summaryrefslogtreecommitdiff
path: root/src/responder/pam
AgeCommit message (Collapse)AuthorFilesLines
2013-09-11Fix formating of variables with type: size_tLukas Slebodnik1-1/+1
2013-08-22pam: Bad debug message format and parameter.Michal Zidek1-1/+2
2013-08-08PAM: Set negcache if user is not found after provider checkJakub Hrozek1-0/+10
2013-08-08PAM: Check negcache when searching for fully qualified users, tooJakub Hrozek1-0/+8
2013-07-29Remove unused memory contextLukas Slebodnik1-6/+6
2013-07-18Do not try to set password when authtok_length is zeroOndrej Kos1-2/+6
https://fedorahosted.org/sssd/ticket/1814 When the authtok_length is zero, it shouldn't call sss_authtok_set_password, because it tries to determine lenght of passed string by itself and would read parts of DBus message behind boundaries of authtok.
2013-06-04Lookup domains at startupSumit Bose1-0/+6
To make sure that e.g. the short/NetBIOS domain name is available this patch make sure that the responders send a get_domains request to their backends at startup the collect the domain information or read it from the cache if the backend is offline. For completeness I added this to all responders even if they do not need the information at the moment. Fixes https://fedorahosted.org/sssd/ticket/1951
2013-05-20Fixing critical format string issues.Lukas Slebodnik3-4/+8
--missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
2013-05-02Remove unused TALLOC_CTX from responder_get_domain()Sumit Bose1-2/+2
Recent refactoring removed the need to copy the domain info data of sub-domains because the related objects will not be removed from memory anymore.
2013-04-08Allocate PAM DP request data on responder contextJakub Hrozek3-5/+54
https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik2-14/+12
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-04-02Reusing create_pam_data() on the other places.Lukas Slebodnik1-1/+1
Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
2013-03-20change responder contexts hierarchyPavel Březina1-8/+12
https://fedorahosted.org/sssd/ticket/1575 The hierarchy is now: main_ctx -> responder_ctx -> specific_ctx where specific_ctx is one of sudo, pam, etc.
2013-03-20do not leak memory on failure in *_process_init()Pavel Březina1-1/+1
2013-03-19Move SELinux processing to provider.Michal Zidek1-309/+0
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-03-04Use the same dbg level for all ncache hits.Michal Zidek1-3/+3
We used different debug levels for messages informing about negative cache hits (old levels 2,3,4). Now it is only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c and proposed in the ticket bellow). https://fedorahosted.org/sssd/ticket/1771
2013-02-26if selinux is disabled, ignore that selogin dir is missingPavel Březina1-3/+15
https://fedorahosted.org/sssd/ticket/1817
2013-02-10Add function get_next_domain()Simo Sorce1-3/+5
Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()
2013-01-15Add domain argument to sysdb selinux functionsSimo Sorce1-2/+4
2013-01-15Add domain argument to sysdb_cache_auth()Simo Sorce1-1/+1
2013-01-15Add domain argument to sysdb_set_user_attr()Simo Sorce2-12/+10
2013-01-15Add domain argument to sysdb_get_user_attr()Simo Sorce1-2/+2
2013-01-15Pass domain to sysdb_get<pw/gr>nam() functionsSimo Sorce1-3/+1
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.
2013-01-10Change pam data auth tokens.Simo Sorce2-94/+94
Use the new authtok abstraction and interfaces throught the code.
2013-01-10Code can only check for cached passwordsSimo Sorce1-15/+24
Make it clear to the API users that we can not take arbitrary auth tokens. We can only take a password for now so simplify and clarify the interface.
2012-12-18RESPONDERS: Create a common file with service names and versionsJakub Hrozek1-3/+1
The monitor sends calls different sbus methods to different responders. Instead of including headers of the particular responders directly in monitor, which breaks layering a little, create a common header file that will be included from src/responder/common/
2012-12-14sssd_pam: Cleanup requests cache on sbus reconectSimo Sorce1-1/+4
The pam responder was not properly configured to recover from a backend disconnect. The connections that were in flight before the disconnection were never freed and new requests for the same user would just pile up on top of the now phantom requests. Fixes: https://fedorahosted.org/sssd/ticket/1655
2012-11-19Refactor the way subdomain accounts are savedSimo Sorce1-1/+4
The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
2012-11-12Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek1-17/+12
2012-11-02PAM: Do not leak fd after SELinux context file is writtenJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1619 We don't close the fd when we write the selinux login file in the pam responder. This results in a fd leak.
2012-10-29Include talloc log in our debug facilityMichal Zidek1-1/+1
https://fedorahosted.org/sssd/ticket/1495
2012-10-01Add new option default_domain_suffixSumit Bose1-10/+21
2012-09-13SELinux: Always use the default if it exists on the serverJakub Hrozek1-22/+21
https://fedorahosted.org/sssd/ticket/1513 This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045 During an e-mail discussion, it was decided that * if the default is set in the IPA config object, the SSSD would use that default no matter what * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether
2012-09-04Check if the SELinux login directory existsJakub Hrozek1-3/+3
https://fedorahosted.org/sssd/ticket/1492
2012-08-16Only create the SELinux login file if there are mappings on the serverJakub Hrozek1-45/+77
https://fedorahosted.org/sssd/ticket/1455 In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers. The IPA default must be only used if there *are* rules on the server, but none matches.
2012-08-16Do not try to remove the temp login file if already renamedJakub Hrozek1-2/+3
write_selinux_string() would try to unlink the temporary file even after it was renamed. Failure to unlink the file would not be fatal, but would produce a confusing error message. Also don't use "0" for the default fd number, that's reserved for stdin. Using -1 is safer.
2012-08-16Build SELinux code in responder conditionallyJakub Hrozek1-0/+7
https://fedorahosted.org/sssd/ticket/1480
2012-08-01Fix bad checkJakub Hrozek1-1/+1
2012-07-27Write SELinux config files in responder instead of PAM moduleJan Zeleny1-5/+95
2012-07-27Move SELinux processing from session to account PAM stackJan Zeleny1-1/+2
The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
2012-07-18PAM: Fix off-by-one-error in the SELinux session codeJakub Hrozek1-1/+1
2012-07-18Fix uninitialized valuesNick Guay1-1/+1
https://fedorahosted.org/sssd/ticket/1379
2012-06-25SELinux user maps: pick just one mapJan Zeleny1-12/+11
This patch modifies behavior of SSSD when putting together content of the file for pam_selinux. SSSD will now pick only the first user map in the priority list which matches to the user logging in. Other maps are ignored. https://fedorahosted.org/sssd/ticket/1360
2012-06-21Fix re_expression matching with subdomainsJan Zeleny1-33/+55
This patch fixes an issue which resulted in a need to initialize responder with data from local domain, otherwise it would not correctly detect requests for subdomains. Similar situation can occur if new subdomain is added at runtime. The solution is to ask for a list of subdomains in case there is a candidate domain identified in the process of matching re_expressions with given name.
2012-06-12Make re_expression and full_name_format per domain optionsStef Walter2-12/+11
* Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663
2012-06-10PAM: Better pam_reply messageStephen Gallagher1-1/+2
2012-05-04Modify behavior of pam_pwd_expiration_warningJan Zeleny1-35/+0
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
2012-04-24Send PAM requests for subdomains to the right providerJan Zeleny1-3/+41
2012-04-24Modified responder_get_domain()Jan Zeleny2-2/+2
Now it checks for subdomains as well as for the domain itself
2012-04-24Add conn_name to allow different names for domains and connectionsJan Zeleny1-1/+1