sssd - System Security Services Daemon

Age	Commit message (Collapse)	Author	Files	Lines
2012-05-09	Try all KDCs when getting TGT for LDAP	Jakub Hrozek	1	-15/+18
	When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
2012-05-07	Only reset kpasswd server status when performing a chpass operation	Jakub Hrozek	1	-2/+3
	https://fedorahosted.org/sssd/ticket/1316
2012-05-07	Special-case LDAP_SIZELIMIT_EXCEEDED	Jakub Hrozek	1	-4/+9
	Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322
2012-05-07	Limit krb5_get_init_creds_keytab() to etypes in keytab	Stef Walter	2	-0/+36
	* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-07	Remove erroneous failure message in find_principal_in_keytab	Stef Walter	1	-1/+3
	* When it's actually a failure, then the callers will print a message. Fine tune this.
2012-05-04	If canon'ing principals, write ccache with updated default principal	Stef Walter	2	-3/+8
	* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
2012-05-04	Modify behavior of pam_pwd_expiration_warning	Jan Zeleny	2	-16/+57
	New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
2012-05-03	LDAP: Add support for enumeration of ID-mapped users and groups	Stephen Gallagher	1	-31/+102

2012-05-03	LDAP: Treat groups with unmappable SIDs as non-POSIX groups	Stephen Gallagher	1	-9/+12

2012-05-03	LDAP: Add helper function to map IDs	Stephen Gallagher	5	-119/+81
	This function will also auto-create a new ID map if the domain has not been seen previously.
2012-05-03	LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped ↵	Stephen Gallagher	2	-0/+16
	entries
2012-05-03	LDAP: Add helper routine to convert LDAP blob to SID string	Stephen Gallagher	5	-68/+195

2012-05-03	LDAP: Map the user's primaryGroupID	Stephen Gallagher	4	-12/+69

2012-05-03	LDAP: Enable looking up id-mapped groups by GID	Stephen Gallagher	1	-2/+45

2012-05-03	LDAP: Allow looking up ID-mapped groups by name	Stephen Gallagher	2	-29/+125

2012-05-03	LDAP: Enable looking up id-mapped users by UID	Stephen Gallagher	1	-6/+43

2012-05-03	LDAP: Allow automatically-provisioning a domain and range	Stephen Gallagher	1	-3/+43
	If we get a user who is a member of a domain we haven't seen before, add a domain entry (auto-assigning its slice). Since we don't know the domain's real name, we'll just save the domain SID string as the name as well.
2012-05-03	LDAP: Add routine to extract domain SID from an object SID	Stephen Gallagher	2	-0/+49
	Also makes the domain prefix macros from sss_idmap public.
2012-05-03	LDAP: Allow setting a default domain for id-mapping slice 0	Stephen Gallagher	4	-0/+42

2012-05-03	LDAP: Add autorid compatibility mode	Stephen Gallagher	4	-8/+17

2012-05-03	LDAP: Enable looking up ID-mapped users by name	Stephen Gallagher	2	-9/+55

2012-05-03	LDAP: Initialize ID mapping when configured	Stephen Gallagher	2	-0/+10

2012-05-03	LDAP: Add ID mapping range settings	Stephen Gallagher	3	-0/+9

2012-05-03	LDAP: Add helper routines for ID-mapping	Stephen Gallagher	2	-0/+334

2012-05-03	LDAP: Add id-mapping option	Stephen Gallagher	3	-0/+3

2012-05-03	LDAP: Add objectSID config option	Stephen Gallagher	3	-0/+10

2012-05-03	Read sysdb attribute name, not LDAP attribute map name	Jakub Hrozek	1	-2/+2
	https://fedorahosted.org/sssd/ticket/1320
2012-05-03	SSH: Add dp_get_host_send to common responder code	Jakub Hrozek	3	-30/+24
	Instead of using account_info request, creates a new ssh specific request. This improves code readability and will make the code more flexible in the future. https://fedorahosted.org/sssd/ticket/1176
2012-05-03	Rename split_service_name_filter	Jakub Hrozek	1	-16/+16
	The function was used outside services code which was confusing due to its name. This patch renames it to sound more netrual.
2012-05-03	IPA: Check return values	Jakub Hrozek	2	-2/+12

2012-05-03	PROXY: return correct return codes	Jakub Hrozek	1	-7/+9
	We were reporting on the value of "status" instead of "ret'. We also didn't set ret to EOK in cases group contained no members.
2012-05-02	DP: return correct error message when subdomains back end target is not ↵	Jakub Hrozek	1	-1/+1
	configured The done handler uses the value of status, not ret.
2012-05-02	HBAC: Prevent NULL dereference in hbac_evaluate	Jakub Hrozek	1	-2/+4
	'info' is optional parameter and can be set to NULL
2012-05-02	ipa_get_config_send: remove unused assignment	Jakub Hrozek	1	-1/+0

2012-05-02	IPA netgroups: return EOK when there are no netgroups to process	Jakub Hrozek	1	-0/+1
	If the code fell through the loop, ret would have been random value.
2012-05-02	LDAP: check return value of sysdb_attrs_get_el	Jakub Hrozek	1	-0/+7

2012-05-01	execv, excvp and exec_child never return EOK	Stef Walter	2	-10/+6
	* So don't need to handle that case
2012-04-24	Utilize sysdb context within be_req in HBAC	Jan Zeleny	1	-2/+2

2012-04-24	Detect subdomain request in IPA access provider	Jan Zeleny	1	-0/+10

2012-04-24	Accept be_req instead if be_ctx in LDAP access provider	Jan Zeleny	3	-15/+16

2012-04-24	Carry sysdb context and domain info in be_req structure	Jan Zeleny	2	-0/+5

2012-04-24	Basic support for subdomains in auth provider	Jan Zeleny	3	-3/+13

2012-04-24	Add ID operations in subdomains	Jan Zeleny	3	-0/+276

2012-04-24	Add s2n extended operation	Sumit Bose	2	-0/+667

2012-04-24	Add domain name to get_account_info request	Sumit Bose	2	-0/+10

2012-04-24	IPA: Add get-domains target	Sumit Bose	6	-0/+425

2012-04-24	data provider: added subdomains	Sumit Bose	3	-2/+167

2012-04-24	Responder part of the subdomain retrieval work	Jan Zeleny	1	-0/+1

2012-04-20	Get the RootDSE after binding if not successfull before	Jakub Hrozek	1	-26/+104
	https://fedorahosted.org/sssd/ticket/1258
2012-04-20	Convert read and write operations to sss_atomic_read	Jakub Hrozek	3	-78/+52
	https://fedorahosted.org/sssd/ticket/1209