summaryrefslogtreecommitdiff
path: root/src/responder
AgeCommit message (Collapse)AuthorFilesLines
2011-07-29Add vetoed_shells optionJohn Hodrien3-1/+17
There may be users in LDAP that have a valid but unwelcome shell set in their account. This adds a blacklist of shells that should always be replaced by the fallback_shell. Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2011-07-21Fix indexing of skipped groupsJakub Hrozek1-2/+4
https://fedorahosted.org/sssd/ticket/928
2011-06-27fix typosSimo Sorce1-5/+5
2011-06-02Non-posix group processing - ldap provider and nss responderJan Zeleny1-3/+11
2011-05-31Fix typo in initgroups negative cache checkStephen Gallagher1-1/+1
2011-05-23Set _GNU_SOURCE globallySumit Bose1-3/+1
2011-05-20Add new options to override shell valueJakub Hrozek3-1/+123
https://fedorahosted.org/sssd/ticket/742
2011-05-20Add a new option to override home directory valueJakub Hrozek3-1/+140
https://fedorahosted.org/sssd/ticket/551
2011-05-20Add a new option to override primary GID numberJakub Hrozek2-2/+10
https://fedorahosted.org/sssd/ticket/742
2011-05-06Allow changing the log level without restartStephen Gallagher4-2/+17
We will now re-read the confdb debug_level value when processing the monitor_common_logrotate() function, which occurs when the monitor receives a SIGHUP.
2011-05-06Create common sss_monitor_init()Stephen Gallagher1-34/+3
This was implemented almost identically for both the responders and the providers. It is easier to maintain as a single routine. This patch also adds the ability to provide a private context to attach to the sbus_connection for later use.
2011-05-06Do not leak netgroups hash tableJakub Hrozek1-0/+12
2011-04-25Don't use negative cache in netgroup lookupJan Zeleny2-20/+20
In responder a negative cache is used to indicate that the record has not been found by previous lookup. This approach is however not applicable for netgroup lookup because the design of their lookup is a little different. This patch removes some pieces of code working with negative cache, because they didn't fuction well. Instead a new flag has been added to the positive cache. This flag indicates if the record in the cache is a record of existing netgroup or it's just a placeholder. https://fedorahosted.org/sssd/ticket/820
2011-04-15Fix regression where nonexistent entries were never added to the negative cacheStephen Gallagher1-21/+21
2011-04-15Fix a regression with the negative cache in multi-domain configurationsStephen Gallagher1-3/+18
2011-04-15Add debug logging to the negative cacheStephen Gallagher1-0/+5
2011-04-08Fix unchecked return values of pam_add_responseJakub Hrozek1-4/+12
https://fedorahosted.org/sssd/ticket/798
2011-03-09Change state of hash entry if netgroup cannot be parsedSumit Bose1-0/+2
2011-03-07Refactor set_netgroup_entry()Sumit Bose1-4/+7
To avoid wrong or missing netgroup names in the getent_ctx destructor set_netgroup_entry() now takes the name out of the getent_ctx struct instead of using a separate argument.
2011-03-07Add missing name to struct getent_ctx for missing netgroupSumit Bose1-0/+6
https://fedorahosted.org/sssd/ticket/817
2011-02-21Perform initgroups lookups for all domainsStephen Gallagher1-3/+5
Previously, we were setting the client context PAM lookup timeout after the first domain replied. However, if the user wasn't a member of the first domain, their information wasn't being updated. This patch ensures that we only set this timeout after the user has been found or all domains were searched.
2011-01-21Perform initgroups lookup for PAMStephen Gallagher1-1/+3
Previously we were only looking up the user, but we need to make sure that all groups are available for use by access providers.
2011-01-19Use DEFAULT_PAM_VERBOSITY if config value cannot be retrievedSumit Bose1-1/+1
2011-01-19Add pam_pwd_expiration_warning config optionSumit Bose1-12/+47
2011-01-14Fix missing hash table bugStephen Gallagher1-0/+1
When the automatic cleanup happened, if the netgroup had been created with no contents (to indicate an unknown netgroup), we weren't saving the hash table address and the talloc_free() was failing.
2011-01-11Validate user supplied size of data itemsSumit Bose1-76/+75
Specially crafted packages might lead to an integer overflow and the parsing of the input buffer might not continue as expected. This issue was identified by Sebastian Krahmer <krahmer@suse.de>.
2011-01-06Remove unused enumeration cache timeout checksSumit Bose3-33/+2
The existence of the getent_ctx is used to track the enumeration cache timeout.
2011-01-06Post enumeration tevent request if neededSumit Bose2-8/+43
2011-01-06Return groups and users from all domains during enumerationSumit Bose1-3/+5
2010-12-22Update the ID cache for any PAM requestStephen Gallagher4-8/+23
Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749
2010-12-22Ensure ID is checked in all domains for PAMStephen Gallagher1-0/+2
Previously, this was initialized to zero, so the first domain in the list wouldn't be checked for ID updates in pam_check_user_search. This initializes the first domain to check the provider.
2010-12-17Fix possible NULL-dereference in lookup_netgr_step()Sumit Bose1-1/+1
https://fedorahosted.org/sssd/ticket/735
2010-12-17Fix unchecked return value in set_nonblockingStephen Gallagher1-10/+53
Also fixes the same problem with set_close_on_exec https://fedorahosted.org/sssd/ticket/713
2010-12-15Fix uninitialized value error in lookup_netgr_step()Sumit Bose1-146/+181
2010-12-14Remove unused newauthtok variable in LOCAL_pam_handlerSumit Bose1-3/+0
https://fedorahosted.org/sssd/ticket/716
2010-12-14Eliminate possible NULL-dereference in pam_check_user_searchStephen Gallagher1-0/+7
https://fedorahosted.org/sssd/ticket/719
2010-12-03Add support for server-side pam response messagesSumit Bose1-0/+2
2010-12-02Add a special filter type to handle enumerationsSumit Bose1-1/+1
2010-11-15Introduce pam_verbosity config optionSumit Bose1-11/+90
Currently we display all PAM messages generated by sssd to the user. But only some of them are important and others are just some useful information. This patch introduces a new option to the PAM responder which controls what kind of messages are displayed. As an example the 'Authenticated with cached credentials' message is used. This message is only displayed if pam_verbosity=1 or if there is an expire date.
2010-11-15Avoid long long in messages to PAM client use int64_tSumit Bose1-7/+7
2010-10-26Fix double free issueSumit Bose1-2/+2
2010-10-26Always use talloc_zero() to allocate cmdctxSumit Bose2-3/+3
2010-10-26Remove all nss requests after a reconnectSumit Bose3-1/+26
Currently we do not handle the open nss request after a reconnect and wait until they timeout (which is a couple of minutes!). This patch adds a handler that terminates all requests after a reconnect. Then responder will return matching cache entries or nothing.
2010-10-15sysdb interface for adding fake usersJakub Hrozek1-1/+1
2010-10-15sysdb interface for adding incomplete groupsJakub Hrozek1-1/+1
Useful for optimizing the initgroups operation.
2010-10-13Also return member groups to the clientSumit Bose2-55/+85
2010-10-13Add handling of nested netgroups to nss clientSumit Bose1-1/+4
2010-10-13Add missing tevent_req_done()Sumit Bose1-0/+1
2010-10-13Add netgroup support to the NSS responderStephen Gallagher7-2/+922
2010-10-13Split out some helper functions for the NSS responderStephen Gallagher2-83/+147
Create a new private header and make some functions available for other object files.