| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Related: https://fedorahosted.org/sssd/ticket/2070
Until now, the POSIX-compliant initgroups would only be able to search
the parent domain. Since we want to allow using POSIX attributes from AD
subdomains as well, we should allow searching a custom sdap_domain.
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
|
|
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
|
|
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later.
|
|
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
|
|
primary_name was allocated on a temporary memory context but as it is a
member of the state struct it should belong to the memory context of the
state.
|
|
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011.
|
|
Currently the decision if external or algorithmic mapping should be used
in the LDAP or AD provider was based on the value of the ldap_id_mapping
config option. Since now all information about ID mapping is handled by
libsss_idmap the check for this options can be replace with a call which
checks the state via libss_idmap.
https://fedorahosted.org/sssd/ticket/1961
|
|
By default, the LDAP searches delete the entry from cache if it wasn't
found during a search. But if a search wants to try both Global Catalog
and LDAP, for example, it might be beneficial to have an option to only
delete the entry from cache after the last operation fails to prevent
unnecessary memberof operations for example.
|
|
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
|
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added.
|
|
https://fedorahosted.org/sssd/ticket/1660
|
|
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be
declared with extern in krb5_utils.h.
|
|
|
|
The sysdb context is already available through the 'domain' structure.
|
|
https://fedorahosted.org/sssd/ticket/1761
The function tried to be smart and realloc only when needed, but that
only lead to hard-to find bugs where the logic would not allocate the
proper space. Remove the reallocation and prefer readability over speed
in this case.
|
|
|
|
|
|
|
|
Also remove unused sysdb_search_domgroup_by_name()
|
|
Also remove unused sysdb_search_domuser_by_name()
|
|
|
|
https://fedorahosted.org/sssd/ticket/1695
|
|
|
|
https://fedorahosted.org/sssd/ticket/1355
|
|
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c).
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectivelly marking the whole nesting
level as done.
|
|
group members with groups outside nesting limit.
https://fedorahosted.org/sssd/ticket/1194
|
|
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped.
|
|
|
|
Move it to a private header so it can be reused by other
initgroups C files.
|
|
|
|
SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(),
not sdap_initgr_nested_recv(). By coincidence both recv functions
happened to be identical, but if one or the other changed, this
would break unexpectedly.
|
|
Previous patch added the possibility to exclude some attributes from a
map when building an attribute list to be sent to server. The original
reason for this functionality is the code handling LDAP initgroups. In
this code, there is no need to fetch members of groups in question. This
can save some performance since the list of members can be pretty long
in some cases. This case apllies only to RFC2307 and generic RFC2307bis,
it doesn't apply for IPA schema.
|
|
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query.
|
|
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership.
|
|
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL.
|
|
|
|
This function will also auto-create a new ID map if the domain has
not been seen previously.
|
|
|
|
Instead of keeping the number of parent groups in "state" and having to
reset the count when moving to another group on the same level, keep
track of the all groups on a particular level along with their parents
and parent count.
|
|
|
|
|
|
The paging control can cause issues on servers that put limits on
how many paging controls can be active at one time (on some
servers, it is limited to one per connection). We need to reduce
our usage so that we only activate the paging control when making
a request that may return an arbitrary number of results.
https://fedorahosted.org/sssd/ticket/1202 phase one
|
|
This was only used for properly identifying debug messages.
|
