Age | Commit message | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1110
Adds new configuration options:
- ldap_sudo_refresh_enabled - enable/disable periodical updates
- ldap_sudo_refresh_timeout - rules timeout (refresh period)
|
It will be reused later in the sudo responder
|
https://fedorahosted.org/sssd/ticket/1036
|
https://fedorahosted.org/sssd/ticket/1075
|
https://fedorahosted.org/sssd/ticket/957
|
Instead of making this a global option for all user lookups, make
it only used if the search base is passed without an explicit
filter.
|
https://fedorahosted.org/sssd/ticket/1003
|
https://fedorahosted.org/sssd/ticket/970
|
https://fedorahosted.org/sssd/ticket/978
|
The patch also updates code using modified functions. Tests have also
been adjusted.
|
Allows being more concise in tests and more defensive in resolve
callbacks
|
https://fedorahosted.org/sssd/ticket/911
|
This function converts a list of ldb_messages into a list of
sysdb_attrs.
|
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799
|
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only if no suitable
principal is found should the backend fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
|
https://fedorahosted.org/sssd/ticket/647
|
Now that gecos can come from either the 'gecos' or 'cn' attributes,
we need to ensure that we never remove it from the cache.
|
https://fedorahosted.org/sssd/ticket/746
|
Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.
https://fedorahosted.org/sssd/ticket/795
|
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API.
|
Sometimes, a value in LDAP will cease to exist (the classic
example being shadowExpire). We need to make sure we purge that
value from SSSD's sysdb as well.
https://fedorahosted.org/sssd/ticket/750
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
https://fedorahosted.org/sssd/ticket/670
|
Previously, we would wait for ten seconds before starting an
enumeration. However, this meant that on the first startup (before
we had run our first enumeration) there was a ten-second window
where clients would immediately get back a response with no
entries instead of blocking until the enumeration completed.
With this patch, SSSD will now run an enumeration immediately upon
startup. Further startups will retain the ten-second delay so as
not to slow down system bootups.
https://fedorahosted.org/sssd/ticket/616
|
https://fedorahosted.org/sssd/ticket/726
|
Otherwise fall back to the default modifyTimestamp indicator
|
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported, which evaluates the ldap_user_shadow_expire
attribute.
|
https://fedorahosted.org/sssd/ticket/691
|
Also allow it to be disabled entirely
|