Age | Commit message (Collapse) | Author | Files | Lines |
|
We can't support the DIR cache features in systems with kerberos
libraries older than 1.10. Make sure we don't build it on those
systems.
|
|
|
|
|
|
|
|
|
|
Passing Kerberos context to sss_krb5_get_error_message will allow us to
get better error messages.
|
|
https://fedorahosted.org/sssd/ticket/974
|
|
To be able to add support for new credential cache types easily, this
patch creates a new structure sss_krb5_cc_be that defines common
operations with a credential cache, such as create, check if used or remove.
|
|
With the DIR cache support, it's perfectly legal to specify a ccname
directory that ends with a slash. The create_dir function did not handle
that situation correctly.
|
|
krb5-child-test will be another consumer. It also makes the code more
readable by splitting a huge function.
|
|
The krb5-child-test will want to run the child from the current
directory.
|
|
https://fedorahosted.org/sssd/ticket/1225
|
|
* Allocation check was missing
* a DEBUG statement overwrote errno
|
|
There was an issue with ghost members in nested groups. Consider a
scenario with two groups A and B, B being member of A and having some
ghost members. In such case SSSD stored both groups, then added
membership between them and then added ghost members to the group B.
The problem was that adding ghost members to group B didn't propagate
these ghost members to group A. This functionality could have been
solved by memberof plugin but the logic is far more complicated that
changes this patch introduces.
The change is simple: add ghost members at the same time as the group is
created, even if groups are supposed to be stored in two passes. That
way ghost members will be present at the time A -> B membership is
created and they will be propagated as expected.
|
|
This patch extends the RootDSE lookup so that we will perform a
second request to test whether the match rule syntax can be used.
If both groups and initgroups are disabled in the configuration,
this lookup request can be skipped.
|
|
|
|
|
|
|
|
Move it to a private header so it can be reused by other
initgroups C files.
|
|
|
|
SDAP_SCHEMA_AD needs to be calling sdap_initgr_rfc2307bis_recv(),
not sdap_initgr_nested_recv(). By coincidence both recv functions
happened to be identical, but if one or the other changed, this
would break unexpectedly.
|
|
The same block appeared earlier in the function and neither
variable could have changed values since.
|
|
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain.
|
|
Previous patch added the possibility to exclude some attributes from a
map when building an attribute list to be sent to server. The original
reason for this functionality is the code handling LDAP initgroups. In
this code, there is no need to fetch members of groups in question. This
can save some performance since the list of members can be pretty long
in some cases. This case apllies only to RFC2307 and generic RFC2307bis,
it doesn't apply for IPA schema.
|
|
This patch adds support for filtering attributes when constructing
attribute list from a map for LDAP query.
|
|
|
|
|
|
This function is no longer necessary because we don't have fake user
entries any more. The original purpose of this function was to check if
there are fake user entries for particular user and, if yes, to update
its membership.
|
|
|
|
The original approach was to store name and original DN in an object in
sysdb. When later referenced as member of a group, it was retrieved by
its original DN and the correct information about its sysdb DN was
stored in the group object which referenced it.
The new approach doesn't use fake user objects, therefore this
information has to be reached differently when constructing group
memberships. The approach is to store all users to a hash table where
original DN is used as the key and username as value. When constructing
group memberships, the name is retrieved from this hash table instead of
sysdb. This hash table is constructed when retrieving user objects from
LDAP server - if the user is not present in sysdb, it is automatically
stored in the hash table.
Another situation is for rfc2307. Because there is no nesting there, we
can construct the SYSDB_GHOST attribute directly and therefore don't
need a hash table of ghost users.
|
|
There was an issue when IPA provider didn't set PAM_SUCCESS when
successfully finished loading SELinux user maps. This lead to the map
not being read in the responder.
|
|
structure
https://fedorahosted.org/sssd/ticket/1343
|
|
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/949
|
|
The subdomains back end request was sending replies in a format the
responder did not understand in case the request failed.
|
|
Active Directory 2008R2 allows only 1500 group members to be
retrieved in a single lookup. However, when we hit such a
situation, we can take advantage of the ASQ lookups, which are not
similarly limited.
With this patch, we will add any members found by ASQ that were
not found by the initial lookup so we will end with a complete
group listing.
https://fedorahosted.org/sssd/ticket/783
|
|
This is necessary because in several places in the code, we are
appending to the attrs returned from this value, and if we relied
on the map size macro, we would be appending after the NULL
terminator if one or more attributes were defined as NULL.
|
|
When the ldap child process is killed after a timeout, try the next KDC.
When none of the ldap child processes succeed, just abort the connection
because we wouldn't be able to authenticate to the LDAP server anyway.
https://fedorahosted.org/sssd/ticket/1324
|
|
https://fedorahosted.org/sssd/ticket/1316
|
|
Previous version of the SSSD did not abort the async LDAP search
operation on errors. In cases where the request ended in progress, such
as when the paging was very strictly limited, the old versions at least
returned partial data.
This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a
user-visible regression.
https://fedorahosted.org/sssd/ticket/1322
|
|
* Load the enctypes for the keys in the keytab and pass
them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers a enctype
that krb5 supports, but we don't have a key for in the keytab.
https://bugzilla.redhat.com/show_bug.cgi?id=811375
|
|
* When it's actually a failure, then the callers will print
a message. Fine tune this.
|
|
* When calling krb5_get_init_creds_keytab() with
krb5_get_init_creds_opt_set_canonicalize() the credential
principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials
before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518
|
|
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
|
|
|
|
|