summaryrefslogtreecommitdiff
path: root/src/providers/ldap/ldap_id.c
AgeCommit message (Collapse)AuthorFilesLines
2013-08-08Enable removing nonexisting dn in sdap_handle_account_infoLukas Slebodnik1-1/+1
Change was introduced in commit ca344fde
2013-07-17LDAP: When resolving a SID, search for groups first, then usersJakub Hrozek1-19/+18
https://fedorahosted.org/sssd/ticket/1997 Most of the time, the SIDs are resolved as a call coming from the PAC responder during initgroups. In that case at least, it makes sense to search for group matching that SID first, then users. We may consider making this behaviour configurable ie for the server mode where typically the users should be queried first.
2013-06-28Replace SDAP_ID_MAPPING checks with sdap_idmap_domain_has_algorithmic_mappingSumit Bose1-3/+11
Currently the decision if external or algorithmic mapping should be used in the LDAP or AD provider was based on the value of the ldap_id_mapping config option. Since now all information about ID mapping is handled by libsss_idmap the check for this options can be replace with a call which checks the state via libss_idmap. https://fedorahosted.org/sssd/ticket/1961
2013-06-24LDAP: Retry SID search based on result of LDAP search, not the return codeJakub Hrozek1-2/+13
2013-06-07LDAP: return sdap search return code to IDJakub Hrozek1-34/+87
By default, the LDAP searches delete the entry from cache if it wasn't found during a search. But if a search wants to try both Global Catalog and LDAP, for example, it might be beneficial to have an option to only delete the entry from cache after the last operation fails to prevent unnecessary memberof operations for example.
2013-06-07LDAP: new SDAP domain structureJakub Hrozek1-19/+49
Previously an sdap_id_ctx was always tied to one domain with a single set of search bases. But with the introduction of Global Catalog lookups, primary domain and subdomains might have different search bases. This patch introduces a new structure sdap_domain that contains an sssd domain or subdomain and a set of search bases. With this patch, there is only one sdap_domain that describes the primary domain.
2013-06-07LDAP: Pass in a connection to ID functionsJakub Hrozek1-20/+39
Instead of using the default connection from the sdap_id_ctx, allow the caller to specify which connection shall be used for this particular request. Again, no functional change is present in this patch, just another parameter is added.
2013-06-07LDAP: Refactor account info handler into a tevent requestJakub Hrozek1-155/+201
The sdap account handler was a function with its own private callback that directly called the back end handlers. This patch refactors the handler into a new tevent request that the current sdap handler calls. This refactoring would allow the caller to specify a custom sdap connection for use by the handler and optionally retry the same request with another connection inside a single per-provider handler. No functional changes are present in this patch.
2013-06-07LDAP: sdap_id_ctx might contain several connectionsJakub Hrozek1-5/+5
With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
2013-06-06Intermittent fix for get_user_and_group_users_doneSumit Bose1-3/+0
users_get_recv() never returns ENOENT. In general it should return EOK in the case no matching user was found. But since I forget to handle a SID based filter properly in sdap_get_users_process() an error is returned in this case which makes get_user_and_group_users_done() work as expected with this patch. There is an upcoming enhancement to users_get_recv() which I'm planning to use for a full fix.
2013-05-28Remove unneeded commentJakub Hrozek1-1/+0
2013-05-27Add SID related requests to the LDAP providerSumit Bose1-5/+230
The patch adds support for BE_REQ_BY_SECID and BE_REQ_USER_AND_GROUP to the LDAP provider. Since the AD and the IPA provider use the same code they support those request now as well. Besides allowing that users and groups can be searched by the SID as well the new request allows to search users and groups in one run, i.e. if there is not user matching the search criteria groups are searched as well.
2013-05-02Add secid filter to responder-dp protocolSumit Bose1-0/+6
This patch add a new filter type to the data-provider interface which can be used for SID-based lookups.
2013-03-20ldap: Fallback option for rfc2307 schemaSimo Sorce1-0/+39
Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
2013-01-21Add be_req_get_data() helper funciton.Simo Sorce1-1/+1
In preparation for making struct be_req opaque.
2013-01-21Add be_req_get_be_ctx() helper.Simo Sorce1-10/+16
In preparation for making be_req opaque
2013-01-21Remove sysdb as a be context structure memberSimo Sorce1-3/+3
The sysdb context is already available through the 'domain' structure.
2013-01-15Add domain argument to sysdb_delete_group()Simo Sorce1-2/+4
Also remove sysdb_delete_domgroup()
2013-01-15Add domain argument to sysdb_delete_user()Simo Sorce1-3/+5
Also remove sysdb_delete_domuser()
2012-12-05Fix comment on wrong lineSimo Sorce1-1/+1
2012-12-04Use an entry type mask macro to filter entry typesSimo Sorce1-1/+1
Avoids hardcoding magic numbers everywhere and self documents why a mask is being applied.
2012-11-19LDAP: Remove double breakJakub Hrozek1-1/+0
2012-11-15Add ignore_group_members option.Paul B. Henson1-1/+8
https://fedorahosted.org/sssd/ticket/1376
2012-08-23Clean up cache on server reinitializationPavel Březina1-0/+45
https://fedorahosted.org/sssd/ticket/734 We successfully detect when the server is reinitialized by testing the new lastUSN value. The maximum USN values are set to zero, but the current cache content remains. This patch removes records that were deleted from the server. It uses the following approach: 1. remove entryUSN attribute from all entries 2. run enumeration 3. remove records that doesn't have entryUSN attribute updated We don't need to do this for sudo rules, they will be refreshed automatically during next smart/full refresh, or when an expired rule is deleted.
2012-06-29ldap provider: add sudo usn valuePavel Březina1-0/+2
2012-05-31Add support for filtering atributesJan Zeleny1-6/+6
This patch adds support for filtering attributes when constructing attribute list from a map for LDAP query.
2012-05-10LDAP: Add attr_count return value to build_attrs_from_map()Stephen Gallagher1-3/+3
This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
2012-05-03LDAP: Enable looking up id-mapped groups by GIDStephen Gallagher1-2/+45
2012-05-03LDAP: Allow looking up ID-mapped groups by nameStephen Gallagher1-11/+20
2012-05-03LDAP: Enable looking up id-mapped users by UIDStephen Gallagher1-6/+43
2012-01-31LDAP: Add enumeration support for servicesStephen Gallagher1-0/+2
2012-01-31LDAP: Add support for service lookups (non-enum)Stephen Gallagher1-0/+30
2011-12-19Pass sdap_id_ctx to online check from IPA providerJakub Hrozek1-17/+40
2011-11-29Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connectionsJakub Hrozek1-1/+2
2011-11-25Fix sdap_id_ctx/ipa_id_ctx mismatch in IPA providerJakub Hrozek1-2/+13
This was causing a segfault during HBAC processing and any ID lookups except for netgroups
2011-11-23Renamed some LDAP routinesJan Zeleny1-2/+2
These were renamed just ot make sure they are not mistook for IPA netgroup functions.
2011-11-02LDAP: Add support for multiple search bases for group enumerationStephen Gallagher1-1/+2
2011-11-02LDAP: Add support for multiple search bases for user enumerationStephen Gallagher1-1/+2
2011-11-02LDAP: Convert ldap_*_search_filterStephen Gallagher1-32/+12
Instead of making this a global option for all user lookups, make it only used if the search base is passed without an explicit filter.
2011-11-02LDAP: Support multiple group search bases (non-enumeration, RFC2307)Stephen Gallagher1-1/+3
2011-11-02LDAP: Support multiple user search bases (non-enumeration)Stephen Gallagher1-0/+1
2011-10-03Use explicit base 10 for converting strings to integersJakub Hrozek1-2/+2
https://fedorahosted.org/sssd/ticket/1013
2011-08-15sysdb refactoring: memory context deletedJan Zeleny1-7/+5
This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
2011-08-15sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny1-9/+4
The patch also updates code using modified functions. Tests have also been adjusted.
2011-08-04Fix returning groups when gidNumber attribute is not orderedJakub Hrozek1-1/+3
https://fedorahosted.org/sssd/ticket/951
2011-07-27Explicitly ignore groups with gidNumber=0Jakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/916
2011-05-04Fixed lastUSN checking improvementsJan Zeleny1-3/+6
This patch fixes some issues with setting lastUSN attribute and it adds check against the highest user/group USN after enumeration to keep better track of the real highest USN. Optimal solution here would be to schedule a check of rootDSE entry right after the enumeration finishes, but for the moment this is good enough.
2011-04-19Add last usn checking after reconnectionJan Zeleny1-1/+16
When reconnecting to the LDAP server supporting USNs (either because of new incomming id operation or invokation of callback responsible for checking status of the backend), detect whether the highest USN is lower than the one SSSD has recorded. If so, setup enumeration/cleanup to refresh potentionally changed account information in the SSSD cache. Related ticket: https://fedorahosted.org/sssd/ticket/734
2011-04-19Add user and group search LDAP filter optionsJakub Hrozek1-13/+32
https://fedorahosted.org/sssd/ticket/647
2011-04-15Do not throw a DP error when failing to delete a nonexistent entityStephen Gallagher1-4/+4