summaryrefslogtreecommitdiff
path: root/src/responder
AgeCommit message (Collapse)AuthorFilesLines
2010-12-03Add support for server-side pam response messagesSumit Bose1-0/+2
2010-12-02Add a special filter type to handle enumerationsSumit Bose1-1/+1
2010-11-15Introduce pam_verbosity config optionSumit Bose1-11/+90
Currently we display all PAM messages generated by sssd to the user. But only some of them are important and others are just some useful information. This patch introduces a new option to the PAM responder which controls what kind of messages are displayed. As an example the 'Authenticated with cached credentials' message is used. This message is only displayed if pam_verbosity=1 or if there is an expire date.
2010-11-15Avoid long long in messages to PAM client use int64_tSumit Bose1-7/+7
2010-10-26Fix double free issueSumit Bose1-2/+2
2010-10-26Always use talloc_zero() to allocate cmdctxSumit Bose2-3/+3
2010-10-26Remove all nss requests after a reconnectSumit Bose3-1/+26
Currently we do not handle the open nss request after a reconnect and wait until they timeout (which is a couple of minutes!). This patch adds a handler that terminates all requests after a reconnect. Then responder will return matching cache entries or nothing.
2010-10-15sysdb interface for adding fake usersJakub Hrozek1-1/+1
2010-10-15sysdb interface for adding incomplete groupsJakub Hrozek1-1/+1
Useful for optimizing the initgroups operation.
2010-10-13Also return member groups to the clientSumit Bose2-55/+85
2010-10-13Add handling of nested netgroups to nss clientSumit Bose1-1/+4
2010-10-13Add missing tevent_req_done()Sumit Bose1-0/+1
2010-10-13Add netgroup support to the NSS responderStephen Gallagher7-2/+922
2010-10-13Split out some helper functions for the NSS responderStephen Gallagher2-83/+147
Create a new private header and make some functions available for other object files.
2010-10-13Add negative cache features for netgroupsStephen Gallagher2-0/+39
2010-10-13Require explicit setting of callback context for check_cacheStephen Gallagher1-7/+13
Previously, it was implicitly using the nss_dom_ctx, but there are situations where we would want to send a different private context
2010-09-22Initgroups on a non-cached user should go to the data providerStephen Gallagher1-1/+2
We were accidentally returning an error when sysdb_getpwnam() returned zero results internally in sysdb_initgroups(). The correct behavior here is to return EOK and a result object with zero entries.
2010-09-08Handle multiple simultaneous enumeration requestsStephen Gallagher2-289/+717
Previously, if a second enumeration request arrived while one was already being processed, each process would receive only a subset of the total number of available users or groups. This is because we were maintaining the response object as a global value in the NSS responder. The second request would come in, see that the data set was already populated, and start reading from wherever the cursor was currently pointed. With this patch, we now move the cursor to the client context instead of the global NSS context. Additionally, this patch completely rewrites the approach to enumerations in the tevent_req style. This makes it much easier to follow in the code. In order to ensure that a slow or malicious client cannot hold onto a reference for the setent result object indefinitely, we set an expiration on the object. We use the enum_cache_timeout here, since that is an appropriate value. If the timeout fires during the normal operation of the get*ent() loop of a client program, we will save the current values of the read index so that we can resume as soon as the object has been refreshed by an implicit setent call. Instead of deleting the enumeration result object immediately after the last in-progress client has read it, we'll keep the object around for the lifetime of enum_cache_timeout. This way, additional clients making enumeration requests can still access the results in-memory.
2010-09-08Dead assignments cleanup in NSS responderJan Zeleny2-7/+7
Various dead assignments were deleted, some return value inspections were added. Ticket: #588
2010-09-08Move crypto functions into its own subdirJakub Hrozek1-1/+1
A refactoring patch that creates a common util/crypto subdir with per-implementation subdirectories for each underlying crypto library supported by SSSD.
2010-06-17Honor filter_users in PAMStephen Gallagher3-10/+47
2010-06-17Move setup of filter_users and filter_groups to negcache.cStephen Gallagher3-187/+220
Creates a new function - sss_ncache_prepopulate() - that can be shared with other responders, such as PAM.
2010-06-17Refactor the negative cacheStephen Gallagher5-57/+57
Rename functions from nss_ncache_* to sss_ncache_* Move negative cache to responder/common and rename as negcache.c/h
2010-06-17Ensure that all domains are checked for users/groupsStephen Gallagher1-3/+15
There was a bug in the negative cache checks (probably a leftover from when filter_users was global-only) that meant that if a user was filtered out of a domain, the remaining domains would not be checked for that user. (Same for groups/initgroups)
2010-06-14Properly null-terminate socket pathStephen Gallagher1-2/+4
https://fedorahosted.org/sssd/ticket/540
2010-06-10Check the correct variable for NULL after creating timerStephen Gallagher1-1/+1
In several places, we were creating a new timer and assigning it to the tev variable, but then we were checking for NULL from the te variable (which, incidentally, is guaranteed never to be NULL in this situation) https://fedorahosted.org/sssd/ticket/523
2010-06-06Remove dead code from the PAM responderJakub Hrozek2-13/+0
2010-05-26Add support for delayed kinit if offlineSumit Bose1-1/+1
If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
2010-04-16Use SO_PEERCRED on the PAM socketSumit Bose2-1/+55
This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server the protocol version number is not changed. On the client side the connection is terminated it the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use. The following additional changes are made by this patch: - the checks of the ownership and the permissions on the PAM sockets are enhanced - internal error codes are introduced on the client side to generate more specific log messages if an error occurs
2010-04-16Revert "Add better checks on PAM socket"Sumit Bose2-140/+1
This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.
2010-04-12sysydb: Finally stop using a common event contextSimo Sorce1-1/+1
This commit completes the migration to a synchronous sysdb
2010-04-12sysdb: remove remaining traces of sysdb_handleSimo Sorce1-1/+0
2010-04-12sysdb: convert sysdb_initgroupsSimo Sorce1-222/+117
2010-04-12Adjust fill_pwent and fill_grentSimo Sorce1-13/+13
fill_pwent should return the number of users actually processed. Otherwise in case of a recoverable error we may end up skipping a large chunk of users. fill_grent doesn't need to distinguish between number of entries and number of groups to process since we started adding memberuid. Remove remnants that are not useful anymore.
2010-04-12sysdb: convert sysdb_enumgrentSimo Sorce1-161/+106
2010-04-12sysdb: convert sysdb_enumpwentSimo Sorce1-172/+116
2010-04-12sysdb: convert sysdb_get_user_attrSimo Sorce1-57/+39
2010-04-12sysdb: convert sysdb_getgrgidSimo Sorce1-193/+109
2010-04-12sysdb: convert sysdb_getgrnamSimo Sorce1-223/+134
2010-04-12sysdb: convert sysdb_getpwuidSimo Sorce1-198/+107
2010-04-12sysdb: convert sysdb_getpwnamSimo Sorce3-448/+309
2010-04-12Remove remaining use of sysdb_transaction_sendSimo Sorce2-232/+32
2010-04-12sysdb: convert sysdb_cache_authSimo Sorce1-47/+39
2010-04-12sysdb: convert sysdb_set_entry/user/group_attrSimo Sorce2-45/+7
2010-03-25Fix warnings from -Wmissing-field-initializersSumit Bose2-18/+18
This patch removes some tab-indentations from pamsrv.c, too.
2010-03-17Fix a series of memory leaks in the SBUSStephen Gallagher2-7/+6
2010-03-17Fixes for client communicationSumit Bose2-9/+17
- catch all errors of send() and recv(), not only EAGAIN - check if send() or recv() return EWOULDBLOCK or EINTR - remove unused parameter from client_send() and client_recv() - fix a debugging message
2010-03-15Fixed buffer alignment in exchange_credentials().George McCollister1-3/+7
buf needs to be 32 bit aligned on ARM. Also made the fix on the server side. Signed-off-by: George McCollister <George.McCollister@gmail.com>
2010-03-15Properly handle dbus send attempts on a closed connectionStephen Gallagher2-44/+15
dbus_connection_send_with_reply() will report success and return a NULL pending_reply when the connection is not open for communication. This patch creates a new wrapper around dbus_connection_send_with_reply() to properly detect this condition and report it as an error.
2010-03-11Add better checks on PAM socketSumit Bose2-1/+136
- check if the public socket belongs to root and has 0666 permissions - use a SCM_CREDENTIALS message if available