summaryrefslogtreecommitdiff
path: root/src/providers/ldap
AgeCommit message (Collapse)AuthorFilesLines
2012-12-04Use an entry type mask macro to filter entry typesSimo Sorce1-1/+1
Avoids hardcoding magic numbers everywhere and self documents why a mask is being applied.
2012-12-04Indentation fixJakub Hrozek1-5/+2
2012-12-02warn user if password is about to expirePavel Březina1-3/+4
https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
2012-11-28idmap: Silence DEBUG messages when dealing with built-in SIDs.Michal Zidek4-79/+108
When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
2012-11-23LDAP: fix uninitialized variableOndrej Kos1-1/+1
initialized variable, was causing build warning
2012-11-20LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek2-8/+38
https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
2012-11-19LDAP: Make it possible to use full principal in ldap_sasl_authid againJakub Hrozek1-4/+16
2012-11-19LDAP: Checking the principal should not be considered fatalJakub Hrozek1-6/+10
The check is too restrictive as the select_principal_from_keytab can return something else than user requested right now. Consider that user query for host/myserver@EXAMPLE.COM, then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
2012-11-19LDAP: Provide a common sdap_set_sasl_options init functionJakub Hrozek2-0/+79
The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
2012-11-19Do not save HBAC rules in subdomain subtreeSumit Bose1-3/+16
Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
2012-11-19LDAP: Refactor saving ghost usersJakub Hrozek1-88/+99
2012-11-19LDAP: use the correct memory contextJakub Hrozek1-1/+1
The element being reallocated is part of the "group_attrs" array, not attrs.
2012-11-19LDAP: Fix saving empty groupsJakub Hrozek1-2/+4
https://fedorahosted.org/sssd/ticket/1647 A logic bug in the LDAP provider causes an attempt to allocate a zero-length array for group members while processing an empty group. The allocation would return NULL and saving the empty group would fail.
2012-11-19LDAP: Allocate the temporary context on NULL, not memctxJakub Hrozek1-1/+1
Allocating temporary context on NULL helps vind memory leaks with valgrind and avoid growing memory over time by allocating on a long-lived context.
2012-11-19LDAP: Remove double breakJakub Hrozek1-1/+0
2012-11-18LDAP: Expire even non authenticated connectionsJakub Hrozek1-8/+11
The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649
2012-11-16fix -O3 variable may be uninitialized warningsPavel Březina2-6/+6
2012-11-15sudo: store rules with no sudoHost attributePavel Březina1-0/+7
https://fedorahosted.org/sssd/ticket/1640 Normal rules requires that sudoHost attribute is present. But this attribute is not mandatory for a special rule named cn=defaults. This patch modifies filter so that we store even rules that doesn't have sudoHost attribute specified. SUDO will then decide whether it is allowed or not.
2012-11-15Add ignore_group_members option.Paul B. Henson2-2/+13
https://fedorahosted.org/sssd/ticket/1376
2012-11-10Do not remove a group if it has members from subdomainsSumit Bose1-4/+15
Currently it is only checked if an expired group still has members of the local domain. If not, the group is delete from the cache. With this patch the whole cache, i.e. including subdomains, is searched for members.
2012-11-08do not default fullname to gecos when schema = adPavel Březina1-0/+14
https://fedorahosted.org/sssd/ticket/1482 When we add fullname to user_attrs, then sysdb_add_basic_user() will set fullname to gecos when it initially creates the user object in the cache, but it will be overwritten in the same transaction when sysdb_store_user() adds all the user_attrs.
2012-11-01LDAP: Better debug logging when saving groupsStephen Gallagher1-11/+75
2012-11-01LDAP: Fix off-by-one error when saving ghost usersJakub Hrozek1-1/+1
The ldb_val's length parameter should not include the terminating NULL. This was causing funky behaviour as the users were saved as binary attributes. https://fedorahosted.org/sssd/ticket/1614
2012-10-29Include talloc log in our debug facilityMichal Zidek1-1/+1
https://fedorahosted.org/sssd/ticket/1495
2012-10-24KRB5: Return error when principal selection failsJakub Hrozek1-1/+4
The ldap_child would return a NULL ccache but the error code would still indicate success. https://fedorahosted.org/sssd/ticket/1594
2012-10-24sudo refresh: handle errors properlyPavel Březina1-8/+25
We should test both ret and (dp_error, errno) pair.
2012-10-24sudo: do not fail if usn value is zero but full refresh is completedPavel Březina2-7/+19
https://fedorahosted.org/sssd/ticket/1596 In case that LDAP server contains zero sudo rules, the full refresh completes succussfully and stores current USN value (= 0). But then smart refresh will fail because it takes USN=0 as invalid value.
2012-10-15LDAP: Check validity of naming_contextJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1581 If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
2012-10-12Only call krb5_set_trace_callback on platforms that support itJakub Hrozek1-1/+1
2012-10-12Create ghost users when a user DN is encountered in IPAJakub Hrozek1-37/+276
The IPA has a defined directory tree structure that allows us to guess the username from a DN without having to look up the DN in LDAP. https://fedorahosted.org/sssd/ticket/1319
2012-10-12Collect krb5 trace on high debug levelsJakub Hrozek2-1/+25
If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
2012-10-12Two fixes to child processesJakub Hrozek1-4/+5
There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.
2012-10-10Fix segfault when ID-mapping an entry without a SIDJakub Hrozek1-1/+1
If there was no SID attribute, then we would have detected it by checking the number of values of an element. We would however happily return EOK in that case and save garbage into the sid_str. This was causing segfault when the entry was supposed to be ID-mapped by had no SID.
2012-10-04Fix default upper limit of slicesOndrej Kos1-1/+1
https://fedorahosted.org/sssd/ticket/1537 changes upper limit of slices to 2000200000 in providers code and manpage.
2012-10-04Slices calculation is alway wrong for default valuesOndrej Kos1-2/+2
2012-10-04Remove unused variableJakub Hrozek1-6/+0
2012-10-03Variable in sdap_sudo_rules_refresh_send could be used, uninitialized.Michal Zidek1-0/+1
2012-10-02Flip the default value of ldap_initgroups_use_matching_rule_in_chainJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1535
2012-10-02remove left over principal selectionPavel Březina1-21/+0
https://fedorahosted.org/sssd/ticket/1303 Domain start up was taking too long when there are many principals in a kerberos keytab. We were looking up in the keytab two times. The first time we try to select a proper principal and remember it. The second call happens almost right after the first one and it is just a check if the principal exists in the keytab, without any output information other than success/failure. It is probably a left over from https://fedorahosted.org/sssd/ticket/781. This patch removes the second call.
2012-09-26LDAP: Handle empty namingContexts values safelyStephen Gallagher1-0/+8
Certain LDAP servers can return an empty string as the value of namingContexts. We need to treat these as NULL so that we can fail gracefully. https://fedorahosted.org/sssd/ticket/1542
2012-09-24SYSDB: Remove unnecessary domain parameter from several sysdb callsJakub Hrozek2-2/+2
The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
2012-09-24AUTOFS: Use both key and value in entry RDNJakub Hrozek1-2/+10
This patch switches from using just key in the RDN to using both key and value. That is neccessary to allow multiple direct mounts in a single map.
2012-09-24AUTOFS: Add entry objects below map objectsJakub Hrozek1-43/+91
https://fedorahosted.org/sssd/ticket/1506 Changes how the new autofs entry objects are handled. Instead of creating the entry on the cn=autofs,cn=custom level, the entry is created below the map it belongs to.
2012-09-24AUTOFS: Do not fail if search base is not providedJakub Hrozek1-2/+2
2012-09-24AD: Handle sysdb lookup failure during tokenGroups processingStephen Gallagher1-0/+6
2012-09-24sdap_add_incomplete_groups(): fix ret may be uninitialized warningPavel Březina1-1/+1
2012-09-24AD: Optimize initgroups lookups with tokenGroupsStephen Gallagher3-4/+313
https://fedorahosted.org/sssd/ticket/1355
2012-09-24AD: Detect domain controller compatibility versionStephen Gallagher3-0/+44
2012-09-24AD: autorid compatibility should recommend the use of default domainStephen Gallagher1-4/+4
Previously, we were failing to start if ldap_idmap_autorid_compat was True but the default domain SID was unspecified. This is the recommended configuration, but it is functional without it. There is just a slight risk that the IDs will be inconsistent between machines if the first user requested is not from the default domain. https://fedorahosted.org/sssd/ticket/1530
2012-09-20SSSD fails to store users if any of the requested attribute is empty.Michal Zidek1-0/+6
https://fedorahosted.org/sssd/ticket/1440