summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2011-04-11Initialise srv_opts even if rootDSE is missingSumit Bose2-46/+49
2011-04-08Read only rootDSE data if rootDSE is availableSumit Bose1-20/+22
2011-04-08Fix unchecked return values of pam_add_responseJakub Hrozek1-2/+7
https://fedorahosted.org/sssd/ticket/798
2011-04-08Don't pass NULL to printf for TLS errorsJakub Hrozek3-33/+24
https://fedorahosted.org/sssd/ticket/643
2011-04-01Only save members for successfully saved groupsJakub Hrozek1-2/+17
2011-03-30Fall back to cn if gecos is not availableStephen Gallagher1-0/+9
We were not fully compliant with section 5.3 of RFC 2307 which states: An account's GECOS field is preferably determined by a value of the gecos attribute. If no gecos attribute exists, the value of the cn attribute MUST be used. (The existence of the gecos attribute allows information embedded in the GECOS field, such as a user's telephone number, to be returned to the client without overloading the cn attribute. It also accommodates directories where the common name does not contain the user's full name.)
2011-03-28Mark transaction as done when cancelledJakub Hrozek1-2/+8
2011-03-28RFC2307: Ignore zero-length member names in group lookupsStephen Gallagher1-0/+4
2011-03-28Always complete the transaction in sdap_process_group_members_2307Stephen Gallagher1-0/+11
If the loop ran through at least one sdap_process_missing_member_2307() call and errored out later, we were not canceling the transaction.
2011-03-28Fix typo in sdap_nested_group_process_stepJakub Hrozek1-1/+1
2011-03-24Return from functions in LDAP provider after marking request as failedJakub Hrozek1-1/+4
2011-03-24Add host access control supportPierre Ossman5-2/+155
https://fedorahosted.org/sssd/ticket/746
2011-03-23Add sysdb_attrs_primary_name_list() routineStephen Gallagher1-18/+22
This routine will replace the use of sysdb_attrs_to_list() for any case where we're trying to get the name of the entry. It's a necessary precaution in case the name is multi-valued.
2011-03-23Use sysdb_attrs_primary_name() in sdap_initgr_nested_store_groupStephen Gallagher1-1/+3
2011-03-23Use fake groups during IPA schema initgroupsJakub Hrozek1-114/+418
https://fedorahosted.org/sssd/ticket/822
2011-03-23Add originalDN to fake groupsJakub Hrozek1-1/+10
2011-03-23RFC2307bis: Ignore aliases for groupsStephen Gallagher1-14/+26
Groups in ldap with multiple values for their groupname attribute will now be compared against the RDN of the entry to determine the "primary" group name. We will save only this primary group name to the ldb cache.
2011-03-23RFC2307: Ignore aliases for groupsStephen Gallagher1-23/+35
Groups in ldap with multiple values for their groupname attribute will now be compared against the RDN of the entry to determine the "primary" group name. We will save only this primary group name to the ldb cache.
2011-03-23Ignore aliases for usersStephen Gallagher1-20/+26
Users in ldap with multiple values for their username attribute will now be compared against the RDN of the entry to determine the "primary" username. We will save only this primary name to the ldb cache.
2011-03-22Sanitize DN when searching the original DN in the cacheSumit Bose1-1/+9
2011-03-17Fix incorrect return value checkStephen Gallagher1-1/+1
2011-03-15Fix LDAP search filter for nested initgroupsJakub Hrozek1-1/+1
2011-03-14Fix one unlikely case of failure in sdap_id_op moduleJan Zeleny1-1/+3
There can be an unlikely scenario when the first part of sdap_id_op_connect_done works fine and there is no need to mark backend offline. But right after the check, the memory allocation can fail in which case the backend needs to be marked offline along with disabled reconnecting.
2011-03-14Require existence of username, uid and gid for user enumerationStephen Gallagher1-12/+18
We will ignore users that do not have these three values.
2011-03-14Require existence of GID number and name in group searchesStephen Gallagher3-25/+42
https://fedorahosted.org/sssd/ticket/824
2011-03-09Release handle if not connectedSumit Bose1-0/+1
2011-02-21IPA provider: remove deleted groups during initgroups()Stephen Gallagher1-3/+112
The IPA provider was not properly removing groups in the cache that the user was no longer a member of. https://fedorahosted.org/sssd/ticket/803
2011-02-18Remove cached user entry if initgroups returns ENOENTStephen Gallagher1-0/+11
This behavior was present for getpwnam() but was lacking for initgroups.
2011-02-16Do not attempt to use START_TLS on SSL connectionsStephen Gallagher4-11/+43
Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795
2011-02-14Verify LDAP file descriptor validityStephen Gallagher1-1/+1
2011-02-11Fix cleanup transactionStephen Gallagher1-0/+1
Without setting in_transaction=true, if the sysdb operations threw an error, we wouldn't cancel the transaction.
2011-02-04Only print "no matching service rule" when appropriateStephen Gallagher1-6/+6
2011-02-03Wrap cleanup task in a sysdb transactionStephen Gallagher1-0/+20
2011-02-01Sanitize search filters for nested group lookupsStephen Gallagher1-3/+17
2011-01-31Remove LDAP_DEPRECATEDSumit Bose1-1/+0
2011-01-27Add option to disable TLS for LDAP authStephen Gallagher3-2/+19
Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.
2011-01-27Do not fail if attributes are emptySumit Bose1-16/+29
Currently we fail if attributes are empty. But there are some use cases where requested attributes are empty. E.g Active Directory uses an empty member attribute to indicate that a subset of the members are in a range sub-attribute.
2011-01-21Delete attributes that are removed from LDAPStephen Gallagher3-8/+163
Sometimes, a value in LDAP will cease to exist (the classic example being shadowExpire). We need to make sure we purge that value from SSSD's sysdb as well. https://fedorahosted.org/sssd/ticket/750
2011-01-21Fix nested group handling during enumerationSumit Bose1-0/+14
Nested groups where not unrolled completely during the first enumeration run because not all where present in the cache.
2011-01-21Add missing include file to sdap_async_accounts.cStephen Gallagher1-0/+1
2011-01-21Add the user's primary group to the initgroups lookupStephen Gallagher3-14/+56
The user may not be a direct member of their primary group, but we still want to make sure that group is cached on the system.
2011-01-20Add ldap_tls_{cert,key,cipher_suite} config optionsTyson Whitehead3-0/+33
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2011-01-19Fix return value checkSumit Bose1-2/+2
2011-01-19Don't double-sanitize member DNsStephen Gallagher1-12/+4
After asking the cache for the list of member DNs for groups during an initgroups request, we were passing it through the sanitization function. Since this had already been done before they were saved to the cache, this meant that it was corrupting the results. It is safe to pass the returned DN directly into the sysdb_group_dn_name() function.
2011-01-19Add LDAP expire policy base RHDS/IPA attributeSumit Bose5-3/+52
The attribute nsAccountLock is used by RHDS, IPA and other directory servers to indicate that the account is locked.
2011-01-19Add LDAP expire policy based on AD attributesSumit Bose5-3/+99
The second bit of userAccountControl is used to determine if the account is enabled or disabled. accountExpires is checked to see if the account is expired.
2011-01-17Add ldap_search_enumeration_timeout config optionSumit Bose3-4/+6
2011-01-17Add timeout parameter to sdap_get_generic_send()Sumit Bose8-32/+77
2011-01-14Do not throw a DP error when a netgroup is not foundStephen Gallagher1-5/+1
https://fedorahosted.org/sssd/ticket/775
2011-01-14Add missing sysdb transaction to group enumerationsStephen Gallagher1-12/+45
We were not enclosing group processing in a transaction, which was resulting in extremely high numbers of disk-writes. This patch adds a transaction around the sdap_process_group code to ensure that these actions take place within a transaction. This patch also adds a check around the missing member code for RFC2307bis so we don't go back to the LDAP server to look up entries that don't exist (since the enumeration first pass would already have guaranteed that we have all real users cached)
generated by cgit (git 2.34.1) at 2024-07-09 03:57:49 +0000