Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
The name context was not being initialized for local provider
domains because it was handled after skipping over the back-end
initialization routine. This patch moves the name context init
routine to occur earlier.
https://fedorahosted.org/sssd/ticket/1412
|
|
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
|
|
Coverity #12800
|
|
Coverity #12801
|
|
|
|
|
|
|
|
|
|
sudosrv_get_sudorules_query_cache()
|
|
|
|
sss_sudo_type represents query type that comes to the responder
sss_dp_sudo_type represents query type to DP that is issued by the responder
I'm leaving current values of sss_dp_sudo_type untouched so the compilation
is not broken. Hovewer, they will be changed to new DP types once the DP
interface is updated.
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1239
Test client was changed accordingly. The new usage is:
sss_sudo_cli username [uid]
If uid is not set, getpwnam(username) is called. It will retrieve
both default options and rules.
|
|
|
|
|
|
This patch modifies behavior of SSSD when putting together content of
the file for pam_selinux. SSSD will now pick only the first user map in
the priority list which matches to the user logging in. Other maps are
ignored.
https://fedorahosted.org/sssd/ticket/1360
|
|
This patch fixes an issue which resulted in a need to initialize
responder with data from local domain, otherwise it would not correctly
detect requests for subdomains. Similar situation can occur if new
subdomain is added at runtime.
The solution is to ask for a list of subdomains in case there is a
candidate domain identified in the process of matching re_expressions
with given name.
|
|
|
|
This adds support for parsing PAC and storing information contained
within. In particular the user and all his memberships are stored. In
case it is necessary, getgrgid() requests are sent to provider for group
resolution.
|
|
|
|
This adds only the basic outline of the PAC responder, it won't support
any operations, it will just start and initialize itself.
|
|
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113
|
|
|
|
|
|
|
|
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663
|
|
https://fedorahosted.org/sssd/ticket/1318
|
|
|
|
|
|
Since there are two attributes storing information about user
memberships of the group we have to include both of them in results.
This will apply only for objects that have ghost members (i.e. they
contain the SYSDB_GHOST attribute). If an object has this attribute,
values of this attribute are not projected to the memberuid attribute.
|
|
When fixing an endianness bug, we changed the protocol unnecessarily.
|
|
https://fedorahosted.org/sssd/ticket/1348
|
|
|
|
The fact that we were keeping it in memory for the full duration
of the cache timeout meant that we would never reap the benefits
of the midpoint cache refresh.
https://fedorahosted.org/sssd/ticket/1340
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1329
|
|
This option will allow administrators to set a default shell to be
used if a user does not have one set in the identity provider.
https://fedorahosted.org/sssd/ticket/1289
|
|
This option is similar to override_homedir, except that it will
take effect only for users that do not have an explicit home
directory specified in LDAP.
https://fedorahosted.org/sssd/ticket/1250
|
|
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
|
|
Instead of using account_info request, creates a new ssh specific
request. This improves code readability and will make the code more
flexible in the future.
https://fedorahosted.org/sssd/ticket/1176
|
|
Also changes setautomntent_send so that is only return NULL in case the
tevent_req creation fails.
|
|
|
|
|
|
sss_process_init forgot to check return value of confdb_get_int
|
|
The 'result' pointer must be initialized tin order to always return a
defined value.
|
|
Do not let nss_cmd_initgroups_search() return data itself, but let the
caller return data. This is more intuitive and more consistent with the
rest of the nss_cmd_*_search() functions.
Also fixes a typo - nss_cmd_initgroups_cb used to call getpw_send_reply
instead of initgr_send_reply.
|
|
https://fedorahosted.org/sssd/ticket/1312
|