Age | Commit message (Collapse) | Author | Files | Lines |
|
The check worked for simple setups but fails e.g. in environment with
trusts.
|
|
|
|
AD provider will override the default with its own.
|
|
|
|
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.
|
|
Instead of always performing the cleanup on the main domain, the task
now accepts a sdap_domain structure to perform the cleanup on. This
change will make the cleanup task reusable for subdomains.
|
|
https://fedorahosted.org/sssd/ticket/1942
Identity providers other than LDAP need to customize the enumeration in
different ways while sharing the way the task is scheduled etc. The
easiest way to accomplish it is to leverage the recently introduced
ptask framework.
|
|
Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
|
|
This function will be used later to fill the sdap_domain structures with
search bases.
|
|
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
|
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.
|
|
Instead of using boolean variables to denote whether the call is adding
a primary or a secondary server, use a function wrapper that tells what
it's doing by its name.
|
|
This patch add a basic check if the SID returned by the LDAP server is
in a string representation. If not it is assumed that a binary SID was
returned by the LDAP server which is converted into a string
representation which is returned to the caller.
|
|
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque.
|
|
The sysdb context is already available through the 'domain' structure.
|
|
|
|
Added new parameter to split_on_separator that allows to skip
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484
|
|
|
|
The check is too restrictive as the select_principal_from_keytab can
return something else than user requested right now.
Consider that user query for host/myserver@EXAMPLE.COM, then the
select_principal_from_keytab function will return "myserver" in primary and
"EXAMPLE.COM" in realm. So the caller needs to add logic to also break
down the principal to get rid of the host/ part. The heuristics would
simply get too complex.
select_principal_from_keytab will error out anyway if there's no
suitable principal at all.
|
|
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
|
If there was no SID attribute, then we would have detected it by
checking the number of values of an element. We would however happily
return EOK in that case and save garbage into the sid_str.
This was causing segfault when the entry was supposed to be ID-mapped by
had no SID.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1521
|
|
https://fedorahosted.org/sssd/ticket/1365
|
|
https://fedorahosted.org/sssd/ticket/1472
|
|
https://fedorahosted.org/sssd/ticket/1463
|
|
https://fedorahosted.org/sssd/ticket/1393
|
|
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches.
|
|
This patch adds support for the primary server functionality into LDAP
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
|
This will eliminate ambiguity for the AD provider
|
|
This function is not supposed to return any newly-allocated memory
directly. It was actually leaking the memory for krb5_servers if
krb5_kdcip was being used, though it was undetectable because it
was allocated on the provided memctx.
This patch removes the memctx parameter and allocates krb5_servers
temporarily on NULL and ensures that it is freed on all exit
conditions. It is not necessary to retain this memory, as
dp_opt_set_string() performs a talloc_strdup onto the appropriate
context internally.
It also updates the DEBUG messages for this function to the
appropriate new macro levels.
|
|
We need to load host information during provider initialization.
Currently it loads only values from configuration files, but it is
implemented as an asynchrounous request as it will later try to
autodetect these settings (which will need to contact DNS).
|
|
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113
|
|
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query.
|
|
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL.
|
|
|
|
There is no functional change due to this patch.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1031
|
|
https://fedorahosted.org/sssd/ticket/1217
|
|
|
|
Previously, we were using sdap_parse_search_base() for setting up
the search_base objects for use in IPA. However, this was
generating unfriendly log messages about unknown search base
types. This patch creates a new common_parse_search_base() routine
that can be used with either LDAP or IPA providers.
https://fedorahosted.org/sssd/ticket/1151
|
|
|
|
Coverity #12525 and #12524
|
|
|
|
https://fedorahosted.org/sssd/ticket/1019
|
|
|
|
Avoid #ifdefs in the general part of the code
|