summaryrefslogtreecommitdiff
path: root/src/providers/ldap/sdap_access.c
AgeCommit message (Collapse)AuthorFilesLines
2013-03-19Convert sdap_access to new error codesSimo Sorce1-448/+174
Also simplify sdap_access_send to avoid completely fake _send() routines.
2013-03-07Fixed typo in debug message.Lukas Slebodnik1-3/+5
C compiler did not complain, because "index" is function defined in header file <string.h>
2013-02-10Add realm info to sss_domain_infoSimo Sorce1-1/+1
2013-01-21Pass domain not be_req to access check functionsSimo Sorce1-15/+21
2013-01-21Remove sysdb as a be request structure memberSimo Sorce1-2/+2
The sysdb context is already available through the 'domain' context.
2013-01-21Move ldap provider access functionsSimo Sorce1-59/+0
It was confusing to see the ldap provider own handler mixed with the generic ldap access code used also by the ipa and ad providers. So move the ldap provider handler code in its own file.
2013-01-15Add domain argument to sysdb_set_user_attr()Simo Sorce1-0/+1
2013-01-15Add domain argument to sysdb_get_user_attr()Simo Sorce1-2/+2
2012-11-19Do not save HBAC rules in subdomain subtreeSumit Bose1-3/+16
Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
2012-04-24Accept be_req instead if be_ctx in LDAP access providerJan Zeleny1-13/+14
2012-03-09LDAP: Make sdap_access_send/recv publicStephen Gallagher1-12/+8
We want to consume this in the IPA provider.
2012-02-24LDAP: Only use paging control on requests for multiple entriesStephen Gallagher1-1/+2
The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results. https://fedorahosted.org/sssd/ticket/1202 phase one
2011-11-22Cleanup: Remove unused parametersJakub Hrozek1-13/+2
2011-08-15sysdb refactoring: memory context deletedJan Zeleny1-2/+1
This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
2011-08-15sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny1-4/+1
The patch also updates code using modified functions. Tests have also been adjusted.
2011-07-08Add LDAP access control based on NDS attributesSumit Bose1-0/+177
2011-03-24Add host access control supportPierre Ossman1-0/+146
https://fedorahosted.org/sssd/ticket/746
2011-02-04Only print "no matching service rule" when appropriateStephen Gallagher1-6/+6
2011-01-19Add LDAP expire policy base RHDS/IPA attributeSumit Bose1-0/+38
The attribute nsAccountLock is used by RHDS, IPA and other directory servers to indicate that the account is locked.
2011-01-19Add LDAP expire policy based on AD attributesSumit Bose1-0/+85
The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.
2011-01-17Add timeout parameter to sdap_get_generic_send()Sumit Bose1-1/+3
2011-01-06Add syslog messages to authorized service access checkSumit Bose1-1/+31
2011-01-06Add syslog message to shadow access checkSumit Bose1-6/+14
2010-12-21Add authorizedService supportStephen Gallagher1-0/+135
https://fedorahosted.org/sssd/ticket/670
2010-12-21Pass all PAM data to the LDAP access providerStephen Gallagher1-9/+12
Previously we were only passing the username.
2010-12-06Add new account expired rule to LDAP access providerSumit Bose1-66/+377
Two new options are added to the LDAP access provider to allow a broader range of access control rules to be evaluated. 'ldap_access_order' makes it possible to run more than one rule. To keep compatibility with older versions the default is 'filter'. This patch adds a new rule 'expire'. 'ldap_account_expire_policy' specifies which LDAP attribute should be used to determine if an account is expired or not. Currently only 'shadow' is supported which evaluates the ldap_user_shadow_expire attribute.
2010-11-15Sanitize search filters in LDAP providerStephen Gallagher1-1/+9
2010-09-28Suppress some 'may be used uninitialized' warningsSumit Bose1-1/+1
Additionally the handling of errno and the errno_t return value of functions is fixed in krb5_common.c.
2010-09-08Dead assignments cleanup in providers codeJan Zeleny1-11/+7
Dead assignments were deleted. Also prototype of function sdap_access_decide_offline() has been changed, since its return code was never used. Ticket: #586
2010-07-09Use new LDAP connection framework in LDAP access backend.eindenbom1-59/+73
2010-06-09Allow ldap_access_filter values wrapped in parenthesesStephen Gallagher1-1/+1
2010-05-27Add ldap_access_filter optionStephen Gallagher1-0/+457
This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com