summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2011-05-20sdap_get_generic_extJakub Hrozek1-73/+202
Add a private sdap_get_generic_ext_send()/_recv() request that exposes more of ldap_search_ext options, in particular the server contols. The existing sdap_generic_search_send()/_recv() request is now a thin wrapper around the new _ext request. The other important change is that an entry parsing is a callback now. That was done in order to allow custom parsing for results such as OpenLDAP deref or Attribute Scoped Queries.
2011-05-20Remove append_attrs_to_arrayJakub Hrozek2-12/+0
This function was not used anywhere
2011-05-20IPA Provider: don't fail if user is not a member of any groupsStephen Gallagher1-2/+5
2011-05-16Possible memory leak fixedJan Zeleny1-1/+1
2011-05-16Fixed wrong variable in sdap_initgr_nested_storeJan Zeleny1-1/+1
2011-05-04Fixed lastUSN checking improvementsJan Zeleny3-5/+23
This patch fixes some issues with setting lastUSN attribute and it adds check against the highest user/group USN after enumeration to keep better track of the real highest USN. Optimal solution here would be to schedule a check of rootDSE entry right after the enumeration finishes, but for the moment this is good enough.
2011-05-04Do not leak LDAP URI with high log levelJakub Hrozek1-2/+7
2011-04-28Do not leak LDAP paging controlsJakub Hrozek1-0/+5
2011-04-27Add ldap_page_size configuration optionStephen Gallagher4-3/+9
2011-04-27Enable paging support for LDAPStephen Gallagher1-23/+117
2011-04-27Log the LDAP message type we're processingStephen Gallagher1-0/+57
2011-04-25Modify principal selection for keytab authenticationJan Zeleny5-6/+19
Currently we construct the principal as host/fqdn@REALM. The problem with this is that this principal doesn't have to be in the keytab. In that case the provider fails to start. It is better to scan the keytab and find the most suitable principal to use. Only in case no suitable principal is found the backend should fail to start. The second issue solved by this patch is that the realm we are authenticating the machine to can be in general different from the realm our users are part of (in case of cross Kerberos trust). The patch adds new configuration option SDAP_SASL_REALM. https://fedorahosted.org/sssd/ticket/781
2011-04-19Add last usn checking after reconnectionJan Zeleny2-1/+31
When reconnecting to the LDAP server supporting USNs (either because of new incomming id operation or invokation of callback responsible for checking status of the backend), detect whether the highest USN is lower than the one SSSD has recorded. If so, setup enumeration/cleanup to refresh potentionally changed account information in the SSSD cache. Related ticket: https://fedorahosted.org/sssd/ticket/734
2011-04-19Add value of the last USN to server configurationStephen Gallagher2-0/+16
Related: https://fedorahosted.org/sssd/ticket/734
2011-04-19Add user and group search LDAP filter optionsJakub Hrozek4-19/+82
https://fedorahosted.org/sssd/ticket/647
2011-04-15Do not throw a DP error when failing to delete a nonexistent entityStephen Gallagher1-4/+4
2011-04-12Never remove gecos from the sysdb cacheStephen Gallagher1-0/+9
Now that gecos can come from either the 'gecos' or 'cn' attributes, we need to ensure that we never remove it from the cache.
2011-04-12Initialise rootdse to NULL if not availableSumit Bose1-0/+1
2011-04-11Initialise srv_opts even if rootDSE is missingSumit Bose2-46/+49
2011-04-08Read only rootDSE data if rootDSE is availableSumit Bose1-20/+22
2011-04-08Fix unchecked return values of pam_add_responseJakub Hrozek1-2/+7
https://fedorahosted.org/sssd/ticket/798
2011-04-08Don't pass NULL to printf for TLS errorsJakub Hrozek3-33/+24
https://fedorahosted.org/sssd/ticket/643
2011-04-01Only save members for successfully saved groupsJakub Hrozek1-2/+17
2011-03-30Fall back to cn if gecos is not availableStephen Gallagher1-0/+9
We were not fully compliant with section 5.3 of RFC 2307 which states: An account's GECOS field is preferably determined by a value of the gecos attribute. If no gecos attribute exists, the value of the cn attribute MUST be used. (The existence of the gecos attribute allows information embedded in the GECOS field, such as a user's telephone number, to be returned to the client without overloading the cn attribute. It also accommodates directories where the common name does not contain the user's full name.)
2011-03-28Mark transaction as done when cancelledJakub Hrozek1-2/+8
2011-03-28RFC2307: Ignore zero-length member names in group lookupsStephen Gallagher1-0/+4
2011-03-28Always complete the transaction in sdap_process_group_members_2307Stephen Gallagher1-0/+11
If the loop ran through at least one sdap_process_missing_member_2307() call and errored out later, we were not canceling the transaction.
2011-03-28Fix typo in sdap_nested_group_process_stepJakub Hrozek1-1/+1
2011-03-24Return from functions in LDAP provider after marking request as failedJakub Hrozek1-1/+4
2011-03-24Add host access control supportPierre Ossman5-2/+155
https://fedorahosted.org/sssd/ticket/746
2011-03-23Add sysdb_attrs_primary_name_list() routineStephen Gallagher1-18/+22
This routine will replace the use of sysdb_attrs_to_list() for any case where we're trying to get the name of the entry. It's a necessary precaution in case the name is multi-valued.
2011-03-23Use sysdb_attrs_primary_name() in sdap_initgr_nested_store_groupStephen Gallagher1-1/+3
2011-03-23Use fake groups during IPA schema initgroupsJakub Hrozek1-114/+418
https://fedorahosted.org/sssd/ticket/822
2011-03-23Add originalDN to fake groupsJakub Hrozek1-1/+10
2011-03-23RFC2307bis: Ignore aliases for groupsStephen Gallagher1-14/+26
Groups in ldap with multiple values for their groupname attribute will now be compared against the RDN of the entry to determine the "primary" group name. We will save only this primary group name to the ldb cache.
2011-03-23RFC2307: Ignore aliases for groupsStephen Gallagher1-23/+35
Groups in ldap with multiple values for their groupname attribute will now be compared against the RDN of the entry to determine the "primary" group name. We will save only this primary group name to the ldb cache.
2011-03-23Ignore aliases for usersStephen Gallagher1-20/+26
Users in ldap with multiple values for their username attribute will now be compared against the RDN of the entry to determine the "primary" username. We will save only this primary name to the ldb cache.
2011-03-22Sanitize DN when searching the original DN in the cacheSumit Bose1-1/+9
2011-03-17Fix incorrect return value checkStephen Gallagher1-1/+1
2011-03-15Fix LDAP search filter for nested initgroupsJakub Hrozek1-1/+1
2011-03-14Fix one unlikely case of failure in sdap_id_op moduleJan Zeleny1-1/+3
There can be an unlikely scenario when the first part of sdap_id_op_connect_done works fine and there is no need to mark backend offline. But right after the check, the memory allocation can fail in which case the backend needs to be marked offline along with disabled reconnecting.
2011-03-14Require existence of username, uid and gid for user enumerationStephen Gallagher1-12/+18
We will ignore users that do not have these three values.
2011-03-14Require existence of GID number and name in group searchesStephen Gallagher3-25/+42
https://fedorahosted.org/sssd/ticket/824
2011-03-09Release handle if not connectedSumit Bose1-0/+1
2011-02-21IPA provider: remove deleted groups during initgroups()Stephen Gallagher1-3/+112
The IPA provider was not properly removing groups in the cache that the user was no longer a member of. https://fedorahosted.org/sssd/ticket/803
2011-02-18Remove cached user entry if initgroups returns ENOENTStephen Gallagher1-0/+11
This behavior was present for getpwnam() but was lacking for initgroups.
2011-02-16Do not attempt to use START_TLS on SSL connectionsStephen Gallagher4-11/+43
Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795
2011-02-14Verify LDAP file descriptor validityStephen Gallagher1-1/+1
2011-02-11Fix cleanup transactionStephen Gallagher1-0/+1
Without setting in_transaction=true, if the sysdb operations threw an error, we wouldn't cancel the transaction.
2011-02-04Only print "no matching service rule" when appropriateStephen Gallagher1-6/+6
generated by cgit (git 2.34.1) at 2024-07-09 03:32:09 +0000