| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Fixes https://fedorahosted.org/sssd/ticket/2116
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
|
|
Change was introduced in commit ca344fde
|
|
https://fedorahosted.org/sssd/ticket/1997
Most of the time, the SIDs are resolved as a call coming from the PAC
responder during initgroups. In that case at least, it makes sense to
search for group matching that SID first, then users.
We may consider making this behaviour configurable ie for the server
mode where typically the users should be queried first.
|
|
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this options can be replace with a call which
checks the state via libss_idmap.
https://fedorahosted.org/sssd/ticket/1961
|
|
|
|
By default, the LDAP searches delete the entry from cache if it wasn't
found during a search. But if a search wants to try both Global Catalog
and LDAP, for example, it might be beneficial to have an option to only
delete the entry from cache after the last operation fails to prevent
unnecessary memberof operations for example.
|
|
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
|
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added.
|
|
The sdap account handler was a function with its own private callback
that directly called the back end handlers. This patch refactors the
handler into a new tevent request that the current sdap handler calls.
This refactoring would allow the caller to specify a custom sdap
connection for use by the handler and optionally retry the same request
with another connection inside a single per-provider handler.
No functional changes are present in this patch.
|
|
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.
|
|
users_get_recv() never returns ENOENT. In general it should return EOK
in the case no matching user was found. But since I forget to handle a
SID based filter properly in sdap_get_users_process() an error is
returned in this case which makes get_user_and_group_users_done() work
as expected with this patch.
There is an upcoming enhancement to users_get_recv() which I'm planning
to use for a full fix.
|
|
|
|
The patch adds support for BE_REQ_BY_SECID and BE_REQ_USER_AND_GROUP to
the LDAP provider. Since the AD and the IPA provider use the same code
they support those request now as well.
Besides allowing that users and groups can be searched by the SID as
well the new request allows to search users and groups in one run, i.e.
if there is not user matching the search criteria groups are searched as
well.
|
|
This patch add a new filter type to the data-provider interface which
can be used for SID-based lookups.
|
|
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
In preparation for making struct be_req opaque.
|
|
In preparation for making be_req opaque
|
|
The sysdb context is already available through the 'domain' structure.
|
|
Also remove sysdb_delete_domgroup()
|
|
Also remove sysdb_delete_domuser()
|
|
|
|
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1376
|
|
https://fedorahosted.org/sssd/ticket/734
We successfully detect when the server is reinitialized by testing
the new lastUSN value. The maximum USN values are set to zero, but
the current cache content remains.
This patch removes records that were deleted from the server.
It uses the following approach:
1. remove entryUSN attribute from all entries
2. run enumeration
3. remove records that doesn't have entryUSN attribute updated
We don't need to do this for sudo rules, they will be refreshed
automatically during next smart/full refresh, or when an expired rule
is deleted.
|
|
|
|
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query.
|
|
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This was causing a segfault during HBAC processing and any ID lookups
except for netgroups
|
|
These were renamed just ot make sure they are not mistook for IPA
netgroup functions.
|
|
|
|
|
|
Instead of making this a global option for all user lookups, make
it only used if the search base is passed without an explicit
filter.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1013
|
|
This patch deletes memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well.
|
|
The patch also updates code using modified functions. Tests have also
been adjusted.
|
|
https://fedorahosted.org/sssd/ticket/951
|
|
https://fedorahosted.org/sssd/ticket/916
|
|
This patch fixes some issues with setting lastUSN attribute and it adds
check against the highest user/group USN after enumeration to keep
better track of the real highest USN. Optimal solution here would be to
schedule a check of rootDSE entry right after the enumeration finishes,
but for the moment this is good enough.
|
|
When reconnecting to the LDAP server supporting USNs (either because of new incomming
id operation or invokation of callback responsible for checking status
of the backend), detect whether the highest USN is lower than the one
SSSD has recorded. If so, setup enumeration/cleanup to refresh
potentionally changed account information in the SSSD cache.
Related ticket:
https://fedorahosted.org/sssd/ticket/734
|
