| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|
|
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC
- move domain_to_basedn() to a separate file to simplify the build of
a test
|
|
The krb5 options were out of sync, causing a runtime abort.
|
|
|
|
This patch removes some tab-indentations from pamsrv.c, too.
|
|
This option is needed for the rare case where a poll() call during
ldap_sasl_interactive_bind_s() is interrupted by a signal.
LDAP_OPT_RESTART enables the handling of the EINTR error instead of
returning an error.
|
|
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server.
|
|
|
|
|
|
|
|
dbus_connection_send_with_reply() will report success and return
a NULL pending_reply when the connection is not open for
communication. This patch creates a new wrapper around
dbus_connection_send_with_reply() to properly detect this
condition and report it as an error.
|
|
When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful
authentication in SSS_PAM_CHAUTHTOK_PRELIM.
|
|
When the user's password is expired it might also be indicated by
the bind operation returning "INVALID_CREDENTIALS" with the ppolicy
control's errorcode set to "PP_passwordExpired".
|
|
|
|
|
|
As with krb5_ccname_template sequences like %u can be used in the
krb5_ccachedir parameter which are expanded at runtime. If the directory
does not exist, it will be created. Depending on the used sequences it
is created as a public or private directory.
|
|
|
|
Upon receiving SIGHUP, the monitor signals all services to reopen their
debug logs. It is also possible to signal individual services to reopen
their particular files.
Fixes: #332
|
|
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so
I decided to fix them. I also made a quick grep through the code and
found other places so I fixed them too.
|
|
Make the counter optional so that alignment safe macros can be used also where
there is no counter to update.
Change arguments names so that they are not deceiving (ptr normlly identify a
pointer)
Turn the memcpy substitute into an inline function so that passing a pointer to
rp and checking for it doesn't make the compiler spit lots of warnings.
|
|
|
|
There were inconsistencies between what sssd.conf manpage said
and what the code enforces.
|
|
When refactoring talloc_asprintf calls a check was left behind that
cased the backend to go offline immediately.
|
|
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past that account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and and no user references them
(no user has memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391
|
|
Do not attempt to validate expired entries in cache, just delete them.
Also increase the cache timeouts.
Fixes: #331
|
|
|
|
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
|
|
Adds a new option that tells resolver which address family to prefer or
use exclusively.
Fixes: #404
|
|
If we're sending a message to the backend, we already know which
domain the request is targeting. Carrying this information is not
useful and confuses the interface.
|
|
This was a holdover from when the DP and the providers were unique
processes. The NSS and PAM registrations do not need to send the
domain, as it is not ambiguous which one they are talking to.
|
|
|
|
|
|
|
|
|
|
Also update BUILD.txt
|
