summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2013-03-19Use common error facility instead of sdap_resultSimo Sorce5-316/+202
Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
2013-03-13Fix initialization of multiple variablesOndrej Kos2-2/+2
2013-03-13More generalized function open_debug_file_ex()Lukas Slebodnik1-5/+1
Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
2013-03-07Fixed typo in debug message.Lukas Slebodnik1-3/+5
C compiler did not complain, because "index" is function defined in header file <string.h>
2013-03-05Check the return value of sysdb_search_servicesJakub Hrozek1-0/+6
2013-02-27sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina1-3/+7
https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
2013-02-26sysdb: try dealing with binary-content attributesJan Engelhardt2-7/+5
https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
2013-02-11LDAP: Check for authtok validityJakub Hrozek1-7/+9
The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
2013-02-10Add realm info to sss_domain_infoSimo Sorce1-1/+1
2013-01-28nested groups: fix group lookup hangs if member dn is incorrectPavel Březina1-0/+24
https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
2013-01-21Add be_req_get_data() helper funciton.Simo Sorce5-8/+8
In preparation for making struct be_req opaque.
2013-01-21Add be_req_get_be_ctx() helper.Simo Sorce5-39/+43
In preparation for making be_req opaque
2013-01-21Introduce be_req_terminate() helperSimo Sorce4-17/+10
Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
2013-01-21Remove domain from be_req structureSimo Sorce1-1/+1
2013-01-21Pass domain not be_req to access check functionsSimo Sorce3-17/+25
2013-01-21Remove sysdb as a be request structure memberSimo Sorce1-2/+2
The sysdb context is already available through the 'domain' context.
2013-01-21Remove sysdb as a be context structure memberSimo Sorce13-27/+27
The sysdb context is already available through the 'domain' structure.
2013-01-21Move ldap provider access functionsSimo Sorce2-59/+86
It was confusing to see the ldap provider own handler mixed with the generic ldap access code used also by the ipa and ad providers. So move the ldap provider handler code in its own file.
2013-01-21LDAP: Compare lists of DNs when saving autofs entriesJakub Hrozek1-134/+147
https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
2013-01-15LDAP: avoid complex realloc logic in save_rfc2307bis_group_membershipsJakub Hrozek1-12/+4
https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
2013-01-15Add domain arguments to sysdb sudo functionsSimo Sorce4-9/+22
2013-01-15Add domain arguments to sysdb services functionsSimo Sorce2-4/+5
also fix sysdb_svc_add declarations
2013-01-15Add domain argument to sysdb autofs functionsSimo Sorce2-11/+18
2013-01-15Add domain arguemnt to sysdb_get_real_name()Simo Sorce1-1/+2
2013-01-15Add domain argument to sysdb_idmap_ funcitonsSimo Sorce1-1/+2
2013-01-15Add domain argument to sysdb_remove_attrs()Simo Sorce1-1/+1
2013-01-15Add domain argument to sysdb_has/set_enumerated()Simo Sorce3-3/+4
2013-01-15Add domain arg to sysdb_search/delete_netgroup()Simo Sorce1-1/+1
2013-01-15Add domain argument to sysdb_delete_group()Simo Sorce2-3/+5
Also remove sysdb_delete_domgroup()
2013-01-15Add domain argument to sysdb_search_groups()Simo Sorce3-7/+12
2013-01-15Add domain argument to sysdb_delete_user()Simo Sorce2-4/+6
Also remove sysdb_delete_domuser()
2013-01-15Add domain arg to sysdb_search_users()Simo Sorce3-16/+25
2013-01-15Add domain argument to sysdb_cache_password()Simo Sorce1-0/+1
2013-01-15Add domain arg to sysdb group member functionsSimo Sorce2-7/+9
2013-01-15Add domain argument to sysdb_store_group()Simo Sorce1-3/+5
Also remove sysdb_store_domgroup()
2013-01-15Add domain argument to sysdb_store_user()Simo Sorce1-2/+3
Also remove sysdb_store_domuser()
2013-01-15Add domain arguments to sysdb_add_inetgroup fns.Simo Sorce1-1/+1
2013-01-15Add domain arguments to sysdb_add_group functions.Simo Sorce2-4/+6
2013-01-15Add domain argument to sysdb_set_user_attr()Simo Sorce2-3/+8
2013-01-15Add domain to sysdb_search_group_by_gid()Simo Sorce1-1/+1
Also remove unused sysdb_search_domgroup_by_gid()
2013-01-15Add domain to sysdb_search_group_by_name()Simo Sorce3-7/+16
Also remove unused sysdb_search_domgroup_by_name()
2013-01-15Add domain to sysdb_search_user_by_name()Simo Sorce5-15/+36
Also remove unused sysdb_search_domuser_by_name()
2013-01-15Add domain argument to sysdb_get_user_attr()Simo Sorce2-5/+6
2013-01-15Make sysdb_custom_subtree_dn() require a domain.Simo Sorce1-2/+4
2013-01-15Make sysdb_domain_dn() require a domain.Simo Sorce1-1/+1
2013-01-15Make sysdb_netgroup_base_dn() require a domain.Simo Sorce1-1/+1
2013-01-14let ldap_backup_chpass_uri workPavel Březina1-2/+4
https://fedorahosted.org/sssd/ticket/1760
2013-01-14Fix LDAP authentication - invalid password lengthPavel Březina1-1/+1
sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.
2013-01-10Change pam data auth tokens.Simo Sorce4-97/+92
Use the new authtok abstraction and interfaces throught the code.
2013-01-10Fix sdap reinit.Simo Sorce1-82/+89
This set of functions had a few important issues: 1. the base_dn was always NULL, as the base array was never actually used to construct any DN. This means each function searched the whole database multiple times. It would try to remove SYSDB_USN from all database entries 3 times. Then it would try to find non updated entries another 3 times and delete them, arguably find empty results the last 2 times. 2. Remove use of sysdb_private.h, that header is *PRIVATE* which means it should not be used anywhere but within sysdb. Do this by using existing functions instead of using ldb calls directly. This is important to keep sysdb as conistent and self-contained as possible.