path: root/src/providers/ldap/sdap_async.c
Age | Commit message | Author | Files | Lines
2013-06-07 | LDAP: store FQDNs for trusted users and groups | Jakub Hrozek | 1 | -3/+10
Because the NSS responder expects the name attribute to contain FQDN, we must save the name as FQDN in the LDAP provider if the domain we save to is a subdomain.
2013-05-30 | Prevent segfault while processing ASQ request | Lukas Slebodnik | 1 | -0/+6
https://fedorahosted.org/sssd/ticket/1950
2013-05-23 | Adding option to disable retrieving large AD groups. | Lukas Slebodnik | 1 | -2/+13
This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups (>1500) will not be retrieved and behaviour will be similar to what it was before commit ae8d047122c "LDAP: Handle very large Active Directory groups". https://fedorahosted.org/sssd/ticket/1823
2013-05-20 | Fixing critical format string issues. | Lukas Slebodnik | 1 | -1/+2
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, example: '%\n'
2013-03-21 | LDAP: If deref search fails, try again without deref | Jan Cholasta | 1 | -1/+20
https://fedorahosted.org/sssd/ticket/1660
2013-03-19 | Use common error facility instead of sdap_result | Simo Sorce | 1 | -26/+22
Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
2013-02-26 | sysdb: try dealing with binary-content attributes | Jan Engelhardt | 1 | -2/+2
https://fedorahosted.org/sssd/ticket/1818
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
2013-01-10 | Change pam data auth tokens. | Simo Sorce | 1 | -2/+2
Use the new authtok abstraction and interfaces throughout the code.
2012-09-24 | AD: Detect domain controller compatibility version | Stephen Gallagher | 1 | -0/+1
2012-07-16 | Fixed wrong number in shadowLastChange | Jan Zeleny | 1 | -1/+2
The attribute is supposed to contain number of days since the epoch, not the number of seconds.
2012-06-13 | LDAP: Auto-detect support for the ldap match rule | Stephen Gallagher | 1 | -1/+95
This patch extends the RootDSE lookup so that we will perform a second request to test whether the match rule syntax can be used. If both groups and initgroups are disabled in the configuration, this lookup request can be skipped.
2012-05-31 | Ghost members - removed sdap_check_aliases() | Jan Zeleny | 1 | -108/+0
This function is no longer necessary because we don't have fake user entries any more. The original purpose of this function was to check if there are fake user entries for a particular user and, if yes, to update its membership.
2012-05-22 | Warn to syslog when dereference requests fail | Ariel Barria | 1 | -2/+2
2012-05-10 | LDAP: Handle very large Active Directory groups | Stephen Gallagher | 1 | -2/+25
Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783
2012-05-07 | Special-case LDAP_SIZELIMIT_EXCEEDED | Jakub Hrozek | 1 | -4/+9
Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322
2012-05-03 | Read sysdb attribute name, not LDAP attribute map name | Jakub Hrozek | 1 | -2/+2
https://fedorahosted.org/sssd/ticket/1320
2012-04-20 | sdap_check_aliases must not error when detects the same user | Jakub Hrozek | 1 | -13/+31
https://fedorahosted.org/sssd/ticket/1307
2012-04-18 | Prevent printing NULL from DEBUG messages | Jakub Hrozek | 1 | -2/+4
2012-03-21 | LDAP: Add better error logging when ldap_result() fails | Stephen Gallagher | 1 | -1/+3
2012-02-24 | LDAP: Only use paging control on requests for multiple entries | Stephen Gallagher | 1 | -5/+40
The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results. https://fedorahosted.org/sssd/ticket/1202 phase one
2012-02-21 | End request if ldap_parse_result fails | Jakub Hrozek | 1 | -0/+3
2012-02-06 | Update shadowLastChanged attribute during LDAP password change | Jan Zeleny | 1 | -0/+132
https://fedorahosted.org/sssd/ticket/1019
2012-01-18 | LDAP: Add option to disable paging control | Stephen Gallagher | 1 | -2/+6
Fixes https://fedorahosted.org/sssd/ticket/967
2011-12-16 | Use the case sensitivity flag in the LDAP provider | Jakub Hrozek | 1 | -4/+5
2011-12-16 | Refactor saving sdap entities | Jakub Hrozek | 1 | -0/+80
There was too much code duplication between sdap_save_{user,group,netgroup}. This patch removes the most egregious ones.
2011-11-22 | Cleanup: Remove unused parameters | Jakub Hrozek | 1 | -1/+2
2011-11-18 | Prevent printing NULL in several places of LDAP provider | Jakub Hrozek | 1 | -2/+4
2011-11-02 | Remove confusing do-while loop | Jakub Hrozek | 1 | -35/+36
The deref processing would return a single control back. The do-while loop was harmless but confusing.
2011-11-02 | Use LDAPDerefSpec properly | Jakub Hrozek | 1 | -4/+6
ldap_create_deref_control_value expects an array of LDAPDerefSpec structures with LDAPDerefSpec.derefAttr == NULL as a sentinel. We were passing a single instance of a LDAPDerefSpec structure. https://fedorahosted.org/sssd/ticket/1050
2011-09-28 | Store name aliases for users, groups | Jakub Hrozek | 1 | -0/+90
Also checks fake users for aliases when storing a real user so that getgrnam for a RFC2307 group that references a user by his secondary name followed by getpwnam for this user by his primary name works.
2011-09-06 | Keep deref controls until the whole request is finished | Jakub Hrozek | 1 | -8/+45
https://fedorahosted.org/sssd/ticket/989 John Hodrien found out that when paging is used while dereferencing an entry, sssd_be may segfault on the second page. This was because paging returned the control to sdap_generic_search multiple times but sssd was freeing dereference control after the first search invocation. The subsequent sdap searches accessed memory that was already freed.
2011-09-06 | Improve error message for LDAP password constraint violation | Jakub Hrozek | 1 | -5/+12
https://fedorahosted.org/sssd/ticket/985
2011-09-06 | Allow turning dereference off by setting the threshold to 0 | Jakub Hrozek | 1 | -1/+7
2011-09-06 | sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string() | Pavel Březina | 1 | -5/+5
https://fedorahosted.org/sssd/ticket/986
2011-08-25 | New DEBUG facility - conversion | Pavel Březina | 1 | -1/+1
https://fedorahosted.org/sssd/ticket/925 Conversion of the old debug_level format to the new one. (only where it was necessary) Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
2011-05-24 | Fix uninitialized pointer read in sdap_x_deref_parse_entry | Jakub Hrozek | 1 | -1/+1
https://fedorahosted.org/sssd/ticket/877
2011-05-24 | Fix bad comparison in sdap_has_deref_support | Jakub Hrozek | 1 | -1/+1
https://fedorahosted.org/sssd/ticket/876
2011-05-20 | Generic dereference search | Jakub Hrozek | 1 | -0/+139
A generic wrapper around ASQ and OpenLDAP dereference searches. https://fedorahosted.org/sssd/ticket/635
2011-05-20 | OpenLDAP dereference searches | Jakub Hrozek | 1 | -0/+210
This dereference method is supported at least by OpenLDAP and 389DS/RHDS. For more details, see: http://tools.ietf.org/html/draft-masarati-ldap-deref-00
2011-05-20 | Add support for Attribute Scoped Queries | Jakub Hrozek | 1 | -0/+203
For more details on ASQ, see: http://msdn.microsoft.com/en-us/library/aa366976%28VS.85%29.aspx http://msdn.microsoft.com/en-us/library/aa746418%28v=VS.85%29.aspx
2011-05-20 | Generic dereference data structures and utilities | Jakub Hrozek | 1 | -0/+35
These will be shared by both dereference methods in a later patch.
2011-05-20 | sdap_get_generic_ext | Jakub Hrozek | 1 | -73/+202
Add a private sdap_get_generic_ext_send()/_recv() request that exposes more of ldap_search_ext options, in particular the server controls. The existing sdap_generic_search_send()/_recv() request is now a thin wrapper around the new _ext request. The other important change is that an entry parsing is a callback now. That was done in order to allow custom parsing for results such as OpenLDAP deref or Attribute Scoped Queries.
2011-04-28 | Do not leak LDAP paging controls | Jakub Hrozek | 1 | -0/+5
2011-04-27 | Add ldap_page_size configuration option | Stephen Gallagher | 1 | -2/+1
2011-04-27 | Enable paging support for LDAP | Stephen Gallagher | 1 | -23/+117
2011-04-27 | Log the LDAP message type we're processing | Stephen Gallagher | 1 | -0/+57
2011-04-08 | Don't pass NULL to printf for TLS errors | Jakub Hrozek | 1 | -4/+2
https://fedorahosted.org/sssd/ticket/643
2011-03-09 | Release handle if not connected | Sumit Bose | 1 | -0/+1
2011-01-17 | Add timeout parameter to sdap_get_generic_send() | Sumit Bose | 1 | -5/+6
2010-12-07 | ldap: add checks to determine if USN features are available. | Simo Sorce | 1 | -0/+1