| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
sysdb_attrs_get_el() creates an empty element in the sysdb_attrs
structure if the requested element does not exist. Recent versions of
libldb do not accept empty elements when writing new objects to disk.
sysdb_attrs_get_string_array() does not create an empty element but
returns ENOENT.
|
|
|
|
|
|
|
|
|
|
This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.
Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
|
|
We were not passing the old authtok to the pam_chauthtok()
function, causing it to return PAM_AUTH_ERR.
|
|
This patch adds a new tevent_req to the proxy provider, which will
spawn short-lived child processes to handle PAM requests. These
processes then call the proxied PAM stack and return the results
via SBUS method reply. Once it is returned, the parent process
kills the child.
There is a maximum of ten child processes running simultaneously,
after which requests will be queued for sending once a child slot
frees up. The maximum processes will be made configurable at a
later date (as this would violate string freeze).
|
|
Instead of just using references to the pam data inside of the DBus
message the data is copied. New the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere.
|
|
|
|
|
|
The ccache file was removed too early if system is offline but the
backend was not already marked offline. Now we remove the ccache file
only if the successfully got a new one and it is not the same as the old
one.
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
The Kerberos backend would previously try only the first server and if
it was unreachable, it immediatelly went offline.
|
|
|
|
|
|
This reverts commit 2faf73eef14d66aeb345ffa38d0f53670fa8a9a1.
|
|
Instead of just using references to the pam data inside of the DBus
message the data is copied. New the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere.
|
|
|
|
|
|
|
|
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
|
|
Instead of having all-purpose SIGCHLD handlers that try to catch
every occurrence, we instead create a per-PID handler. This will
allow us to specify callbacks to occur when certain children exit.
|
|
The current version modified some global structures to be able to use
Kerberos and LDAP authentication during the IPA password migration. This
new version only uses tevent requests.
Additionally the ipaMigrationEnabled attribute is read from the IPA
server to see if password migration is allowed or not.
|
|
To allow other providers to include Kerberos authentication the main
part is put into a tevent request.
|
|
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7.
While this patch applied cleanly, it was uncompilable. Reverting
until it can be properly merged.
|
|
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
|
|
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
|
|
Allow backends to set a callback in the be_ctx that should be
invoked when the ID provider goes online.
This can be used to perform regular maintenance tasks that are
valid only when going online.
|
|
For the shadow and mit_kerberos password policy warnings are sent to the
client if the password is about to expire.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Also clean up some duplicated code into a single common routine
sdap_account_info_common_done()
|
|
|
|
Prevent freeing the sdap_handle by failing in the destructor if we
are trying to recurse.
|
