Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (aka empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether
|
|
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
https://fedorahosted.org/sssd/ticket/1458
When the responder is disabled and sudo_provider is set explicitly,
a warning is print and the module will be initialized.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1519
IPA host refactoring changed mapping of memberOf attribute
which caused SSSD being unable to retrieve membership of
hostgroup when being interpreted as netgroup.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1515
|
|
https://fedorahosted.org/sssd/ticket/1516
If sysdb_set_user_attr failed, we would cancel the transaction, then go
to the error handler and attempt to close it again.
|
|
https://fedorahosted.org/sssd/ticket/1488
|
|
|
|
|
|
To validate a TGT a keytab entry from the client realm is preferred but
if none ca be found the last entry should be used. But the entry was
freed and zeroed before it could be used.
This should also fix the trusted domain use case mentioned in
https://fedorahosted.org/sssd/ticket/1396
although a different approach then suggested in the ticket is used.
|
|
https://fedorahosted.org/sssd/ticket/1365
|
|
Removing bad examples of usage of sysdb_transaction_start/commit/end
functions and making it more consistent (all files except of
src/db/sysdb_*.c).
|
|
https://fedorahosted.org/sssd/ticket/1434
|
|
https://fedorahosted.org/sssd/ticket/734
We successfully detect when the server is reinitialized by testing
the new lastUSN value. The maximum USN values are set to zero, but
the current cache content remains.
This patch removes records that were deleted from the server.
It uses the following approach:
1. remove entryUSN attribute from all entries
2. run enumeration
3. remove records that doesn't have entryUSN attribute updated
We don't need to do this for sudo rules, they will be refreshed
automatically during next smart/full refresh, or when an expired rule
is deleted.
|
|
|
|
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectivelly marking the whole nesting
level as done.
|
|
https://fedorahosted.org/sssd/ticket/1452
|
|
The caller should issue a next request, which would just shortcut with
ENOENT.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1472
|
|
group members with groups outside nesting limit.
https://fedorahosted.org/sssd/ticket/1194
|
|
|
|
https://fedorahosted.org/sssd/ticket/1463
|
|
https://fedorahosted.org/sssd/ticket/1462
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1459
|
|
It does not contain name of the object class attribute but the value
itself. I renamed it to avoid confusion.
|
|
The DP was sending the reply in a format the responder did not expect,
so the responder always failed to parse the message.
|
|
In the failover, we treat both KDC and LDAP on the IPA server as a single
"port", numbered 0. This was done in order to make sure that the SSSD
always talks to the same server for both LDAP and Kerberos.
However, this clever hack breaks when the IPA provider needs to establish an
GSSAPI encrypted LDAP connection because we're asking the fail over code to
yield a server while no server has yet been marked as tried. This triggers a
fail over for the KDC, so in effect, the TGT is received from second server.
If the second server is not available for some reason, the whole provider
goes offline.
The fail over needs to detect that the server asked for is still being
resolved and return the same pointer.
|
|
https://fedorahosted.org/sssd/ticket/1457
|
|
https://fedorahosted.org/sssd/ticket/1456
|
|
https://fedorahosted.org/sssd/ticket/1393
|
|
https://fedorahosted.org/sssd/ticket/1453
|
|
This bug was producing harmless, but annoying error messages.
|
|
When new subdomains are discovered, the SSSD creates a file that
includes the domain-realm mappings. This file can in turn be included in
the krb5.conf using the includedir directive, such as:
includedir /var/lib/sss/pubconf/realm_mappings
|
|
|
|
|
|
|
|
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allows us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often.
|
|
Instead of exporting internal structures, expose an initilizer function
like the autofs code and initialize everything inside the
ipa_subdomains.c file.
|
|
This will be used later for setting domain_realm mappings in krb5.conf
|
|
I am all for readable names, but there is a tradeof between expressing purpose
and compactness.
|
|
Something like this:
sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb;
really is not readable, and we always discourage using obfuscated C, please
refrain in future.
|
|
|