summaryrefslogtreecommitdiff
path: root/src/providers
AgeCommit message (Collapse)AuthorFilesLines
2012-12-18sudo: schedule another full refresh in short interval if the first failsPavel Březina2-0/+28
https://fedorahosted.org/sssd/ticket/1689 If the first full refresh of sudo rules fails because the data provider is offline, we will schedule another one in 2, 4, ... minutes.
2012-12-18check dp error in sdap_sudo_full_refresh_done()Pavel Březina1-3/+8
https://fedorahosted.org/sssd/ticket/1689
2012-12-18add sdap_sudo_schedule_refresh()Pavel Březina2-43/+77
Reduces amount of code duplication.
2012-12-18try primary server after retry_timeout + 1 seconds when switching to backupPavel Březina3-1/+13
https://fedorahosted.org/sssd/ticket/1679 The problem is when we are about to reset the server status, we don't get through the timeout (30 seconds) because the "switch to primary server" task is scheduled 30 seconds after fall back to a backup server. Thus the server status remains "not working" and is resetted after another 30 seconds. We need to make sure that the server status is tried after the timeout period. retry_timeout is currently hardcoded to 30, thus the change in man page.
2012-12-17PROXY: fix groups cachingOndrej Kos1-0/+6
https://fedorahosted.org/sssd/ticket/1685 Properly react on deleting group which was not found in sysdb.
2012-12-15let ldap_chpass_uri failover work when using same hostnamePavel Březina1-11/+4
https://fedorahosted.org/sssd/ticket/1699 We want to continue with the next server on all errors, not only on ETIMEDOUT. This particullar ticket was dealing with ECONNREFUSED.
2012-12-11sudo: don't get stuck in rules and smart refresh when offlinePavel Březina1-4/+14
https://fedorahosted.org/sssd/ticket/1682 The problem was in following code: if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) { tevent_req_error(req, ret); return; } In situation when data provider error occurs (e.g. when offline), ret == EOK but dp_error != DP_ERR_OK and we take the true branch. This results in calling tevent_req_error(req, EOK). Unfortunately, with EOK tevent_req_error only returns false, but does not trigger callback and this tevent request hangs forever, because no tevent_req_done(req) is called.
2012-12-10LDAP: remove dead assignmentJakub Hrozek1-1/+0
2012-12-10let krb5_kpasswd failover workPavel Březina1-3/+7
https://fedorahosted.org/sssd/ticket/1680 There were two errors: 1. kr->kpasswd_srv was never set 2. bad service name (KERBEROS) was provided when setting port status, thus the port status never changed
2012-12-10PROXY: fix negative cacheOndrej Kos1-20/+24
https://fedorahosted.org/sssd/ticket/1685 The PROXY provider wasn't storing credentials to negative cache due to bad return value. This was delegated from attempt to delete these credentials from local cache. Therefore ENOENT is replaced as EOK.
2012-12-07SUDO: strdup the input variableJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1701
2012-12-05Fix comment on wrong lineSimo Sorce1-1/+1
2012-12-05LDAP: Continue adjusting group membership even if there is nothing to addJakub Hrozek1-2/+1
https://fedorahosted.org/sssd/ticket/1695
2012-12-05Add backchannel NSS provider query on initgr callsSimo Sorce1-0/+165
This is needed in order to assure the memcache is properly and promptly cleaned up if a user memberships change on login. The list of the current groups for the user is sourced before it is updated and sent to the NSS provider to verify if it has changed after the update call has been made.
2012-12-05Hook for mmap cache update on initgroup callsSimo Sorce1-0/+1
This set of functions enumerate the user's groups and invalidate them all if the list does not matches what we get from the caller.
2012-12-05Hook to perform a mmap cache update from sssd_nssSimo Sorce1-0/+6
This set of functions enumerate each user/group from all domains and invalidate any mmap cache record that matches.
2012-12-04Use an entry type mask macro to filter entry typesSimo Sorce5-5/+6
Avoids hardcoding magic numbers everywhere and self documents why a mask is being applied.
2012-12-04Streamline ipa_account_info handlerSimo Sorce1-74/+55
In particular note that we merge ipa_account_info_netgroups_done() and ipa_account_info_users_done() into a single fucntion called ipa_account_info_done() that handles both cases We also remove the auxiliary function ipa_account_info_complete() that unnecessarily violates the tevent_req style and instead use a new function named ipa_account_info_error_text() to generate error text.
2012-12-04Fix tevent_req style for get_netgroup in ipa_idSimo Sorce1-80/+71
Also do not intermix two tevent_req sequences
2012-12-04Fix ipa_subdomain_id names and tevent_req styleSimo Sorce3-52/+36
2012-12-04Fix tevent_req style for krb5_authSimo Sorce4-371/+334
No functionality changes, just make the code respect the tevent_req style and naming conventions and enhance readability by adding some helper functions.
2012-12-04Missing parameter in DEBUG message.Michal Zidek1-1/+2
2012-12-04Indentation fixJakub Hrozek1-5/+2
2012-12-02warn user if password is about to expirePavel Březina1-3/+4
https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
2012-12-02IPA: Handle bad results from c-ares lookupStephen Gallagher1-1/+11
In some situations, the c-ares lookup can return NULL instead of a list of addresses. In this situation, we need to avoid dereferencing NULL. This patch adds a log message and sets the count to zero so it is handled appropriately below.
2012-11-28idmap: Silence DEBUG messages when dealing with built-in SIDs.Michal Zidek4-79/+108
When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
2012-11-26Save errno before it might be modified.Simo Sorce1-8/+16
The DEBUG() macro may, at any time, change and start calling functions that touch errno. Save errno before logging and then return the saved error.
2012-11-23LDAP: fix uninitialized variableOndrej Kos1-1/+1
initialized variable, was causing build warning
2012-11-20fix SIGSEGV in IPA provider when ldap_sasl_authid is not setPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1657 IPA_HOSTNAME is not stored in ipa_opts->id options so it the option was always NULL here. This caused SIGSEGV when accessed by strchr() in subsequent function.
2012-11-20LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek4-9/+39
https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
2012-11-19Disable canonicalization during password changesSumit Bose1-2/+43
If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615
2012-11-19Fix compare_principal_realm() checkSumit Bose1-9/+3
In case of a short UPN compare_principal_realm() erroneously returns an error.
2012-11-19Just use the service name with krb5_get_init_creds_password()Sumit Bose1-24/+2
Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
2012-11-19LDAP: Make it possible to use full principal in ldap_sasl_authid againJakub Hrozek1-4/+16
2012-11-19LDAP: Checking the principal should not be considered fatalJakub Hrozek1-6/+10
The check is too restrictive as the select_principal_from_keytab can return something else than user requested right now. Consider that user query for host/myserver@EXAMPLE.COM, then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
2012-11-19LDAP: Provide a common sdap_set_sasl_options init functionJakub Hrozek4-91/+95
The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
2012-11-19Do not save HBAC rules in subdomain subtreeSumit Bose3-16/+32
Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
2012-11-19Refactor the way subdomain accounts are savedSimo Sorce2-4/+61
The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
2012-11-19LDAP: Refactor saving ghost usersJakub Hrozek1-88/+99
2012-11-19LDAP: use the correct memory contextJakub Hrozek1-1/+1
The element being reallocated is part of the "group_attrs" array, not attrs.
2012-11-19LDAP: Fix saving empty groupsJakub Hrozek1-2/+4
https://fedorahosted.org/sssd/ticket/1647 A logic bug in the LDAP provider causes an attempt to allocate a zero-length array for group members while processing an empty group. The allocation would return NULL and saving the empty group would fail.
2012-11-19LDAP: Allocate the temporary context on NULL, not memctxJakub Hrozek1-1/+1
Allocating temporary context on NULL helps vind memory leaks with valgrind and avoid growing memory over time by allocating on a long-lived context.
2012-11-19LDAP: Remove double breakJakub Hrozek1-1/+0
2012-11-18LDAP: Expire even non authenticated connectionsJakub Hrozek1-8/+11
The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649
2012-11-16fix -O3 variable may be uninitialized warningsPavel Březina2-6/+6
2012-11-15sudo: store rules with no sudoHost attributePavel Březina1-0/+7
https://fedorahosted.org/sssd/ticket/1640 Normal rules requires that sudoHost attribute is present. But this attribute is not mandatory for a special rule named cn=defaults. This patch modifies filter so that we store even rules that doesn't have sudoHost attribute specified. SUDO will then decide whether it is allowed or not.
2012-11-15Add ignore_group_members option.Paul B. Henson2-2/+13
https://fedorahosted.org/sssd/ticket/1376
2012-11-14Run IPA subdomain provider if IPA ID provider is configuredSumit Bose2-2/+69
To make configuration easier the IPA subdomain provider should be always loaded if the IPA ID provider is configured and the subdomain provider is not explicitly disabled. But to avoid the overhead of regular subdomain requests in setups where no subdomains are used the IPA subdomain provider should behave differently if configured explicit or implicit. If the IPA subdomain provider is configured explicitly, i.e. 'subdomains_provider = ipa' can be found in the domain section of sssd.conf subdomain request are always send to the server if needed. If it is configured implicitly and a request to the server fails with an indication that the server currently does not support subdomains at all, e.g. is not configured to handle trust relationships, a new request will be only send to the server after a long timeout or after a going-online event. To be able to make this distinction this patch save the configuration status to the subdomain context. Fixes https://fedorahosted.org/sssd/ticket/1613
2012-11-12Only build extract_and_send_pac on platforms that support itJakub Hrozek1-104/+18
2012-11-12KRB5: Rename variable to avoid shadowing a global declarationJakub Hrozek1-4/+4
src/providers/krb5/krb5_utils.c: In function ‘cc_dir_create’: src/providers/krb5/krb5_utils.c:824: warning: declaration of ‘dirname’ shadows a global declaration /usr/include/libgen.h:27: warning: shadowed declaration is here