summaryrefslogtreecommitdiff
path: root/src/providers
AgeCommit message (Collapse)AuthorFilesLines
2012-08-07Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OCPavel Březina2-3/+3
It does not contain name of the object class attribute but the value itself. I renamed it to avoid confusion.
2012-08-07Subdomains: Send the DP reply in the correct formatJakub Hrozek1-14/+41
The DP was sending the reply in a format the responder did not expect, so the responder always failed to parse the message.
2012-08-07Failover: Return last tried server if it's still being triedJakub Hrozek1-2/+6
In the failover, we treat both KDC and LDAP on the IPA server as a single "port", numbered 0. This was done in order to make sure that the SSSD always talks to the same server for both LDAP and Kerberos. However, this clever hack breaks when the IPA provider needs to establish an GSSAPI encrypted LDAP connection because we're asking the fail over code to yield a server while no server has yet been marked as tried. This triggers a fail over for the KDC, so in effect, the TGT is received from second server. If the second server is not available for some reason, the whole provider goes offline. The fail over needs to detect that the server asked for is still being resolved and return the same pointer.
2012-08-06IPA: Securely set umask for mkstemp in subdomain providerStephen Gallagher1-0/+3
https://fedorahosted.org/sssd/ticket/1457
2012-08-06IPA: Do not attempt to close the same file twiceStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/1456
2012-08-06shadow attributes can contain -1Pavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1393
2012-08-06Removed unused variable assignmentOndrej Kos1-2/+0
https://fedorahosted.org/sssd/ticket/1453
2012-08-03Don't call fo_set_{server,port}_status for SRV serversJakub Hrozek1-2/+3
This bug was producing harmless, but annoying error messages.
2012-08-01Create a domain-realm mapping for krb5.conf to be includedJakub Hrozek1-0/+135
When new subdomains are discovered, the SSSD creates a file that includes the domain-realm mappings. This file can in turn be included in the krb5.conf using the includedir directive, such as: includedir /var/lib/sss/pubconf/realm_mappings
2012-08-01Add automatic periodic retrieval of subdomainsSimo Sorce1-1/+44
2012-08-01Add online callback to enumerate subdomainsSimo Sorce1-24/+49
2012-08-01Limit refreshes keeping track of last refresh timeSimo Sorce1-26/+46
2012-08-01Change refreshing of subdomainsSimo Sorce3-67/+156
This patch keeps a local copy of the subdomains in the ipa subdomains plugin context. This has 2 advantages: 1. allows to check if anything changed w/o always hitting the sysdb. 2. later will allows us to dump this information w/o having to retrieve it again. The timestamp also allows to avoid refreshing too often.
2012-08-01Expose an initializer function from subdomainSimo Sorce3-32/+46
Instead of exporting internal structures, expose an initilizer function like the autofs code and initialize everything inside the ipa_subdomains.c file.
2012-08-01Add realm paramter to subdomain listSimo Sorce1-0/+27
This will be used later for setting domain_realm mappings in krb5.conf
2012-08-01Use a more tractable name for subdomain requestSimo Sorce3-10/+8
I am all for readable names, but there is a tradeof between expressing purpose and compactness.
2012-08-0180 col and style fixesSimo Sorce1-20/+48
Something like this: sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb; really is not readable, and we always discourage using obfuscated C, please refrain in future.
2012-08-01Make structure initializer more readableSimo Sorce1-7/+15
2012-08-01Fix wrong elements used in comparisonSimo Sorce1-1/+1
2012-08-01Change subdomain_infoSimo Sorce2-7/+7
Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.
2012-08-01Primary server support: new option in AD providerJan Zeleny3-1/+5
This patch adds support for new config option ad_backup_server. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: new option in IPA providerJan Zeleny3-4/+6
This patch adds support for new config option ipa_backup_server. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: new options in krb5 providerJan Zeleny8-8/+28
This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
2012-08-01Primary server support: new option in ldap providerJan Zeleny5-4/+11
This patch adds support for new config option ldap_backup_uri. The description of this option's functionality is included in man page in previous patch.
2012-08-01Primary server support: AD adaptationJan Zeleny3-35/+77
This patch adds support for the primary server functionality into AD provider. No backup servers are added at the moment, just the basic support is in place.
2012-08-01Primary server support: LDAP adaptationJan Zeleny3-35/+84
This patch adds support for the primary server functionality into LDAP provider. No backup servers are added at the moment, just the basic support is in place.
2012-08-01Primary server support: krb5 adaptationJan Zeleny3-49/+94
This patch adds support for the primary server functionality into krb5 provider. No backup servers are added at the moment, just the basic support is in place.
2012-08-01Primary server support: IPA adaptationJan Zeleny3-35/+77
This patch adds support for the primary server functionality into IPA provider. No backup servers are added at the moment, just the basic support is in place.
2012-08-01Primary server support: support for "disconnecting" connections in LDAPJan Zeleny1-4/+37
This patch adds support for marking existing connections as being disconnected. Each such connection can't be used for new queries and a new one has to be created instead if necessary. This will ensure that pending operations will end gracefully during reconnection. Also all new queries to the server we are reconnecting to will use another (probably newly created) connection.
2012-08-01Primary server support: basic support in failover codeJan Zeleny7-51/+257
Now there are two list of servers for each service. If currently selected server is only backup, then an event will be scheduled which tries to get connection to one of primary servers and if it succeeds, it starts using this server instead of the one which is currently connected to.
2012-08-01Primary server support: introduce concept of reconnectionJan Zeleny2-0/+43
This patch adds two support functions for adding reconnection callbacks and invoking such callbacks. The concept of reconnection is simple: stop using current connection for for new queries to the server without actually going offline.
2012-07-31Unbreak SASLPavel Březina1-9/+12
Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data type of sasl_minssf from int to ber_len_t. Unfortunately, default value of ldap_sasl_minssf is -1 but ber_len_t is defined as unsigned long. This made SASL mechanism inoperative.
2012-07-31Support fetching of host from sysdb in SELinux codeJan Zeleny1-11/+55
The host record will be fetched if HBAC is used as access provider since the record is already downloaded and it can be trusted to be valid.
2012-07-31Support fetching of HBAC rules from sysdb in SELinux codeJan Zeleny1-14/+47
If HBAC is active, SELinux code will reuse them instead of downloading them from the server again.
2012-07-31Modify hbac_get_cached_rules() so it can be used outside of HBAC codeJan Zeleny2-14/+22
2012-07-30sudo ldap provider: support autoconfiguration of hostnamesPavel Březina1-6/+275
https://fedorahosted.org/sssd/ticket/1420 sudoHost attribute may contain hostname or fqdn of the machine. Sudo itself supports only one hostname and its fqdn - the one that is returned by gethostbyname(). This patch implements autoconfiguration of hostname and fqdn if it has not been set manually by ldap_sudo_hostnames option.
2012-07-27Remove unused member of be_reqJan Zeleny1-3/+0
2012-07-27Move SELinux processing from session to account PAM stackJan Zeleny2-0/+33
The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
2012-07-27Renamed session provider to selinux providerJan Zeleny6-56/+54
2012-07-27Always free request in data provider PAM callbackJan Zeleny1-2/+3
In case of error the request wasn't freed and the callback just ended.
2012-07-25Provide counter of possible matches in SELinux IPA providerJan Zeleny1-6/+6
The counter is important so the for cycle doesn't depend on the first NULL pointer. That would cause potential errors if more records are following after this first NULL pointer.
2012-07-25Fix linking of HBAC rules and SELinux user mapsJan Zeleny1-0/+13
Translate manually memberHost and memberUser to originalMemberUser and originalMemberHost. Without this, the HBAC rule won't be matched against current user and/or host, meaning that no SELinux user map connected to it will be matched againts any user on the system.
2012-07-25Remove ipa_selinux_map_merge()Jan Zeleny3-55/+0
This function is no longer necessary since sysdb interface for copying elements has been implemented.
2012-07-23Added some DEBUG statements into SELinux related codeJan Zeleny1-4/+14
2012-07-23sdap_sudo.c: add missing end of line in few debug messagesPavel Březina1-3/+3
2012-07-18AD: Fix defaults for krb5_canonicalizeStephen Gallagher1-2/+2
The AD provider cannot function with canonicalization because of a bug in Active Directory rendering it unable to complete a password-change while canonicalization is enabled.
2012-07-18Fix uninitialized valuesNick Guay6-14/+14
https://fedorahosted.org/sssd/ticket/1379
2012-07-18IPA: Return and save all SELinux rules in the providerJakub Hrozek1-47/+27
https://fedorahosted.org/sssd/ticket/1421
2012-07-18IPA: Download defaults even if there are no SELinux mappingsJakub Hrozek1-60/+59
We should always download the defaults because even if there are no rules, we might want to use (or update) the defaults.
2012-07-18Modify priority evaluation in SELinux user mapsJan Zeleny1-2/+34
The functionality now is following: When rule is being matched, its priority is determined as a combination of user and host specificity (host taking preference). After the rule is matched in provider, only its host priority is stored in sysdb for later usage. When rules are matched in the responder, their user priority is determined. After that their host priority is retrieved directly from sysdb and sum of both priorities is user to determine whether to use that rule or not. If more rules have the same priority, the order given in IPA config is used. https://fedorahosted.org/sssd/ticket/1360 https://fedorahosted.org/sssd/ticket/1395