Age | Commit message (Collapse) | Author | Files | Lines |
|
Because the NSS responder expects the name attribute to contain FQDN,
we must save the name as FQDN in the LDAP provider if the domain we save
to is a subdomain.
|
|
https://fedorahosted.org/sssd/ticket/1950
|
|
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
https://fedorahosted.org/sssd/ticket/1660
|
|
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|
|
https://fedorahosted.org/sssd/ticket/1818
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap::
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.
|
|
Use the new authtok abstraction and interfaces throught the code.
|
|
|
|
The attribute is supposed to contain number of days since the epoch, not
the number of seconds.
|
|
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped.
|
|
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership.
|
|
|
|
Active Directory 2008R2 allows only 1500 group members to be
retrieved in a single lookup. However, when we hit such a
situation, we can take advantage of the ASQ lookups, which are not
similarly limited.
With this patch, we will add any members found by ASQ that were
not found by the initial lookup so we will end with a complete
group listing.
https://fedorahosted.org/sssd/ticket/783
|
|
Previous version of the SSSD did not abort the async LDAP search
operation on errors. In cases where the request ended in progress, such
as when the paging was very strictly limited, the old versions at least
returned partial data.
This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a
user-visible regression.
https://fedorahosted.org/sssd/ticket/1322
|
|
https://fedorahosted.org/sssd/ticket/1320
|
|
https://fedorahosted.org/sssd/ticket/1307
|
|
|
|
|
|
The paging control can cause issues on servers that put limits on
how many paging controls can be active at one time (on some
servers, it is limited to one per connection). We need to reduce
our usage so that we only activate the paging control when making
a request that may return an arbitrary number of results.
https://fedorahosted.org/sssd/ticket/1202 phase one
|
|
|
|
https://fedorahosted.org/sssd/ticket/1019
|
|
Fixes https://fedorahosted.org/sssd/ticket/967
|
|
|
|
There was too much code duplication between
sdap_save_{user,group,netgroup}. This patch removes the most egregious ones.
|
|
|
|
|
|
The deref processing would return a single control back. The do-while
loop was harmless but confusing.
|
|
ldap_create_deref_control_value expects an array of LDAPDerefSpec structures
with LDAPDerefSpec.derefAttr == NULL as a sentinel. We were passing a
single instance of a LDAPDerefSpec structure.
https://fedorahosted.org/sssd/ticket/1050
|
|
Also checks fake users for aliases when storing a real users so that
getgrnam for a RFC2307 group that references a user by his secondary
name followed by getpwnam for this user by his primary name works
|
|
https://fedorahosted.org/sssd/ticket/989
John Hodrien found out that when paging is used while dereferencing an
entry, sssd_be may segfault on the second page.
This was because paging returned the control to sdap_generic_search
multiple times but sssd was freeing dereference control after the first
search invocation. The subsequend sdap searched accessed memory that was
already freed.
|
|
https://fedorahosted.org/sssd/ticket/985
|
|
|
|
https://fedorahosted.org/sssd/ticket/986
|
|
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
|
|
https://fedorahosted.org/sssd/ticket/877
|
|
https://fedorahosted.org/sssd/ticket/876
|
|
A generic wrapper around ASQ and OpenLDAP dereference searches.
https://fedorahosted.org/sssd/ticket/635
|
|
This dereference method is supported at least by OpenLDAP and
389DS/RHDS
For more details, see:
http://tools.ietf.org/html/draft-masarati-ldap-deref-00
|
|
For more details on ASQ, see:
http://msdn.microsoft.com/en-us/library/aa366976%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa746418%28v=VS.85%29.aspx
|
|
These will be shared by both dereference methods in a later patch.
|
|
Add a private sdap_get_generic_ext_send()/_recv() request that
exposes more of ldap_search_ext options, in particular the server
contols. The existing sdap_generic_search_send()/_recv() request
is now a thin wrapper around the new _ext request.
The other important change is that an entry parsing is a callback now.
That was done in order to allow custom parsing for results such as
OpenLDAP deref or Attribute Scoped Queries.
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/643
|
|
|
|
|
|
|