Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Currently the PAC responder deletes a user entry and recreates it if
some attributes seems to be different.
Two of the attributes where the home directory and the shell of the
user. Those two attributes are not available from the PAC but where
generates by the PAC responder. The corresponding ID provider might have
better means to determine those attributes, e.g. read them from LDAP, so
we shouldn't change them here.
The third attribute is the user name. Since the PAC responder does
lookups only based on the UID we can wait until the ID provider updates
the entry.
Fixes https://fedorahosted.org/sssd/ticket/1996
|
|
Instead of copying a block of code that checks whether domain is a subdomain
and uses only name of FQDN as appropriate, wrap the logic into a function.
|
|
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
|
Instead of using printf-like functions directly, provide two wrappers
that would encapsulate formatting the fully-qualified names. No
functional change is present in this patch.
|
|
|
|
The task of get_my_domain_data() is to read some information about the
configured domain from the cache. While the sysdb interface was
redesigned some changes changed the behaviour so that the data of the
domain of the current request was read. If this domain is a sub-domain
the wrong data was read. As a result group-memberships of the configured
domain were not taken into account.
The original code didn't made it easy to see that always the parent
domain should be used here, because there was no comment indication this
and the function name get_my_domain_data() didn't made it clear either.
Additionally to fixing the issue this patch also adds a comment and
rename the function to get_parent_domain_data().
Fixes https://fedorahosted.org/sssd/ticket/1888
|
|
https://fedorahosted.org/sssd/ticket/1609
|
|
Remove code that tries to get the 'right' sysdb, as it is always going
to get the same answer anyway since the recent patches to rework the
domains/sysdb relationship.
|
|
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete()
|
|
Use this function instead of explicitly calling domain->next
This function allows to get the next primary domain or to descend into the
subdomains and replaces also get_next_dom_or_subdom()
|
|
https://fedorahosted.org/sssd/ticket/1805
|
|
|
|
Instead of using a single array of gid-domain_pointer pairs, Simo
suggested to use a gid array for each domain an store it with a pointer
to the domain.
|
|
If some of the Posix attributes of an user existing in the cache differ
from the data given in the current PAC the old user entry is drop and a
new one is created with the data from the PAC.
|
|
To avoid duplicated entries in the group list all gids are added to a
hash table first.
Fixes: https://fedorahosted.org/sssd/ticket/1672
|
|
Read the group membership of the remote domain the user belongs to from
the PAC and add them to the cache.
Fixes: https://fedorahosted.org/sssd/ticket/1666
|
|
Currently users from subdomains can only be members of groups from the
configured domain and to access those groups a pointer to the domain
struct of the configured domain is used. This patch sets the dom_grp
member of struct pac_grp to point to the domain struct of the configured
for groups from this domain. This is a first step to allow group
membership for groups from subdomains as well. For those groups a
pointer to the related subdomain structure will be saved.
|
|
Currently domains can only be searched by name in the global domain
list. To make it easier to find the domain for a given SID
find_domain_by_id() which returns a pointer to the domain or subdomain
entry in the global domain list if a matching id was found.
|
|
To be able to handle groupmemberships from other domains more data than
just the gid must be kept for groups given in the PAC.
|
|
The original sysdb code had a strong assumption that only users from one
domain are saved in the databse, with the subdomain feature, we have
changed reality, but have not adjusted all the code arund the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongrunece is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In oreder to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By savin them fully qualified we do not risk aliasing local users and have
group memberhips or other name based matching code mistake a domain user
with subdomain usr or vice versa.
|
|
This patch adds a new call which compares a list of current GIDs with a
list of new GIDs and return a list of GIDs which are currently missing
and must be added and another list of GIDs which are not used anymore
and must be deleted. The method is the same as used by
diff_string_lists().
|
|
The principal name for the user is generated with the user name and the
domain from the PAC. It is stored in the cache so that if e.g. can be
used by password authentication. Additionally the name alias is stored
to allow case-insensitive searches.
|
|
Since winbind can only return lower-cased user name the pac responder
must do the same to avoid inconsistent behaviour.
|
|
This error prevent proper id-mapping in the PAC responder.
|
|
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
|
|
|
|
|