summaryrefslogtreecommitdiff
path: root/src/providers
AgeCommit message (Collapse)AuthorFilesLines
2012-11-20fix SIGSEGV in IPA provider when ldap_sasl_authid is not setPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1657 IPA_HOSTNAME is not stored in ipa_opts->id options so it the option was always NULL here. This caused SIGSEGV when accessed by strchr() in subsequent function.
2012-11-20LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek4-9/+39
https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
2012-11-19Disable canonicalization during password changesSumit Bose1-2/+43
If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615
2012-11-19Fix compare_principal_realm() checkSumit Bose1-9/+3
In case of a short UPN compare_principal_realm() erroneously returns an error.
2012-11-19Just use the service name with krb5_get_init_creds_password()Sumit Bose1-24/+2
Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
2012-11-19LDAP: Make it possible to use full principal in ldap_sasl_authid againJakub Hrozek1-4/+16
2012-11-19LDAP: Checking the principal should not be considered fatalJakub Hrozek1-6/+10
The check is too restrictive as the select_principal_from_keytab can return something else than user requested right now. Consider that user query for host/myserver@EXAMPLE.COM, then the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm. So the caller needs to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
2012-11-19LDAP: Provide a common sdap_set_sasl_options init functionJakub Hrozek4-91/+95
The AD and IPA initialization functions shared the same code. This patch moves the code into a common initialization function.
2012-11-19Do not save HBAC rules in subdomain subtreeSumit Bose3-16/+32
Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
2012-11-19Refactor the way subdomain accounts are savedSimo Sorce2-4/+61
The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
2012-11-19LDAP: Refactor saving ghost usersJakub Hrozek1-88/+99
2012-11-19LDAP: use the correct memory contextJakub Hrozek1-1/+1
The element being reallocated is part of the "group_attrs" array, not attrs.
2012-11-19LDAP: Fix saving empty groupsJakub Hrozek1-2/+4
https://fedorahosted.org/sssd/ticket/1647 A logic bug in the LDAP provider causes an attempt to allocate a zero-length array for group members while processing an empty group. The allocation would return NULL and saving the empty group would fail.
2012-11-19LDAP: Allocate the temporary context on NULL, not memctxJakub Hrozek1-1/+1
Allocating temporary context on NULL helps vind memory leaks with valgrind and avoid growing memory over time by allocating on a long-lived context.
2012-11-19LDAP: Remove double breakJakub Hrozek1-1/+0
2012-11-18LDAP: Expire even non authenticated connectionsJakub Hrozek1-8/+11
The connections request was terminated before setting the expiry timeout in case no authentication was set. https://fedorahosted.org/sssd/ticket/1649
2012-11-16fix -O3 variable may be uninitialized warningsPavel Březina2-6/+6
2012-11-15sudo: store rules with no sudoHost attributePavel Březina1-0/+7
https://fedorahosted.org/sssd/ticket/1640 Normal rules requires that sudoHost attribute is present. But this attribute is not mandatory for a special rule named cn=defaults. This patch modifies filter so that we store even rules that doesn't have sudoHost attribute specified. SUDO will then decide whether it is allowed or not.
2012-11-15Add ignore_group_members option.Paul B. Henson2-2/+13
https://fedorahosted.org/sssd/ticket/1376
2012-11-14Run IPA subdomain provider if IPA ID provider is configuredSumit Bose2-2/+69
To make configuration easier the IPA subdomain provider should be always loaded if the IPA ID provider is configured and the subdomain provider is not explicitly disabled. But to avoid the overhead of regular subdomain requests in setups where no subdomains are used the IPA subdomain provider should behave differently if configured explicit or implicit. If the IPA subdomain provider is configured explicitly, i.e. 'subdomains_provider = ipa' can be found in the domain section of sssd.conf subdomain request are always send to the server if needed. If it is configured implicitly and a request to the server fails with an indication that the server currently does not support subdomains at all, e.g. is not configured to handle trust relationships, a new request will be only send to the server after a long timeout or after a going-online event. To be able to make this distinction this patch save the configuration status to the subdomain context. Fixes https://fedorahosted.org/sssd/ticket/1613
2012-11-12Only build extract_and_send_pac on platforms that support itJakub Hrozek1-104/+18
2012-11-12KRB5: Rename variable to avoid shadowing a global declarationJakub Hrozek1-4/+4
src/providers/krb5/krb5_utils.c: In function ‘cc_dir_create’: src/providers/krb5/krb5_utils.c:824: warning: declaration of ‘dirname’ shadows a global declaration /usr/include/libgen.h:27: warning: shadowed declaration is here
2012-11-12backend: add PAC to the list of known clientsPavel Březina1-0/+2
2012-11-12subdomains: check request type on one place onlyPavel Březina1-6/+0
The check is now held only in ipa_get_subdomain_account_info_send().
2012-11-12Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek1-1/+2
2012-11-10Do not remove a group if it has members from subdomainsSumit Bose1-4/+15
Currently it is only checked if an expired group still has members of the local domain. If not, the group is delete from the cache. With this patch the whole cache, i.e. including subdomains, is searched for members.
2012-11-08Clarify debug message about initgroups and subdomainsSumit Bose1-0/+7
The initgroups request is not handled by the IPA provider for subdomain users on purpose because the group membership information is not available on the IPA server but will be directly written to the cache when the PAC of the user is processed. The old generic debug message "Invalid sub-domain request type" might be misleading. This patch adds a specific message for the initgroups case "Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache." and increase the debug level so that typically this message is not shown anymore because it is expected behaviour. Fixes https://fedorahosted.org/sssd/ticket/1610
2012-11-08do not default fullname to gecos when schema = adPavel Březina1-0/+14
https://fedorahosted.org/sssd/ticket/1482 When we add fullname to user_attrs, then sysdb_add_basic_user() will set fullname to gecos when it initially creates the user object in the cache, but it will be overwritten in the same transaction when sysdb_store_user() adds all the user_attrs.
2012-11-01LDAP: Better debug logging when saving groupsStephen Gallagher1-11/+75
2012-11-01LDAP: Fix off-by-one error when saving ghost usersJakub Hrozek1-1/+1
The ldb_val's length parameter should not include the terminating NULL. This was causing funky behaviour as the users were saved as binary attributes. https://fedorahosted.org/sssd/ticket/1614
2012-10-29Include talloc log in our debug facilityMichal Zidek4-5/+4
https://fedorahosted.org/sssd/ticket/1495
2012-10-26Make sub-domains case-insensitiveSumit Bose1-2/+23
Currently the only type of supported sub-domains are AD domains which are not case-sensitive. To make it easier for Windows user we make sub-domains case-insensitive as well which allows to write the username in any case at the login prompt. If support for other types of sub-domains is added it might be necessary to set the case-sensitive flag based on the domain type.
2012-10-26krb5_auth: update with correct UPN if neededSumit Bose3-0/+133
The Active Directory KDC handles request case in-sensitive and it might not always to possible to guess the UPN with the correct case. We check if the returned principal has a different case then the one used in the request and updates the principal if needed. This will help using calls from the Kerberos client libraries later on which would otherwise fail because the principal is handled case sensitive by those libraries.
2012-10-26Use find_or_guess_upn() where neededSumit Bose4-34/+49
2012-10-26Add new call find_or_guess_upn()Sumit Bose4-8/+54
With the current approach the upn was either a pointer to a const string in a ldb_message or a string created with the help of talloc. This new function always makes it a talloc'ed value. Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as well.
2012-10-26krb5_child: send back the client principalSumit Bose4-5/+42
In general Kerberos is case sensitive but the KDC of Active Directory typically handles request case in-sensitive. In the case where we guess a user principal by combining the user name and the realm and are not sure about the cases of the letters used in the user name we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right cases. To be able to update the cache user principal name the krb5_child will return the principal for further processing.
2012-10-26krb5_mod_ccname: replace wrong memory contextSumit Bose1-1/+1
2012-10-26krb5_child: send PAC to PAC responderSumit Bose1-1/+139
If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is send to the pac responder for evaluation.
2012-10-26krb5_auth: send different_realm flag to krb5_childSumit Bose2-1/+8
The different_realm flag which was set by the responder is send to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.
2012-10-26krb5_auth: check if principal belongs to a different realmSumit Bose4-0/+43
Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
2012-10-26check_ccache_files: search sub-domains as wellSumit Bose1-4/+14
If sssd is configured to renew Kerberos tickets automatically ticket of sub-domain uses should be renewed as well.
2012-10-26krb5_auth_send: check for sub-domainsSumit Bose4-11/+37
If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
2012-10-26subdomain-id: Generate homedir only for users not groupsSumit Bose1-10/+12
2012-10-24KRB5: Return error when principal selection failsJakub Hrozek1-1/+4
The ldap_child would return a NULL ccache but the error code would still indicate success. https://fedorahosted.org/sssd/ticket/1594
2012-10-24sudo refresh: handle errors properlyPavel Březina1-8/+25
We should test both ret and (dp_error, errno) pair.
2012-10-24sudo: do not fail if usn value is zero but full refresh is completedPavel Březina2-7/+19
https://fedorahosted.org/sssd/ticket/1596 In case that LDAP server contains zero sudo rules, the full refresh completes succussfully and stores current USN value (= 0). But then smart refresh will fail because it takes USN=0 as invalid value.
2012-10-16Make TTL configurable for dynamic dns updatesJames Hogarth3-2/+14
2012-10-15LDAP: Check validity of naming_contextJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1581 If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
2012-10-12Only call krb5_set_trace_callback on platforms that support itJakub Hrozek2-2/+2
2012-10-12Create ghost users when a user DN is encountered in IPAJakub Hrozek1-37/+276
The IPA has a defined directory tree structure that allows us to guess the username from a DN without having to look up the DN in LDAP. https://fedorahosted.org/sssd/ticket/1319