summaryrefslogtreecommitdiff
path: root/src/responder/common
AgeCommit message (Collapse)AuthorFilesLines
2012-05-03SSH: Add dp_get_host_send to common responder codeJakub Hrozek2-13/+2
Instead of using account_info request, creates a new ssh specific request. This improves code readability and will make the code more flexible in the future. https://fedorahosted.org/sssd/ticket/1176
2012-05-02RESPONDER: check return value from confdb_get_intJakub Hrozek1-0/+7
sss_process_init forgot to check return value of confdb_get_int
2012-04-24Two fixes in responder subdomain codeJan Zeleny1-0/+6
2012-04-24Add domain name to get_account_info requestSumit Bose1-0/+1
2012-04-24Modified responder_get_domain()Jan Zeleny4-10/+39
Now it checks for subdomains as well as for the domain itself
2012-04-24Responder part of the subdomain retrieval workJan Zeleny3-0/+359
2012-04-24Add conn_name to allow different names for domains and connectionsJan Zeleny1-1/+1
2012-03-16Free entry found in negative cacheJakub Hrozek1-0/+3
2012-03-08Use the correct hash table for pending requestsSimo Sorce3-6/+10
The function that handled pending requests on reconnect was checking an orphaned global variable that was never used, redenring the whole function uselsess. This fixes a very nasty bug that was causing requests for which we never received an answer for (for example because the backend failed and was restarted) to be never removed and therefore causing a black hole effect for any other request of the same type. Fixes: https://fedorahosted.org/sssd/ticket/1229
2012-02-17RESPONDERS: Make the fd_limit setting configurableStephen Gallagher1-1/+18
This code will now attempt first to see if it has privilege to set the value as specified, and if not it will fall back to the previous behavior. So on systems with the CAP_SYS_RESOURCE capability granted to SSSD, it will be able to ignore the limits.conf hard limit. https://fedorahosted.org/sssd/ticket/1197
2012-02-17RESPONDERS: Allow increasing the file-descriptor limitStephen Gallagher2-0/+39
This patch will increase the file descriptor limit to 8k or the limits.conf maximum, whichever is lesser. https://fedorahosted.org/sssd/ticket/1197
2012-02-13Remove setent structure when callback is calledJakub Hrozek2-11/+11
2012-02-10Fix group enumerationJakub Hrozek1-2/+7
Also adds some more debugging and fixes a code style issue. https://fedorahosted.org/sssd/ticket/1182
2012-02-07DP: Add support for hosts in sss_dp_get_accountJan Cholasta2-2/+13
Host requests are directed to the host info handler.
2012-02-05AUTOFS: responderJakub Hrozek1-0/+2
2012-02-05Split the logic to check cache expiration into separate functionJakub Hrozek2-0/+56
2012-02-05RESPONDERS: Refactor setent_req_listJakub Hrozek2-5/+90
Makes the setent_add_ref() and setent_notify_*() functions more generic to be reusable by the autofs responder.
2012-02-02RESPONDERS: Provide a common sss_cmd_send_error functionJakub Hrozek2-0/+18
The common function could be reused in new responders
2012-01-31Refactor nss_cmd_send_emptyJakub Hrozek2-0/+39
2012-01-27NSS: Add service enumeration support to NSS providerStephen Gallagher1-0/+3
2012-01-27DP: Refactor responder_dp_req so it's reusable by other respondersJakub Hrozek2-239/+347
* the internal request is now more generic and is decoupled from account-specific data. There is a new sss_dp_issue_request() wrapper that issues a BE request or registers a callback * the public requests all use struct sss_dp_req_state as the tevent_req state data. This allows to report back data from the internal request even if the caller is just a callback notifier * each specific request now uses an _info structure that contains all the data necessary to construct a DBusMessage passed to provider * each specific request now defines a sss_dp_get_$data_msg callback that is called from the sss_dp_issue_request() common wraper. The purpose of the wrapper is to construct a DBusMessage and bind it to a DBus method so the message can be just sent over to back end The miscellanous changes include: * change SSS_DP_ constants to an enum. This way, a switch() would error if a value is not handled. * rename sss_dp_get_account_int_send() to sss_dp_internal_get_send() request because the internal request is going to handle more than just account data * the DBus return values were renamed from err_maj, err_min to dp_err and dp_ret respectively
2012-01-27NSS: Add negative cache routines for servicesStephen Gallagher2-3/+132
2012-01-27DP: Add support for services in dp requestsStephen Gallagher2-0/+4
2012-01-23DP: Fix bugs in sss_dp_get_account_intStephen Gallagher1-66/+44
The conversion to the tevent_req style introduced numerous bugs related to memory management of the various client requests. In some circumstances, this could cause memory corruption and segmentation faults in the NSS responder. This patch makes the following changes: 1) Rename the internal lookup from subreq to sidereq, to indicate that it is not a sub-request of the current lookup (and therefore is not cancelled if the current request is). 2) Change the handling of the callback loops since they call tevent_req_[done|error], which results in them being freed (and therefore removed from the cb_list. This was the source of the memory corruption that would occasionally result in dereferencing an unreadable request. 3) Remove the unnecessary sss_dp_get_account_int_recv() function and change sss_dp_get_account_done() so that it only frees the sidereq. All of the waiting processes have already been signaled with the final results from sss_dp_get_account_int_done()
2012-01-21RESPONDER: Extend sss_dp_account_send() to include extra dataStephen Gallagher2-8/+26
Some NSS maps such as 'services' require more values to be passed to the data provider than just the name or ID. In these cases, we will amend an optional component to filter value to pass to the data provider backend.
2011-12-20PAM: make initgroups timeout work across multiple clientsStephen Gallagher1-2/+0
Instead of timing out the initgroups lookup on a per-cctx basis, we will maintain a hash table of recently-seen users and use this instead. This will allow SSSD to handle user's logging into multiple services simultaneously more graciously, as well as playing nicer with SSH (which makes calls to PAM both before and after a fork). https://fedorahosted.org/sssd/ticket/1063
2011-12-16DP: Remove processed callbacksJakub Hrozek1-3/+5
2011-12-16Use the case sensitivity flag in respondersJakub Hrozek3-24/+122
2011-12-16Responders: Split getting domain by name into separate functionJakub Hrozek2-0/+15
2011-12-05Allow using Glib for UTF8 supportStephen Gallagher1-9/+1
2011-11-29RESPONDER: Refactor DP requests into tevent_req styleStephen Gallagher3-366/+481
2011-11-18RESPONDER: Ensure that all input strings are valid UTF-8Stephen Gallagher2-0/+11
2011-11-02RESPONDER: Fix segfault in sss_packet_send()Stephen Gallagher1-0/+5
There are several places (all error-handling) where sss_cmd_done() is called with no response packet created. As a short-term solution, we need to check whether the packet is NULL and simply return EINVAL. client_send() (the consumer) will then forcibly disconnect the client (which will return PAM_SYSTEM_ERR to the client).
2011-10-14Fixed timeout handling in respondersJan Zeleny1-72/+72
2011-10-13Check if dp_requests hash table exists before using itJakub Hrozek1-0/+5
2011-10-03Use explicit base 10 for converting strings to integersJakub Hrozek1-2/+2
https://fedorahosted.org/sssd/ticket/1013
2011-08-15Do not delete requests inside hash_iterate loopJakub Hrozek1-10/+12
2011-07-29Converge accept_fd_handler and accept_priv_fd_handlerStephen Gallagher1-85/+50
These two functions were almost identical. Better to maintain them as a single function.
2011-05-23Set _GNU_SOURCE globallySumit Bose1-3/+1
2011-05-06Allow changing the log level without restartStephen Gallagher2-0/+15
We will now re-read the confdb debug_level value when processing the monitor_common_logrotate() function, which occurs when the monitor receives a SIGHUP.
2011-05-06Create common sss_monitor_init()Stephen Gallagher1-34/+3
This was implemented almost identically for both the responders and the providers. It is easier to maintain as a single routine. This patch also adds the ability to provide a private context to attach to the sbus_connection for later use.
2011-04-15Add debug logging to the negative cacheStephen Gallagher1-0/+5
2010-12-22Update the ID cache for any PAM requestStephen Gallagher1-0/+2
Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749
2010-12-17Fix unchecked return value in set_nonblockingStephen Gallagher1-10/+53
Also fixes the same problem with set_close_on_exec https://fedorahosted.org/sssd/ticket/713
2010-12-02Add a special filter type to handle enumerationsSumit Bose1-1/+1
2010-10-26Fix double free issueSumit Bose1-2/+2
2010-10-26Remove all nss requests after a reconnectSumit Bose2-0/+21
Currently we do not handle the open nss request after a reconnect and wait until they timeout (which is a couple of minutes!). This patch adds a handler that terminates all requests after a reconnect. Then responder will return matching cache entries or nothing.
2010-10-13Add netgroup support to the NSS responderStephen Gallagher2-0/+7
2010-10-13Add negative cache features for netgroupsStephen Gallagher2-0/+39
2010-09-08Handle multiple simultaneous enumeration requestsStephen Gallagher1-0/+11
Previously, if a second enumeration request arrived while one was already being processed, each process would receive only a subset of the total number of available users or groups. This is because we were maintaining the response object as a global value in the NSS responder. The second request would come in, see that the data set was already populated, and start reading from wherever the cursor was currently pointed. With this patch, we now move the cursor to the client context instead of the global NSS context. Additionally, this patch completely rewrites the approach to enumerations in the tevent_req style. This makes it much easier to follow in the code. In order to ensure that a slow or malicious client cannot hold onto a reference for the setent result object indefinitely, we set an expiration on the object. We use the enum_cache_timeout here, since that is an appropriate value. If the timeout fires during the normal operation of the get*ent() loop of a client program, we will save the current values of the read index so that we can resume as soon as the object has been refreshed by an implicit setent call. Instead of deleting the enumeration result object immediately after the last in-progress client has read it, we'll keep the object around for the lifetime of enum_cache_timeout. This way, additional clients making enumeration requests can still access the results in-memory.