summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2013-05-02Add secid filter to responder-dp protocolSumit Bose1-0/+6
This patch add a new filter type to the data-provider interface which can be used for SID-based lookups.
2013-05-02LDAP: always store SID if availableSumit Bose2-33/+58
Currently the string representation of a SID is only stored in the cache for debugging purpose if SID based ID-mapping is used. This patch unconditionally stores the SID if available to allow SID-to-name mappings from the cache.
2013-05-02sdap: add sdap_connect_host requestPavel Březina2-0/+201
Create connection to specified LDAP server without using any failover stuff.
2013-05-02Display the last grace warning, tooJakub Hrozek2-3/+3
Due to a comparison error, the last warning when an LDAP password was in its grace period was never displayed. https://fedorahosted.org/sssd/ticket/1890
2013-04-29libsss_idmap: function to calculate rangeMichal Zidek2-115/+54
Calculation of range for domains is moved from sdap_idmap code to sss_idmap code. Some refactoring have been done to allow this move. https://fedorahosted.org/sssd/ticket/1844
2013-04-19LDAP: do not invalidate pointer with realloc while processing ghost usersJakub Hrozek1-3/+13
https://fedorahosted.org/sssd/ticket/1799 One peculiarity of the sysdb_attrs_get_el interface is that if the attribute does not exist, then the attrs array is reallocated and the element is created. But in case other pointers are already pointing into the array, the realloc might invalidate them. Such case was in the sdap_process_ghost_members function where if the group had no members, the "gh" pointer requested earlier might have been invalidated by the realloc in order to create the member element.
2013-04-10DNS sites support - use SRV DNS lookup plugin in all providersPavel Březina1-0/+9
https://fedorahosted.org/sssd/ticket/1032 We set a plugin during an initialization of ID provider, which is an authoritative provider for a plugin choice. The plugin is set only once. When other provider is initalized (e.g. id = IPA, sudo = LDAP), we do not overwrite the plugin. Since sssm_*_id_init() is called from all module constructors, this patch relies on the fact, that ID provider is initialized before all other providers.
2013-04-09LDAP: Always fail if a map can't be foundJakub Hrozek1-4/+2
2013-04-04LDAP: Fix value initialization warningsLukas Slebodnik2-2/+2
2013-04-03Centralize resolv_init, remove resolv context listJakub Hrozek1-16/+2
2013-04-03Init failover with be_res optionsJakub Hrozek1-24/+5
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik2-9/+15
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-04-02refactor nested group processing: replace old codePavel Březina2-1721/+21
https://fedorahosted.org/sssd/ticket/1784
2013-04-02refactor nested group processing: add new codePavel Březina1-0/+2229
https://fedorahosted.org/sssd/ticket/1784 1. initialization (main-req), returns members of input group 2. evaluate group members (group) 3. perform individual search (no-deref) or dereference attribute (deref) 4a. no-deref 1. perform a lookup depending on the type of the member object 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups 4b. deref 1. perform a dereference lookup on member attribute 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups Tevent request flow: main-req | group |------------------------| no-deref deref | | |----|------|---------| | user group unknown recurse recurse / \ | | | ... | | | ... user group group group
2013-03-27LDAP: Fix value initializationOndrej Kos1-1/+1
2013-03-21LDAP: If deref search fails, try again without derefJan Cholasta4-4/+44
https://fedorahosted.org/sssd/ticket/1660
2013-03-20ldap: Fallback option for rfc2307 schemaSimo Sorce7-11/+191
Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
2013-03-19Convert sdap_access to new error codesSimo Sorce3-453/+186
Also simplify sdap_access_send to avoid completely fake _send() routines.
2013-03-19Removing unused declaration of functions and variable.Lukas Slebodnik1-10/+0
Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
2013-03-19Use common error facility instead of sdap_resultSimo Sorce5-316/+202
Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
2013-03-13Fix initialization of multiple variablesOndrej Kos2-2/+2
2013-03-13More generalized function open_debug_file_ex()Lukas Slebodnik1-5/+1
Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
2013-03-07Fixed typo in debug message.Lukas Slebodnik1-3/+5
C compiler did not complain, because "index" is function defined in header file <string.h>
2013-03-05Check the return value of sysdb_search_servicesJakub Hrozek1-0/+6
2013-02-27sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina1-3/+7
https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
2013-02-26sysdb: try dealing with binary-content attributesJan Engelhardt2-7/+5
https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
2013-02-11LDAP: Check for authtok validityJakub Hrozek1-7/+9
The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
2013-02-10Add realm info to sss_domain_infoSimo Sorce1-1/+1
2013-01-28nested groups: fix group lookup hangs if member dn is incorrectPavel Březina1-0/+24
https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
2013-01-21Add be_req_get_data() helper funciton.Simo Sorce5-8/+8
In preparation for making struct be_req opaque.
2013-01-21Add be_req_get_be_ctx() helper.Simo Sorce5-39/+43
In preparation for making be_req opaque
2013-01-21Introduce be_req_terminate() helperSimo Sorce4-17/+10
Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
2013-01-21Remove domain from be_req structureSimo Sorce1-1/+1
2013-01-21Pass domain not be_req to access check functionsSimo Sorce3-17/+25
2013-01-21Remove sysdb as a be request structure memberSimo Sorce1-2/+2
The sysdb context is already available through the 'domain' context.
2013-01-21Remove sysdb as a be context structure memberSimo Sorce13-27/+27
The sysdb context is already available through the 'domain' structure.
2013-01-21Move ldap provider access functionsSimo Sorce2-59/+86
It was confusing to see the ldap provider own handler mixed with the generic ldap access code used also by the ipa and ad providers. So move the ldap provider handler code in its own file.
2013-01-21LDAP: Compare lists of DNs when saving autofs entriesJakub Hrozek1-134/+147
https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
2013-01-15LDAP: avoid complex realloc logic in save_rfc2307bis_group_membershipsJakub Hrozek1-12/+4
https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
2013-01-15Add domain arguments to sysdb sudo functionsSimo Sorce4-9/+22
2013-01-15Add domain arguments to sysdb services functionsSimo Sorce2-4/+5
also fix sysdb_svc_add declarations
2013-01-15Add domain argument to sysdb autofs functionsSimo Sorce2-11/+18
2013-01-15Add domain arguemnt to sysdb_get_real_name()Simo Sorce1-1/+2
2013-01-15Add domain argument to sysdb_idmap_ funcitonsSimo Sorce1-1/+2
2013-01-15Add domain argument to sysdb_remove_attrs()Simo Sorce1-1/+1
2013-01-15Add domain argument to sysdb_has/set_enumerated()Simo Sorce3-3/+4
2013-01-15Add domain arg to sysdb_search/delete_netgroup()Simo Sorce1-1/+1
2013-01-15Add domain argument to sysdb_delete_group()Simo Sorce2-3/+5
Also remove sysdb_delete_domgroup()
2013-01-15Add domain argument to sysdb_search_groups()Simo Sorce3-7/+12
2013-01-15Add domain argument to sysdb_delete_user()Simo Sorce2-4/+6
Also remove sysdb_delete_domuser()