Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/880
|
|
|
|
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/878
|
|
https://fedorahosted.org/sssd/ticket/877
|
|
https://fedorahosted.org/sssd/ticket/876
|
|
Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.
https://fedorahosted.org/sssd/ticket/799
|
|
This patch splits checking cache and hash tables into standalone
functions. This will make it easy to reuse the code in a new branch that
uses dereferencing.
|
|
Instead of downloading complete user data which is potentionally very
slow, only download the necessary minimum information and store the
users as dummy entries.
|
|
RFC2307bis code relies heavily on originalDN, so the fake users need to
have an option to store it, too.
|
|
A generic wrapper around ASQ and OpenLDAP dereference searches.
https://fedorahosted.org/sssd/ticket/635
|
|
This dereference method is supported at least by OpenLDAP and
389DS/RHDS
For more details, see:
http://tools.ietf.org/html/draft-masarati-ldap-deref-00
|
|
For more details on ASQ, see:
http://msdn.microsoft.com/en-us/library/aa366976%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa746418%28v=VS.85%29.aspx
|
|
These will be shared by both dereference methods in a later patch.
|
|
Add a private sdap_get_generic_ext_send()/_recv() request that
exposes more of ldap_search_ext options, in particular the server
contols. The existing sdap_generic_search_send()/_recv() request
is now a thin wrapper around the new _ext request.
The other important change is that an entry parsing is a callback now.
That was done in order to allow custom parsing for results such as
OpenLDAP deref or Attribute Scoped Queries.
|
|
Related ticket:
https://fedorahosted.org/sssd/ticket/855
|
|
The label was named fail but used also in success cases.
|
|
This function was not used anywhere
|
|
|
|
|
|
|
|
|
|
We will now re-read the confdb debug_level value when processing
the monitor_common_logrotate() function, which occurs when the
monitor receives a SIGHUP.
|
|
This was implemented almost identically for both the responders
and the providers. It is easier to maintain as a single routine.
This patch also adds the ability to provide a private context to
attach to the sbus_connection for later use.
|
|
|
|
|
|
This patch fixes some issues with setting lastUSN attribute and it adds
check against the highest user/group USN after enumeration to keep
better track of the real highest USN. Optimal solution here would be to
schedule a check of rootDSE entry right after the enumeration finishes,
but for the moment this is good enough.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/825
|
|
A previous patch changed a talloc_steal() into a talloc_move(). Now it
is not enough to change the parent memory context with talloc_steal to
give back the data, but it has to be assigned back too.
Additionally this patch uses the missing pam data as an indication that
a renewal request for this data is currently running.
|
|
|
|
Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856
|
|
We were trying to request the krb5 keytab from the auth provider
configuration, but it hasn't yet been set up. Much better to use
the value in the ID provider.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
|
|
https://fedorahosted.org/sssd/ticket/700
|
|
The function now supports finding principal in keytab not only based on
realm, but based on both realm and primary/instance parts. The function
also supports * wildcard at the beginning or at the end of primary
principal part. The function for finding principal has been moved to
util/sss_krb5.c, so it can be used in other parts of the code.
|
|
When reconnecting to the LDAP server supporting USNs (either because of new incomming
id operation or invokation of callback responsible for checking status
of the backend), detect whether the highest USN is lower than the one
SSSD has recorded. If so, setup enumeration/cleanup to refresh
potentionally changed account information in the SSSD cache.
Related ticket:
https://fedorahosted.org/sssd/ticket/734
|
|
Related:
https://fedorahosted.org/sssd/ticket/734
|
|
https://fedorahosted.org/sssd/ticket/647
|