| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
We will now re-read the confdb debug_level value when processing
the monitor_common_logrotate() function, which occurs when the
monitor receives a SIGHUP.
|
|
|
|
In responder a negative cache is used to indicate that the record has
not been found by previous lookup. This approach is however not
applicable for netgroup lookup because the design of their lookup is a
little different.
This patch removes some pieces of code working with negative cache,
because they didn't fuction well. Instead a new flag has been added to
the positive cache. This flag indicates if the record in the cache
is a record of existing netgroup or it's just a placeholder.
https://fedorahosted.org/sssd/ticket/820
|
|
|
|
|
|
|
|
To avoid wrong or missing netgroup names in the getent_ctx destructor
set_netgroup_entry() now takes the name out of the getent_ctx struct
instead of using a separate argument.
|
|
https://fedorahosted.org/sssd/ticket/817
|
|
When the automatic cleanup happened, if the netgroup had been
created with no contents (to indicate an unknown netgroup), we
weren't saving the hash table address and the talloc_free() was
failing.
|
|
The existence of the getent_ctx is used to track the enumeration cache
timeout.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/735
|
|
|
|
|
|
Currently we do not handle the open nss request after a reconnect and
wait until they timeout (which is a couple of minutes!). This patch adds
a handler that terminates all requests after a reconnect. Then responder
will return matching cache entries or nothing.
|
|
|
|
Useful for optimizing the initgroups operation.
|
|
|
|
|
|
|
|
|
|
Create a new private header and make some functions available for
other object files.
|
|
Previously, it was implicitly using the nss_dom_ctx, but there are
situations where we would want to send a different private context
|
|
We were accidentally returning an error when sysdb_getpwnam()
returned zero results internally in sysdb_initgroups(). The
correct behavior here is to return EOK and a result object with
zero entries.
|
|
Previously, if a second enumeration request arrived while one was
already being processed, each process would receive only a subset
of the total number of available users or groups. This is because
we were maintaining the response object as a global value in the
NSS responder. The second request would come in, see that the data
set was already populated, and start reading from wherever the
cursor was currently pointed.
With this patch, we now move the cursor to the client context
instead of the global NSS context.
Additionally, this patch completely rewrites the approach to
enumerations in the tevent_req style. This makes it much easier to
follow in the code.
In order to ensure that a slow or malicious client cannot hold
onto a reference for the setent result object indefinitely, we
set an expiration on the object. We use the enum_cache_timeout
here, since that is an appropriate value.
If the timeout fires during the normal operation of the get*ent()
loop of a client program, we will save the current values of the
read index so that we can resume as soon as the object has been
refreshed by an implicit setent call.
Instead of deleting the enumeration result object immediately
after the last in-progress client has read it, we'll keep the
object around for the lifetime of enum_cache_timeout. This way,
additional clients making enumeration requests can still access
the results in-memory.
|
|
Various dead assignments were deleted, some return value inspections
were added.
Ticket: #588
|
|
Creates a new function - sss_ncache_prepopulate() - that can be
shared with other responders, such as PAM.
|
|
Rename functions from nss_ncache_* to sss_ncache_*
Move negative cache to responder/common and rename as negcache.c/h
|
|
There was a bug in the negative cache checks (probably a leftover
from when filter_users was global-only) that meant that if a user
was filtered out of a domain, the remaining domains would not be
checked for that user. (Same for groups/initgroups)
|
|
|
|
fill_pwent should return the number of users actually processed. Otherwise in
case of a recoverable error we may end up skipping a large chunk of users.
fill_grent doesn't need to distinguish between number of entries and number of
groups to process since we started adding memberuid. Remove remnants that are
not useful anymore.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This patch removes some tab-indentations from pamsrv.c, too.
|
|
Fixes: #290
|
|
Upon receiving SIGHUP, the monitor signals all services to reopen their
debug logs. It is also possible to signal individual services to reopen
their particular files.
Fixes: #332
|
|
I fixed a handful of alignment problems in sss_client and nss responder.
Enumerating group and passwd with getgrent and getpwent now works correctly
on ARM.
Signed-off-by: George McCollister <georgem@novatech-llc.com>
|
|
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so
I decided to fix them. I also made a quick grep through the code and
found other places so I fixed them too.
|
|
We disabled live reconfiguration a long time ago with the intent
of fixing it so that it wasn't completely broken, but we've
decided that live updates are too delicate to handle all cases
gracefully. For the forseeable future, we will rely on process
restart for updating the configuration.
Furthermore, we had not completely disabled live updates. It would
still attempt to run if we sent a SIGHUP. This has also been
eliminated.
|
|
This was a holdover from when the DP and the providers were unique
processes. The NSS and PAM registrations do not need to send the
domain, as it is not ambiguous which one they are talking to.
|
|
Also update BUILD.txt
|
