| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Instead of using a single array of gid-domain_pointer pairs, Simo
suggested to use a gid array for each domain an store it with a pointer
to the domain.
|
|
If some of the Posix attributes of an user existing in the cache differ
from the data given in the current PAC the old user entry is drop and a
new one is created with the data from the PAC.
|
|
Groups from subdomains will not have an attribute holding the original
DN because in general it will not be available. This attribute is only
used by IPA HABC to improve performance and remote groups cannot be used
for access control.
|
|
Currently users from subdomains can only be members of groups from the
configured domain and to access those groups a pointer to the domain
struct of the configured domain is used. This patch sets the dom_grp
member of struct pac_grp to point to the domain struct of the configured
for groups from this domain. This is a first step to allow group
membership for groups from subdomains as well. For those groups a
pointer to the related subdomain structure will be saved.
|
|
Currently some user specific data from the PAC is only read when the
user is not already in the cache. Since some of this information is
needed later on, e.g. the domain SID the user belongs to, with this
patch the data is read always from the PAC.
|
|
To be able to handle groupmemberships from other domains more data than
just the gid must be kept for groups given in the PAC.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1612
This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.
As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.
The original member attributes are only saved if the LDAP schema
supports nesting.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
For user of the local domain the server-side DN of the groups the user
is a member of is stored with the user object in the cache and used to
improve performance e.g. by the HBAC code. Since subdomain users should
be handled by HBAC as well the group DN is stored in the same way as for
users of the local domain.
This patch also adds code to remove the attribute from the user object
if the user is removed from the group.
|
|
Currently the user was just added to all local groups which are given in
the PAC. With this patch the user is added only to groups he is
currently not a member of and deleted from groups which are not found in
the PAC anymore.
|
|
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.
Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on it is added to
the list of requested attributes
|
|
The principal name for the user is generated with the user name and the
domain from the PAC. It is stored in the cache so that if e.g. can be
used by password authentication. Additionally the name alias is stored
to allow case-insensitive searches.
|
|
Since winbind can only return lower-cased user name the pac responder
must do the same to avoid inconsistent behaviour.
|
|
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
|
|
|
This adds support for parsing PAC and storing information contained
within. In particular the user and all his memberships are stored. In
case it is necessary, getgrgid() requests are sent to provider for group
resolution.
|
|
This adds only the basic outline of the PAC responder, it won't support
any operations, it will just start and initialize itself.
|
