summaryrefslogtreecommitdiff
path: root/src/providers
AgeCommit message (Collapse)AuthorFilesLines
2013-01-14let ldap_backup_chpass_uri workPavel Březina1-2/+4
https://fedorahosted.org/sssd/ticket/1760
2013-01-14Fix LDAP authentication - invalid password lengthPavel Březina1-1/+1
sss_authtok_get_password() already returns length without terminating zero. This broke authentication over LDAP because we removed the last password character.
2013-01-10Change pam data auth tokens.Simo Sorce16-373/+429
Use the new authtok abstraction and interfaces throught the code.
2013-01-10Code can only check for cached passwordsSimo Sorce1-4/+17
Make it clear to the API users that we can not take arbitrary auth tokens. We can only take a password for now so simplify and clarify the interface.
2013-01-10Fix sdap reinit.Simo Sorce1-82/+89
This set of functions had a few important issues: 1. the base_dn was always NULL, as the base array was never actually used to construct any DN. This means each function searched the whole database multiple times. It would try to remove SYSDB_USN from all database entries 3 times. Then it would try to find non updated entries another 3 times and delete them, arguably find empty results the last 2 times. 2. Remove use of sysdb_private.h, that header is *PRIVATE* which means it should not be used anywhere but within sysdb. Do this by using existing functions instead of using ldb calls directly. This is important to keep sysdb as conistent and self-contained as possible.
2013-01-09AD: Add user as a direct member of his primary groupJakub Hrozek1-8/+109
In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. The downside of this approach is that the user is returned as a group member during getgrgid call as well.
2013-01-09AD: replace GID/UID, do not add another oneJakub Hrozek4-7/+41
The code would call sysdb_attrs_add_uint32 which added another UID or GID to the ID=0 we already downloaded from LDAP (0 is the default value) when ID-mapping an entry. This led to funky behaviour later on when we wanted to process the ID.
2013-01-08IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAPJakub Hrozek3-4/+6
It is not a map, but a default context. The name should reflect that.
2013-01-08SELINUX: Process maps even when offlineJakub Hrozek1-226/+429
Changes the ipa_get_selinux{send,recv} request so that it only delivers data and moves processing to the IPA selinux handler.
2013-01-08SYSDB: Remove duplicate selinux definesJakub Hrozek1-0/+1
2013-01-07sudo smart refresh: fix debug messagePavel Březina1-1/+1
2013-01-07sudo smart refresh: do not include usn in filter if no valid usn is knownPavel Březina1-5/+12
https://fedorahosted.org/sssd/ticket/1736 When there are no rules during first refresh, we don't have valid USN value. We use 0 in this case, but it turned out that OpenLDAP takes it as invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include USN/modifyTimestamp attribute in the filter if such situasion occurs.
2013-01-07Fix tevent_req style for sdap_async_sudo.Simo Sorce1-22/+22
Use correct name for _done() function from the caller. Remove unneded initializzations to NULL for a lot of variables hat are going to be assigned as the first thing done in the functions.
2013-01-04LDAP: initialize refresh function handlerOndrej Kos1-1/+1
2013-01-02let krb5_backup_kpasswd failover workPavel Březina1-2/+2
https://fedorahosted.org/sssd/ticket/1735
2013-01-02failover: Protect against empty host namesMichal Zidek6-8/+8
Added new parameter to split_on_separator that allows to skip empty values. The whole function was rewritten. Unit test case was added to check the new implementation. https://fedorahosted.org/sssd/ticket/1484
2013-01-02set ret to EOK after for loop in sdap_sudo_purge_sudoersPavel Březina1-0/+2
If we are unable to delete some rule from cache we print a debug message and ignore the error. Thus we should set ret to EOK after the for loop otherwise we return whether the last rule was deleted successfully or not. This also removes compilation warning that ret may be used uninitialized (when we don't go inside the loop at all).
2012-12-20krb5 tgt renewal: fix usage of ldb_dn_get_component_val()Sumit Bose1-4/+4
For some reason I was under the impression that the DN components are counted backwards in libldb. This patch corrects this.
2012-12-19Add default section to switch statementSumit Bose1-0/+3
switch statements should always have a default section. In this particular case gcc gave a "'send_fn' may be used uninitialized in this function" warning.
2012-12-18DP: invalidate all cached maps if a request for auto.master comes inJakub Hrozek3-0/+16
If the Data Provider receives a request for the auto.master map, it passes on a flag to let the actual provider let know he should invalidate the existing maps
2012-12-18sudo: do full refresh when data provider is back onlinePavel Březina2-7/+75
https://fedorahosted.org/sssd/ticket/1689 Add a online callback if the first full refresh fails due to the provider beeing offline so we can perform the refresh as soon as possible.
2012-12-18sudo: schedule another full refresh in short interval if the first failsPavel Březina2-0/+28
https://fedorahosted.org/sssd/ticket/1689 If the first full refresh of sudo rules fails because the data provider is offline, we will schedule another one in 2, 4, ... minutes.
2012-12-18check dp error in sdap_sudo_full_refresh_done()Pavel Březina1-3/+8
https://fedorahosted.org/sssd/ticket/1689
2012-12-18add sdap_sudo_schedule_refresh()Pavel Březina2-43/+77
Reduces amount of code duplication.
2012-12-18try primary server after retry_timeout + 1 seconds when switching to backupPavel Březina3-1/+13
https://fedorahosted.org/sssd/ticket/1679 The problem is when we are about to reset the server status, we don't get through the timeout (30 seconds) because the "switch to primary server" task is scheduled 30 seconds after fall back to a backup server. Thus the server status remains "not working" and is resetted after another 30 seconds. We need to make sure that the server status is tried after the timeout period. retry_timeout is currently hardcoded to 30, thus the change in man page.
2012-12-17PROXY: fix groups cachingOndrej Kos1-0/+6
https://fedorahosted.org/sssd/ticket/1685 Properly react on deleting group which was not found in sysdb.
2012-12-15let ldap_chpass_uri failover work when using same hostnamePavel Březina1-11/+4
https://fedorahosted.org/sssd/ticket/1699 We want to continue with the next server on all errors, not only on ETIMEDOUT. This particullar ticket was dealing with ECONNREFUSED.
2012-12-11sudo: don't get stuck in rules and smart refresh when offlinePavel Březina1-4/+14
https://fedorahosted.org/sssd/ticket/1682 The problem was in following code: if (ret != EOK || state->dp_error != DP_ERR_OK || state->error != EOK) { tevent_req_error(req, ret); return; } In situation when data provider error occurs (e.g. when offline), ret == EOK but dp_error != DP_ERR_OK and we take the true branch. This results in calling tevent_req_error(req, EOK). Unfortunately, with EOK tevent_req_error only returns false, but does not trigger callback and this tevent request hangs forever, because no tevent_req_done(req) is called.
2012-12-10LDAP: remove dead assignmentJakub Hrozek1-1/+0
2012-12-10let krb5_kpasswd failover workPavel Březina1-3/+7
https://fedorahosted.org/sssd/ticket/1680 There were two errors: 1. kr->kpasswd_srv was never set 2. bad service name (KERBEROS) was provided when setting port status, thus the port status never changed
2012-12-10PROXY: fix negative cacheOndrej Kos1-20/+24
https://fedorahosted.org/sssd/ticket/1685 The PROXY provider wasn't storing credentials to negative cache due to bad return value. This was delegated from attempt to delete these credentials from local cache. Therefore ENOENT is replaced as EOK.
2012-12-07SUDO: strdup the input variableJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1701
2012-12-05Fix comment on wrong lineSimo Sorce1-1/+1
2012-12-05LDAP: Continue adjusting group membership even if there is nothing to addJakub Hrozek1-2/+1
https://fedorahosted.org/sssd/ticket/1695
2012-12-05Add backchannel NSS provider query on initgr callsSimo Sorce1-0/+165
This is needed in order to assure the memcache is properly and promptly cleaned up if a user memberships change on login. The list of the current groups for the user is sourced before it is updated and sent to the NSS provider to verify if it has changed after the update call has been made.
2012-12-05Hook for mmap cache update on initgroup callsSimo Sorce1-0/+1
This set of functions enumerate the user's groups and invalidate them all if the list does not matches what we get from the caller.
2012-12-05Hook to perform a mmap cache update from sssd_nssSimo Sorce1-0/+6
This set of functions enumerate each user/group from all domains and invalidate any mmap cache record that matches.
2012-12-04Use an entry type mask macro to filter entry typesSimo Sorce5-5/+6
Avoids hardcoding magic numbers everywhere and self documents why a mask is being applied.
2012-12-04Streamline ipa_account_info handlerSimo Sorce1-74/+55
In particular note that we merge ipa_account_info_netgroups_done() and ipa_account_info_users_done() into a single fucntion called ipa_account_info_done() that handles both cases We also remove the auxiliary function ipa_account_info_complete() that unnecessarily violates the tevent_req style and instead use a new function named ipa_account_info_error_text() to generate error text.
2012-12-04Fix tevent_req style for get_netgroup in ipa_idSimo Sorce1-80/+71
Also do not intermix two tevent_req sequences
2012-12-04Fix ipa_subdomain_id names and tevent_req styleSimo Sorce3-52/+36
2012-12-04Fix tevent_req style for krb5_authSimo Sorce4-371/+334
No functionality changes, just make the code respect the tevent_req style and naming conventions and enhance readability by adding some helper functions.
2012-12-04Missing parameter in DEBUG message.Michal Zidek1-1/+2
2012-12-04Indentation fixJakub Hrozek1-5/+2
2012-12-02warn user if password is about to expirePavel Březina1-3/+4
https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
2012-12-02IPA: Handle bad results from c-ares lookupStephen Gallagher1-1/+11
In some situations, the c-ares lookup can return NULL instead of a list of addresses. In this situation, we need to avoid dereferencing NULL. This patch adds a log message and sets the count to zero so it is handled appropriately below.
2012-11-28idmap: Silence DEBUG messages when dealing with built-in SIDs.Michal Zidek4-79/+108
When converting built-in SID to unix GID/UID a confusing debug message about the failed conversion was printed. This patch special cases these built-in objects. https://fedorahosted.org/sssd/ticket/1593
2012-11-26Save errno before it might be modified.Simo Sorce1-8/+16
The DEBUG() macro may, at any time, change and start calling functions that touch errno. Save errno before logging and then return the saved error.
2012-11-23LDAP: fix uninitialized variableOndrej Kos1-1/+1
initialized variable, was causing build warning
2012-11-20fix SIGSEGV in IPA provider when ldap_sasl_authid is not setPavel Březina1-1/+1
https://fedorahosted.org/sssd/ticket/1657 IPA_HOSTNAME is not stored in ipa_opts->id options so it the option was always NULL here. This caused SIGSEGV when accessed by strchr() in subsequent function.