summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2012-05-14Fixed two minor memory leaksJan Zeleny2-2/+6
2012-05-10LDAP: Handle very large Active Directory groupsStephen Gallagher5-45/+271
Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783
2012-05-10LDAP: Add attr_count return value to build_attrs_from_map()Stephen Gallagher12-32/+54
This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
2012-05-09Try all KDCs when getting TGT for LDAPJakub Hrozek1-15/+18
When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
2012-05-07Special-case LDAP_SIZELIMIT_EXCEEDEDJakub Hrozek1-4/+9
Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322
2012-05-07Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter1-0/+15
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-04If canon'ing principals, write ccache with updated default principalStef Walter1-1/+2
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
2012-05-04Modify behavior of pam_pwd_expiration_warningJan Zeleny1-12/+30
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
2012-05-03LDAP: Add support for enumeration of ID-mapped users and groupsStephen Gallagher1-31/+102
2012-05-03LDAP: Treat groups with unmappable SIDs as non-POSIX groupsStephen Gallagher1-9/+12
2012-05-03LDAP: Add helper function to map IDsStephen Gallagher5-119/+81
This function will also auto-create a new ID map if the domain has not been seen previously.
2012-05-03LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped ↵Stephen Gallagher2-0/+16
entries
2012-05-03LDAP: Add helper routine to convert LDAP blob to SID stringStephen Gallagher5-68/+195
2012-05-03LDAP: Map the user's primaryGroupIDStephen Gallagher3-12/+68
2012-05-03LDAP: Enable looking up id-mapped groups by GIDStephen Gallagher1-2/+45
2012-05-03LDAP: Allow looking up ID-mapped groups by nameStephen Gallagher2-29/+125
2012-05-03LDAP: Enable looking up id-mapped users by UIDStephen Gallagher1-6/+43
2012-05-03LDAP: Allow automatically-provisioning a domain and rangeStephen Gallagher1-3/+43
If we get a user who is a member of a domain we haven't seen before, add a domain entry (auto-assigning its slice). Since we don't know the domain's real name, we'll just save the domain SID string as the name as well.
2012-05-03LDAP: Add routine to extract domain SID from an object SIDStephen Gallagher2-0/+49
Also makes the domain prefix macros from sss_idmap public.
2012-05-03LDAP: Allow setting a default domain for id-mapping slice 0Stephen Gallagher3-0/+40
2012-05-03LDAP: Add autorid compatibility modeStephen Gallagher3-8/+16
2012-05-03LDAP: Enable looking up ID-mapped users by nameStephen Gallagher2-9/+55
2012-05-03LDAP: Initialize ID mapping when configuredStephen Gallagher2-0/+10
2012-05-03LDAP: Add ID mapping range settingsStephen Gallagher2-0/+6
2012-05-03LDAP: Add helper routines for ID-mappingStephen Gallagher2-0/+334
2012-05-03LDAP: Add id-mapping optionStephen Gallagher2-0/+2
2012-05-03LDAP: Add objectSID config optionStephen Gallagher2-0/+8
2012-05-03Read sysdb attribute name, not LDAP attribute map nameJakub Hrozek1-2/+2
https://fedorahosted.org/sssd/ticket/1320
2012-05-02LDAP: check return value of sysdb_attrs_get_elJakub Hrozek1-0/+7
2012-05-01execv, excvp and exec_child never return EOKStef Walter1-5/+3
* So don't need to handle that case
2012-04-24Accept be_req instead if be_ctx in LDAP access providerJan Zeleny2-14/+15
2012-04-20Get the RootDSE after binding if not successfull beforeJakub Hrozek1-26/+104
https://fedorahosted.org/sssd/ticket/1258
2012-04-20Convert read and write operations to sss_atomic_readJakub Hrozek1-32/+21
https://fedorahosted.org/sssd/ticket/1209
2012-04-20sdap_check_aliases must not error when detects the same userJakub Hrozek1-13/+31
https://fedorahosted.org/sssd/ticket/1307
2012-04-20Free controls in sdap_rebind_procJakub Hrozek1-4/+6
2012-04-18Fixed minor memory leak in ldap providerJan Zeleny1-0/+1
2012-04-18Fixed memory context in sdap_fill_memberships()Jan Zeleny1-1/+1
2012-04-18Removed unused block of code is sdap_fill_memberships()Jan Zeleny1-57/+29
2012-04-18Removed a block of dead code in sdap_async_groups.cJan Zeleny1-20/+1
2012-04-18Do not call sdap_auth if not neededJakub Hrozek1-7/+11
2012-04-18Prevent printing NULL from DEBUG messagesJakub Hrozek2-6/+13
2012-04-05Clean up log messages about keytab_nameStephen Gallagher1-7/+12
There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
2012-03-29LDAP services: Save lowercased protocol names in case-insensitive domainsJakub Hrozek1-1/+17
https://fedorahosted.org/sssd/ticket/1260
2012-03-28Add terminator for sdap_attr_mapStephen Gallagher2-14/+31
2012-03-28Add terminator for dp_optionStephen Gallagher1-1/+2
2012-03-28Put dp_option maps in their own fileStephen Gallagher2-279/+314
There is no functional change due to this patch.
2012-03-26LDAP: Fix memory leaks in synchronous_tls_setupStephen Gallagher1-8/+10
We were never freeing "result" if it was allocated by ldap_result(). We were also not freeing "errmsg" if it was allocated but ldap_parse_result() returned an error. Also disambiguate error messages from ldap_parse_result() and error messages from sss_ldap_get_diagnostic_msg() since they use differing memory-management functions.
2012-03-26LDAP services: Keep the protocol aroundJakub Hrozek1-0/+1
2012-03-21LDAP: Add better error logging when ldap_result() failsStephen Gallagher1-1/+3
2012-03-16LDAP: Errors retrieving the RootDSE should not be fatalStephen Gallagher1-15/+8
If we can't reach the RootDSE, let's just proceed as if it's unavailable with reasonable defaults. If we fail later on, that's fine. Fixes https://fedorahosted.org/sssd/ticket/1257