Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2012-05-07 | Special-case LDAP_SIZELIMIT_EXCEEDED | Jakub Hrozek | 1 | -4/+9 | |
Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322 | |||||
2012-05-07 | Limit krb5_get_init_creds_keytab() to etypes in keytab | Stef Walter | 2 | -0/+36 | |
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375 | |||||
2012-05-07 | Remove erroneous failure message in find_principal_in_keytab | Stef Walter | 1 | -1/+3 | |
* When it's actually a failure, then the callers will print a message. Fine tune this. | |||||
2012-05-04 | If canon'ing principals, write ccache with updated default principal | Stef Walter | 2 | -3/+8 | |
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518 | |||||
2012-05-04 | Modify behavior of pam_pwd_expiration_warning | Jan Zeleny | 2 | -16/+57 | |
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider. | |||||
2012-05-03 | LDAP: Add support for enumeration of ID-mapped users and groups | Stephen Gallagher | 1 | -31/+102 | |
2012-05-03 | LDAP: Treat groups with unmappable SIDs as non-POSIX groups | Stephen Gallagher | 1 | -9/+12 | |
2012-05-03 | LDAP: Add helper function to map IDs | Stephen Gallagher | 5 | -119/+81 | |
This function will also auto-create a new ID map if the domain has not been seen previously. | |||||
2012-05-03 | LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped ↵ | Stephen Gallagher | 2 | -0/+16 | |
entries | |||||
2012-05-03 | LDAP: Add helper routine to convert LDAP blob to SID string | Stephen Gallagher | 5 | -68/+195 | |
2012-05-03 | LDAP: Map the user's primaryGroupID | Stephen Gallagher | 4 | -12/+69 | |
2012-05-03 | LDAP: Enable looking up id-mapped groups by GID | Stephen Gallagher | 1 | -2/+45 | |
2012-05-03 | LDAP: Allow looking up ID-mapped groups by name | Stephen Gallagher | 2 | -29/+125 | |
2012-05-03 | LDAP: Enable looking up id-mapped users by UID | Stephen Gallagher | 1 | -6/+43 | |
2012-05-03 | LDAP: Allow automatically-provisioning a domain and range | Stephen Gallagher | 1 | -3/+43 | |
If we get a user who is a member of a domain we haven't seen before, add a domain entry (auto-assigning its slice). Since we don't know the domain's real name, we'll just save the domain SID string as the name as well. | |||||
2012-05-03 | LDAP: Add routine to extract domain SID from an object SID | Stephen Gallagher | 2 | -0/+49 | |
Also makes the domain prefix macros from sss_idmap public. | |||||
2012-05-03 | LDAP: Allow setting a default domain for id-mapping slice 0 | Stephen Gallagher | 4 | -0/+42 | |
2012-05-03 | LDAP: Add autorid compatibility mode | Stephen Gallagher | 4 | -8/+17 | |
2012-05-03 | LDAP: Enable looking up ID-mapped users by name | Stephen Gallagher | 2 | -9/+55 | |
2012-05-03 | LDAP: Initialize ID mapping when configured | Stephen Gallagher | 2 | -0/+10 | |
2012-05-03 | LDAP: Add ID mapping range settings | Stephen Gallagher | 3 | -0/+9 | |
2012-05-03 | LDAP: Add helper routines for ID-mapping | Stephen Gallagher | 2 | -0/+334 | |
2012-05-03 | LDAP: Add id-mapping option | Stephen Gallagher | 3 | -0/+3 | |
2012-05-03 | LDAP: Add objectSID config option | Stephen Gallagher | 3 | -0/+10 | |
2012-05-03 | Read sysdb attribute name, not LDAP attribute map name | Jakub Hrozek | 1 | -2/+2 | |
https://fedorahosted.org/sssd/ticket/1320 | |||||
2012-05-03 | SSH: Add dp_get_host_send to common responder code | Jakub Hrozek | 3 | -30/+24 | |
Instead of using account_info request, creates a new ssh specific request. This improves code readability and will make the code more flexible in the future. https://fedorahosted.org/sssd/ticket/1176 | |||||
2012-05-03 | Rename split_service_name_filter | Jakub Hrozek | 1 | -16/+16 | |
The function was used outside services code which was confusing due to its name. This patch renames it to sound more netrual. | |||||
2012-05-03 | IPA: Check return values | Jakub Hrozek | 2 | -2/+12 | |
2012-05-03 | PROXY: return correct return codes | Jakub Hrozek | 1 | -7/+9 | |
We were reporting on the value of "status" instead of "ret'. We also didn't set ret to EOK in cases group contained no members. | |||||
2012-05-02 | DP: return correct error message when subdomains back end target is not ↵ | Jakub Hrozek | 1 | -1/+1 | |
configured The done handler uses the value of status, not ret. | |||||
2012-05-02 | HBAC: Prevent NULL dereference in hbac_evaluate | Jakub Hrozek | 1 | -2/+4 | |
'info' is optional parameter and can be set to NULL | |||||
2012-05-02 | ipa_get_config_send: remove unused assignment | Jakub Hrozek | 1 | -1/+0 | |
2012-05-02 | IPA netgroups: return EOK when there are no netgroups to process | Jakub Hrozek | 1 | -0/+1 | |
If the code fell through the loop, ret would have been random value. | |||||
2012-05-02 | LDAP: check return value of sysdb_attrs_get_el | Jakub Hrozek | 1 | -0/+7 | |
2012-05-01 | execv, excvp and exec_child never return EOK | Stef Walter | 2 | -10/+6 | |
* So don't need to handle that case | |||||
2012-04-24 | Utilize sysdb context within be_req in HBAC | Jan Zeleny | 1 | -2/+2 | |
2012-04-24 | Detect subdomain request in IPA access provider | Jan Zeleny | 1 | -0/+10 | |
2012-04-24 | Accept be_req instead if be_ctx in LDAP access provider | Jan Zeleny | 3 | -15/+16 | |
2012-04-24 | Carry sysdb context and domain info in be_req structure | Jan Zeleny | 2 | -0/+5 | |
2012-04-24 | Basic support for subdomains in auth provider | Jan Zeleny | 3 | -3/+13 | |
2012-04-24 | Add ID operations in subdomains | Jan Zeleny | 3 | -0/+276 | |
2012-04-24 | Add s2n extended operation | Sumit Bose | 2 | -0/+667 | |
2012-04-24 | Add domain name to get_account_info request | Sumit Bose | 2 | -0/+10 | |
2012-04-24 | IPA: Add get-domains target | Sumit Bose | 6 | -0/+425 | |
2012-04-24 | data provider: added subdomains | Sumit Bose | 3 | -2/+167 | |
2012-04-24 | Responder part of the subdomain retrieval work | Jan Zeleny | 1 | -0/+1 | |
2012-04-20 | Get the RootDSE after binding if not successfull before | Jakub Hrozek | 1 | -26/+104 | |
https://fedorahosted.org/sssd/ticket/1258 | |||||
2012-04-20 | Convert read and write operations to sss_atomic_read | Jakub Hrozek | 3 | -78/+52 | |
https://fedorahosted.org/sssd/ticket/1209 | |||||
2012-04-20 | sdap_check_aliases must not error when detects the same user | Jakub Hrozek | 1 | -13/+31 | |
https://fedorahosted.org/sssd/ticket/1307 | |||||
2012-04-20 | Free controls in sdap_rebind_proc | Jakub Hrozek | 1 | -4/+6 | |