| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Different user and group lookup requests used nearly identical code,
this patch unifies some of the related code paths.
|
|
https://fedorahosted.org/sssd/ticket/1609
|
|
Variables dir_cc and file_cc are used in three
modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be
declared with extern in krb5_utils.h.
|
|
We used different debug levels for messages informing
about negative cache hits (old levels 2,3,4). Now it is
only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c
and proposed in the ticket bellow).
https://fedorahosted.org/sssd/ticket/1771
|
|
|
|
|
|
Fixes https://fedorahosted.org/sssd/ticket/1766
|
|
Use this function instead of explicitly calling domain->next
This function allows to get the next primary domain or to descend into the
subdomains and replaces also get_next_dom_or_subdom()
|
|
https://fedorahosted.org/sssd/ticket/1805
|
|
Related to https://fedorahosted.org/sssd/ticket/1757
Previously we would optimize the mc invalidate code for cases where the
user was a member of some groups. But if the user was removed from the
server while being in memory cache, we would only invalidate the mc
record if he was a member of at least one supplementary group.
|
|
https://fedorahosted.org/sssd/ticket/1757
When the user entry was missing completely after initgroups, we would
never invalidate the user entry from cache. This led to dangling cache
entried in memory cache if the user was removed from the server while
still being in memory cache.
|
|
|
|
|
|
|
|
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore
fqnames proper value in subdomains, by testing for a parent domain being
present or not.
|
|
If use_fully_qualified_names is used, we need to pass fqdn
to sss_mmap_cache_*_invalidate.
|
|
If a fatal EFAULT error is returned by the internal function that frees used
memory invalidate the whole cache and reinit it. This way we avoid further
corruption and insure clients see consistent data.
Also insure we use the right context in init() and we use talloc_zfree() in
reinit so that if the init() later fails we do not leave around a pointer
to free memory in the callers.
|
|
A recent patch introduced a glaring memory leak in the routines that clean up
memcache memory on initgroups calls.
|
|
Functions nss_cmd_getXXnam remove entries from memory cache if
not found in sysdb cache of a local domain.
|
|
This set of functions enumerate the user's groups and invalidate them all
if the list does not matches what we get from the caller.
|
|
This set of functions enumerate each user/group from all domains
and invalidate any mmap cache record that matches.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
https://fedorahosted.org/sssd/ticket/1376
|
|
One is a copy-and-paste error which was introduce by
1774ee9a61b9d691dadd1a0538f32bcdcc84f72f.
The second fixes a missing explicit setting of the return value. In the
case where we want fully qualified names ret contains the number of
characters from the last snprintf() which is almost ever not 0.
|
|
https://fedorahosted.org/sssd/ticket/1583
|
|
Fixes https://fedorahosted.org/sssd/ticket/1561
|
|
https://fedorahosted.org/sssd/ticket/1551
|
|
|
|
If override_shell is specified in the [nss] section, all users
managed by SSSD will have their shell set to this value. If it is
specified in the [domain/DOMAINNAME] section, it will apply to
only that domain (and override the [nss] value, if any).
https://fedorahosted.org/sssd/ticket/1087
|
|
This patch fixes an issue which resulted in a need to initialize
responder with data from local domain, otherwise it would not correctly
detect requests for subdomains. Similar situation can occur if new
subdomain is added at runtime.
The solution is to ask for a list of subdomains in case there is a
candidate domain identified in the process of matching re_expressions
with given name.
|
|
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663
|
|
|
|
Since there are two attributes storing information about user
memberships of the group we have to include both of them in results.
This will apply only for objects that have ghost members (i.e. they
contain the SYSDB_GHOST attribute). If an object has this attribute,
values of this attribute are not projected to the memberuid attribute.
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1329
|
|
This option will allow administrators to set a default shell to be
used if a user does not have one set in the identity provider.
https://fedorahosted.org/sssd/ticket/1289
|
|
This option is similar to override_homedir, except that it will
take effect only for users that do not have an explicit home
directory specified in LDAP.
https://fedorahosted.org/sssd/ticket/1250
|
|
|
|
|
|
Do not let nss_cmd_initgroups_search() return data itself, but let the
caller return data. This is more intuitive and more consistent with the
rest of the nss_cmd_*_search() functions.
Also fixes a typo - nss_cmd_initgroups_cb used to call getpw_send_reply
instead of initgr_send_reply.
|
|
https://fedorahosted.org/sssd/ticket/1312
|
|
|
|
|
|
|
|
|
|
Now it checks for subdomains as well as for the domain itself
|
|
|
|
|
