| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Previously, we were setting the client context PAM lookup timeout
after the first domain replied. However, if the user wasn't a
member of the first domain, their information wasn't being
updated.
This patch ensures that we only set this timeout after the user
has been found or all domains were searched.
|
|
Previously we were only looking up the user, but we need to make
sure that all groups are available for use by access providers.
|
|
|
|
|
|
Specially crafted packages might lead to an integer overflow and the
parsing of the input buffer might not continue as expected. This issue
was identified by Sebastian Krahmer <krahmer@suse.de>.
|
|
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
|
|
Previously, this was initialized to zero, so the first domain in
the list wouldn't be checked for ID updates in
pam_check_user_search. This initializes the first domain to check
the provider.
|
|
https://fedorahosted.org/sssd/ticket/719
|
|
|
|
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
|
|
|
|
|
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Also update BUILD.txt
|
