| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
With some LDAP server implementations, one server might provide
different "views" of the identites on different ports. One example is
the Active Directory Global catalog. The provider would contact
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches.
|
|
Instead of using boolean variables to denote whether the call is adding
a primary or a secondary server, use a function wrapper that tells what
it's doing by its name.
|
|
Currently while doing a Kerberos based authentication the PAC was only
send to the PAC responder for principals from a different realm. This
reflects the FreeIPA use case of users from trusted domains.
This restriction does not make sense anymore when the data from the PAC
should be used for the AD provider as well. It also makes only limited
sense for the IPA use case, because when using GSSAPI the PAC of users
from the local IPA domain are already evaluated by the PAC responder.
|
|
users_get_recv() never returns ENOENT. In general it should return EOK
in the case no matching user was found. But since I forget to handle a
SID based filter properly in sdap_get_users_process() an error is
returned in this case which makes get_user_and_group_users_done() work
as expected with this patch.
There is an upcoming enhancement to users_get_recv() which I'm planning
to use for a full fix.
|
|
It does not make much sense to run multiple get_subdomains request in
parallel because all requests will load the same information from the
server. The IPA and AD provider already implement a short timeout to
avoid the multiple requests are running to fast after each other. But if
the timeout is over chances are that if two or more request come in fast
the first request cannot update the timeout and request will run in
parallel. To avoid this the requests are queued and send one after the
other to the provider.
|
|
For some backend targets it might be not desirable to run requests in
parallel but to serialize them. To avoid that each provider has to
implement a queue for this target this patch implements a generic queue
which collects incoming requests before they are send to the target.
|
|
https://fedorahosted.org/sssd/ticket/1929
|
|
In contrast to MIT KDCs AD does not automatically canonicalize the
enterprise principal in an AS request but requires the canonicalize
flags to be set. To be on the safe side we always enable
canonicalization if enterprise principals are used.
|
|
https://fedorahosted.org/sssd/ticket/1950
|
|
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
|
|
|
|
|
|
|
|
The dyndns init function was starting the timer even if the updates were
set to False. This patch splits the init of dynamic updates and the
timer into two functions so that the back end can start the updates
separately from reading the options.
|
|
https://fedorahosted.org/sssd/ticket/1930
On misconfigured id-mapping range variables, the provider should not
start. We were internally correctly setting error code for failure, but
interruption of startup was not performed.
Also raised the debug level of message for this misconfiguration.
|
|
The patch adds support for BE_REQ_BY_SECID and BE_REQ_USER_AND_GROUP to
the LDAP provider. Since the AD and the IPA provider use the same code
they support those request now as well.
Besides allowing that users and groups can be searched by the SID as
well the new request allows to search users and groups in one run, i.e.
if there is not user matching the search criteria groups are searched as
well.
|
|
To allow mapping of SIDs to names or POSIX IDs and back the related
attributes must be read from the FreeIPA directory server.
|
|
This patch add a basic check if the SID returned by the LDAP server is
in a string representation. If not it is assumed that a binary SID was
returned by the LDAP server which is converted into a string
representation which is returned to the caller.
|
|
Because we now always want to store SIDs in the IPA provider, we also need
to always initialize the ID mapping context.
|
|
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
|
This patch remove unused functions sdap_parse_user and sdap_parse_group
|
|
|
|
setup_child() was accepting a parameter it didn't use. Also the function
name was too generic, so I added a sdap prefix.
|
|
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, examle: '%\n'
|
|
In function ad_subdomains_get_netlogon_done:
If variable "reply_count" is zero then variable "reply" will not be
initialized. Therefore we should not continue.
|
|
Added missing variable in DEBUG macro call.
|
|
Instead of continuing to use the initial upn if enterprise principals
are used if should always be replaced. The enterprise principal
is stored in the credential cache and without knowing it the
ccache_for_princ() calls to determine the location of the credential
cache will fail.
Fixes https://fedorahosted.org/sssd/ticket/1921
|
|
Header file selinux/selinux.h was removed in commit 245cc346 from file
ipa_selinux.c, because it breaks build without selinux. But new
error was introduced. This patch fixes compilation with selinux and include
header file selinux/selinux.h only if both macros
exist HAVE_SELINUX and HAVE_SELINUX_LOGIN_DIR.
Now ipa_selinux.c should be correctly built with and without selinux.
|
|
In commit 46222e5191473f9a46aec581273eb2eef22e23be we removed a very
similar DEBUG message while moving the whole piece of code to the idmap
library. But it turned out that the DEBUG message was useful while
testing the functionality, so this patch adds it back.
|
|
Compilation fail if ./configure is called with arguments
--with-selinux --with-semanage and selinux header files are not
installed. We didn't not catch this in fedora, because krb5-devel depends on
libselinux-devel, but other distribution can package it differently.
And API from selinux.h is not used in file ipa_selinux.c
|
|
https://fedorahosted.org/sssd/ticket/1922
Since we always store the SID now, we need to always initialize the ID
mapping object in LDAP provider as well. Some users might want to
configure the LDAP provider with ID mapping, not the AD provider itself.
|
|
https://fedorahosted.org/sssd/ticket/1915
|
|
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when and known domain name is encountered I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of a LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes
https://fedorahosted.org/sssd/ticket/1468
|
|
If enterprise principals are enabled (which is the default in the AD
provider), then the returned UPN might be slightly different from
the one SSSD constructs before attempting the login. This patch makes
SSSD only check if the principal is the same when the enterprise
principals are disabled.
|
|
Because we now always store SIDs in the LDAP provider, we also need to
always initialize the ID mapping context even if ID mapping itself is
off.
|
|
https://fedorahosted.org/sssd/ticket/1504
Implements dynamic DNS updates for the AD provider. By default, the
updates also update the reverse zone and run periodically every 24
hours.
|
|
|
|
This options is mostly provided for future expansion. Currently it is
undocumented and both IPA and AD dynamic DNS updates default to
GSS-TSIG. Allowed values are GSS-TSIG and none.
|
|
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server.
|
|
https://fedorahosted.org/sssd/ticket/1832
While some servers, such as FreeIPA allow the PTR record to be
synchronized when the forward record is updated, other servers,
including Active Directory, require that the PTR record is synchronized
manually.
This patch adds a new option, dyndns_update_ptr that automatically
generates appropriate DNS update message for updating the reverse zone.
This option is off by default in the IPA provider.
Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg
|
|
This new options adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records.
|
|
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning.
|
|
Provides two new layers instead of the previous IPA specific layer:
1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its
purpose it to make it possible for any back end to use dynamic DNS
updates.
2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some
LDAP-specific features like autodetecting the address from the LDAP
connection.
Also converts the dyndns code to new specific error codes.
|
|
This patch add the functionality to handle lookup by SIDs and lookups
for SIDs to the subdomain branch of the IPA ID provider.
|
|
This patch added auto configuration SUDO with ipa provider and compat tree.
https://fedorahosted.org/sssd/ticket/1733
|
|
|
|
|
|
Currently the POSIX ID or the user name are passed in different
parameters to some calls. The method will get cumbersome and error-prone
if new parameters like, e.g. the SID, are added. This patch adds a union
to hold the different kind of parameters.
|
|
|
