summaryrefslogtreecommitdiff
path: root/src/providers
AgeCommit message (Collapse)AuthorFilesLines
2013-04-19LDAP: do not invalidate pointer with realloc while processing ghost usersJakub Hrozek1-3/+13
https://fedorahosted.org/sssd/ticket/1799 One peculiarity of the sysdb_attrs_get_el interface is that if the attribute does not exist, then the attrs array is reallocated and the element is created. But in case other pointers are already pointing into the array, the realloc might invalidate them. Such case was in the sdap_process_ghost_members function where if the group had no members, the "gh" pointer requested earlier might have been invalidated by the realloc in order to create the member element.
2013-04-15Fix simple access group control in case-insensitive domainsJakub Hrozek1-16/+9
https://fedorahosted.org/sssd/ticket/1713 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.
2013-04-12Fix krbcc dir creation issue with MIT krb5 1.11Lukas Slebodnik2-11/+61
In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir exists. If it doesn't exist, than it will be created with process permissions and not user permissions. Function cc_residual_is_used has already checked for non existing directory, but it wasn't considered to be a failure and therefore next call of krb5_init_context will create directory with wrong permissions. Now if directory doesn't exist, it will be handled like there was not ccache attribute in sysdb cache. We also check if "primary" file in ccache directory has right permissions. But we ignore missing "primary" file. https://fedorahosted.org/sssd/ticket/1822
2013-04-10DNS sites support - add IPA SRV pluginPavel Březina5-5/+369
https://fedorahosted.org/sssd/ticket/1032
2013-04-10DNS sites support - use SRV DNS lookup plugin in all providersPavel Březina3-0/+29
https://fedorahosted.org/sssd/ticket/1032 We set a plugin during an initialization of ID provider, which is an authoritative provider for a plugin choice. The plugin is set only once. When other provider is initalized (e.g. id = IPA, sudo = LDAP), we do not overwrite the plugin. Since sssm_*_id_init() is called from all module constructors, this patch relies on the fact, that ID provider is initialized before all other providers.
2013-04-10DNS sites support - replace SRV lookup code with a plugin callPavel Březina1-258/+73
https://fedorahosted.org/sssd/ticket/1032 Removes hard coded SRV lookup code with a plugin call. This patch breaks SRV lookups as there is currently no plugin in use. It is fixed in next patch.
2013-04-10fail over - add function to insert multiple servers to the listPavel Březina1-10/+101
2013-04-10DNS sites support - SRV DNS lookup pluginPavel Březina4-0/+521
https://fedorahosted.org/sssd/ticket/1032 This plugin mimics the current behaviour. If discovery_domain is set it is the only domain that is tried. If discovery_domain is not set, we try to autodetect domain first and if that fails or SRV lookup on this domain fails, we fallback to SSSD domain name.
2013-04-10DNS sites support - SRV lookup plugin interfacePavel Březina5-0/+135
https://fedorahosted.org/sssd/ticket/1032 Introduces two new error codes: - ERR_SRV_NOT_FOUND - ERR_SRV_LOOKUP_ERROR Since id_provider is authoritative in case of SRV plugin choise, ability to override the selected pluging during runtime is not desirable. We rely on the fact that id_provider is initialized before all other providers, thus the plugin is set correctly.
2013-04-10Allow using flatname for subdomain home dir templateJakub Hrozek1-1/+2
https://fedorahosted.org/sssd/ticket/1609
2013-04-09LDAP: Always fail if a map can't be foundJakub Hrozek1-4/+2
2013-04-05Check for the correct variablesJakub Hrozek1-2/+2
https://fedorahosted.org/sssd/ticket/1864
2013-04-05Further restrict become_user drop of privileges.Simo Sorce1-15/+18
We never need to regain root after we call become_user() so tighten up even further our privilege drop. Add a setgroups() call to remove all secondary groups root may have been given for whateve reason. Then use the setres[ug]id function to also drop the saved uid/gid so the process cannot regain back root id. Capabilities are also implicitly dropped here, no more CAP_SETUID so this is a Point of No Return, once changed to non-root the process can't get back. Remove redefinition of sys/types.h and unistd.h, they are already defined in util.h and they need to be included after _GNU_SOURCE/_BSD_SOURCE is defined or the prototypes for setres[ug]id will not be found. Add grp.h after util.h for the same reason.
2013-04-04dyndns: Fix initializing sdap_id_ctxJakub Hrozek1-1/+1
2013-04-04LDAP: Fix value initialization warningsLukas Slebodnik2-2/+2
2013-04-03Centralize resolv_init, remove resolv context listJakub Hrozek3-25/+4
2013-04-03Init failover with be_res optionsJakub Hrozek5-81/+124
2013-04-03Allow setting krb5_renew_interval with a delimiterAriel Barria5-8/+32
https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters
2013-04-03Check for correct variable nameJakub Hrozek2-5/+1
https://fedorahosted.org/sssd/ticket/1864
2013-04-03krb5 child: Use the correct type when processing OTPJakub Hrozek1-1/+1
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik14-78/+115
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-04-02Reusing create_pam_data() on the other places.Lukas Slebodnik2-1/+13
Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
2013-04-02refactor nested group processing: replace old codePavel Březina2-1721/+21
https://fedorahosted.org/sssd/ticket/1784
2013-04-02refactor nested group processing: add new codePavel Březina1-0/+2229
https://fedorahosted.org/sssd/ticket/1784 1. initialization (main-req), returns members of input group 2. evaluate group members (group) 3. perform individual search (no-deref) or dereference attribute (deref) 4a. no-deref 1. perform a lookup depending on the type of the member object 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups 4b. deref 1. perform a dereference lookup on member attribute 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups Tevent request flow: main-req | group |------------------------| no-deref deref | | |----|------|---------| | user group unknown recurse recurse / \ | | | ... | | | ... user group group group
2013-03-27selinux: Remove unused parameterJakub Hrozek1-1/+0
https://fedorahosted.org/sssd/ticket/1848
2013-03-27LDAP: Fix value initializationOndrej Kos1-1/+1
2013-03-21LDAP: If deref search fails, try again without derefJan Cholasta5-4/+50
https://fedorahosted.org/sssd/ticket/1660
2013-03-20Return error code from ipa_subdom_storeJakub Hrozek1-5/+13
2013-03-20ldap: Fallback option for rfc2307 schemaSimo Sorce9-11/+193
Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
2013-03-19Convert sdap_access to new error codesSimo Sorce5-480/+212
Also simplify sdap_access_send to avoid completely fake _send() routines.
2013-03-19Resolve GIDs in the simple access providerJakub Hrozek3-122/+655
Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
2013-03-19Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek1-0/+2
The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
2013-03-19Provide a be_get_account_info_send functionJakub Hrozek2-19/+144
In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
2013-03-19Make the SELinux refresh time configurable.Michal Zidek3-2/+5
Option ipa_selinux_refresh is added to basic ipa options.
2013-03-19Reuse cached SELinux mappings.Michal Zidek2-3/+29
Reuse cached SELinux maps when they are requested within time interval (in this patch it is hardcoded to be 5 seconds). https://fedorahosted.org/sssd/ticket/1744
2013-03-19Move SELinux processing to provider.Michal Zidek2-31/+388
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-03-19Removing unused declaration of functions and variable.Lukas Slebodnik2-12/+2
Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
2013-03-19Use common error facility instead of sdap_resultSimo Sorce7-347/+229
Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
2013-03-18Decrease krb5_auth_timeout defaultOndrej Kos3-3/+3
https://fedorahosted.org/sssd/ticket/1738
2013-03-18Retry the correct service on krb5 child timeoutJakub Hrozek1-1/+1
2013-03-13Fix initialization of multiple variablesOndrej Kos6-8/+7
2013-03-13Removing unused header file providers.hLukas Slebodnik1-24/+0
Header file "providers.h" is not included in any other file and function "dp_process_init" declared in this header file has no implementation. Header file protos.h is not also included in any other file and even hole content is commented out.
2013-03-13More generalized function open_debug_file_ex()Lukas Slebodnik2-10/+2
Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
2013-03-08Add support for krb5 1.11's responder callback.Nathaniel McCallum4-1/+232
krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
2013-03-07Fixed typo in debug message.Lukas Slebodnik1-3/+5
C compiler did not complain, because "index" is function defined in header file <string.h>
2013-03-06Updated Doxygen configuration to 1.8.1Thorsten Scherf1-134/+478
https://fedorahosted.org/sssd/ticket/1819
2013-03-05Check the return value of sysdb_search_servicesJakub Hrozek1-0/+6
2013-03-04Cleanup error message handling for krb5 childSimo Sorce2-296/+240
Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
2013-03-04krb5_child: fix value type and initializationOndrej Kos1-1/+2
ret was defined as integer, instead of errno_t, and was uninitialized
2013-03-04Use the correct memory context in be_req_createJakub Hrozek1-1/+1