summaryrefslogtreecommitdiff
path: root/src/providers
AgeCommit message (Collapse)AuthorFilesLines
2012-06-15KRB5: Auto-detect DIR cache support in configureStephen Gallagher4-5/+33
We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
2012-06-15KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_dataStephen Gallagher1-17/+30
2012-06-15LDAP: Fix missing variable in debug messageStephen Gallagher1-1/+1
2012-06-15Fixed debug message in sdap_save_group()Jan Zeleny1-1/+1
2012-06-14Make krb5_ccname_template and krb5_ccachedir configurableJakub Hrozek2-4/+4
2012-06-14Use Kerberos context in KRB5_DEBUGJakub Hrozek2-55/+61
Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
2012-06-14Add support for storing credential caches in the DIR: back endJakub Hrozek5-70/+510
https://fedorahosted.org/sssd/ticket/974
2012-06-14Add a credential cache back end structureJakub Hrozek7-148/+382
To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
2012-06-14Handle trailing slash in the ccname templateJakub Hrozek1-8/+14
With the DIR cache support, it's perfectly legal to specify a ccname directory that ends with a slash. The create_dir function did not handle that situation correctly.
2012-06-14Split parse_krb5_child_response so it can be reusedJakub Hrozek3-119/+170
krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
2012-06-14Allow redefining the KRB5_CHILD pathJakub Hrozek1-3/+7
The krb5-child-test will want to run the child from the current directory.
2012-06-14Provide more debugging in krb5_child and ldap_childJakub Hrozek2-14/+73
https://fedorahosted.org/sssd/ticket/1225
2012-06-14Two small krb5_child fixesJakub Hrozek1-3/+10
* Allocation check was missing * a DEBUG statement overwrote errno
2012-06-13Fix an issue in ghost usersJan Zeleny1-75/+47
There was an issue with ghost members in nested groups. Consider a scenario with two groups A and B, B being member of A and having some ghost members. In such case SSSD stored both groups, then added membership between them and then added ghost members to the group B. The problem was that adding ghost members to group B didn't propagate these ghost members to group A. This functionality could have been solved by memberof plugin but the logic is far more complicated that changes this patch introduces. The change is simple: add ghost members at the same time as the group is created, even if groups are supposed to be stored in two passes. That way ghost members will be present at the time A -> B membership is created and they will be propagated as expected.
2012-06-13LDAP: Auto-detect support for the ldap match ruleStephen Gallagher6-5/+107
This patch extends the RootDSE lookup so that we will perform a second request to test whether the match rule syntax can be used. If both groups and initgroups are disabled in the configuration, this lookup request can be skipped.
2012-06-13LDAP: Add support for AD chain matching extension in initgroupsStephen Gallagher3-9/+325
2012-06-13LDAP: Add support for AD chain matching extension in group lookupsStephen Gallagher3-9/+417
2012-06-13LDAP: Add ldap_*_use_matching_rule_in_chain optionsStephen Gallagher4-0/+11
2012-06-12LDAP: Make sdap_initgr_common_store() non-staticStephen Gallagher2-7/+15
Move it to a private header so it can be reused by other initgroups C files.
2012-06-12LDAP: Add helper function to get list of a user's groups from sysdbStephen Gallagher2-33/+69
2012-06-12LDAP: Fix incorrect switch statement in sdap_get_initgr_done()Stephen Gallagher1-1/+1
SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(), not sdap_initgr_nested_recv(). By coincidence both recv functions happened to be identical, but if one or the other changed, this would break unexpectedly.
2012-06-12LDAP: Remove redundant checkStephen Gallagher1-11/+0
The same block appeared earlier in the function and neither variable could have changed values since.
2012-06-10IPA subdomains - ask for information about master domainJan Zeleny6-17/+164
The query is performed only if there is missing information in the cache. That means this should be done only once after restart when cache doesn't exist. All subsequent requests for subdomains won't include the request for master domain.
2012-05-31Utilize attribute exclusion in LDAP initgroupsJan Zeleny1-3/+33
Previous patch added the possibility to exclude some attributes from a map when building an attribute list to be sent to server. The original reason for this functionality is the code handling LDAP initgroups. In this code, there is no need to fetch members of groups in question. This can save some performance since the list of members can be pretty long in some cases. This case apllies only to RFC2307 and generic RFC2307bis, it doesn't apply for IPA schema.
2012-05-31Add support for filtering atributesJan Zeleny17-41/+70
This patch adds support for filtering attributes when constructing attribute list from a map for LDAP query.
2012-05-31added DEBUG messages to krb5_child and ldap_childNick Guay2-3/+19
2012-05-31Ghost members - various small changesJan Zeleny1-1/+1
2012-05-31Ghost members - removed sdap_check_aliases()Jan Zeleny4-127/+0
This function is no longer necessary because we don't have fake user entries any more. The original purpose of this function was to check if there are fake user entries for particular user and, if yes, to update its membership.
2012-05-31Ghost members - support in proxy providerJan Zeleny1-6/+8
2012-05-31Ghost members - support in LDAP providerJan Zeleny1-186/+286
The original approach was to store name and original DN in an object in sysdb. When later referenced as member of a group, it was retrieved by its original DN and the correct information about its sysdb DN was stored in the group object which referenced it. The new approach doesn't use fake user objects, therefore this information has to be reached differently when constructing group memberships. The approach is to store all users to a hash table where original DN is used as the key and username as value. When constructing group memberships, the name is retrieved from this hash table instead of sysdb. This hash table is constructed when retrieving user objects from LDAP server - if the user is not present in sysdb, it is automatically stored in the hash table. Another situation is for rfc2307. Because there is no nesting there, we can construct the SYSDB_GHOST attribute directly and therefore don't need a hash table of ghost users.
2012-05-22Fixed issue in SELinux user mapsJan Zeleny1-0/+2
There was an issue when IPA provider didn't set PAM_SUCCESS when successfully finished loading SELinux user maps. This lead to the map not being read in the responder.
2012-05-22LDAP nested groups: Do not process callback with _post deep in the nested ↵Jakub Hrozek1-12/+10
structure https://fedorahosted.org/sssd/ticket/1343
2012-05-22Warn to syslog when dereference requests failAriel Barria1-2/+2
2012-05-22Simple implementation of Netscape password warning expiration controlJoshua Roys1-22/+74
2012-05-16Use the sysdb attribute name, not LDAP attribute nameJakub Hrozek2-2/+2
2012-05-14Fixed two minor memory leaksJan Zeleny2-2/+6
2012-05-14Potential NULL dereference in proxy providerAriel Barria1-1/+1
2012-05-10Filter out IP addresses inappropriate for DNS forward recordsJakub Hrozek1-1/+57
https://fedorahosted.org/sssd/ticket/949
2012-05-10subdomains: Fix error handling in Data ProviderJakub Hrozek1-19/+37
The subdomains back end request was sending replies in a format the responder did not understand in case the request failed.
2012-05-10LDAP: Handle very large Active Directory groupsStephen Gallagher5-45/+271
Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783
2012-05-10LDAP: Add attr_count return value to build_attrs_from_map()Stephen Gallagher17-39/+62
This is necessary because in several places in the code, we are appending to the attrs returned from this value, and if we relied on the map size macro, we would be appending after the NULL terminator if one or more attributes were defined as NULL.
2012-05-09Try all KDCs when getting TGT for LDAPJakub Hrozek1-15/+18
When the ldap child process is killed after a timeout, try the next KDC. When none of the ldap child processes succeed, just abort the connection because we wouldn't be able to authenticate to the LDAP server anyway. https://fedorahosted.org/sssd/ticket/1324
2012-05-07Only reset kpasswd server status when performing a chpass operationJakub Hrozek1-2/+3
https://fedorahosted.org/sssd/ticket/1316
2012-05-07Special-case LDAP_SIZELIMIT_EXCEEDEDJakub Hrozek1-4/+9
Previous version of the SSSD did not abort the async LDAP search operation on errors. In cases where the request ended in progress, such as when the paging was very strictly limited, the old versions at least returned partial data. This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a user-visible regression. https://fedorahosted.org/sssd/ticket/1322
2012-05-07Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter2-0/+36
* Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
2012-05-07Remove erroneous failure message in find_principal_in_keytabStef Walter1-1/+3
* When it's actually a failure, then the callers will print a message. Fine tune this.
2012-05-04If canon'ing principals, write ccache with updated default principalStef Walter2-3/+8
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
2012-05-04Modify behavior of pam_pwd_expiration_warningJan Zeleny2-16/+57
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
2012-05-03LDAP: Add support for enumeration of ID-mapped users and groupsStephen Gallagher1-31/+102
2012-05-03LDAP: Treat groups with unmappable SIDs as non-POSIX groupsStephen Gallagher1-9/+12