Age | Commit message (Collapse) | Author | Files | Lines |
|
I had to create a new context structure to store additional
information such as ip addresses and hostnames.
|
|
|
|
|
|
When an expired rule is not present on the server server during specific rule
refresh, the provider will notify the sudo responder that it has been deleted.
Because there is a high probability that some other rules were deleted from
the server as well, we want to remove them from sysdb as soon as possible.
Once the responder is notified, it will schedule an out of band full refresh.
This is issued by responder, because we already have a mechanism that
prohibits creation of similar request (i.e. once the OOB full refresh is
scheduled, there won't be another).
The notification is done by returning:
DP error = DP_ERR_OK, error = ENOENT
|
|
sdap_sudo_refresh_recv()
|
|
When SSSD is started, then full refresh is scheduled.
The smart refresh is scheduled after this full refresh,
if USN (or modifyTimestamp) values are available.
If full refresh interval <= smart refresh interval then
full refresh will be disabled.
If both refresh types are 0 then smart refresh interval
is set to default value.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1225
|
|
There was an issue with ghost members in nested groups. Consider a
scenario with two groups A and B, B being member of A and having some
ghost members. In such case SSSD stored both groups, then added
membership between them and then added ghost members to the group B.
The problem was that adding ghost members to group B didn't propagate
these ghost members to group A. This functionality could have been
solved by memberof plugin but the logic is far more complicated that
changes this patch introduces.
The change is simple: add ghost members at the same time as the group is
created, even if groups are supposed to be stored in two passes. That
way ghost members will be present at the time A -> B membership is
created and they will be propagated as expected.
|
|
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped.
|
|
|
|
|
|
|
|
Move it to a private header so it can be reused by other
initgroups C files.
|
|
|
|
SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(),
not sdap_initgr_nested_recv(). By coincidence both recv functions
happened to be identical, but if one or the other changed, this
would break unexpectedly.
|
|
The same block appeared earlier in the function and neither
variable could have changed values since.
|
|
Previous patch added the possibility to exclude some attributes from a
map when building an attribute list to be sent to server. The original
reason for this functionality is the code handling LDAP initgroups. In
this code, there is no need to fetch members of groups in question. This
can save some performance since the list of members can be pretty long
in some cases. This case apllies only to RFC2307 and generic RFC2307bis,
it doesn't apply for IPA schema.
|
|
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query.
|
|
|
|
|
|
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership.
|
|
The original approach was to store name and original DN in an object in
sysdb. When later referenced as member of a group, it was retrieved by
its original DN and the correct information about its sysdb DN was
stored in the group object which referenced it.
The new approach doesn't use fake user objects, therefore this
information has to be reached differently when constructing group
memberships. The approach is to store all users to a hash table where
original DN is used as the key and username as value. When constructing
group memberships, the name is retrieved from this hash table instead of
sysdb. This hash table is constructed when retrieving user objects from
LDAP server - if the user is not present in sysdb, it is automatically
stored in the hash table.
Another situation is for rfc2307. Because there is no nesting there, we
can construct the SYSDB_GHOST attribute directly and therefore don't
need a hash table of ghost users.
|
|
structure
https://fedorahosted.org/sssd/ticket/1343
|
|
|
|
|