Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Also adds some more debugging and fixes a code style issue.
https://fedorahosted.org/sssd/ticket/1182
|
|
|
|
Makes the setent_add_ref() and setent_notify_*() functions more generic
to be reusable by the autofs responder.
|
|
The common function could be reused in new responders
|
|
|
|
|
|
|
|
The conversion to the tevent_req style introduced numerous bugs
related to memory management of the various client requests. In
some circumstances, this could cause memory corruption and
segmentation faults in the NSS responder. This patch makes the
following changes:
1) Rename the internal lookup from subreq to sidereq, to indicate
that it is not a sub-request of the current lookup (and therefore
is not cancelled if the current request is).
2) Change the handling of the callback loops since they call
tevent_req_[done|error], which results in them being freed (and
therefore removed from the cb_list. This was the source of the
memory corruption that would occasionally result in dereferencing
an unreadable request.
3) Remove the unnecessary sss_dp_get_account_int_recv() function
and change sss_dp_get_account_done() so that it only frees the
sidereq. All of the waiting processes have already been signaled
with the final results from sss_dp_get_account_int_done()
|
|
Some NSS maps such as 'services' require more values to be passed
to the data provider than just the name or ID. In these cases, we
will amend an optional component to filter value to pass to the
data provider backend.
|
|
|
|
|
|
the sized_string structure makes it easier to keep track of string lengths
and makes passing around data more compat and readable.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Glib fails if the NULL-terminator is included when a length is
specified.
|
|
|
|
|
|
The patch also updates code using modified functions. Tests have also
been adjusted.
|
|
https://fedorahosted.org/sssd/ticket/954
|
|
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
https://fedorahosted.org/sssd/ticket/928
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/742
|
|
https://fedorahosted.org/sssd/ticket/551
|
|
https://fedorahosted.org/sssd/ticket/742
|
|
|
|
|
|
The existence of the getent_ctx is used to track the enumeration cache
timeout.
|
|
|
|
|
|
|
|
|
|
Useful for optimizing the initgroups operation.
|
|
|
|
Create a new private header and make some functions available for
other object files.
|
|
Previously, it was implicitly using the nss_dom_ctx, but there are
situations where we would want to send a different private context
|
|
We were accidentally returning an error when sysdb_getpwnam()
returned zero results internally in sysdb_initgroups(). The
correct behavior here is to return EOK and a result object with
zero entries.
|
|
Previously, if a second enumeration request arrived while one was
already being processed, each process would receive only a subset
of the total number of available users or groups. This is because
we were maintaining the response object as a global value in the
NSS responder. The second request would come in, see that the data
set was already populated, and start reading from wherever the
cursor was currently pointed.
With this patch, we now move the cursor to the client context
instead of the global NSS context.
Additionally, this patch completely rewrites the approach to
enumerations in the tevent_req style. This makes it much easier to
follow in the code.
In order to ensure that a slow or malicious client cannot hold
onto a reference for the setent result object indefinitely, we
set an expiration on the object. We use the enum_cache_timeout
here, since that is an appropriate value.
If the timeout fires during the normal operation of the get*ent()
loop of a client program, we will save the current values of the
read index so that we can resume as soon as the object has been
refreshed by an implicit setent call.
Instead of deleting the enumeration result object immediately
after the last in-progress client has read it, we'll keep the
object around for the lifetime of enum_cache_timeout. This way,
additional clients making enumeration requests can still access
the results in-memory.
|
|
Various dead assignments were deleted, some return value inspections
were added.
Ticket: #588
|
|
Rename functions from nss_ncache_* to sss_ncache_*
Move negative cache to responder/common and rename as negcache.c/h
|
|
There was a bug in the negative cache checks (probably a leftover
from when filter_users was global-only) that meant that if a user
was filtered out of a domain, the remaining domains would not be
checked for that user. (Same for groups/initgroups)
|
|
|
|
fill_pwent should return the number of users actually processed. Otherwise in
case of a recoverable error we may end up skipping a large chunk of users.
fill_grent doesn't need to distinguish between number of entries and number of
groups to process since we started adding memberuid. Remove remnants that are
not useful anymore.
|