summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2012-07-16Fixed wrong number in shadowLastChangeJan Zeleny1-1/+2
The attribute is supposed to contain number of days since the epoch, not the number of seconds.
2012-07-09Fix incorrect error-checkStephen Gallagher1-1/+1
Coverity #12770
2012-07-09Fix potential NULL-dereferenceStephen Gallagher1-1/+3
Coverity #12797
2012-07-09Fix uninitialized variableStephen Gallagher1-0/+1
Coverity #12802
2012-07-06Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8Stef Walter1-15/+0
* This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
2012-07-06LDAP: Rename user and group maps for ADStephen Gallagher2-4/+4
This will eliminate ambiguity for the AD provider
2012-07-06KRB5: Drop memctx parameter of krb5_try_kdcipStephen Gallagher1-1/+1
This function is not supposed to return any newly-allocated memory directly. It was actually leaking the memory for krb5_servers if krb5_kdcip was being used, though it was undetectable because it was allocated on the provided memctx. This patch removes the memctx parameter and allocates krb5_servers temporarily on NULL and ensures that it is freed on all exit conditions. It is not necessary to retain this memory, as dp_opt_set_string() performs a talloc_strdup onto the appropriate context internally. It also updates the DEBUG messages for this function to the appropriate new macro levels.
2012-07-06Fix crash when interface doesn't have an addressStef Walter1-0/+3
* This is similar to the code in ipa_dyndns_update_send()
2012-07-02LDAP: Print extended failure message for SASL bindStephen Gallagher1-2/+14
2012-06-30Fix segfault when sudo is not configured.Simo Sorce1-1/+2
Sudo support is optional, when it is not configured sudorules_map is not initialized and dereferencing it will cause a segmentation fault.
2012-06-29sudo ldap provider: support autoconfiguration of IP addressesPavel Březina1-1/+179
sudoHost attribute may contain IPv4 or IPv6 host/network address. This patch adds support for autoconfiguration of these information.
2012-06-29sudo ldap provider: do per-host updatesPavel Březina1-3/+160
Add host information to LDAP filters.
2012-06-29sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as staticPavel Březina1-2/+2
2012-06-29sudo ldap provider: load host filter configuration on initPavel Březina5-5/+185
We need to load host information during provider initialization. Currently it loads only values from configuration files, but it is implemented as an asynchrounous request as it will later try to autodetect these settings (which will need to contact DNS).
2012-06-29sudo: add host info optionsPavel Březina2-0/+10
Adds some option that allows to manually configure a host filter. ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost
2012-06-29sudo ldap provider: pass sudo_ctx instead of id_ctxPavel Březina3-45/+73
I had to create a new context structure to store additional information such as ip addresses and hostnames.
2012-06-29sdap_sudo.c: move _recv after _donePavel Březina1-45/+45
2012-06-29sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done()Pavel Březina1-3/+14
2012-06-29sudo ldap provider: notify responder when an expired rule has been deletedPavel Březina1-11/+76
When an expired rule is not present on the server server during specific rule refresh, the provider will notify the sudo responder that it has been deleted. Because there is a high probability that some other rules were deleted from the server as well, we want to remove them from sysdb as soon as possible. Once the responder is notified, it will schedule an out of band full refresh. This is issued by responder, because we already have a mechanism that prohibits creation of similar request (i.e. once the OOB full refresh is scheduled, there won't be another). The notification is done by returning: DP error = DP_ERR_OK, error = ENOENT
2012-06-29sudo ldap provider: return number of downloaded rules in ↵Pavel Březina3-6/+16
sdap_sudo_refresh_recv()
2012-06-29sudo ldap provider: support periodical smart refreshPavel Březina1-73/+177
When SSSD is started, then full refresh is scheduled. The smart refresh is scheduled after this full refresh, if USN (or modifyTimestamp) values are available. If full refresh interval <= smart refresh interval then full refresh will be disabled. If both refresh types are 0 then smart refresh interval is set to default value.
2012-06-29sudo ldap provider: add periodical smart refresh APIPavel Březina1-0/+63
2012-06-29sudo provider: add ldap_sudo_smart_refresh_intervalPavel Březina2-0/+2
2012-06-29sudo ldap provider: when sysdb filter is NULL remove downloaded rulesPavel Březina1-5/+61
2012-06-29sudo ldap provider: add smart refresh APIPavel Březina1-0/+128
2012-06-29sudo ldap provider: remember highest usn after full refreshPavel Březina1-1/+9
2012-06-29sudo ldap provider: add sdap_sudo_set_usn()Pavel Březina1-0/+22
2012-06-29sudo ldap provider: find highest USNPavel Březina5-22/+113
2012-06-29ldap provider: add sudo usn valuePavel Březina5-0/+11
2012-06-29sudo ldap provider: support periodical full refreshPavel Březina1-0/+129
2012-06-29sudo ldap provider: add new timer APIPavel Březina2-0/+194
2012-06-29sudo provider: remove old timerPavel Březina5-349/+0
2012-06-29sudo provider: add ldap_sudo_full_refresh_intervalPavel Březina2-0/+2
2012-06-29sudo ldap provider: add support for on demand refresh of specific rulesPavel Březina1-0/+8
2012-06-29sudo ldap provider: provide API for refresh of specific rulesPavel Březina1-0/+93
2012-06-29sudo ldap provider: add support for on demand full refreshPavel Březina1-16/+25
2012-06-29sudo ldap provider: provide API for full refreshPavel Březina2-1/+126
2012-06-29sudo ldap provider: add expiration time to each rulePavel Březina3-8/+30
2012-06-29sudo ldap provider: add domain info in sdap_sudo_refresh_statePavel Březina1-0/+2
2012-06-29sudo ldap provider: add sysdb ctx in sdap_sudo_refresh_statePavel Březina1-7/+7
2012-06-29sudo ldap provider: give sdap_sudo_refresh_send() search and purge filtersPavel Březina4-278/+93
2012-06-29sudo ldap provider: move async routines to sdap_async_sudo.cPavel Březina2-675/+710
2012-06-20Move some debug lines to new debug log levelsStef Walter2-2/+2
* These are common lines of debug output when starting up sssd https://bugzilla.redhat.com/show_bug.cgi?id=811113
2012-06-20Fix possible segfault in sdap_save_group()Jan Zeleny1-2/+11
2012-06-15LDAP: Fix missing variable in debug messageStephen Gallagher1-1/+1
2012-06-15Fixed debug message in sdap_save_group()Jan Zeleny1-1/+1
2012-06-14Provide more debugging in krb5_child and ldap_childJakub Hrozek1-1/+8
https://fedorahosted.org/sssd/ticket/1225
2012-06-13Fix an issue in ghost usersJan Zeleny1-75/+47
There was an issue with ghost members in nested groups. Consider a scenario with two groups A and B, B being member of A and having some ghost members. In such case SSSD stored both groups, then added membership between them and then added ghost members to the group B. The problem was that adding ghost members to group B didn't propagate these ghost members to group A. This functionality could have been solved by memberof plugin but the logic is far more complicated that changes this patch introduces. The change is simple: add ghost members at the same time as the group is created, even if groups are supposed to be stored in two passes. That way ghost members will be present at the time A -> B membership is created and they will be propagated as expected.
2012-06-13LDAP: Auto-detect support for the ldap match ruleStephen Gallagher6-5/+107
This patch extends the RootDSE lookup so that we will perform a second request to test whether the match rule syntax can be used. If both groups and initgroups are disabled in the configuration, this lookup request can be skipped.
2012-06-13LDAP: Add support for AD chain matching extension in initgroupsStephen Gallagher3-9/+325