Age | Commit message (Collapse) | Author | Files | Lines |
|
It does not contain name of the object class attribute but the value
itself. I renamed it to avoid confusion.
|
|
The DP was sending the reply in a format the responder did not expect,
so the responder always failed to parse the message.
|
|
In the failover, we treat both KDC and LDAP on the IPA server as a single
"port", numbered 0. This was done in order to make sure that the SSSD
always talks to the same server for both LDAP and Kerberos.
However, this clever hack breaks when the IPA provider needs to establish an
GSSAPI encrypted LDAP connection because we're asking the fail over code to
yield a server while no server has yet been marked as tried. This triggers a
fail over for the KDC, so in effect, the TGT is received from second server.
If the second server is not available for some reason, the whole provider
goes offline.
The fail over needs to detect that the server asked for is still being
resolved and return the same pointer.
|
|
https://fedorahosted.org/sssd/ticket/1457
|
|
https://fedorahosted.org/sssd/ticket/1456
|
|
https://fedorahosted.org/sssd/ticket/1393
|
|
https://fedorahosted.org/sssd/ticket/1453
|
|
This bug was producing harmless, but annoying error messages.
|
|
When new subdomains are discovered, the SSSD creates a file that
includes the domain-realm mappings. This file can in turn be included in
the krb5.conf using the includedir directive, such as:
includedir /var/lib/sss/pubconf/realm_mappings
|
|
|
|
|
|
|
|
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allows us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often.
|
|
Instead of exporting internal structures, expose an initilizer function
like the autofs code and initialize everything inside the
ipa_subdomains.c file.
|
|
This will be used later for setting domain_realm mappings in krb5.conf
|
|
I am all for readable names, but there is a tradeof between expressing purpose
and compactness.
|
|
Something like this:
sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb;
really is not readable, and we always discourage using obfuscated C, please
refrain in future.
|
|
|
|
|
|
Rename the structure to use a standard name prefix so it is properly
name-spaced, in preparation for changing the structure itself.
|
|
This patch adds support for new config option ad_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
|
This patch adds support for new config option ipa_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
|
This patch adds support for new config options krb5_backup_server and
krb5_backup_kpasswd. The description of this option's functionality
is included in man page in one of previous patches.
|
|
This patch adds support for new config option ldap_backup_uri. The
description of this option's functionality is included in man page in
previous patch.
|
|
This patch adds support for the primary server functionality into AD
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
This patch adds support for the primary server functionality into LDAP
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
This patch adds support for the primary server functionality
into krb5 provider. No backup servers are added at the moment,
just the basic support is in place.
|
|
This patch adds support for the primary server functionality into IPA
provider. No backup servers are added at the moment, just the basic
support is in place.
|
|
This patch adds support for marking existing connections as being
disconnected. Each such connection can't be used for new queries and a
new one has to be created instead if necessary. This will ensure that
pending operations will end gracefully during reconnection. Also all new
queries to the server we are reconnecting to will use another (probably
newly created) connection.
|
|
Now there are two list of servers for each service. If currently
selected server is only backup, then an event will be scheduled which
tries to get connection to one of primary servers and if it succeeds,
it starts using this server instead of the one which is currently
connected to.
|
|
This patch adds two support functions for adding reconnection callbacks
and invoking such callbacks. The concept of reconnection is simple: stop
using current connection for for new queries to the server without
actually going offline.
|
|
Patch bc76428246c4ce532abd0eadcd539069fc1d94a8 changed the data
type of sasl_minssf from int to ber_len_t. Unfortunately, default
value of ldap_sasl_minssf is -1 but ber_len_t is defined as
unsigned long. This made SASL mechanism inoperative.
|
|
The host record will be fetched if HBAC is used as access provider since
the record is already downloaded and it can be trusted to be valid.
|
|
If HBAC is active, SELinux code will reuse them instead of downloading
them from the server again.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1420
sudoHost attribute may contain hostname or fqdn of the machine.
Sudo itself supports only one hostname and its fqdn - the one that
is returned by gethostbyname().
This patch implements autoconfiguration of hostname and fqdn if
it has not been set manually by ldap_sudo_hostnames option.
|
|
|
|
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.
|
|
|
|
In case of error the request wasn't freed and the callback just ended.
|
|
The counter is important so the for cycle doesn't depend on the first
NULL pointer. That would cause potential errors if more records are
following after this first NULL pointer.
|
|
Translate manually memberHost and memberUser to originalMemberUser and
originalMemberHost. Without this, the HBAC rule won't be matched against
current user and/or host, meaning that no SELinux user map connected to
it will be matched againts any user on the system.
|
|
This function is no longer necessary since sysdb interface for copying
elements has been implemented.
|
|
|
|
|
|
The AD provider cannot function with canonicalization because of
a bug in Active Directory rendering it unable to complete a
password-change while canonicalization is enabled.
|
|
https://fedorahosted.org/sssd/ticket/1379
|
|
https://fedorahosted.org/sssd/ticket/1421
|
|
We should always download the defaults because even if there are no
rules, we might want to use (or update) the defaults.
|
|
The functionality now is following:
When rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and sum of both priorities is user to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395
|