP authentication during the IPA password migration. This
new version only uses tevent requests.
Additionally the ipaMigrationEnabled attribute is read from the IPA
server to see if password migration is allowed or not.
|
|
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
|
|
|