| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
We tried to be too clever and only requested the name of the group,
but we require the objectClass to validate the results.
https://fedorahosted.org/sssd/ticket/622
|
|
|
|
This reverts 56d8d19ac9d857580a233d8264e851883b883c67
|
|
|
|
Dead assignments were deleted. Also prototype of function
sdap_access_decide_offline() has been changed, since its return
code was never used.
Ticket: #586
|
|
When obfuscated password is used in config file, the LDAP backend
converts it back to clear text and uses it to authenticate to the
server.
|
|
In fail_over.c, there was a small bug causing subrequest to have
wrong parent memory context. This patch fixes it.
|
|
Two needless assignments were deleted, two were complemented
with code checking function results.
Ticket: #582
|
|
In function get_pw_name when allocation of memory fails, there
were two codepaths which could cause printing of undefined value.
This patch fixes both cases.
Ticket: #580
|
|
If sysdb_attrs_get_el() call failed in function sdap_save_group(),
it would result in printing an undefined value of variable name.
This is now fixed by initializing the variable.
Ticket: #579
|
|
If the allocation on line 678 failed, the value of ret was undefined
in following comparison. ENOMEM is now assigned before the comparison.
Ticket: #578
|
|
In the very unlikely case dp_copy_options was called
with num_options == 0, the return value as well as the left operand
of comparison on line 214 would be undefined.
Ticket: #577
|
|
Fixes: #584
|
|
Every ldap function that could possibly create a new connection is now
wrapped in a tevent_req. If the connection is created, we will call the
function again after the socket is ready for writing.
|
|
|
|
Some LDAP servers allow binding with blank passwords. We should
not allow a blank password to authenticate the SSSD.
|
|
The initial verification of the old password was returning an
error because we were not explicitly setting dp_err to
DP_ERR_SUCCESS and it was initialized earlier in the function to
DP_ERR_FATAL.
|
|
Instead of recursively updating all users of each group the user
being queried belongs to, just add or remove membership for the
requested user.
Fixes https://fedorahosted.org/sssd/ticket/478
|
|
Fixes: #587
|
|
The value returned in the 'done:' label was always EOK which is wrong as
any parsing errors are not returned to the caller.
Fixes: #583
|
|
|
|
In addition to validating the keytab everytime a TGT is requested, we
also validate the keytab on back end startup to give early warning that
the keytab is not usable.
Fixes: #556
|
|
|
|
- Ticket #567: Fix removal of obsolete HBAC host, rules and service records from sysdb.
- Ticket #565: When no HBAC host record is found return PAM_PERM_DENIED instead of PAM_SYSTEM_ERROR.
|
|
|
|
Also adds support for detecting LDAPS errors by adding a check for
SDAP_DIAGNOSTIC_MESSAGE after ldap_search_ext()
|
|
We will now emit a level 0 debug message on keytab errors, and
also write to the syslog (LOG_DAEMON)
|
|
Integrates libnl to detect adding routes. When a route is added, the
offline status of all back ends is reset. This patch adds no heuristics
to detect whether back end went offline.
Fixes: #456
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
server was unexpectedly dropped.
|
|
|
|
through SRV records) failover servers.
|
|
sdap_handle for future reference.
|
|
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows to set
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479
|
|
proxy.c was growing too large to manage (and some graphical
development tools could no longer open it because of memory
limitations).
This patch splits proxy.c into the following files:
proxy_init.c: Setup routines for the plugin
proxy_id.c: Functions to handle user and group lookups
proxy_auth.c: Functions to handle PAM interactions
proxy_common.c: Common utility routines
|
|
|
|
In violation of the standard, some LDAP servers control access to
the RootDSE, thus preventing us from being able to read it before
performing a bind.
This patch will allow us to continue on if the RootDSE was
inaccessible. All of the places that we use the return value of
the RootDSE after this are already checked for NULL and use sane
defaults if the RootDSE is unavailable
|
|
Operational attributes are not returned in searched requests unless
explicitly requested according to RFC 4512 section 5.1. Therefore to
get several standard attributes of root DSE we have to request for
them. The requested attrs are:
- altServer
- namingContexts
- supportedControl
- supportedExtension
- supportedFeatures
- supportedLDAPVersion
- supportedSASLMechanisms
Signed-off-by: Alexander Gordeev <lasaine@lvk.cs.msu.su>
|
|
|
