| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
When fixed host names of AD servers are configured in the config file,
we can't know (unlike when service discovery is at play) if the servers
are Global Catalogs or not. This patch adds a private data to servers
read from the config file that denote whether the server can be tried
for contacting the Global Catalog port or just LDAP. The GC or LDAP URIs
are generated based on contents of this private data structure.
Because SSSD sticks to a working server, we don't have to disable or
remove the faulty GC servers from the list.
|
|
As the subdomains are MPG domains, we don't want to store a separate GID
for the subdomain users, but rather just create a UPG.
|
|
Move the part of sdap_save_user into a separate function so that it can
be special cased an only called for users in primary domains, not
subdomain users.
|
|
Because the NSS responder expects the name attribute to contain FQDN,
we must save the name as FQDN in the LDAP provider if the domain we save
to is a subdomain.
|
|
This function will be used later to fill the sdap_domain structures with
search bases.
|
|
The utility function will be reused to guess search base from the base
DN of AD trusted domains.
|
|
By default, the LDAP searches delete the entry from cache if it wasn't
found during a search. But if a search wants to try both Global Catalog
and LDAP, for example, it might be beneficial to have an option to only
delete the entry from cache after the last operation fails to prevent
unnecessary memberof operations for example.
|
|
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain.
|
|
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added.
|
|
The sdap account handler was a function with its own private callback
that directly called the back end handlers. This patch refactors the
handler into a new tevent request that the current sdap handler calls.
This refactoring would allow the caller to specify a custom sdap
connection for use by the handler and optionally retry the same request
with another connection inside a single per-provider handler.
No functional changes are present in this patch.
|
|
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.
|
|
Instead of using boolean variables to denote whether the call is adding
a primary or a secondary server, use a function wrapper that tells what
it's doing by its name.
|
|
Currently while doing a Kerberos based authentication the PAC was only
send to the PAC responder for principals from a different realm. This
reflects the FreeIPA use case of users from trusted domains.
This restriction does not make sense anymore when the data from the PAC
should be used for the AD provider as well. It also makes only limited
sense for the IPA use case, because when using GSSAPI the PAC of users
from the local IPA domain are already evaluated by the PAC responder.
|
|
users_get_recv() never returns ENOENT. In general it should return EOK
in the case no matching user was found. But since I forget to handle a
SID based filter properly in sdap_get_users_process() an error is
returned in this case which makes get_user_and_group_users_done() work
as expected with this patch.
There is an upcoming enhancement to users_get_recv() which I'm planning
to use for a full fix.
|
|
It does not make much sense to run multiple get_subdomains request in
parallel because all requests will load the same information from the
server. The IPA and AD provider already implement a short timeout to
avoid the multiple requests are running to fast after each other. But if
the timeout is over chances are that if two or more request come in fast
the first request cannot update the timeout and request will run in
parallel. To avoid this the requests are queued and send one after the
other to the provider.
|
|
For some backend targets it might be not desirable to run requests in
parallel but to serialize them. To avoid that each provider has to
implement a queue for this target this patch implements a generic queue
which collects incoming requests before they are send to the target.
|
|
https://fedorahosted.org/sssd/ticket/1929
|
|
In contrast to MIT KDCs AD does not automatically canonicalize the
enterprise principal in an AS request but requires the canonicalize
flags to be set. To be on the safe side we always enable
canonicalization if enterprise principals are used.
|
|
https://fedorahosted.org/sssd/ticket/1950
|
|
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
|
|
|
|
|
|
|
|
The dyndns init function was starting the timer even if the updates were
set to False. This patch splits the init of dynamic updates and the
timer into two functions so that the back end can start the updates
separately from reading the options.
|
|
https://fedorahosted.org/sssd/ticket/1930
On misconfigured id-mapping range variables, the provider should not
start. We were internally correctly setting error code for failure, but
interruption of startup was not performed.
Also raised the debug level of message for this misconfiguration.
|
|
The patch adds support for BE_REQ_BY_SECID and BE_REQ_USER_AND_GROUP to
the LDAP provider. Since the AD and the IPA provider use the same code
they support those request now as well.
Besides allowing that users and groups can be searched by the SID as
well the new request allows to search users and groups in one run, i.e.
if there is not user matching the search criteria groups are searched as
well.
|
|
To allow mapping of SIDs to names or POSIX IDs and back the related
attributes must be read from the FreeIPA directory server.
|
|
This patch add a basic check if the SID returned by the LDAP server is
in a string representation. If not it is assumed that a binary SID was
returned by the LDAP server which is converted into a string
representation which is returned to the caller.
|
|
Because we now always want to store SIDs in the IPA provider, we also need
to always initialize the ID mapping context.
|
|
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
|
This patch remove unused functions sdap_parse_user and sdap_parse_group
|
|
|
|
setup_child() was accepting a parameter it didn't use. Also the function
name was too generic, so I added a sdap prefix.
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
In function ad_subdomains_get_netlogon_done:
If variable "reply_count" is zero then variable "reply" will not be
initialized. Therefore we should not continue.
|
|
Added missing variable in DEBUG macro call.
|
|
Instead of continuing to use the initial upn if enterprise principals
are used if should always be replaced. The enterprise principal
is stored in the credential cache and without knowing it the
ccache_for_princ() calls to determine the location of the credential
cache will fail.
Fixes https://fedorahosted.org/sssd/ticket/1921
|
|
Header file selinux/selinux.h was removed in commit 245cc346 from file
ipa_selinux.c, because it breaks build without selinux. But new
error was introduced. This patch fixes compilation with selinux and include
header file selinux/selinux.h only if both macros
exist HAVE_SELINUX and HAVE_SELINUX_LOGIN_DIR.
Now ipa_selinux.c should be correctly built with and without selinux.
|
|
In commit 46222e5191473f9a46aec581273eb2eef22e23be we removed a very
similar DEBUG message while moving the whole piece of code to the idmap
library. But it turned out that the DEBUG message was useful while
testing the functionality, so this patch adds it back.
|
|
Compilation fail if ./configure is called with arguments
--with-selinux --with-semanage and selinux header files are not
installed. We didn't not catch this in fedora, because krb5-devel depends on
libselinux-devel, but other distribution can package it differently.
And API from selinux.h is not used in file ipa_selinux.c
|
|
https://fedorahosted.org/sssd/ticket/1922
Since we always store the SID now, we need to always initialize the ID
mapping object in LDAP provider as well. Some users might want to
configure the LDAP provider with ID mapping, not the AD provider itself.
|
|
https://fedorahosted.org/sssd/ticket/1915
|
|
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when and known domain name is encountered I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of a LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes
https://fedorahosted.org/sssd/ticket/1468
|
|
If enterprise principals are enabled (which is the default in the AD
provider), then the returned UPN might be slightly different from
the one SSSD constructs before attempting the login. This patch makes
SSSD only check if the principal is the same when the enterprise
principals are disabled.
|
|
Because we now always store SIDs in the LDAP provider, we also need to
always initialize the ID mapping context even if ID mapping itself is
off.
|
|
https://fedorahosted.org/sssd/ticket/1504
Implements dynamic DNS updates for the AD provider. By default, the
updates also update the reverse zone and run periodically every 24
hours.
|
|
|
|
This options is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none.
|
|
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server.
|
