summaryrefslogtreecommitdiff
path: root/src/responder/pac
AgeCommit message (Collapse)AuthorFilesLines
2013-03-20change responder contexts hierarchyPavel Březina1-9/+14
https://fedorahosted.org/sssd/ticket/1575 The hierarchy is now: main_ctx -> responder_ctx -> specific_ctx where specific_ctx is one of sudo, pam, etc.
2013-03-20do not leak memory on failure in *_process_init()Pavel Březina1-6/+11
2013-03-04Remove unused functionsJakub Hrozek2-18/+0
2013-02-10Introduce IS_SUBDOMAIN() macroSimo Sorce1-1/+1
Fixes https://fedorahosted.org/sssd/ticket/1766
2013-02-10Parent and subdomains use the same sysdbSimo Sorce1-5/+1
Remove code that tries to get the 'right' sysdb, as it is always going to get the same answer anyway since the recent patches to rework the domains/sysdb relationship.
2013-02-10Change the way domains are linked.Simo Sorce1-10/+1
- Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()
2013-02-10Add function get_next_domain()Simo Sorce1-1/+1
Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
2013-02-10NSS: Add original homedir to home directory template optionsStephen Gallagher1-1/+1
https://fedorahosted.org/sssd/ticket/1805
2013-01-15Add domain argument to sysdb_delete_user()Simo Sorce1-1/+1
Also remove sysdb_delete_domuser()
2013-01-15Add domain argument to sysdb_store_user()Simo Sorce1-1/+1
Also remove sysdb_store_domuser()
2013-01-15Add domain to sysdb_search_group_by_gid()Simo Sorce1-1/+1
Also remove unused sysdb_search_domgroup_by_gid()
2013-01-15Add domain to sysdb_search_user_by_uid()Simo Sorce1-1/+2
Also remove unused sysdb_search_domuser_by_uid()
2013-01-15Add domain argument to sysdb_initgroups()Simo Sorce1-1/+2
2013-01-15Make sysdb_domain_dn() require a domain.Simo Sorce1-1/+1
2013-01-15Make sysdb_user_dn() require a domain explictly.Simo Sorce1-1/+1
2013-01-08Refactor gid handling in the PAC responderSumit Bose3-84/+202
Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain an store it with a pointer to the domain.
2013-01-08PAC responder: check if existing user differsSumit Bose3-13/+64
If some of the Posix attributes of an user existing in the cache differ from the data given in the current PAC the old user entry is drop and a new one is created with the data from the PAC.
2013-01-08Use hash table to collect GIDs from PAC to avoid dupsSumit Bose1-18/+86
To avoid duplicated entries in the group list all gids are added to a hash table first. Fixes: https://fedorahosted.org/sssd/ticket/1672
2013-01-08Read remote groups from PACSumit Bose1-3/+52
Read the group membership of the remote domain the user belongs to from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
2013-01-08Remote groups do not have an original DN attributeSumit Bose1-40/+34
Groups from subdomains will not have an attribute holding the original DN because in general it will not be available. This attribute is only used by IPA HABC to improve performance and remote groups cannot be used for access control.
2013-01-08Save domain and GID for groups from the configured domainSumit Bose3-17/+47
Currently users from subdomains can only be members of groups from the configured domain and to access those groups a pointer to the domain struct of the configured domain is used. This patch sets the dom_grp member of struct pac_grp to point to the domain struct of the configured for groups from this domain. This is a first step to allow group membership for groups from subdomains as well. For those groups a pointer to the related subdomain structure will be saved.
2013-01-08Always get user data from PACSumit Bose1-7/+7
Currently some user specific data from the PAC is only read when the user is not already in the cache. Since some of this information is needed later on, e.g. the domain SID the user belongs to, with this patch the data is read always from the PAC.
2013-01-08Add find_domain_by_id()Sumit Bose2-0/+42
Currently domains can only be searched by name in the global domain list. To make it easier to find the domain for a given SID find_domain_by_id() which returns a pointer to the domain or subdomain entry in the global domain list if a matching id was found.
2013-01-08Use struct pac_grp instead of gid_t for groups from PACSumit Bose3-18/+25
To be able to handle groupmemberships from other domains more data than just the gid must be kept for groups given in the PAC.
2012-12-18RESPONDERS: Create a common file with service names and versionsJakub Hrozek1-3/+1
The monitor sends calls different sbus methods to different responders. Instead of including headers of the particular responders directly in monitor, which breaks layering a little, create a common header file that will be included from src/responder/common/
2012-12-10PAC: check the return value of diff_git_listsJakub Hrozek1-0/+4
2012-11-20LDAP: Only convert direct parents' ghost attribute to memberJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
2012-11-19Refactor the way subdomain accounts are savedSimo Sorce2-25/+42
The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
2012-11-10Store the original group DN in the subdomain user objectSumit Bose1-26/+58
For user of the local domain the server-side DN of the groups the user is a member of is stored with the user object in the cache and used to improve performance e.g. by the HBAC code. Since subdomain users should be handled by HBAC as well the group DN is stored in the same way as for users of the local domain. This patch also adds code to remove the attribute from the user object if the user is removed from the group.
2012-11-10Get lists of GIDs to be added and deleted and use themSumit Bose1-3/+89
Currently the user was just added to all local groups which are given in the PAC. With this patch the user is added only to groups he is currently not a member of and deleted from groups which are not found in the PAC anymore.
2012-11-10Add pac_user_get_grp_info() to read current group membershipsSumit Bose1-0/+106
To be able to efficiently store group memberships we need to know the current memberships of a user. sysdb_initgroups() is used to read the user entry together with all groups the user is a member of. Some of the group attributes are kept to avoid additional lookups and speed up further processing. Currently sysdb_initgroups() does not return the original DN of the group. Since it is needed to remove memberships later on it is added to the list of requested attributes
2012-11-10Add diff_gid_lists() with testSumit Bose2-0/+172
This patch adds a new call which compares a list of current GIDs with a list of new GIDs and return a list of GIDs which are currently missing and must be added and another list of GIDs which are not used anymore and must be deleted. The method is the same as used by diff_string_lists().
2012-10-29Include talloc log in our debug facilityMichal Zidek1-1/+1
https://fedorahosted.org/sssd/ticket/1495
2012-10-26pac responder: add user principal and name alias to cached user objectSumit Bose3-4/+46
The principal name for the user is generated with the user name and the domain from the PAC. It is stored in the cache so that if e.g. can be used by password authentication. Additionally the name alias is stored to allow case-insensitive searches.
2012-10-26pac responder: use only lower case user nameSumit Bose2-5/+15
Since winbind can only return lower-cased user name the pac responder must do the same to avoid inconsistent behaviour.
2012-10-26pac responder: fix copy-and-paste errorSumit Bose1-7/+0
This error prevent proper id-mapping in the PAC responder.
2012-09-24SYSDB: Remove unnecessary domain parameter from several sysdb callsJakub Hrozek2-6/+2
The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
2012-07-10pac responder: limit access by checking UIDsSumit Bose1-0/+19
A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382
2012-07-06Set file descriptor limits in pac responderSumit Bose1-0/+15
2012-06-21Add range support to PAC responderSumit Bose3-45/+140
2012-06-21PAC responder: add the core functionalitySumit Bose2-2/+471
This adds support for parsing PAC and storing information contained within. In particular the user and all his memberships are stored. In case it is necessary, getgrgid() requests are sent to provider for group resolution.
2012-06-21PAC responder: add some utility functionsJan Zeleny2-0/+549
2012-06-21PAC responder: add basic infrastructureSumit Bose3-0/+340
This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.