summaryrefslogtreecommitdiff
path: root/src/providers
AgeCommit message (Collapse)AuthorFilesLines
2013-03-18Decrease krb5_auth_timeout defaultOndrej Kos3-3/+3
https://fedorahosted.org/sssd/ticket/1738
2013-03-18Retry the correct service on krb5 child timeoutJakub Hrozek1-1/+1
2013-03-13Fix initialization of multiple variablesOndrej Kos6-8/+7
2013-03-13Removing unused header file providers.hLukas Slebodnik1-24/+0
Header file "providers.h" is not included in any other file and function "dp_process_init" declared in this header file has no implementation. Header file protos.h is not also included in any other file and even hole content is commented out.
2013-03-13More generalized function open_debug_file_ex()Lukas Slebodnik2-10/+2
Function open_debug_file_ex() set flag FD_CLOEXEC to opened file according to the value of third parameter. Removed duplicity of unsetting FD_CLOEXEC after calling function open_debug_file_ex()
2013-03-08Add support for krb5 1.11's responder callback.Nathaniel McCallum4-1/+232
krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
2013-03-07Fixed typo in debug message.Lukas Slebodnik1-3/+5
C compiler did not complain, because "index" is function defined in header file <string.h>
2013-03-06Updated Doxygen configuration to 1.8.1Thorsten Scherf1-134/+478
https://fedorahosted.org/sssd/ticket/1819
2013-03-05Check the return value of sysdb_search_servicesJakub Hrozek1-0/+6
2013-03-04Cleanup error message handling for krb5 childSimo Sorce2-296/+240
Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
2013-03-04krb5_child: fix value type and initializationOndrej Kos1-1/+2
ret was defined as integer, instead of errno_t, and was uninitialized
2013-03-04Use the correct memory context in be_req_createJakub Hrozek1-1/+1
2013-02-28Refactor krb5 childSimo Sorce1-288/+210
The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back
2013-02-28krb5_child style fixSimo Sorce1-11/+11
Use the standard 'done' label for exceptions.
2013-02-27sdap_fill_memberships: continue if a member is not foud in sysdbPavel Březina1-3/+7
https://fedorahosted.org/sssd/ticket/1755 sdap_find_entry_by_origDN() may return ENOENT in these non-error scenarios: If a member is out of scope of configured nesting level, sssd produces few noise lines indicating failure. The worse case is when a member is outside of configured search bases. In this case we save the group with incomplete membership,
2013-02-26Do not process success case in an elseJakub Hrozek1-24/+24
2013-02-26sysdb: try dealing with binary-content attributesJan Engelhardt2-7/+5
https://fedorahosted.org/sssd/ticket/1818 I have here a LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information. The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
2013-02-14subdomains: replace invalid characters with underscore in krb5 mapping file namePavel Březina1-1/+26
https://fedorahosted.org/sssd/ticket/1795 Only alpha-numeric chars, dashes and underscores are allowed in krb5 include directory.
2013-02-12Filter out multicast addresses from IPA DNS updatesJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1804
2013-02-11LDAP: Check for authtok validityJakub Hrozek1-7/+9
The default authtok type in the LDAP provider (unlike the new IPA and AD providers) is "password". This oddity dates back to when password was the only supported authtok type in the SSSD, so configuration specifying only the password and bind DN was valid. We need to check the authtok validity as well before attempting to use it.
2013-02-10Introduce IS_SUBDOMAIN() macroSimo Sorce1-2/+2
Fixes https://fedorahosted.org/sssd/ticket/1766
2013-02-10Change the way domains are linked.Simo Sorce1-107/+45
- Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
2013-02-10Remove sysdb_subdom completelySimo Sorce1-52/+58
struct sss_domain_info is always used to represent domains now. Adjust tests accordingly.
2013-02-10Refactor sysdb_master_domain_add_info()Simo Sorce1-24/+6
2013-02-10Update main domain info in placeSimo Sorce1-5/+4
2013-02-10Avoid sysdb_subdom in sysdb_get_subdomains()Simo Sorce1-3/+1
2013-02-10Add realm info to sss_domain_infoSimo Sorce5-6/+8
2013-02-10NSS: Add original homedir to home directory template optionsStephen Gallagher1-0/+1
https://fedorahosted.org/sssd/ticket/1805
2013-02-01dp: check whether hostid backend is configured before filing be requestPavel Březina1-0/+8
2013-01-30Fix minor grammar error in logStephen Gallagher1-1/+1
2013-01-30krb: recreate ccache if it was deletedPavel Březina1-1/+8
https://fedorahosted.org/sssd/ticket/1512 If directory where a ccache file was stored was missing and user was still logged in, we erroneously considered the ccache file still active. Thus the ccache file was not recreated and user was unable to login.
2013-01-28nested groups: fix group lookup hangs if member dn is incorrectPavel Březina1-0/+24
https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
2013-01-25Possible null derefence in ipa_subdomains.c.Michal Zidek1-0/+4
Found by coverity. https://fedorahosted.org/sssd/ticket/1790
2013-01-22fix backend callbacks: remove callback properly from dlistPavel Březina1-6/+18
https://fedorahosted.org/sssd/ticket/1776 Although cb->list got updated when the callback is removed, this change did not propagate to be_ctx->*_cb_list which caused dlist having invalid records.
2013-01-22Fix code styleJakub Hrozek1-1/+2
2013-01-21Make struct be_req opaqueSimo Sorce2-18/+18
2013-01-21Add be_req_get_data() helper funciton.Simo Sorce17-32/+45
In preparation for making struct be_req opaque.
2013-01-21Add be_req_get_be_ctx() helper.Simo Sorce22-133/+155
In preparation for making be_req opaque
2013-01-21Add be_req_create() helperSimo Sorce3-40/+38
2013-01-21Introduce be_req_terminate() helperSimo Sorce18-129/+84
Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
2013-01-21Remove domain from be_req structureSimo Sorce7-64/+46
2013-01-21Pass domain not be_req to access check functionsSimo Sorce5-22/+33
2013-01-21Split simple_access_check function outSimo Sorce3-206/+225
Need to split out the function or new additions to the handler funtion will not allow simple access tests to compile anymore.
2013-01-21Do not pass NULL to ipa_subdomain_retrieve()Simo Sorce1-18/+20
2013-01-21Move hbac_ctx_is_offline()Simo Sorce2-7/+6
2013-01-21Remove hbac_ctx_sdap_id_[ctx|op]()Simo Sorce2-18/+6
2013-01-21Remove hbac_ctx_ev()Simo Sorce2-10/+3
2013-01-21Remove hbac_ctx_be()Simo Sorce3-12/+4
2013-01-21Remove hbac_ctx_sysdb()Simo Sorce2-12/+4
2013-01-21Remove sysdb argument from hbac_get_cached_rules()Simo Sorce3-9/+6