| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Fixes https://fedorahosted.org/sssd/ticket/2116
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
Until now, the POSIX-compliant initgroups would only be able to search
the parent domain. Since we want to allow using POSIX attributes from AD
subdomains as well, we should allow searching a custom sdap_domain.
|
|
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
|
|
If tokenGroups contains group from different domain than user's,
we stored it under the user's domain tree in sysdb. This patch
changes it so we store it under group's domain tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
We need to work with distinguish names when processing
cross-domain membership, because groups and users may
be stored in different sysdb tree.
Resolves:
https://fedorahosted.org/sssd/ticket/2066
|
|
Declarations of public functions was in header files,
but header files was not included in implementation file.
|
|
https://fedorahosted.org/sssd/ticket/2087
IN_MULTICAST accepts address in the host order, but network order was
supplied.
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2075
|
|
The check worked for simple setups but fails e.g. in environment with
trusts.
|
|
|
|
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request.
|
|
AD provider will override the default with its own.
|
|
Remove code duplication.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct ldb_message_element.num_values is unsigned
This patch indirectly fixes printf format string warning.
|
|
|
|
|
|
When the SSSD changes serves (and hence lastUSN) we perform a cleanup as
well. However, after recent changes, we didn't set the cleanup timestamp
correctly, which made the lastUSN logic fail.
|
|
|
|
|
|
Instead of always performing the setup for the main domain, the setup
can now be performed for subdomains as well.
|
|
Instead of always performing the cleanup on the main domain, the task
now accepts a sdap_domain structure to perform the cleanup on. This
change will make the cleanup task reusable for subdomains.
|
|
The LDAP cleanup request was asynchronous for no good reason, probably a
leftover from the days of async sysdb. This patch makes it sychronous
again, removing a lot of uneeded code.
|
|
https://fedorahosted.org/sssd/ticket/1942
Identity providers other than LDAP need to customize the enumeration in
different ways while sharing the way the task is scheduled etc. The
easiest way to accomplish it is to leverage the recently introduced
ptask framework.
|
|
The LDAP enumeration was too closely tied to the LDAP identity provider.
Because some providers might need special handling such as refresh the
master domain record before proceeding with the enumeration itself, this
patch splits the request itself to a separate async request and lets the
ldap_id_enum.c module only configure this new request.
Also move the enum timestamp to sdap_domain to make the enum tracking
per sdap domain. The cleanup timestamp will be moved in another patch.
|
|
The constant was not used since Euegene came up with his reconnection
logic.
|
|
The enum code was quite old and predated the tevent_req style. In
particular, the enum code was checking tevent state direcly and not
using _recv functions or the helper macros we added later.
As a consequence, it was not easy to read. This patch adds the standard
_recv functions to read the status of the enum requests.
|
|
If USN attribute is not present, we call strdup on uninitialized
variable. This may cause segfault, or if we are lucky and
usn is NULL it will return ENOMEM.
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/2052
|
|
During initgroups request we read the SID of a group from the server but
do not save it to the cache. This patch fixes this and might help to
avoid an additional lookup of the SID later.
|
|
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
For subdomains the group names must be expanded to fully qualified names
to be able to find existing groups or properly add new ones.
|
|
https://fedorahosted.org/sssd/ticket/2043
|
|
If ID mapping is enabled we use magic private groups (MPG) for
subdomains, i.e. the UID and the primary GID of the user will have the
same numerical value. As a consequence the information about the
original primary group might get lost because neither in AD domains nor
on a typical UNIX system the user is an explicit member of it's primary
group.
With this patch the mapped GID or the original primary group is saved in
the cached user object under a new attribute.
Fixes https://fedorahosted.org/sssd/ticket/2027
|
|
|
|
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
Change was introduced in commit ca344fde
|
|
In sdap_nested_group_populate_users() username and orignal_dn are
allocated on a temporary memory context. If the corresponding user is
not found in the cache both are added to a hash which is later on
returned to the caller. To avoid a use-after-free when the hash entries
are looked up both must be reassigned to the memory context of the hash.
|
|
primary_name was allocated on a temporary memory context but as it is a
member of the state struct it should belong to the memory context of the
state.
|
|
|
|
https://fedorahosted.org/sssd/ticket/2031
|
|
Coverity ID: 11927
|
|
The subdomain users user FQDN in their name attribute. However, handling
of whether to use FQDN in the LDAP code was not really good. This patch
introduces a utility function and converts code that was relying on
user/group names matching to this utility function.
This is a temporary fix until we can refactor the sysdb API in #2011.
|
|
https://fedorahosted.org/sssd/ticket/1992
|
