| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
|
|
|
|
Also remove sysdb_delete_domgroup()
|
|
|
|
Also remove sysdb_delete_domuser()
|
|
|
|
|
|
|
|
Also remove sysdb_store_domgroup()
|
|
Also remove sysdb_store_domuser()
|
|
|
|
|
|
|
|
Also remove unused sysdb_search_domgroup_by_gid()
|
|
Also remove unused sysdb_search_domgroup_by_name()
|
|
Also remove unused sysdb_search_domuser_by_name()
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1760
|
|
sss_authtok_get_password() already returns length without terminating
zero. This broke authentication over LDAP because we removed the
last password character.
|
|
Use the new authtok abstraction and interfaces throught the code.
|
|
This set of functions had a few important issues:
1. the base_dn was always NULL, as the base array was never actually used
to construct any DN. This means each function searched the whole database
multiple times.
It would try to remove SYSDB_USN from all database entries 3 times.
Then it would try to find non updated entries another 3 times and delete
them, arguably find empty results the last 2 times.
2. Remove use of sysdb_private.h, that header is *PRIVATE* which means it
should not be used anywhere but within sysdb. Do this by using existing
functions instead of using ldb calls directly. This is important to keep
sysdb as conistent and self-contained as possible.
|
|
In the AD case, deployments sometimes add groups as parents of the
primary GID group. These groups are then returned during initgroups
in the tokenGroups attribute and member/memberof links are established
between the user and the group. However, any update of these groups
would remove the links, so a sequence of calls: id -G user; id user; id
-G user would return different group memberships.
The downside of this approach is that the user is returned as a group
member during getgrgid call as well.
|
|
The code would call sysdb_attrs_add_uint32 which added another UID or GID
to the ID=0 we already downloaded from LDAP (0 is the default value) when
ID-mapping an entry. This led to funky behaviour later on when we wanted
to process the ID.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1736
When there are no rules during first refresh, we don't have valid
USN value. We use 0 in this case, but it turned out that OpenLDAP
takes it as invalid time format (if modifyTimestamp is used instead
of USN) and thus returns no records.
Now we don't include USN/modifyTimestamp attribute in the filter
if such situasion occurs.
|
|
Use correct name for _done() function from the caller.
Remove unneded initializzations to NULL for a lot of variables hat are going to
be assigned as the first thing done in the functions.
|
|
|
|
Added new parameter to split_on_separator that allows to skip
empty values.
The whole function was rewritten. Unit test case was added to
check the new implementation.
https://fedorahosted.org/sssd/ticket/1484
|
|
If we are unable to delete some rule from cache we print a debug
message and ignore the error. Thus we should set ret to EOK after
the for loop otherwise we return whether the last rule was deleted
successfully or not.
This also removes compilation warning that ret may be used
uninitialized (when we don't go inside the loop at all).
|
|
switch statements should always have a default section. In this
particular case gcc gave a "'send_fn' may be used uninitialized in this
function" warning.
|
|
If the Data Provider receives a request for the auto.master map, it
passes on a flag to let the actual provider let know he should
invalidate the existing maps
|
|
https://fedorahosted.org/sssd/ticket/1689
Add a online callback if the first full refresh fails due to the
provider beeing offline so we can perform the refresh as soon as
possible.
|
|
https://fedorahosted.org/sssd/ticket/1689
If the first full refresh of sudo rules fails because the data provider
is offline, we will schedule another one in 2, 4, ... minutes.
|
|
https://fedorahosted.org/sssd/ticket/1689
|
|
Reduces amount of code duplication.
|
|
https://fedorahosted.org/sssd/ticket/1699
We want to continue with the next server on all errors, not only
on ETIMEDOUT.
This particullar ticket was dealing with ECONNREFUSED.
|
|
https://fedorahosted.org/sssd/ticket/1682
The problem was in following code:
if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) {
tevent_req_error(req, ret);
return;
}
In situation when data provider error occurs (e.g. when offline),
ret == EOK but dp_error != DP_ERR_OK and we take the true branch.
This results in calling tevent_req_error(req, EOK).
Unfortunately, with EOK tevent_req_error only returns false, but
does not trigger callback and this tevent request hangs forever,
because no tevent_req_done(req) is called.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1701
|
|
|
|
https://fedorahosted.org/sssd/ticket/1695
|
|
Avoids hardcoding magic numbers everywhere and self documents why a
mask is being applied.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1638
If pwd_exp_warning == 0, expiry warning should be printed if it is
returned by server.
If pwd_exp_warning > 0, expiry warning should be printed only if
the password will expire in time <= pwd_exp_warning.
ppolicy->expiry contains period in seconds after which the password
expires. Not the exact timestamp. Thus we should not add 'now' to
pwd_exp_warning.
|
