summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2010-05-16Add dynamic DNS updates to FreeIPAStephen Gallagher2-14/+16
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-16Properly set up SIGCHLD handlersStephen Gallagher1-10/+8
Instead of having all-purpose SIGCHLD handlers that try to catch every occurrence, we instead create a per-PID handler. This will allow us to specify callbacks to occur when certain children exit.
2010-05-07Revert "Add dynamic DNS updates to FreeIPA"Stephen Gallagher2-16/+14
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7. While this patch applied cleanly, it was uncompilable. Reverting until it can be properly merged.
2010-05-07Add dynamic DNS updates to FreeIPAStephen Gallagher2-14/+16
This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).
2010-05-07Use service discovery in backendsJakub Hrozek4-19/+71
Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name. Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
2010-05-07Add callback when the ID provider switches from offline to onlineStephen Gallagher1-0/+9
Allow backends to set a callback in the be_ctx that should be invoked when the ID provider goes online. This can be used to perform regular maintenance tasks that are valid only when going online.
2010-05-07Add more warnings about nearly expired passwordsSumit Bose1-5/+66
For the shadow and mit_kerberos password policy warnings are sent to the client if the password is about to expire.
2010-05-07Use all available servers in LDAP providerJakub Hrozek3-14/+91
2010-05-07Fix segfault in GSSAPI reconnect codeStephen Gallagher2-57/+41
Also clean up some duplicated code into a single common routine sdap_account_info_common_done()
2010-05-03Avoid freeing sdap_handle too earlySimo Sorce2-18/+46
Prevent freeing the sdap_handle by failing in the destructor if we are trying to recurse.
2010-05-03Better handle sdap_handle memory from callers.Simo Sorce4-33/+139
Always just mark the sdap_handle as not connected and let later _send() functions to take care of freeing the handle before reconnecting. Introduce restart functions to avoid calling _send() functions in _done() functions error paths as this would have the same effect as directly freeing the sdap_handle and cause access to freed memory in sdap_handle_release() By freeing sdap_handle only in the connection _recv() function we guarantee it can never be done within sdap_handle_release() but only in a following event.
2010-04-30Silence warnings with -O2Jakub Hrozek1-2/+4
2010-04-26Display a message if a password reset by root failsSumit Bose1-0/+8
2010-04-26Make the handling of fd events opaqueSumit Bose5-184/+278
Depending on the version of the OpenLDAP libraries we use two different schemes to find the file descriptor of the connection to the LDAP server. This patch removes the related ifdefs from the main code and introduces helper functions which can handle the specific cases.
2010-04-26Set LDAP_OPT_RESTART for all LDAP connectionsSumit Bose1-7/+7
2010-04-16Make ID provider init functions clearerStephen Gallagher1-3/+3
Using sssm_*_init() as the name of the initialization function for identity providers was a holdover from earlier development when we thought we would only have a single "provider" entry in the config file. As we have now separated out the initialization functions for auth, chpass and access, we should rename sssm_*_init() to sssm_*_id_init() for a cleaner interface.
2010-04-12sysdb: remove remaining traces of sysdb_handleSimo Sorce1-2/+0
2010-04-12sysdb: convert sysdb_get_user_attrSimo Sorce1-134/+69
2010-04-12Remove remaining use of sysdb_transaction_sendSimo Sorce1-319/+99
2010-04-12sysdb: convert sysdb_search_groupsSimo Sorce1-133/+57
2010-04-12sysdb: delete sysdb_delete_groupSimo Sorce2-125/+55
2010-04-12sysdb: convert sysdb_delete_userSimo Sorce2-195/+70
2010-04-12sysdb: convert sysdb_search_usersSimo Sorce1-67/+37
2010-04-12sysdb: convert sysdb_cache_passwordSimo Sorce1-32/+11
2010-04-12sysdb: convert sysdb_store/add(_basic)_groupSimo Sorce1-295/+100
2010-04-12sysdb: convert sysdb_store/add(_basic)_userSimo Sorce1-195/+85
2010-04-12sysdb: convert sysdb_search_entry and sysdb_delete_recursiveSimo Sorce1-37/+11
2010-03-25Allow arbitrary-length PAM messagesStephen Gallagher1-6/+6
The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432
2010-03-25Fix warnings from -Wmissing-field-initializersSumit Bose1-1/+3
This patch removes some tab-indentations from pamsrv.c, too.
2010-03-25Set LDAP_OPT_RESTART for ldap_sasl_interactive_bind_s()Sumit Bose1-0/+7
This option is needed for the rare case where a poll() call during ldap_sasl_interactive_bind_s() is interrupted by a signal. LDAP_OPT_RESTART enables the handling of the EINTR error instead of returning an error.
2010-03-22Improvements for LDAP Password Policy supportRalf Haferkamp4-13/+103
Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.
2010-03-22Lower debug level of unexpected LDAP result codesSumit Bose1-0/+5
2010-03-18Fix error message for ldap_start_tlsStephen Gallagher1-1/+1
2010-03-15Fixed authentication check for CHAUTHTOK_PRELIMRalf Haferkamp1-1/+1
When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful authentication in SSS_PAM_CHAUTHTOK_PRELIM.
2010-03-15Fixed check for expired passwordsRalf Haferkamp1-2/+4
When the user's password is expired it might also be indicated by the bind operation returning "INVALID_CREDENTIALS" with the ppolicy control's errorcode set to "PP_passwordExpired".
2010-03-03Improve safe alignment buffer handling macrosSimo Sorce2-18/+18
Make the counter optional so that alignment safe macros can be used also where there is no counter to update. Change arguments names so that they are not deceiving (ptr normlly identify a pointer) Turn the memcpy substitute into an inline function so that passing a pointer to rp and checking for it doesn't make the compiler spit lots of warnings.
2010-02-25Fix check for values of expiration limitsJakub Hrozek1-1/+1
There were inconsistencies between what sssd.conf manpage said and what the code enforces.
2010-02-25Remove a check that was left behindJakub Hrozek1-7/+1
When refactoring talloc_asprintf calls a check was left behind that cased the backend to go offline immediately.
2010-02-23Better cleanup task handlingJakub Hrozek3-37/+239
Implements a different mechanism for cleanup task. Instead of just deleting expired entries, this patch adds a new option account_cache_expiration for domains. If an entry is expired and the last login was more days in the past that account_cache_expiration, the entry is deleted. Groups are deleted if they are expired and and no user references them (no user has memberof: attribute pointing at that group). The parameter account_cache_expiration is not LDAP-specific, so that other future backends might use the same timeout setting. Fixes: #391
2010-02-23Do not check entries during cleanup taskJakub Hrozek2-81/+59
Do not attempt to validate expired entries in cache, just delete them. Also increase the cache timeouts. Fixes: #331
2010-02-23Do not schedule enumeration after a cleanupJakub Hrozek1-2/+2
2010-02-23Handle expired passwords like other PAM modulesSumit Bose1-1/+1
So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.
2010-02-18Rename server/ directory to src/Stephen Gallagher16-0/+9851
Also update BUILD.txt