summaryrefslogtreecommitdiff
path: root/src/providers/ldap/sdap_async_connection.c
AgeCommit message (Collapse)AuthorFilesLines
2013-01-14Fix LDAP authentication - invalid password lengthPavel Březina1-1/+1
sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.
2013-01-10Change pam data auth tokens.Simo Sorce1-37/+51
Use the new authtok abstraction and interfaces throught the code.
2012-11-18LDAP: Expire even non authenticated connectionsJakub Hrozek1-8/+11
The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649
2012-09-13FO: Check server validity before setting statusJakub Hrozek1-7/+14
The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
2012-07-31Unbreak SASLPavel Březina1-9/+12
Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data type of sasl_minssf from int to ber_len_t. Unfortunately, default value of ldap_sasl_minssf is -1 but ber_len_t is defined as unsigned long. This made SASL mechanism inoperative.
2012-07-18Fix uninitialized valuesNick Guay1-1/+1
https://fedorahosted.org/sssd/ticket/1379
2012-07-18LDAP: Properly cast type for MINSSF valueJan Vcelak1-11/+9
2012-07-02LDAP: Print extended failure message for SASL bindStephen Gallagher1-2/+14
2012-05-22Simple implementation of Netscape password warning expiration controlJoshua Roys1-22/+74
2012-05-09Try all KDCs when getting TGT for LDAPJakub Hrozek1-15/+18
When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
2012-04-20Get the RootDSE after binding if not successfull beforeJakub Hrozek1-26/+104
https://fedorahosted.org/sssd/ticket/1258
2012-04-20Free controls in sdap_rebind_procJakub Hrozek1-4/+6
2012-04-18Do not call sdap_auth if not neededJakub Hrozek1-7/+11
2012-03-26LDAP: Fix memory leaks in synchronous_tls_setupStephen Gallagher1-8/+10
We were never freeing "result" if it was allocated by ldap_result(). We were also not freeing "errmsg" if it was allocated but ldap_parse_result() returned an error. Also disambiguate error messages from ldap_parse_result() and error messages from sss_ldap_get_diagnostic_msg() since they use differing memory-management functions.
2012-03-16LDAP: Errors retrieving the RootDSE should not be fatalStephen Gallagher1-15/+8
If we can't reach the RootDSE, let's just proceed as if it's unavailable with reasonable defaults. If we fail later on, that's fine. Fixes https://fedorahosted.org/sssd/ticket/1257
2012-03-08Detect cycle in the fail over on subsequent resolve requests onlyJakub Hrozek1-2/+4
2012-03-06Only do one cycle when resolving a serverJakub Hrozek1-7/+6
https://fedorahosted.org/sssd/ticket/1214
2012-01-14LDAP: Copy URI instead of pointing at failover service recordStephen Gallagher1-2/+8
In a heavy load environment, sometimes the failover service record would be updated and free the URI value. We need to guarantee that this URI string remains valid throughout the entire request. https://fedorahosted.org/sssd/ticket/1139
2011-12-12Add sdap_connection_expire_timeout optionStephen Gallagher1-0/+12
https://fedorahosted.org/sssd/ticket/1036
2011-12-08LDAP: Fix missing break statements in force_tlsStephen Gallagher1-6/+12
Also add a default case to protect against bad input
2011-12-08LDAP provider: Error while setting the nocanon option should not be fatalJakub Hrozek1-3/+9
https://fedorahosted.org/sssd/ticket/1100
2011-12-08Add ldap_sasl_minssf optionJan Zeleny1-0/+17
https://fedorahosted.org/sssd/ticket/1075
2011-11-29Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connectionsJakub Hrozek1-7/+28
2011-11-29LDAP: Try next failover server on any errorStephen Gallagher1-9/+5
2011-11-22Cleanup: Remove unused parametersJakub Hrozek1-9/+5
2011-11-18Prevent printing NULL in several places of LDAP providerJakub Hrozek1-3/+5
2011-11-02Support to request canonicalization in LDAP/IPA providerJan Zeleny1-0/+15
https://fedorahosted.org/sssd/ticket/957
2011-09-06sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()Pavel Březina1-16/+16
https://fedorahosted.org/sssd/ticket/986
2011-09-06sss_ldap_err2string() - function createdPavel Březina1-2/+0
https://fedorahosted.org/sssd/ticket/986
2011-08-26Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANONJakub Hrozek1-0/+11
https://fedorahosted.org/sssd/ticket/978
2011-08-15Handle timeout during sss_ldap_init_sendJakub Hrozek1-1/+5
In some cases, where there would be no response from the LDAP server, there would be no R/W events on the LDAP fd, so sdap_async_sys_connect_done would never be called. This patch adds a tevent timer that cancels the connection after SDAP_NETWORK_TIMEOUT seconds.
2011-08-01Request password control unconditionally during bindJakub Hrozek1-6/+6
https://fedorahosted.org/sssd/ticket/940
2011-06-30Use ldap_init_fd() instead of ldap_initialize() if availableSumit Bose1-36/+83
2011-04-27Add ldap_page_size configuration optionStephen Gallagher1-0/+4
2011-04-25Modify principal selection for keytab authenticationJan Zeleny1-2/+7
Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
2011-04-12Initialise rootdse to NULL if not availableSumit Bose1-0/+1
2011-04-11Initialise srv_opts even if rootDSE is missingSumit Bose1-8/+9
2011-04-08Read only rootDSE data if rootDSE is availableSumit Bose1-20/+22
2011-04-08Don't pass NULL to printf for TLS errorsJakub Hrozek1-19/+22
https://fedorahosted.org/sssd/ticket/643
2011-02-16Do not attempt to use START_TLS on SSL connectionsStephen Gallagher1-2/+10
Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795
2011-01-06Convert obfuscated password once at startupSumit Bose1-14/+0
2010-12-07Mark unavailable Kerberos server as PORT_NOT_WORKINGSumit Bose1-0/+1
2010-12-07ldap: add checks to determine if USN features are available.Simo Sorce1-9/+19
2010-12-01Fix offline detection in sdap_cli_connect requestSumit Bose1-0/+1
sdap_cli_connect_recv_ext() checks if the failover server is not set to determine if the backend is offline. To make this work properly if multiple servers are defined the failover server must be set to NULL if all servers are checked.
2010-11-04Use (default)namingContext to set empty search basesSumit Bose1-0/+8
2010-10-27Allow authentication for referralsSumit Bose1-0/+193
2010-10-22Add some missing ldap_memfree()Sumit Bose1-2/+4
2010-10-22Add ldap_deref optionSumit Bose1-0/+37
2010-10-13Initialize kerberos service for GSSAPIJakub Hrozek1-4/+88
2010-10-13Make ldap_child report kerberos return code to parentJakub Hrozek1-1/+3