summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2012-11-10Do not remove a group if it has members from subdomainsSumit Bose1-4/+15
Currently it is only checked if an expired group still has members of the local domain. If not, the group is delete from the cache. With this patch the whole cache, i.e. including subdomains, is searched for members.
2012-11-08do not default fullname to gecos when schema = adPavel Březina1-0/+14
https://fedorahosted.org/sssd/ticket/1482 When we add fullname to user_attrs, then sysdb_add_basic_user() will set fullname to gecos when it initially creates the user object in the cache, but it will be overwritten in the same transaction when sysdb_store_user() adds all the user_attrs.
2012-11-01LDAP: Better debug logging when saving groupsStephen Gallagher1-11/+75
2012-11-01LDAP: Fix off-by-one error when saving ghost usersJakub Hrozek1-1/+1
The ldb_val's length parameter should not include the terminating NULL. This was causing funky behaviour as the users were saved as binary attributes. https://fedorahosted.org/sssd/ticket/1614
2012-10-29Include talloc log in our debug facilityMichal Zidek1-1/+1
https://fedorahosted.org/sssd/ticket/1495
2012-10-24KRB5: Return error when principal selection failsJakub Hrozek1-1/+4
The ldap_child would return a NULL ccache but the error code would still indicate success. https://fedorahosted.org/sssd/ticket/1594
2012-10-24sudo refresh: handle errors properlyPavel Březina1-8/+25
We should test both ret and (dp_error, errno) pair.
2012-10-24sudo: do not fail if usn value is zero but full refresh is completedPavel Březina2-7/+19
https://fedorahosted.org/sssd/ticket/1596 In case that LDAP server contains zero sudo rules, the full refresh completes succussfully and stores current USN value (= 0). But then smart refresh will fail because it takes USN=0 as invalid value.
2012-10-15LDAP: Check validity of naming_contextJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1581 If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
2012-10-12Only call krb5_set_trace_callback on platforms that support itJakub Hrozek1-1/+1
2012-10-12Create ghost users when a user DN is encountered in IPAJakub Hrozek1-37/+276
The IPA has a defined directory tree structure that allows us to guess the username from a DN without having to look up the DN in LDAP. https://fedorahosted.org/sssd/ticket/1319
2012-10-12Collect krb5 trace on high debug levelsJakub Hrozek2-1/+25
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
2012-10-12Two fixes to child processesJakub Hrozek1-4/+5
There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.
2012-10-10Fix segfault when ID-mapping an entry without a SIDJakub Hrozek1-1/+1
If there was no SID attribute, then we would have detected it by checking the number of values of an element. We would however happily return EOK in that case and save garbage into the sid_str. This was causing segfault when the entry was supposed to be ID-mapped by had no SID.
2012-10-04Fix default upper limit of slicesOndrej Kos1-1/+1
https://fedorahosted.org/sssd/ticket/1537 changes upper limit of slices to 2000200000 in providers code and manpage.
2012-10-04Slices calculation is alway wrong for default valuesOndrej Kos1-2/+2
2012-10-04Remove unused variableJakub Hrozek1-6/+0
2012-10-03Variable in sdap_sudo_rules_refresh_send could be used, uninitialized.Michal Zidek1-0/+1
2012-10-02Flip the default value of ldap_initgroups_use_matching_rule_in_chainJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1535
2012-10-02remove left over principal selectionPavel Březina1-21/+0
https://fedorahosted.org/sssd/ticket/1303 Domain start up was taking too long when there are many principals in a kerberos keytab. We were looking up in the keytab two times. The first time we try to select a proper principal and remember it. The second call happens almost right after the first one and it is just a check if the principal exists in the keytab, without any output information other than success/failure. It is probably a left over from https://fedorahosted.org/sssd/ticket/781. This patch removes the second call.
2012-09-26LDAP: Handle empty namingContexts values safelyStephen Gallagher1-0/+8
Certain LDAP servers can return an empty string as the value of namingContexts. We need to treat these as NULL so that we can fail gracefully. https://fedorahosted.org/sssd/ticket/1542
2012-09-24SYSDB: Remove unnecessary domain parameter from several sysdb callsJakub Hrozek2-2/+2
The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
2012-09-24AUTOFS: Use both key and value in entry RDNJakub Hrozek1-2/+10
This patch switches from using just key in the RDN to using both key and value. That is neccessary to allow multiple direct mounts in a single map.
2012-09-24AUTOFS: Add entry objects below map objectsJakub Hrozek1-43/+91
https://fedorahosted.org/sssd/ticket/1506 Changes how the new autofs entry objects are handled. Instead of creating the entry on the cn=autofs,cn=custom level, the entry is created below the map it belongs to.
2012-09-24AUTOFS: Do not fail if search base is not providedJakub Hrozek1-2/+2
2012-09-24AD: Handle sysdb lookup failure during tokenGroups processingStephen Gallagher1-0/+6
2012-09-24sdap_add_incomplete_groups(): fix ret may be uninitialized warningPavel Březina1-1/+1
2012-09-24AD: Optimize initgroups lookups with tokenGroupsStephen Gallagher3-4/+313
https://fedorahosted.org/sssd/ticket/1355
2012-09-24AD: Detect domain controller compatibility versionStephen Gallagher3-0/+44
2012-09-24AD: autorid compatibility should recommend the use of default domainStephen Gallagher1-4/+4
Previously, we were failing to start if ldap_idmap_autorid_compat was True but the default domain SID was unspecified. This is the recommended configuration, but it is functional without it. There is just a slight risk that the IDs will be inconsistent between machines if the first user requested is not from the default domain. https://fedorahosted.org/sssd/ticket/1530
2012-09-20SSSD fails to store users if any of the requested attribute is empty.Michal Zidek1-0/+6
https://fedorahosted.org/sssd/ticket/1440
2012-09-20Add more debuginfo into ldap_childOndrej Kos1-23/+36
https://fedorahosted.org/sssd/ticket/1225 krb5_child already updated before. Adding more debuginfo into ldap_child. Also old debug levels rewritten into new macros.
2012-09-17Failover: use _srv_ when no primary server is definedPavel Březina1-12/+3
https://fedorahosted.org/sssd/ticket/1521
2012-09-13FO: Check server validity before setting statusJakub Hrozek2-8/+17
The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
2012-09-05Don't terminate the same connection twiceJakub Hrozek1-6/+0
https://fedorahosted.org/sssd/ticket/1488
2012-09-05Retry the next server if bind during LDAP auth times outJakub Hrozek1-1/+6
2012-08-23Fix: IPv6 address with square brackets doesn't work.Michal Zidek1-0/+7
https://fedorahosted.org/sssd/ticket/1365
2012-08-23Unify usage of sysdb transactionsMichal Zidek6-36/+93
Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
2012-08-23Clean up cache on server reinitializationPavel Březina5-4/+403
https://fedorahosted.org/sssd/ticket/734 We successfully detect when the server is reinitialized by testing the new lastUSN value. The maximum USN values are set to zero, but the current cache content remains. This patch removes records that were deleted from the server. It uses the following approach: 1. remove entryUSN attribute from all entries 2. run enumeration 3. remove records that doesn't have entryUSN attribute updated We don't need to do this for sudo rules, they will be refreshed automatically during next smart/full refresh, or when an expired rule is deleted.
2012-08-21Remove compilation warning: ret may be uninitializedPavel Březina1-0/+2
2012-08-21Process all groups from a single nesting levelJakub Hrozek1-4/+14
https://bugzilla.redhat.com/show_bug.cgi?id=846664 If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectivelly marking the whole nesting level as done.
2012-08-15Duplicate detection in fail over did not work.Michal Zidek1-1/+6
https://fedorahosted.org/sssd/ticket/1472
2012-08-10When ldap_group_nesting_level was reached, the LDAP provider tried to link ↵Michal Zidek1-1/+45
group members with groups outside nesting limit. https://fedorahosted.org/sssd/ticket/1194
2012-08-09SRV resolution for backup servers should not be permitted.Michal Zidek1-1/+9
https://fedorahosted.org/sssd/ticket/1463
2012-08-09Change default for ldap_idmap_range_min to 200000Jakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1462
2012-08-07Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OCPavel Březina2-3/+3
It does not contain name of the object class attribute but the value itself. I renamed it to avoid confusion.
2012-08-06shadow attributes can contain -1Pavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1393
2012-08-01Primary server support: new options in krb5 providerJan Zeleny3-4/+5
This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: new option in ldap providerJan Zeleny3-4/+7
This patch adds support for new config option ldap_backup_uri. The description of this option's functionality is included in man page in previous patch.
2012-08-01Primary server support: LDAP adaptationJan Zeleny3-35/+84
This patch adds support for the primary server functionality into LDAP provider. No backup servers are added at the moment, just the basic support is in place.