summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2012-09-20Add more debuginfo into ldap_childOndrej Kos1-23/+36
https://fedorahosted.org/sssd/ticket/1225 krb5_child already updated before. Adding more debuginfo into ldap_child. Also old debug levels rewritten into new macros.
2012-09-17Failover: use _srv_ when no primary server is definedPavel Březina1-12/+3
https://fedorahosted.org/sssd/ticket/1521
2012-09-13FO: Check server validity before setting statusJakub Hrozek2-8/+17
The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
2012-09-05Don't terminate the same connection twiceJakub Hrozek1-6/+0
https://fedorahosted.org/sssd/ticket/1488
2012-09-05Retry the next server if bind during LDAP auth times outJakub Hrozek1-1/+6
2012-08-23Fix: IPv6 address with square brackets doesn't work.Michal Zidek1-0/+7
https://fedorahosted.org/sssd/ticket/1365
2012-08-23Unify usage of sysdb transactionsMichal Zidek6-36/+93
Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
2012-08-23Clean up cache on server reinitializationPavel Březina5-4/+403
https://fedorahosted.org/sssd/ticket/734 We successfully detect when the server is reinitialized by testing the new lastUSN value. The maximum USN values are set to zero, but the current cache content remains. This patch removes records that were deleted from the server. It uses the following approach: 1. remove entryUSN attribute from all entries 2. run enumeration 3. remove records that doesn't have entryUSN attribute updated We don't need to do this for sudo rules, they will be refreshed automatically during next smart/full refresh, or when an expired rule is deleted.
2012-08-21Remove compilation warning: ret may be uninitializedPavel Březina1-0/+2
2012-08-21Process all groups from a single nesting levelJakub Hrozek1-4/+14
https://bugzilla.redhat.com/show_bug.cgi?id=846664 If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectivelly marking the whole nesting level as done.
2012-08-15Duplicate detection in fail over did not work.Michal Zidek1-1/+6
https://fedorahosted.org/sssd/ticket/1472
2012-08-10When ldap_group_nesting_level was reached, the LDAP provider tried to link ↵Michal Zidek1-1/+45
group members with groups outside nesting limit. https://fedorahosted.org/sssd/ticket/1194
2012-08-09SRV resolution for backup servers should not be permitted.Michal Zidek1-1/+9
https://fedorahosted.org/sssd/ticket/1463
2012-08-09Change default for ldap_idmap_range_min to 200000Jakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1462
2012-08-07Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OCPavel Březina2-3/+3
It does not contain name of the object class attribute but the value itself. I renamed it to avoid confusion.
2012-08-06shadow attributes can contain -1Pavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1393
2012-08-01Primary server support: new options in krb5 providerJan Zeleny3-4/+5
This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: new option in ldap providerJan Zeleny3-4/+7
This patch adds support for new config option ldap_backup_uri. The description of this option's functionality is included in man page in previous patch.
2012-08-01Primary server support: LDAP adaptationJan Zeleny3-35/+84
This patch adds support for the primary server functionality into LDAP provider. No backup servers are added at the moment, just the basic support is in place.
2012-08-01Primary server support: support for "disconnecting" connections in LDAPJan Zeleny1-4/+37
This patch adds support for marking existing connections as being disconnected. Each such connection can't be used for new queries and a new one has to be created instead if necessary. This will ensure that pending operations will end gracefully during reconnection. Also all new queries to the server we are reconnecting to will use another (probably newly created) connection.
2012-08-01Primary server support: basic support in failover codeJan Zeleny1-2/+2
Now there are two list of servers for each service. If currently selected server is only backup, then an event will be scheduled which tries to get connection to one of primary servers and if it succeeds, it starts using this server instead of the one which is currently connected to.
2012-07-31Unbreak SASLPavel Březina1-9/+12
Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data type of sasl_minssf from int to ber_len_t. Unfortunately, default value of ldap_sasl_minssf is -1 but ber_len_t is defined as unsigned long. This made SASL mechanism inoperative.
2012-07-30sudo ldap provider: support autoconfiguration of hostnamesPavel Březina1-6/+275
https://fedorahosted.org/sssd/ticket/1420 sudoHost attribute may contain hostname or fqdn of the machine. Sudo itself supports only one hostname and its fqdn - the one that is returned by gethostbyname(). This patch implements autoconfiguration of hostname and fqdn if it has not been set manually by ldap_sudo_hostnames option.
2012-07-23sdap_sudo.c: add missing end of line in few debug messagesPavel Březina1-3/+3
2012-07-18Fix uninitialized valuesNick Guay3-8/+8
https://fedorahosted.org/sssd/ticket/1379
2012-07-18LDAP: Properly cast type for MINSSF valueJan Vcelak1-11/+9
2012-07-16Fixed wrong number in shadowLastChangeJan Zeleny1-1/+2
The attribute is supposed to contain number of days since the epoch, not the number of seconds.
2012-07-09Fix incorrect error-checkStephen Gallagher1-1/+1
Coverity #12770
2012-07-09Fix potential NULL-dereferenceStephen Gallagher1-1/+3
Coverity #12797
2012-07-09Fix uninitialized variableStephen Gallagher1-0/+1
Coverity #12802
2012-07-06Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8Stef Walter1-15/+0
* This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
2012-07-06LDAP: Rename user and group maps for ADStephen Gallagher2-4/+4
This will eliminate ambiguity for the AD provider
2012-07-06KRB5: Drop memctx parameter of krb5_try_kdcipStephen Gallagher1-1/+1
This function is not supposed to return any newly-allocated memory directly. It was actually leaking the memory for krb5_servers if krb5_kdcip was being used, though it was undetectable because it was allocated on the provided memctx. This patch removes the memctx parameter and allocates krb5_servers temporarily on NULL and ensures that it is freed on all exit conditions. It is not necessary to retain this memory, as dp_opt_set_string() performs a talloc_strdup onto the appropriate context internally. It also updates the DEBUG messages for this function to the appropriate new macro levels.
2012-07-06Fix crash when interface doesn't have an addressStef Walter1-0/+3
* This is similar to the code in ipa_dyndns_update_send()
2012-07-02LDAP: Print extended failure message for SASL bindStephen Gallagher1-2/+14
2012-06-30Fix segfault when sudo is not configured.Simo Sorce1-1/+2
Sudo support is optional, when it is not configured sudorules_map is not initialized and dereferencing it will cause a segmentation fault.
2012-06-29sudo ldap provider: support autoconfiguration of IP addressesPavel Březina1-1/+179
sudoHost attribute may contain IPv4 or IPv6 host/network address. This patch adds support for autoconfiguration of these information.
2012-06-29sudo ldap provider: do per-host updatesPavel Březina1-3/+160
Add host information to LDAP filters.
2012-06-29sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as staticPavel Březina1-2/+2
2012-06-29sudo ldap provider: load host filter configuration on initPavel Březina5-5/+185
We need to load host information during provider initialization. Currently it loads only values from configuration files, but it is implemented as an asynchrounous request as it will later try to autodetect these settings (which will need to contact DNS).
2012-06-29sudo: add host info optionsPavel Březina2-0/+10
Adds some option that allows to manually configure a host filter. ldap_sudo_use_host_filter - if false, we will download all rules regardless their sudoHost attribute ldap_sudo_hostnames - list hostnames and/or fqdn that should be downloaded, separated with spaces ldap_sudo_ip - list of IPv4/6 address and/or network that should be downloaded, separated with spaces ldap_sudo_include_netgroups - include rules that contains netgroup in sudoHost ldap_sudo_include_regexp - include rules that contains regular expression in sudoHost
2012-06-29sudo ldap provider: pass sudo_ctx instead of id_ctxPavel Březina3-45/+73
I had to create a new context structure to store additional information such as ip addresses and hostnames.
2012-06-29sdap_sudo.c: move _recv after _donePavel Březina1-45/+45
2012-06-29sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done()Pavel Březina1-3/+14
2012-06-29sudo ldap provider: notify responder when an expired rule has been deletedPavel Březina1-11/+76
When an expired rule is not present on the server server during specific rule refresh, the provider will notify the sudo responder that it has been deleted. Because there is a high probability that some other rules were deleted from the server as well, we want to remove them from sysdb as soon as possible. Once the responder is notified, it will schedule an out of band full refresh. This is issued by responder, because we already have a mechanism that prohibits creation of similar request (i.e. once the OOB full refresh is scheduled, there won't be another). The notification is done by returning: DP error = DP_ERR_OK, error = ENOENT
2012-06-29sudo ldap provider: return number of downloaded rules in ↵Pavel Březina3-6/+16
sdap_sudo_refresh_recv()
2012-06-29sudo ldap provider: support periodical smart refreshPavel Březina1-73/+177
When SSSD is started, then full refresh is scheduled. The smart refresh is scheduled after this full refresh, if USN (or modifyTimestamp) values are available. If full refresh interval <= smart refresh interval then full refresh will be disabled. If both refresh types are 0 then smart refresh interval is set to default value.
2012-06-29sudo ldap provider: add periodical smart refresh APIPavel Březina1-0/+63
2012-06-29sudo provider: add ldap_sudo_smart_refresh_intervalPavel Březina2-0/+2
2012-06-29sudo ldap provider: when sysdb filter is NULL remove downloaded rulesPavel Březina1-5/+61