| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
|
|
|
The check is too restrictive as the select_principal_from_keytab can
return something else than user requested right now.
Consider that user query for host/myserver@EXAMPLE.COM, then the
select_principal_from_keytab function will return "myserver" in primary and
"EXAMPLE.COM" in realm. So the caller needs to add logic to also break
down the principal to get rid of the host/ part. The heuristics would
simply get too complex.
select_principal_from_keytab will error out anyway if there's no
suitable principal at all.
|
|
The AD and IPA initialization functions shared the same code. This patch
moves the code into a common initialization function.
|
|
Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.
Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.
|
|
|
|
The element being reallocated is part of the "group_attrs" array, not
attrs.
|
|
https://fedorahosted.org/sssd/ticket/1647
A logic bug in the LDAP provider causes an attempt to allocate a zero-length
array for group members while processing an empty group. The allocation
would return NULL and saving the empty group would fail.
|
|
Allocating temporary context on NULL helps vind memory leaks with
valgrind and avoid growing memory over time by allocating on a
long-lived context.
|
|
|
|
The connections request was terminated before setting the expiry timeout
in case no authentication was set.
https://fedorahosted.org/sssd/ticket/1649
|
|
|
|
https://fedorahosted.org/sssd/ticket/1640
Normal rules requires that sudoHost attribute is present. But this
attribute is not mandatory for a special rule named cn=defaults.
This patch modifies filter so that we store even rules that doesn't
have sudoHost attribute specified. SUDO will then decide whether it
is allowed or not.
|
|
https://fedorahosted.org/sssd/ticket/1376
|
|
Currently it is only checked if an expired group still has members of
the local domain. If not, the group is delete from the cache. With this
patch the whole cache, i.e. including subdomains, is searched for
members.
|
|
https://fedorahosted.org/sssd/ticket/1482
When we add fullname to user_attrs, then sysdb_add_basic_user()
will set fullname to gecos when it initially creates the user
object in the cache, but it will be overwritten in the same
transaction when sysdb_store_user() adds all the user_attrs.
|
|
|
|
The ldb_val's length parameter should not include the terminating NULL.
This was causing funky behaviour as the users were saved as binary
attributes.
https://fedorahosted.org/sssd/ticket/1614
|
|
https://fedorahosted.org/sssd/ticket/1495
|
|
The ldap_child would return a NULL ccache but the error code would still
indicate success.
https://fedorahosted.org/sssd/ticket/1594
|
|
We should test both ret and (dp_error, errno) pair.
|
|
https://fedorahosted.org/sssd/ticket/1596
In case that LDAP server contains zero sudo rules, the full refresh
completes succussfully and stores current USN value (= 0). But then
smart refresh will fail because it takes USN=0 as invalid value.
|
|
https://fedorahosted.org/sssd/ticket/1581
If the namingContext attribute had no values or multiple values, then
our code would dereference a NULL pointer.
|
|
|
|
The IPA has a defined directory tree structure that allows us to guess
the username from a DN without having to look up the DN in LDAP.
https://fedorahosted.org/sssd/ticket/1319
|
|
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also
include tracing information from libkrb5.
https://fedorahosted.org/sssd/ticket/1539
|
|
There was an unused structure member in the krb5_child.
Declaration of __krb5_error_msg was shadowing the same variable from
sss_krb5.h which is not nice. Also we might actually use the error
context directly instead of passing it as parameter.
|
|
If there was no SID attribute, then we would have detected it by
checking the number of values of an element. We would however happily
return EOK in that case and save garbage into the sid_str.
This was causing segfault when the entry was supposed to be ID-mapped by
had no SID.
|
|
https://fedorahosted.org/sssd/ticket/1537
changes upper limit of slices to 2000200000 in providers code and
manpage.
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1535
|
|
https://fedorahosted.org/sssd/ticket/1303
Domain start up was taking too long when there are many principals
in a kerberos keytab. We were looking up in the keytab two times.
The first time we try to select a proper principal and remember it.
The second call happens almost right after the first one and
it is just a check if the principal exists in the keytab, without
any output information other than success/failure. It is
probably a left over from https://fedorahosted.org/sssd/ticket/781.
This patch removes the second call.
|
|
Certain LDAP servers can return an empty string as the value of
namingContexts. We need to treat these as NULL so that we can fail
gracefully.
https://fedorahosted.org/sssd/ticket/1542
|
|
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
|
This patch switches from using just key in the RDN to using both key and
value. That is neccessary to allow multiple direct mounts in a single
map.
|
|
https://fedorahosted.org/sssd/ticket/1506
Changes how the new autofs entry objects are handled. Instead of
creating the entry on the cn=autofs,cn=custom level, the entry is
created below the map it belongs to.
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1355
|
|
|
|
Previously, we were failing to start if ldap_idmap_autorid_compat
was True but the default domain SID was unspecified. This is the
recommended configuration, but it is functional without it. There
is just a slight risk that the IDs will be inconsistent between
machines if the first user requested is not from the default
domain.
https://fedorahosted.org/sssd/ticket/1530
|
|
https://fedorahosted.org/sssd/ticket/1440
|
|
https://fedorahosted.org/sssd/ticket/1225
krb5_child already updated before. Adding more debuginfo into
ldap_child. Also old debug levels rewritten into new macros.
|
|
https://fedorahosted.org/sssd/ticket/1521
|
|
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
https://fedorahosted.org/sssd/ticket/1488
|
|
|
