| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962
|
|
https://fedorahosted.org/sssd/ticket/1713
|
|
This function will be used later to fill the sdap_domain structures with
search bases.
|
|
By default, the LDAP searches delete the entry from cache if it wasn't
found during a search. But if a search wants to try both Global Catalog
and LDAP, for example, it might be beneficial to have an option to only
delete the entry from cache after the last operation fails to prevent
unnecessary memberof operations for example.
|
|
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
|
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added.
|
|
The sdap account handler was a function with its own private callback
that directly called the back end handlers. This patch refactors the
handler into a new tevent request that the current sdap handler calls.
This refactoring would allow the caller to specify a custom sdap
connection for use by the handler and optionally retry the same request
with another connection inside a single per-provider handler.
No functional changes are present in this patch.
|
|
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.
|
|
setup_child() was accepting a parameter it didn't use. Also the function
name was too generic, so I added a sdap prefix.
|
|
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
|
https://fedorahosted.org/sssd/ticket/734
We successfully detect when the server is reinitialized by testing
the new lastUSN value. The maximum USN values are set to zero, but
the current cache content remains.
This patch removes records that were deleted from the server.
It uses the following approach:
1. remove entryUSN attribute from all entries
2. run enumeration
3. remove records that doesn't have entryUSN attribute updated
We don't need to do this for sudo rules, they will be refreshed
automatically during next smart/full refresh, or when an expired rule
is deleted.
|
|
This patch adds support for the primary server functionality into LDAP
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
We need to load host information during provider initialization.
Currently it loads only values from configuration files, but it is
implemented as an asynchrounous request as it will later try to
autodetect these settings (which will need to contact DNS).
|
|
|
|
|
|
|
|
Previously, we were using sdap_parse_search_base() for setting up
the search_base objects for use in IPA. However, this was
generating unfriendly log messages about unknown search base
types. This patch creates a new common_parse_search_base() routine
that can be used with either LDAP or IPA providers.
https://fedorahosted.org/sssd/ticket/1151
|
|
|
|
|
|
Avoid #ifdefs in the general part of the code
|
|
|
|
https://fedorahosted.org/sssd/ticket/1110
Adds new configuration options:
- ldap_sudo_refresh_enabled - enable/disable periodical updates
- ldap_sudo_refresh_timeout - rules timeout (refresh period)
|
|
|
|
|
|
|
|
This was causing a segfault during HBAC processing and any ID lookups
except for netgroups
|
|
|
|
These were renamed just ot make sure they are not mistook for IPA
netgroup functions.
|
|
|
|
|
|
This function converts a list of ldb_messages into a list of
sysdb_attrs.
|
|
https://fedorahosted.org/sssd/ticket/647
|
|
Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.
https://fedorahosted.org/sssd/ticket/795
|
|
Sometimes, a value in LDAP will cease to exist (the classic
example being shadowExpire). We need to make sure we purge that
value from SSSD's sysdb as well.
https://fedorahosted.org/sssd/ticket/750
|
|
|
|
Otherwise fallback to the default modifyTimestamp indicator
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
|
|
|
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
|
