summaryrefslogtreecommitdiff
path: root/src/responder/pam
AgeCommit message (Collapse)AuthorFilesLines
2012-01-26PAM: Do not overwrite retJakub Hrozek1-3/+1
2012-01-23DP: Fix bugs in sss_dp_get_account_intStephen Gallagher1-0/+1
The conversion to the tevent_req style introduced numerous bugs related to memory management of the various client requests. In some circumstances, this could cause memory corruption and segmentation faults in the NSS responder. This patch makes the following changes: 1) Rename the internal lookup from subreq to sidereq, to indicate that it is not a sub-request of the current lookup (and therefore is not cancelled if the current request is). 2) Change the handling of the callback loops since they call tevent_req_[done|error], which results in them being freed (and therefore removed from the cb_list. This was the source of the memory corruption that would occasionally result in dereferencing an unreadable request. 3) Remove the unnecessary sss_dp_get_account_int_recv() function and change sss_dp_get_account_done() so that it only frees the sidereq. All of the waiting processes have already been signaled with the final results from sss_dp_get_account_int_done()
2012-01-21RESPONDER: Extend sss_dp_account_send() to include extra dataStephen Gallagher1-1/+1
Some NSS maps such as 'services' require more values to be passed to the data provider than just the name or ID. In these cases, we will amend an optional component to filter value to pass to the data provider backend.
2012-01-18PAM: Fix reversed logicJakub Hrozek1-1/+1
2011-12-21sss_get_cased_name utility functionJakub Hrozek1-2/+2
2011-12-20PAM: make initgroups timeout work across multiple clientsStephen Gallagher5-4/+241
Instead of timing out the initgroups lookup on a per-cctx basis, we will maintain a hash table of recently-seen users and use this instead. This will allow SSSD to handle user's logging into multiple services simultaneously more graciously, as well as playing nicer with SSH (which makes calls to PAM both before and after a fork). https://fedorahosted.org/sssd/ticket/1063
2011-12-16Use the case sensitivity flag in respondersJakub Hrozek1-2/+6
2011-12-16Canonicalize username in PAM providerJakub Hrozek1-0/+27
2011-12-16Responders: Split getting domain by name into separate functionJakub Hrozek1-5/+2
2011-12-05Ignore NULL-terminator when checking UTF8-validityStephen Gallagher1-1/+1
Glib fails if the NULL-terminator is included when a length is specified.
2011-11-29RESPONDER: Refactor DP requests into tevent_req styleStephen Gallagher1-11/+48
2011-11-18RESPONDER: Ensure that all input strings are valid UTF-8Stephen Gallagher1-0/+5
2011-09-28Return users and groups based on aliasJakub Hrozek1-2/+3
https://fedorahosted.org/sssd/ticket/926
2011-08-25New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0Pavel Březina1-1/+4
Removed: SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED) Added new macro: CONVERT_AND_SET_DEBUG_LEVEL(new_value) Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0 so DEBUG macro could be reduced by one condition. Anyway, it has a minor effect, every time you want to load debug_level from command line parameters, you have to use following pattern: /* Set debug level to invalid value so we can deside if -d 0 was used. */ debug_level = SSSDBG_INVALID; pc = poptGetContext(argv[0], argc, argv, long_options, 0); while((opt = poptGetNextOpt(pc)) != -1) { ... } CONVERT_AND_SET_DEBUG_LEVEL(debug_level);
2011-08-25New DEBUG facility - conversionPavel Březina1-0/+2
https://fedorahosted.org/sssd/ticket/925 Conversion of the old debug_level format to the new one. (only where it was necessary) Removed: SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT)
2011-08-15sysdb refactoring: memory context deletedJan Zeleny2-9/+5
This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
2011-08-15sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny2-11/+5
The patch also updates code using modified functions. Tests have also been adjusted.
2011-08-04Revert "Allow LDAP to decide when an expiration warning is warranted"Stephen Gallagher1-4/+3
This reverts commit b0b9c38dfce3e3ccbfaa4d00fdf2ea08a70d41a6.
2011-08-01Allow LDAP to decide when an expiration warning is warrantedStephen Gallagher1-3/+4
Previously, we were only displaying expiration warnings if the password was going to expire within a day. We'll allow LDAP to make this decision (by whether it passes us the expiration time). In the future, we can add an option to clamp this down to a shorter period if the local admin prefers it.
2011-05-06Allow changing the log level without restartStephen Gallagher1-1/+1
We will now re-read the confdb debug_level value when processing the monitor_common_logrotate() function, which occurs when the monitor receives a SIGHUP.
2011-04-08Fix unchecked return values of pam_add_responseJakub Hrozek1-4/+12
https://fedorahosted.org/sssd/ticket/798
2011-02-21Perform initgroups lookups for all domainsStephen Gallagher1-3/+5
Previously, we were setting the client context PAM lookup timeout after the first domain replied. However, if the user wasn't a member of the first domain, their information wasn't being updated. This patch ensures that we only set this timeout after the user has been found or all domains were searched.
2011-01-21Perform initgroups lookup for PAMStephen Gallagher1-1/+3
Previously we were only looking up the user, but we need to make sure that all groups are available for use by access providers.
2011-01-19Use DEFAULT_PAM_VERBOSITY if config value cannot be retrievedSumit Bose1-1/+1
2011-01-19Add pam_pwd_expiration_warning config optionSumit Bose1-12/+47
2011-01-11Validate user supplied size of data itemsSumit Bose1-76/+75
Specially crafted packages might lead to an integer overflow and the parsing of the input buffer might not continue as expected. This issue was identified by Sebastian Krahmer <krahmer@suse.de>.
2010-12-22Update the ID cache for any PAM requestStephen Gallagher3-8/+21
Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749
2010-12-22Ensure ID is checked in all domains for PAMStephen Gallagher1-0/+2
Previously, this was initialized to zero, so the first domain in the list wouldn't be checked for ID updates in pam_check_user_search. This initializes the first domain to check the provider.
2010-12-14Remove unused newauthtok variable in LOCAL_pam_handlerSumit Bose1-3/+0
https://fedorahosted.org/sssd/ticket/716
2010-12-14Eliminate possible NULL-dereference in pam_check_user_searchStephen Gallagher1-0/+7
https://fedorahosted.org/sssd/ticket/719
2010-12-03Add support for server-side pam response messagesSumit Bose1-0/+2
2010-11-15Introduce pam_verbosity config optionSumit Bose1-11/+90
Currently we display all PAM messages generated by sssd to the user. But only some of them are important and others are just some useful information. This patch introduces a new option to the PAM responder which controls what kind of messages are displayed. As an example the 'Authenticated with cached credentials' message is used. This message is only displayed if pam_verbosity=1 or if there is an expire date.
2010-11-15Avoid long long in messages to PAM client use int64_tSumit Bose1-7/+7
2010-09-08Move crypto functions into its own subdirJakub Hrozek1-1/+1
A refactoring patch that creates a common util/crypto subdir with per-implementation subdirectories for each underlying crypto library supported by SSSD.
2010-06-17Honor filter_users in PAMStephen Gallagher3-10/+47
2010-06-06Remove dead code from the PAM responderJakub Hrozek2-13/+0
2010-05-26Add support for delayed kinit if offlineSumit Bose1-1/+1
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
2010-04-12sysdb: remove remaining traces of sysdb_handleSimo Sorce1-1/+0
2010-04-12sysdb: convert sysdb_get_user_attrSimo Sorce1-57/+39
2010-04-12sysdb: convert sysdb_getpwnamSimo Sorce2-219/+119
2010-04-12Remove remaining use of sysdb_transaction_sendSimo Sorce2-232/+32
2010-04-12sysdb: convert sysdb_cache_authSimo Sorce1-47/+39
2010-04-12sysdb: convert sysdb_set_entry/user/group_attrSimo Sorce2-45/+7
2010-03-25Fix warnings from -Wmissing-field-initializersSumit Bose1-17/+17
This patch removes some tab-indentations from pamsrv.c, too.
2010-03-17Fix a series of memory leaks in the SBUSStephen Gallagher1-3/+5
2010-03-15Properly handle dbus send attempts on a closed connectionStephen Gallagher1-22/+5
dbus_connection_send_with_reply() will report success and return a NULL pending_reply when the connection is not open for communication. This patch creates a new wrapper around dbus_connection_send_with_reply() to properly detect this condition and report it as an error.
2010-03-08Reopen logs when SIGHUP is caughtJakub Hrozek1-0/+1
Upon receiving SIGHUP, the monitor signals all services to reopen their debug logs. It is also possible to signal individual services to reopen their particular files. Fixes: #332
2010-03-04Add forgotten \n in DEBUG statementsMartin Nagy1-1/+1
Logs from confdb with missing '\n' in the DEBUG statements annoyed me so I decided to fix them. I also made a quick grep through the code and found other places so I fixed them too.
2010-03-04Eliminate monitor reconfigStephen Gallagher1-13/+0
We disabled live reconfiguration a long time ago with the intent of fixing it so that it wasn't completely broken, but we've decided that live updates are too delicate to handle all cases gracefully. For the forseeable future, we will rely on process restart for updating the configuration. Furthermore, we had not completely disabled live updates. It would still attempt to run if we sent a SIGHUP. This has also been eliminated.
2010-02-23Store lastLogin attribute when authenticating onlineJakub Hrozek1-0/+5